What, exactly, is CMMC?


Per the Office of the Under Secretary of Defense for Acquisition & Sustainment, the Cybersecurity Maturity Model Certification (CMMC) is the unified cybersecurity standard for Department of Defense (DoD) acquisitions, intended to reduce the exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB). CMMC combines various cybersecurity standards and maps their best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices. The CMMC effort builds upon existing regulation, specifically 48 Code of Federal Regulations (CFR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.201-7012, and incorporates practices from multiple sources such as NIST SP 800-171 Rev 1 and Draft NIST SP 800-171B. CMMC also adds a certification element to verify the implementation of cybersecurity requirements. CMMC is designed to give the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow-down to subcontractors in a multi-tier supply chain. The current draft of this guidance is version 0.6.

What is the CMMC Model Framework?


The CMMC model framework consists of 18 domains based on cybersecurity best practices. Each domain contains cybersecurity capabilities, and each capability is comprised of one or more practices that are mapped to CMMC Level 1 through Level 5.

What are the 18 Domains?


  • Access Control
  • Asset Management
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Cybersecurity Governance
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Assessment
  • Security Assessment
  • Situational Awareness
  • System and Communications Protection
  • System and Information Integrity

What are the Levels 1 through 5?


Level 1 focuses on basic cyber hygiene and consists of the safeguarding requirements specified in 48 CFR 52.204-21. The Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certified organizations. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1; therefore, a CMMC Level 1 organization may have limited or inconsistent cybersecurity maturity.

Level 2 focuses on intermediate cyber hygiene, creating a maturity-based progression for organizations to step from Level 1 to Level 3. This more advanced set of practices gives the organization greater ability to both protect and sustain its assets against more cyber threats compared to Level 1. CMMC Level 2 also introduces the process maturity dimension of the model. At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program.

An organization at Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 indicates a basic ability to protect and sustain an organization's assets and CUI; however, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs). For process maturity, a CMMC Level 3 organization is expected to adequately resource and review activities for adherence to policy and procedures, demonstrating management of practice implementation.

Levels 4 and 5: At CMMC Levels 4 and 5, an organization has a substantial and proactive cybersecurity program. The organization has the capability to adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. For process maturity, the organization is expected to review and document activities for effectiveness, inform high-level management of any issues, and ensure that process implementation has been generally optimized across the organization. The updates to CMMC Levels 4-5 will be provided in the next public release.

What does all this mean to me?


If your company wants to continue to bid on or work on DoD contracts, it will need to be certified at the CMMC level specified within each contract opportunity.

What is the CMMC Schedule for Implementation?


  • CMMC Rev 1.0 is scheduled to be released in January 2020
  • The requirement will be included in Requests for Information (RFIs) in June 2020
  • The requirement will be included in Requests for Proposals (RFPs) in Fall 2020