Infosys Public Services Advances Cybersecurity Posture with CMMC Level 2 Alignment
Infosys Public Services is advancing its cybersecurity posture in alignment with the U.S. Department of War (Department) Cybersecurity Maturity Model Certification (CMMC) framework, reinforcing its commitment to protecting sensitive government information and supporting the Defense Industrial Base (DIB).
The Department has established stringent cybersecurity requirements for contractors and service providers through the Defense Federal Acquisition Regulation Supplement (DFARS), including clauses such as DFARS 252.204-7012, 252.204-7019, 252.204-7021, and 252.204-7025. These requirements mandate the protection of Controlled Unclassified Information (CUI) through the implementation of controls defined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, with compliance verified under the CMMC framework.
As a longstanding and trusted partner within the DIB, Infosys Public Services is actively progressing toward CMMC Level 2 certification.
CMMC Level 2 Compliance Requirements
CMMC Level 2 requires organizations handling CUI to:
- Implement all 110 security controls defined in NIST SP 800-171;
- Perform self-assessments and report results in the Supplier Performance Risk System (SPRS);
- Undergo an independent assessment conducted by an authorized CMMC Third-Party Assessment Organization (C3PAO); and
- Maintain ongoing compliance through continuous monitoring, annual affirmations, and formal governance processes.
Demonstrated Readiness
As of the release date, Infosys Public Services has completed its CMMC Level 2 self-assessment, confirming the implementation and operational effectiveness of required security controls within its CUI environment. Key elements include:
- A comprehensive System Security Plan (SSP) outlining system boundaries, control implementation, and responsibilities
- Documented policies, procedures, and evidence aligned to CMMC Level 2 assessment objectives
- Integrated monitoring, logging, and governance processes to support continuous compliance
- Establishment of a dedicated Controlled Unclassified Information (CUI) enclave aligned with CMMC Level 2 scoping guidance and NIST SP 800-171 requirements. This enclave provides a secure, logically isolated environment for storing, processing, and protecting CUI, with clearly defined system boundaries, controlled access mechanisms, and continuously monitored data flows.
C3PAO Independent Assessment
With an audit-ready cybersecurity posture, Infosys Public Services is preparing for independent validation through an authorized CMMC Third-Party Assessment Organization (C3PAO), in alignment with evolving DIB requirements. Following attainment of CMMC Level 2 status, Infosys Public Services will reinforce its position as a trusted partner within the DIB with a robust and agile cybersecurity posture.