Man designing a cybersecurity program.

Preparing for CMMC Level 2 Changes

As we are nearing the end of the CMMC Proposed rule comment period, I look at the Level 2 changes made in the document.  We are entering another waiting period while the comments are being reviewed and the changes made.  I don’t anticipate a lengthy wait, as the DOD is eager to get the CMMC up and running.

History in short

The Cybersecurity Maturity Model Certification, or CMMC, directly correlates to U.S. Defense Industrial Base (DIB) supply chain management.  The CMMC project was developed by the Office of the Under Secretary of Defense and was known as “CMMC 1.0.”

Beginning in 2021, the DoD will begin work on “CMMC 2.0” and release the updated framework by the end of 2021. One of the drivers for CMMC 2.0 was to make the framework more accessible for small organizations. Many small businesses that contract with the DoD found themselves unable to meet the regulations of CMMC 1.0, resulting in the updates.

DoD officially submitted the latest CMMC rule to the OIRA on 24 July 2023, and on 26 December 2023, it was released as a proposed rule, with 60 days for comments to be submitted.

Level 1 is the lowest level of certification and is based on FAR 54. 204- 21 (Basic safeguarding of covered contractor information systems), authoritative document.  Level 2 is based on NIST SP 800-171, AND Level 3 is on NIST SP 800-172.

Changes Ahead

Changes by Regulation

1. Access Control (AC)

There are 110 controls for Level 2.  There is a significant number of changes, so listing every single one of them would make for a very lengthy document.  I will attempt to discuss the biggest changes here.

One of the most obvious changes is substituting the word “contractor” for “OSC,” Organization seeking Certification.  Just as with Level 1, the most significant changes happened to the further discussion areas and the example areas of the regulation.

Another wording change is from using the word “practice” to using the word “regulation.” I have not pointed out this change in every control in this blog.

Looking at the first practice: Access Control, the AC. L2-3.1.4 Separation of Duties, and AC. L2-3.1.9 Privacy & Security Notices control, had no changes made to it.

The following had changes made to the further discussion field:

  • L2-3.1.13 Remote Access Confidentiality
  • L2-3.1.17 Wireless Access Protection
  • L2-3.1.18 Mobile Device Connection

All the rest of the controls in this Access Control regulation had changes made to the example field.

2. Awareness and Training (AT)

Awareness and Control has three regulations. The only one with changes to the wording is AT. L2-3.2.1 Role-Based Risk Awareness, where a small change was made to the wording in the “Example” field.

3. Audit and Accountability (AU)

AU. L2-3.3.1 System Auditing and AU. L2-3.3.5 Audit Correlation was not changed.  The other seven regulations had changes made to the example fields.  Many of these include adding a word to make the example clearer.

4. Configuration Management (CM)

In the CM. L2-3.4.2 Security Configuration Enforcement regulation, the example sentence was changed to include the wording” including those that store, process and transmit CUI.”

CM. L2-3.4.3 System Change Management now  “including those that process CUI” in the Further Discussion field.

5. Identification and Authentication (IA)

Only one change occurred in this regulation.  In IA. L2-3.5.3 Multifactor Authentication, the objective was changed as follows.  The sentence “Multifactor authentication is not required for access to mobile devices such as smartphones or tablets – which are not considered network devices or information systems” was changed to “If a mobile device is used to access a system or application containing CUI, multi-factor authentication is required. “   

6. Incident Response (IR)

Incident Response has a total of three regulations. There have been no changes made to any of these apart from the change from “contractor” to “OSC” and the change from “practice” to “regulation.”

7. Maintenance (MA)

Like the Incident Response regulation there has only been one change in this group of regulations.  This is seen in MA. L2-3.7.5 Non-local Maintenance.  In the Discussion field the words “This practice, MA. L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions and complements five other practices dealing with remote access” have been changed to “This requirement, MA. L2-3.7.5 specifies the addition of multifactor authentication for remote maintenance sessions and complements five other requirements dealing with remote access.”

8. Media Protection (MP)

Very few changes took place in this group, too. In MP. L2-3.8.5 Media Accountability, under the “Further Discussion” field, the sentence “Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC. L2-3.13.11” was added and aims to clarify the discussion.

9. Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA) and System and Information Integrity (SI)

No changes were made to regulations regarding Personnel Security, Physical Protection, Risk Assessment, or System and Information Integrity.

10. Security Assessment (CA)

This is one of the requirement groups where only one change surfaced. In the CA. L2-3.12.1 Security Control Assessment, only one word changed. In the “Further Discussion” field, the word “Required” was changed to “mandated.”

11. System and Communications Protection (SC)

System Communication Protection saw two changes made.  SC. L2-3.13.8 Data in Transit had the “Further Discussion” field reduced.  SC. L2-3.13.11 CUI Encryption also had a change made to the “Further Discussion” field, and similar to the System Communication protection regulation, it has been reduced.  SC. L2-3.13.16 Data at Rest had some sentences reconstructed in the “Further Discussion” field.


There are only minor changes in CMMC Level 2.  However, one of the most significant changes is not in the Level 2 requirements.  It lies in the fact that a Level 2 self-assessment will be permitted under certain circumstances.  For all level 2 assessments, you must have 67% of the ” MET ” assessment objectives.  These objectives are not allowed to have POA&M.
In addition, your minimum allowed score is 88 out of 110. Any less than that, and you would not be allowed a POA&M period. Once the 180 days for the POA&M are over, a score of “met” on all items is mandatory.
Dealings with the DOD will need to be looked at carefully, and when in doubt, an external assessor should be called in to assist.  The accusation will win contracts if you have a good reputation without the possibility of getting into a False Claims Act.

Have you missed the Level 1 changes?

How to prepare.

Start with a Level 1 GAP assessment.

Subscribe to keep up to date.

Similar Posts