Achieving CMMC Level 2 is no easy task. It’s a massive step up from Level 1, with more than six times the number of security requirements to implement and document.
While Level 1 is self-assessed and relatively basic, Level 2 requires an extensive third-party assessment based on NIST Special Publication 800-171 to safeguard Controlled Unclassified Information (CUI) and demonstrate advanced cybersecurity protection suitable for sensitive government information.
Working with a CMMC expert is always recommended: it helps organizations prepare for their assessment, focuses effort on the right things, and provides the niche expertise needed to accelerate the process.
CMMC Level 2: Common Challenges
To prepare you for what comes next, today’s article will outline some of the challenges government contractors face in achieving Level 2 certification.
- Implementing 110 security requirements
CMMC Level 2 requires the implementation of 110 security requirements. The scope of this process can be vast, depending on the size of the company and the complexity of its systems. Many organizations struggle to identify all devices and machines that handle CUI and may be challenged to translate some technical requirements into documented security policies.
- Establishing new policies, procedures, and documentation
All policies, procedures, and system security plans (SSPs) must be meticulously documented, with evidence provided that each new policy is implemented as written. The SSP, in particular, must detail how each policy is being implemented and whether any third parties or service providers are involved. Many CMMC Level 2 failures are due to inadequate or incomplete documentation.
- All third-party vendors must be compliant
Any third party handling CUI must meet the same stringent requirements. For organizations with a large, fragmented, or complex supply chain, this can be a significant barrier, as it necessitates more robust security monitoring, frequent risk assessments, and specific third-party vendor policies.
- Lack of resources
CMMC readiness requires a significant investment of time, money, and expertise. New tools and systems may be necessary, and some organizations may not have the in-house expertise to manage the process adequately. Outside consultants may be required, but cost may be a factor.
- Technical challenges
CUI protections are paramount at Level 2. MFA, least-privilege access, and robust encryption must be implemented without degrading system performance or impeding productivity. Additionally, employees will need to be trained to recognize common threats and will require regular refresher training to stay aware of current risks.
- Changing rules
As the threat landscape evolves, CMMC will evolve along with it. Compliance with DoD requirements must remain current, but shifting priorities can make this challenging. In-house teams must stay up to date with CMMC changes and be ready to update systems and policies accordingly.
- Third-party assessments
While Level 1 assessments can be self-conducted, most Level 2 assessments must be done by an authorized C3PAO. Readiness checks should be ongoing, and organizations must shore up any gaps or fix issues in advance of the audit to improve their chances of success.
While none of these challenges are insurmountable, they underscore the need for third-party expertise to ensure all critical variables are considered.
Essendis supports companies in obtaining CMMC Level 2 compliance, simplifying the process and ensuring stakeholders have the information and knowledge they need to achieve a sustainable result.
Start your CMMC Level 2 journey with Essendis: Connect with an expert today.