Level 2
CMMC Level 2 is considered a steppingstone to get from Level 1 to Level 3. No RFPs will be issued with CMMC Level 2 certification requirements.
CMMC Level 2 builds on the 17 practices (controls) in Level 1 and adds an additional 55 practices. In addition, Level 2 requires two processes: that each of the 72 practices be documented, and that an overall cybersecurity policy be written that includes all cybersecurity activities. In other words, you will begin building a quality management system (QMS) for your cybersecurity program to achieve a consistent, quality result.
NOTE: CMMC Level 1 in a Box includes steps to help build a QMS for your cybersecurity program.
Recommendations:
1. Since no RFPs will be issued with CMMC Level 2 certification requirements, it does not make financial sense to request a Level 2 audit from a C3PAO – there would be no return on your investment.
2. CMMC Level 1 in a Box can be used as a model for continuing on to Level 2.
3. When determining where to begin in terms of practices, start with the easiest and least costly practices first.
4. If you are considering engaging a cybersecurity consultant, you might want to include Level 3 practices rather than pay a company to assist with Level 2 compliance, then have to engage them again to assist with Level 3 compliance. For a list of cybersecurity consultants to consider, please Click Here.
CONTACT US
Main Point of Contact:
Laura Rodgers
Director of Cybersecurity Practice
Secure Computing Institute
EB II, 2240B
NC State University
ldrodger@ncsu.edu
(o) 919-515-5063
(c) 828-734-0053
How to best utilize CyberNC.us:
The CyberNC.us website was created to provide North Carolina companies with one location to find all the information they need to develop a cybersecurity compliance program that is compliant with Department of Defense regulations.
The most effective way to utilize the website is to follow the steps below:
- Understand the regulations. Click on the Cybersecurity Regulations tab and review the information about each of the regulations.
- Understand the data. Click on the FCI/CUI tab for detailed information about Federal Contract Information and Controlled Unclassified Information, then review the Cybersecurity Overview presentation.
- The information on the Where to Start tab will help businesses determine which regulation they must comply with, as well as the level of compliance that is required.
- The DFARS tab contains information about compliance with DFARS 252.204-7012 and the new DFARS Interim Rule.
- The CMMC tab contains information about CMMC 2.0 and includes FAQs and resources.
- The Training tab provides information about resources businesses can use to train their employees.
- The Partners tab contains links to the websites of the I3C partner agencies.
The NCMBC and the I3C are not representatives of the DoD or the CMMC Accreditation body. This website is meant to be a community resource for cybersecurity compliance information.
Copyright 2020, North Carolina Military Business Center. All Rights Reserved.