The aim of the CMMC is to measure a DIB sector company’s ability to protect FCI and CUI. In addition, the CMMC combines several existing cybersecurity standards in order to map best practices and processes to maturity levels (described further below), including NIST SP 800-171 rev 1, Draft NIST SP 800-171B, the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight.
The CMMC also adds a certification element as part of the framework to verify implementation of cybersecurity requirements, and to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain.
The Draft CMMC Version 0.4 was released for public review and comment in early September 2019, and Version 0.6 was released on 7 November 2019.
According to the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment (‘OUSD(A&S)’), Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.
See Appendix C: Glossary of the CMMC for a full list of definitions and key terminologies incorporated into the CMMC.
Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
Administrative Safeguards: Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Awareness: A learning process that sets the stage for training by changing individual and organisational attitudes to realise the importance of security and the adverse consequences of its failure.
Cybersecurity: Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Controlled Unclassified Information: Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Defense Industrial Base: The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Federal Contract Information: Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.
Organisation Seeking Certification: The company that is going through the CMMC assessment process to receive a level of certification for a given environment.
Personally Identifiable Information: Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
In addition to the CMMC itself, the OUSD(A&S) has released a series of FAQs regarding the CMMC, as well as the certification process.
CMMC Model Framework
The CMMC categorises cybersecurity best practices into 17 domains. Each domain is further broken down into a set of capabilities, which are achievements that ensure the objectives of that domain are met.
In addition, companies must demonstrate compliance with the required capabilities by showing adherence to practices and processes, which have been mapped across the five maturity levels. Companies will only be accredited under the CMMC if they can demonstrate compliance with the required practices for the given CMMC level.
Under the CMMC, adherence to processes and practices is cumulative: once a practice has been introduced at a certain level, organisations are required to implement it at every higher level as well. Similarly, to achieve a specific CMMC level, an organisation must meet both the practices and the processes of that level and all levels below it, across all domains of the model.
The following is a summary of each of the levels:
Level 1: Focuses on basic cyber hygiene. Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certified organisations. Not every domain within CMMC has Level 1 practices. At both this level and Level 2, organisations may be provided with FCI.
Level 2: Focuses on intermediate cyber hygiene, creating a maturity-based progression for organisations to step from Level 1 to Level 3, and introduces the process maturity dimension of the model. An organisation is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program.
Level 3: Organisations assessed at Level 3 have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organisations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 indicates a basic ability to protect and sustain an organisation’s assets and CUI; however, such organisations will have challenges defending against advanced persistent threats (‘APTs’). A CMMC Level 3 organisation is expected to adequately resource its activities and review them for adherence to policy and procedures, demonstrating management of practice implementation.
Level 4 and Level 5: At CMMC Levels 4 and 5, an organisation has a substantial and proactive cybersecurity program, and the capability to adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures in use by APTs. The organisation is expected to review and document activities for effectiveness, inform high-level management of any issues, and ensure that process implementation has been generally optimised across the organisation.
Each of the 17 domains listed below includes at least one capability, and each capability includes at least one practice at a specified level in the model.
- Access control;
- Asset management;
- Audit and accountability;
- Awareness and training;
- Configuration management;
- Identification and authentication;
- Incident response;
- Media protection;
- Personnel security;
- Physical protection;
- Risk management;
- Security assessment;
- Situational awareness;
- Systems and communications protection; and
- System and information integrity.
CMMC Process Maturity
Under the CMMC, process maturity is the extent to which practices are institutionalised at an organisation. The maturity processes listed below are expected to be performed by organisations at each of the CMMC maturity levels (‘ML’).
- ML 1: Performed: There are no maturity processes assessed at ML 1.
- ML 2: Documented:
  - Establish a policy that includes the relevant domain
  - Establish practices to implement the relevant domain policy
  - Establish a plan that includes the relevant domain
- ML 3: Managed:
  - Review the relevant domain’s activities for adherence to policy and practices
  - Provide adequate resources for the relevant domain’s activities
- ML 4: Reviewed:
  - Review and measure the relevant domain’s activities for effectiveness
  - Inform high-level management of any issues with the relevant domain’s activities
- ML 5: Optimised:
  - Standardise a documented approach for the relevant domain across all applicable organisational units
  - Share identified improvements to the relevant domain’s activities across the organisation
In its FAQs, the OUSD(A&S) has advised that organisations will coordinate directly with an accredited and independent third-party commercial certification organisation to request and schedule a CMMC assessment. Companies will specify the level of certification requested based on business requirements, and they will be awarded certification at the CMMC level at which they have demonstrated the appropriate capabilities and processes to the assessor and certifier.
Matters such as the duration of the certification and cost are still undergoing discussion.
Standards and Frameworks
The Cybersecurity Maturity Model Certification (‘CMMC’) is a framework currently being developed by the U.S. Department of Defense (‘DoD’) in response to an increase in risk regarding the sharing of Federal Contract Information (‘FCI’) and Controlled Unclassified Information (‘CUI’) with contractors of the Defense Industrial Base (‘DIB’) sector. All companies doing business with the DoD will need to obtain the CMMC, including subcontractors.
Last Updated: December 3, 2019