'''Source of Reference: The official [https://dodcio.defense.gov/CMMC/Resources-Documentation/ CMMC Level 2 Assessment Guide Version 2.13, September 2024] from the Department of Defense Chief Information Officer (DoD CIO).'''

== NOTICES ==

The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or departmental policies.

 

DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.

== Introduction ==

This document provides guidance in the preparation for and conduct  of a Level  2  self-assessment or Level 2 certification  assessment  under the Cybersecurity Maturity Model Certification (CMMC) Program as set forth in  section  170.16  of title  32,  Code of Federal Regulations (CFR) and 32 CFR § 170.17 respectively. Certification at each CMMC level occurs independently. Guidance for conducting a Level 1 self-assessment can be found in ''CMMC Assessment Guide – Level 1''. Guidance for conducting a Level 3 certification assessment can be found in ''CMMC'' ''Assessment Guide – Level 3''. More details on the model can be found in the ''CMMC Model Overview'' document.

An  ''Assessment'' as defined in 32 CFR  § 170.4  means  ''the testing or evaluation of security ''

 

''controls to determine the extent to which the controls are implemented correctly, operating as ''

''intended, and producing the desired outcome with respect to meeting the security requirements ''

''for an information system or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18''.

 

For Level 2 there are two types of assessments:  

  A s''elf-assessment'' is the term for the activity performed by an entity to evaluate its own

 

CMMC Level, as applied to Level 1 and some Level 2.  

 

  A ''Level 2 certification assessment ''is the term for the activity performed by a Certified

Third-Party Assessment Organization (C3PAO)to evaluate the CMMC level of an OSC.  

 

32 CFR § 170.16(b) describes contract or subcontract eligibility for any contract with a Level

 

2 self-assessment requirement, and 32 CFR § 170.17(b) describes contract or subcontract

eligibility for any contract with a Level 2 certification  assessment  requirement. Level 2

certification assessment requires the Organization Seeking Assessment (OSA) achieve the  

 

CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO), as described

 

in 32 § CFR 170.4, obtained through an assessment by an accredited C3PAO.  

 

and Technology (NIST) Special Publication (SP) 800-171 Revision 2, ''Protecting Controlled ''

 

''Unclassified Information in Nonfederal Systems and Organizations''. <br />

Level 2 addresses the protection of Controlled Unclassified Information (CUI), as defined in

 

32 CFR § 2002.4(h):

 

''Information the Government creates or possesses, or that an entity creates or ''

 

''possesses for or on behalf of the Government, that a law, regulation, or ''

 

''Government-wide policy requires or permits an agency to handle using ''

 

''safeguarding or dissemination controls. However, CUI does not include classified ''

 

''information (see paragraph (e) of this section) or information a non-executive ''

 

''branch entity possesses and maintains in its own systems that did not come from, ''

 

''or was not created or possessed by or for, an executive branch agency or an entity ''

 

''acting for an agency. Law, regulation, or Government-wide policy may require ''

 

 

''' '''

CMMC Assessment Guide – Level 2 | Version 2.13

 

 

''permitting agencies to control or protect the information but providing no ''

''specific controls, which makes the information CUI Basic; requiring or ''

 

''permitting agencies to control or protect the information and providing specific ''

 

''controls for doing so, which makes the information CUI Specified; or requiring or ''

''permitting agencies to control the information and specifying only some of those ''

''controls, which makes the information CUI Specified, but with CUI Basic controls ''

 

''where the authority does not specify.''  

 

Level 2 certification assessments provides increased assurance to the DoD that an OSA can

adequately protect CUI at a level commensurate with the adversarial  risk,  including

protecting information flow with subcontractors in a multi-tier supply chain.  

 

 

This guide is intended for assessors, OSAs, cybersecurity professionals, and individuals and  

companies that support CMMC efforts. This document can be used as part of preparation for

and conducting a Level 2 self-assessment or a Level 2 certification assessment. The term

Level 2 assessment encompasses both Level 2 self-assessment  and Level 2 certification

assessment. <br />

 

  '''Assessment and Certification:''  '''''provides an overview of the Level 2  self-assessment

processes set forth in 32 CFR §170.16 as well as the Level 2 certification assessment

processes set forth in 32 CFR  § 170.17.  It  provides  guidance regarding the scope

 

requirements set forth in 32 CFR § 170.19(c).  

