Policy Requirements to Pass CMMC 2.0 Assessments
Mike Kell
Introduction
The Cybersecurity Maturity Model Certification (CMMC) is a critical requirement for DoD contractors, ensuring that sensitive federal contract information (FCI) and controlled unclassified information (CUI) are adequately protected. As the CMMC framework continues to evolve, recent developments, including a recent Department of Defense (DoD) Proposed Rule in the Federal Register on changes to the Defense Federal Acquisition Regulation Supplement (DFARS), highlight the importance of robust cybersecurity practices. These DFARS changes are directly tied to CMMC compliance, emphasizing the need for comprehensive policies that align with the updated requirements. In this guide, we’ll explore the key policy requirements necessary to pass CMMC assessments, offering practical steps to ensure your organization is fully prepared for both Level 1 and Level 2 self-assessments and Level 2 and Level 3 third-party audits.
One key assumption in cost estimates for CMMC compliance is that organizations already have a mature cybersecurity posture. However, many small businesses affected by CMMC are not existing DoD contractors but rather suppliers to prime contractors. These small businesses often lack sophisticated cybersecurity practices, making compliance more challenging and costly. The DoD has noted that approximately 76,000 companies will require CMMC Level 2 certification, with the majority needing third-party assessments. This underscores the need for these smaller entities to make significant investments in cybersecurity to meet the stringent requirements of CMMC 2.0, particularly if they handle CUI.
Detailed Policy Requirements by CMMC Level
The CMMC framework establishes a set of practices and policies that organizations must implement to protect sensitive information. As organizations progress through the CMMC levels—from basic to advanced requirements—the complexity and scope of these policies expand accordingly. Here’s a detailed narrative of what policies are required at each CMMC level, who typically manages them, and examples of artifacts needed to prove compliance.
Level 1: Basic Cyber Hygiene
CMMC Level 1 lays the foundation for protecting Federal Contract Information (FCI) through basic cyber hygiene practices. Organizations at this level must focus on fundamental policies, including Access Control and Identity Management, Data Encryption and Transmission, System and Information Integrity, and Physical and Environmental Security.
The Access Control and Identity Management Policy ensures that only authorized users can access systems and information. Managed by the IT department, this policy requires organizations to maintain user access logs, document account creation and deletion, and regularly review access permissions. Meanwhile, the Data Encryption and Transmission Policy requires basic encryption to secure FCI at rest and in transit, with IT teams responsible for managing encryption configurations and key management logs.
The System and Information Integrity Policy addresses the need to protect system integrity through regular monitoring, malware protection, and software updates. IT departments must produce artifacts such as patch management records, antivirus scan results, and system audit logs. Finally, the Physical and Environmental Security Policy, overseen by Facilities Management, focuses on securing physical access to sensitive areas. Organizations must document physical access controls, visitor logs, and environmental monitoring to demonstrate compliance.
Level 2: Intermediate Cyber Hygiene
At CMMC Level 2, organizations must expand their cybersecurity practices to protect Controlled Unclassified Information (CUI). This level includes all the policies required for Level 1 but adds more stringent requirements and new policies like Incident Response and Monitoring, Configuration and System Integrity Management, Security Awareness and Training, and Risk and Supply Chain Management.
Building on the basic access controls established in Level 1, the Access Control and Identity Management Policy for Level 2 incorporates multi-factor authentication and more sophisticated remote access controls. The IT department is responsible for implementing and documenting these advanced measures, ensuring that all access to systems is secure and authenticated. The Incident Response and Monitoring Policy, managed by the Security Operations Center (SOC), requires organizations to develop detailed incident response plans and maintain continuous monitoring to detect and respond to threats. Artifacts such as incident reports, detection timelines, and SOC logs are critical for proving compliance at this level.
The Configuration and System Integrity Management Policy expands on the basic system integrity controls by introducing configuration baselines and automated monitoring for unauthorized changes. The IT department must maintain comprehensive configuration management records, ensuring that systems are secure and compliant. Additionally, the Security Awareness and Training Policy is essential at Level 2, requiring tailored training for different roles within the organization. HR and IT departments collaborate to ensure that training is delivered, documented, and evaluated, with artifacts such as training schedules, materials, and post-training assessments.
The Risk and Supply Chain Management Policy introduces continuous risk assessments and supply chain management practices. This policy is typically overseen by Risk Management and Procurement, with organizations needing to provide risk assessment reports, vendor security evaluations, and supply chain monitoring logs to demonstrate compliance.
