CMMC Levels Compliance Matrix for Orange County Defense Contractors

Limit System Access to Authorized Users

Restrict information system access to authorized users, processes acting on their behalf, and authorized devices. This is one of the 15 basic FAR 52.204-21 safeguards that applies even at the entry level.

Multi-Factor Authentication for CUI Systems

Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Required once a contractor handles CUI under NIST SP 800-171.

Separate Authentication for Critical Systems

Employ additional authentication and identity controls for the most sensitive systems, drawn from the NIST SP 800-172 enhanced requirements that distinguish Level 3 from Level 2.

Identify CUI and Its System Locations

Inventory where CUI is stored, processed, and transmitted, and define the assessment scope accordingly. Scoping is the first step in any Level 2 assessment and drives how the rest of the matrix applies.

Encrypt CUI at Rest and in Transit

Protect the confidentiality of CUI using FIPS-validated cryptography when stored on servers, endpoints, and backups, and when transmitted across networks. Validated modules, not just any encryption, are expected.

Limit Information on Public Systems

Control information posted or processed on publicly accessible systems so that FCI is not exposed. This basic safeguard appears at Level 1 and carries through every higher level.

Create and Retain Audit Logs

Create, protect, and retain system audit records sufficient to monitor, analyze, investigate, and report unlawful or unauthorized activity. Logs must be reviewed and tied to individual users.

Correlate Audit Data Across the Enterprise

Correlate and analyze audit information across the environment to detect advanced persistent threats, an enhanced expectation from NIST SP 800-172 reserved for Level 3 programs.

Update Malicious Code Protection

Provide protection from malicious code at designated locations and update protection mechanisms as new releases become available. Required at the basic level under FAR 52.204-21.

Vulnerability Scanning and Remediation

Periodically scan systems and applications for vulnerabilities and remediate findings within defined timelines based on risk. Expected once CUI is in scope under NIST SP 800-171.

Incident Handling and Reporting

Establish an incident handling capability that includes preparation, detection, analysis, containment, recovery, and reporting. DFARS 252.204-7012 also requires reporting cyber incidents to DoD within 72 hours.

System Security Plan (SSP)

Develop and maintain a System Security Plan that describes system boundaries, environment of operation, how requirements are implemented, and the relationships with other systems. A current SSP is mandatory for a Level 2 assessment.

Plan of Action and Milestones (POA&M)

Document a POA&M for any requirement not yet fully met. CMMC allows conditional certification with a limited POA&M that must be closed within 180 days for eligible controls.

Annual NIST SP 800-171 Self-Assessment Score in SPRS

Submit a current NIST SP 800-171 assessment score to the Supplier Performance Risk System (SPRS). DFARS 252.204-7019 and 7020 require this for contracts involving CUI, separate from the third-party assessment.

Third-Party Assessment by a C3PAO

Undergo an assessment by a CMMC Third-Party Assessment Organization (C3PAO) for most Level 2 contracts, while Level 1 allows annual self-assessment with an executive affirmation.

Government-Led Assessment

Pass an assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on top of the Level 2 requirements. This government-led review is unique to Level 3.

Security Awareness and Role-Based Training

Ensure managers, administrators, and users are trained on security risks and their responsibilities, including role-based training for those with significant security duties. Required once CUI is handled.

Boundary Protection and Network Segmentation

Monitor and control communications at external boundaries and key internal boundaries, and separate CUI systems from general-purpose networks to reduce assessment scope.