 

 

  '''CMMC-Custom Terms:''' incorporates definitions from 32 CFR § 170.4 and definitions

 

included by reference from 32 CFR § 170.2, and provides clarification of the intent and  

 

scope of custom terms as used in the context of CMMC.  

 

 

  '''Assessment Criteria and Methodology:''' provides guidance on the criteria and

 

methodology (i.e., ''interview'',  ''examine'', and ''test'')  to be employed  during a Level 2

 

 

 

  '''Requirement  Descriptions:  '''provides  guidance specific to  each  Level  2  security

 

requirement.  

''' '''

 

Assessment and Certification

 

CMMC Assessment Guide – Level 2 | Version 2.13

 

3  

Certified Assessors as described in 32 CFR § 170.11 will use the assessment methods defined

 

in NIST  SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|1]],  ''Assessing Security Requirements for Controlled Unclassified ''

 

''Information'',  along with the supplemental information in this guide, to conduct Level  2

certification assessments. Certified Assessors will review information and evidence to verify

that an OSC meets the stated assessment objectives for all of the requirements. <br />

 

a specific  enclave(s), depending upon how the CMMC  Assessment Scope  is  defined  in

accordance with 32 CFR § 170.19(c). <br />

OSAs  conducting self-assessments  in accordance with 32  CFR  § 170.16  are expected to

 

NIST SP 800-171A and this assessment guide and used for third-party assessments.  

Assessment Scope

 

 

Because the scoping of a Level 2 certification assessment is not the same as the scoping of a

 

 

important to first consider whether the goal is a Level 2 or Level 3 CMMC Status. If the intent

 

is not to achieve a CMMC Status of Final Level 3 (DIBCAC) as defined in 32 CFR § 170.18,

 

refer to the guidance provided in the  ''CMMC Scoping Guide  –  Level  2'' document  which

 

summarizes 32 CFR § 170.19(c). If the intent is to achieve a CMMC Status of Final Level 3

 

(DIBCAC), refer to the guidance provided in the ''CMMC Scoping Guide – Level 3'' document

 

which summarizes 32 CFR § 170.19(d). Both documents are available on the official CMMC

 

documentation site at https://dodcio.defense.gov/CMMC/Documentation/.

 

 

 

 

''' '''

 

CMMC-Custom Terms

 

CMMC Assessment Guide – Level 2 | Version 2.13

 

The CMMC Program has custom terms that align with program requirements. Although some

 

terms may have other definitions in open forums, it is important to understand these terms

as they apply to the CMMC Program. <br />

The specific terms as associated with Level 2 are: <br />

  '''Assessment: '''As defined in 32 CFR § 170.4 means the testing or evaluation of security

 

controls to determine the extent to which the controls are implemented correctly,

 

 

170.15 to 32 CFR § 170.18.  

o  ''Level 2 self-assessment'' is the term for the activity performed by an OSA to evaluate

 

its own information system when seeking a CMMC Status of Level 2 (Self).  

 

o  ''Level 2 certification assessment'' is the term for the activity performed by a C3PAO

 

Level 2 (C3PAO).  

o  ''POA&amp;M closeout self-assessment'' is the term for the activity performed by an OSA

 

to evaluate only the NOT MET requirements that were identified with POA&amp;M

 

during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).  

o  ''POA&amp;M closeout certification assessment'' is the term for the activity performed by

a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were

 

identified with POA&amp;M during the initial assessment, when seeking a CMMC

Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.  

 

  '''Assessment Objective: '''As defined in 32 CFR § 170.4 means a set of determination

statements that, taken together, expresses the desired outcome for the assessment of a  

security requirement. Successful implementation of the corresponding CMMC security

 

requirement requires meeting all applicable assessment objectives defined in NIST SP

 

800–171A or NIST SP 800-172A.