The Controlled Unclassified Information (CUI) program standardizes how the U.S. Federal Government manages sensitive information that does not meet the criteria for classification but still requires protection. Sensitive but unclassified data may include personal information, proprietary business information, certain types of law enforcement data, protected health information, and critical infrastructure and cybersecurity information. Even though this data isn’t classified, it is still protected and must go through a specific process to ensure it is handled and accessed securely.
The security practices (NIST SP 800-171) upon which CMMC 2.0 Level 2 is based have been mandatory for DoD contractors handling sensitive information since December 2017, when the DFARS clause 252.204-7012 was included in DoD contracts.
In response to inconsistent self-monitoring and assessment, the DoD launched the CMMC program, where compliance is verified by independent third-party assessors through DoD-certified CMMC Third Party Assessment Organizations (C3PAOs). The assessment findings are submitted by the C3PAO to the Cyber-AB, which then issues the certification.
If your business processes, handles, or manages information critical to national security, you must demonstrate CMMC 2.0 Level 2 compliance with the 110 controls from NIST SP 800-171.
NIST 800-171 consists of 14 domain families that form a comprehensive framework for protecting CUI in non-federal information systems and environments. Adherence is crucial to securing CUI. The domain families are the foundation on which the various levels of CMMC compliance certification are built. CMMC 2.0 Level 2 covers all 110 controls that map to each of the 14 NIST SP 800-171 domains, inclusive of all Level 1 requirements.
Well-trained and knowledgeable personnel who support the core security domains of CMMC 2.0 Level 2 are essential assets to any organization. Safeguarding CUI is a continuous, active, and unwavering commitment to protect data from unauthorized access.
Achieving CMMC 2.0 Level 2 compliance is a rigorous process that demands meticulous planning, a thorough understanding of cybersecurity requirements, and a commitment to continuous improvement. It also demands active engagement and support by executive leadership to foster an organization-wide culture of cybersecurity resilience. While it presents challenges, it also offers opportunities to fortify your cybersecurity posture, enhance your reputation, and secure your place in the DoD supply chain.