CMMC – an overview of the US Department of Defense framework
The Cybersecurity Maturity Model Certification (CMMC) is a US initiative led by the Office of the Assistant Secretary of Defense for Acquisition within the Department of Defense (DoD). It imposes requirements on DoD contractors and subcontractors to help safeguard information within the US defense supply chain.
This blog post is the first in a series looking at CMMC. It gives an overview of the framework and provides some initial observations to help suppliers.
The framework encompasses five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to state the required CMMC level in sections L and M of each RFP and to use it as a “go / no go” decision when selecting suppliers.
When does CMMC become effective?
Version 1.0 of CMMC became available in January 2020. From June 2020, it will begin to appear in Requests for Information. The new certification won’t be required for any contracts already signed, only new ones. The first solicitations mandating the framework are due to come out in the third quarter of 2020. Because many contracts run for five years, it will take some time to bring all contractors into compliance.
How CMMC affects entities that must comply
Until now, suppliers who handle Controlled Unclassified Information (CUI) have self-certified their compliance with NIST SP 800-171. The introduction of CMMC represents a step change in requirements: most suppliers will need their compliance assessed and certified by a third-party auditor rather than attesting to it themselves.
The CMMC framework provides a means of improving the maturity of processes and practices, scaled to the type and sensitivity of the information to be protected and the range of threats against it. There are five maturity levels that organisations can be certified against:
CMMC Maturity Levels
Suppliers looking to achieve Maturity Level 2 and above need to undertake an audit and obtain certification from a third-party auditor that their processes and practices are in place and operating as the framework requires. It is worth noting, however, that the big step change comes when moving up to Maturity Level 3: the cumulative number of practices rises from 17 at Level 1 to 72 at Level 2 and 130 at Level 3, the level at which all 110 security requirements of NIST SP 800-171 are covered.
Structure
The CMMC framework’s capabilities, processes and practices are organised into a set of domains. The 17 domains are shown below:
CMMC Domains
CMMC Version 1.0 contains 43 capabilities and 171 practices. The framework maps these capabilities and practices across the five maturity levels, as per the excerpt below.
Excerpt from CMMC Model v1.0 Appendices
The framework is cumulative, which means that in order to achieve a desired maturity level, an organisation must also demonstrate achievement of all preceding lower levels. The full, latest table of requirements can be found on the official site: https://www.acq.osd.mil/cmmc/about-us.html
Next steps – looking at the history of maturity models
In this post, we’ve given an overview of CMMC to help suppliers understand the requirements. In the next post, we’ll look at the history of how CMMC came about and why adopting a maturity model like this matters for continually improving an organisation’s security posture. In future posts we will look at a selection of domains and follow the progression of maturity from the lowest to the highest level, providing context and examples of how you can fulfil the capabilities and practices.