Level 2, also known as the Advanced level, is required of companies that store, process, or transmit Controlled Unclassified Information (CUI), and it sets a higher bar than Level 1 (Foundational). Level 2 establishes the minimum security threshold for any organization that handles CUI.
Level 2 consists of 110 security requirements (practices), which include the Level 1 practices. These requirements are drawn from National Institute of Standards and Technology (NIST) Special Publication 800-171 and are organized into the same 14 families as that publication, called domains in CMMC:
- Access Control (AC) – Limiting system and information access to authorized users, processes, and devices, and to the transactions and functions they are permitted to perform.
- Awareness and Training (AT) – Ensuring users understand the security risks of their activities and the policies and procedures that apply to their roles.
- Audit and Accountability (AU) – Creating, protecting, and retaining system audit logs so that events can be reconstructed and individual users held accountable for their actions.
- Configuration Management (CM) – Establishing and maintaining baseline configurations and inventories of systems, and controlling and documenting changes to them.
- Identification and Authentication (IA) – Identifying users, processes, and devices, and authenticating them before granting access to systems.
- Incident Response (IR) – Establishing an incident-handling capability that covers preparation, detection, analysis, containment, recovery, and reporting.
- Maintenance (MA) – Controlling and monitoring system maintenance activities, tools, and the personnel who perform them.
- Media Protection (MP) – Protecting, controlling, and sanitizing or destroying media (hard drives, USB devices, paper) that contain CUI.
- Personnel Security (PS) – Screening individuals before granting them access to CUI, and protecting systems and CUI when personnel are terminated or transferred.
- Physical Protection (PE) – Limiting physical access to systems, equipment, and the operating environments in which they reside.
- Risk Assessment (RA) – Periodically assessing risk to operations and assets, and scanning for and remediating vulnerabilities.
- Security Assessment (CA) – Assessing the effectiveness of security controls, maintaining plans of action for deficiencies, and continuously monitoring to ensure controls remain effective.
- System and Communications Protection (SC) – Monitoring and protecting communications at system boundaries, separating user functionality from system management, and using cryptography to protect CUI in transit.
- System and Information Integrity (SI) – Identifying and correcting system flaws, protecting against malicious code, and monitoring for attacks and indicators of compromise.