CMMC Series: Tier Two Overview

CMMC Series: Tier Two Overview

This is the third week of our Cybersecurity Maturity Model Certification (CMMC) Series. You can find week one, which was a look at what’s happening with CMMC in 2022 here. Last week, we gave you an overview of tier one which you can review here.

Tier one in CMMC really covers the basic foundational steps you must take to move on to tier two and tier three. For some contractors, tier one will be enough to keep and maintain compliance with their Department of Defense (DoD) contracts. Every situation is unique, but broadly speaking if you don’t handle Controlled Unclassified Information (CUI) in your business – tier one will probably be the extent that you need to reach.

If you do handle any CUI data, then we recommend you strive towards tier two or tier three. Many of the protections that come in the later tiers specifically cover how to safeguard this data and it’s in your businesses best interest to meet the requirements. While there are no direct financial penalties at the time of writing for not doing so, the DoD is considering a system of rewarding businesses who achieve greater CMMC maturity levels.

If you and another business are exactly the same in what you do and, in your pricing, - or even if their pricing is a bit higher than yours - if they have achieved tier three cybersecurity maturity model certification and your business is tier one or not certified at all yet, it’s likely your competitor will win the bid.

So, what goes into reaching tier two in CMMC?

Tier two is the next milestone within CMMC, and the difficulty does scale considerably with each level. While tier one had 17 provisions, tier two introduces 55 more for a total of 72 practices you’ll need to cover to meet the requirements (the practices are cumulative).

In addition to more practices tier two also introduces new domains.

First there is Access Control, tier two access control looks to limit access to who can log into your organizations systems (and how much they can access when they do).

Next is Awareness and Training, in tier two you will need to make sure your managers, administrators and anyone else you who would have access to sensitive systems is attending regular cybersecurity training.

In Audit and Accountability, we look to maintain logs of user activity for review.

Security Assessment is where we really begin to see accountability being held on organizations, you will need to conduct regular assessments as you work towards your cybersecurity goals and develop cybersecurity plans based on the assessment results.

Configuration Management covers the need to manage the configurations of your office devices and equipment with cybersecurity best practices in mind.

Identification and Authentication is similar to access control, but it specifically looks to limit sensitive systems to only those who should have authorization to access them.

While tier one in CMMC only covered the basics and didn’t address what happens when you have a cyber incident, tier two starts to cover that with the Incident Response control.

The Maintenance control in tier two actually refers to your devices and how you maintain them, and what you will need to do in case of their failure.

Media Protection in tier two covers specific provisions around the handling and destruction of removable media, such as flash drives.

We started looking at Physical Protection in tier one by keeping visitor logs, but tier two asks that you actually begin to escort guests through your facilities and screening personnel.

Tier one surprisingly doesn’t ask that you backup your data (even though we would always recommend that) – in tier two Recovery you must have a plan for backing up your data.

In tier two Risk Management, CMMC asks that you begin to conduct risk assessments and fix any vulnerabilities that are uncovered during the process.

Systems and Communications Protection in tier two includes controlling communications within your organization, not just monitoring them.

Finally, the System and Information Integrity domain covers actively monitoring your systems for breaches and quickly resolving any that come up.

As you can see, CMMC maturity tier two dives into the deep end of cybersecurity, but the provisions it covers will make a discernible impact in your cyber readiness throughout your entire business.

Does your business need to meet the requirements for being certified with CMMC? Valley Techlogic can help, we have experience helping DoD contracted businesses reach their cybersecurity and CMMC goals, as well as helping with the certification process itself. Learn more today in a free consultation.

Looking for more to read? We suggest these other articles from our site.

This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at or on Facebook at . Follow us on Twitter at