Level 3: Advanced / Expert Cyber Hygiene
CMMC Level 3 represents the highest level of cybersecurity maturity, incorporating all the requirements from Levels 1 and 2 while adding advanced controls tailored to combat sophisticated threats like Advanced Persistent Threats (APTs). Policies at this level include those required for the previous levels, but they are enhanced with advanced features and new practices such as Threat Intelligence, Continuous Monitoring, and Penetration Testing.
The Access Control and Identity Management Policy for Level 3 must include advanced controls like bidirectional authentication and network isolation, ensuring that only authorized, verified users and systems can access sensitive information. The IT department must maintain detailed records of these authentication and isolation processes, along with network segmentation documentation.
The Incident Response and Monitoring Policy at Level 3 requires the establishment of a 24/7 SOC and a specialized incident response team. These teams must be ready to respond to incidents rapidly and effectively. SOC operations logs, deployment records, and threat detection reports are vital artifacts that demonstrate the organization’s readiness and capability to manage incidents at this advanced level.
The Configuration and System Integrity Management Policy must now include automated detection mechanisms that identify and respond to unauthorized changes in real time, as well as the use of cryptographic signatures to verify the integrity of critical software. IT departments are responsible for implementing these automated solutions and providing evidence of their effectiveness through detailed monitoring logs and integrity check reports.
Additionally, the Security Awareness and Training Policy for Level 3 involves role-specific training that includes practical exercises designed to prepare employees for real-world threats. HR and IT must document the results of these exercises, along with feedback and evaluations, to ensure that the workforce is adequately prepared for sophisticated cyber threats.
The Data Encryption and Transmission Policy at Level 3 mandates strict information flow controls between security domains, with IT departments managing and documenting these flows to ensure compliance with the highest encryption standards. Finally, the Risk and Supply Chain Management Policy is enhanced to include advanced threat hunting activities, continuous monitoring, and automated risk assessments. Procurement and Risk Management teams must produce comprehensive reports detailing these activities, including supply chain risk mitigation strategies and real-time threat intelligence updates.
Comprehensive Matrix of CMMC Policy Requirements Across Levels 1, 2, and 3
| Consolidated Policy | CMMC Level 1 | CMMC Level 2 | CMMC Level 3 |
| --- | --- | --- | --- |
| Access Control and Identity Management | Basic access controls and user authentication | Includes multi-factor authentication and enhanced controls | Advanced controls like bidirectional authentication and system isolation |
| Incident Response and Monitoring | | Comprehensive incident response and continuous monitoring | 24/7 SOC operations and specialized incident response teams |
| Configuration and System Integrity Management | Basic configuration controls and system integrity | Enhanced configuration management and system monitoring | Automated detection of misconfigurations and advanced integrity checks |
| Security Awareness and Training | | Role-based security training tailored to different roles | Advanced training on APTs with practical exercises for specialized roles |
| Data Encryption and Transmission | Basic encryption for data at rest and in transit | Advanced encryption standards and secure data transmission | Strict controls on information transfer between security domains |
| Physical and Environmental Security | Basic physical access controls to secure facilities and hardware | Comprehensive physical security measures | Physical and logical isolation techniques for critical systems |
| Risk and Supply Chain Management | | Continuous risk assessments and supply chain management | Advanced threat hunting, automated risk assessments, and supply chain risk mitigation plans |
| Maintenance and Media Protection | | Enhanced protection and secure maintenance of media | Advanced verification of media integrity and management of specialized assets |
Conclusion
Across all CMMC levels, these policies serve as the backbone of an organization’s cybersecurity framework. As organizations progress through the levels, the complexity and scope of these policies expand to address increasingly sophisticated threats. Detailed documentation and continuous monitoring are essential at each level to ensure compliance and demonstrate the effectiveness of the policies during audits. By implementing these policies, organizations can build a robust cybersecurity posture capable of protecting both FCI and CUI from a wide range of cyber threats.
Sources and References
- Federal Register: Defense Federal Acquisition Regulation Supplement (DFARS) – Assessing Contractor Implementation of Cybersecurity Requirements (CMMC Implementation)
- U.S. Department of Defense: Cybersecurity Maturity Model Certification (CMMC) 2.0 Program Overview
- NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST Special Publication 800-172 – Enhanced Security Requirements for Protecting Controlled Unclassified Information
- Cybersecurity Maturity Model Certification Accreditation Body (Cyber AB): CMMC Resources