Level 2

CMMC Level 2 is considered a steppingstone to get from Level 1 to Level 3. No RFPs will be issued with CMMC Level 2 certification requirements.

CMMC Level 2 builds from the 17 practices (controls) in Level 1 and adds an additional 55 practices. In addition, Level 2 requires two process – that each of the 72 practices is documented and that an overall cybersecurity policy be written that includes all cybersecurity activities. In other words, you will begin building a quality management system (QMS) for your cybersecurity program to achieve a consistent, quality result.

NOTE: CMMC Level 1 in a Box includes steps to help build a QMS for your cybersecurity program.

Recommendations:

1. Since no RFPs will be issued with CMMC Level 2 certification requirements, it does not make financial sense to request a Level 2 audit from a C3PAO – there would be no return on your investment.
2. CMMC Level 1 in a Box can be used as a model for continuing on to Level 2.
3. When determining where to begin in terms of practices, start with the easiest and least costly practices first.
4. If you are considering engaging a cybersecurity consultant, you might want to include Level 3 practices rather than pay a company to assist with Level 2 compliance, then have to engage them again to assist with Level 3 compliance. For a list of cybersecurity consultants to consider, please Click Here.

If you are, or plan to be in the Department of Defense supply chain, you must comply with cybersecurity regulations. To help North Carolina defense contractors understand and implement cybersecurity regulations, multiple State entities and organizations that support the defense industry have established the NC Interagency Cybersecurity Coordinating Committee (I3C). The goals of the committee are to provide defense contractors with 1) up to date and accurate information about cybersecurity regulations and requirements; 2) effective tools they can use to assess their current level of compliance in preparation for DoD certification; and 3) access to reputable companies, institutions and other resources to help them bridge their assessment, compliance, workforce and technical gaps to cybersecurity compliance. 

CyberNC.us is managed by the North Carolina Military Business Center through the North Carolina Interagency Cybersecurity Coordinating Committee (I3C).
Support provided by Fayetteville Technical Community College and NC State University's Secure Computing Institute.

The NCMBC and the I3C are not representatives of the DoD or the CMMC Accreditation body. This website is meant to be a community resource for cybersecurity compliance information.

Copyright 2020, North Carolina Military Business Center.  All Rights Reserved.