CMMC Draft v0.4 Released
Today the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) for stakeholder feedback. The CMMC vision is to be a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).
Version 1.0 of the CMMC framework will be released in January 2020 to support training requirements. In June 2020, industry should begin to see CMMC requirements appear in Requests for Information (RFIs), and it is anticipated that CMMC certification will be required before responding to Requests for Proposals (RFPs) by September 2020.
CMMC combines various cybersecurity standards and “best practices” and maps these practices and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given level, the associated practices and processes, when implemented, will reduce risk against a specific set of cyber threats.
Building on the existing DFARS 252.204-7012 requirements, the CMMC is based on National Institute of Standards and Technology (NIST) Special Publication 800-171, adding a verification component in which third-party organizations audit and certify companies. The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower maturity levels.
The draft version is being released to allow industry an opportunity to provide feedback. DoD is requesting feedback on the following:
What do you recommend removing or de-prioritizing to simplify the model and why?
Which elements provide high value to your organization?
Which practices would you move or cross-reference between levels or domains?
In preparation for the pending easy-to-use assessment guidance, what recommendations might you have to clarify practices and processes?
So what is the CMMC Framework?
The CMMC Model Framework consists of 18 domains, based on cybersecurity “best practices.” The CMMC domains roughly follow the NIST SP 800-53 rev4 control families, with a few minor differences. (Notably, they do not follow the families listed in the draft NIST SP 800-53 rev5, which is also currently out for public comment.) Each domain is composed of capabilities. Bottom line for those familiar with NIST: Domains = Families.
The capabilities are akin to the security controls contained in NIST SP 800-53 and NIST SP 800-171. Capabilities are composed of practices and processes, which are mapped to CMMC Levels 1 through 5. NIST translation: Capabilities = Controls.
Practices are the activities performed at each level within a domain. Processes describe how mature the institutionalization of those practices is. For example, a practice may be to limit unsuccessful login attempts; the corresponding process is the level at which that practice is implemented, documented, maintained and enforced. NIST translation: Practices = Control Enhancements; Processes = Policies, System Security Plans and Plans of Action and Milestones (POA&Ms).
The draft practices and processes are listed in CMMC v0.4 and available on the OUSD(A&S) website. An overview of the levels is provided below:
All companies doing business with, or providing a product or service to, the DoD will have to meet Level 1 requirements. The required maturity level increases with the sensitivity of the information, service or product provided. Companies handling CUI will be required to obtain Level 3 certification, and companies with more sensitive dealings with the DoD will be required to certify at a higher level.
Stay tuned for our next blog post where we'll dig into Maturity Level 1 requirements. Will your company be able to obtain a certification?