{"id":1796,"date":"2020-07-20T17:13:29","date_gmt":"2020-07-20T17:13:29","guid":{"rendered":"http:\/\/72.52.228.46\/~itegriti\/?p=1796"},"modified":"2021-04-12T05:29:09","modified_gmt":"2021-04-12T05:29:09","slug":"cybersecurity-maturity-model-certification-cmmc","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2020\/compliance\/cybersecurity-maturity-model-certification-cmmc\/","title":{"rendered":"What is the Cybersecurity Maturity Model Certification (CMMC)?"},"content":{"rendered":"

In January 2020, the U.S. Department of Defense (DoD) released the latest version of its Cybersecurity Maturity Model Certification<\/a> (CMMC).<\/p>\n

CMMC in a Nutshell<\/h2>\n

The CMMC is a certification procedure developed by the Department of Defense (DoD) to certify that DoD contractors have the controls to protect sensitive data including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).\u00a0 The CMMC Model is based on the best-practices of different cybersecurity standards including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 and others into one cohesive standard for cybersecurity.<\/p>\n

Why is CMMC Required?<\/h2>\n

In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M)<\/a>\u00a0in response to DFARS 252.204-7012<\/a>. This request from contracting authorities was often post-award, and several companies<\/a> received severe penalties through the False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts.<\/p>\n

In addition, in 2018 MITRE had released the report entitled “<\/a>Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War”<\/a> which assesses the state of cybersecurity of the Defense Industrial Base (DIB). According to the report, most government contractors were not meeting the requirements of DFARS 252.204-7012, and many more did not have the understanding or means to meet the regulations. Since the DIB sector consists of over 300.000 companies that support the defense industry and contribute towards the research, engineering, development, acquisition, production, sustainment, and operations of DoD systems, networks, capabilities and services, the loss of intellectual property may pose an increased risk to national security.<\/p>\n

Further, according to a presentation<\/a> by Katie Arlington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, the vast majority of contractors have not implemented the requirements of the NIST SP 800-171 within their information systems. It was therefore apparent that a fourth element should be included in the acquisition process: security. CMMC addresses the DoD’s intent to make security the foundation of the preexisting acquisition criteria (cost, performance, and schedule).<\/p>\n

The CMMC in Greater Detail<\/h2>\n

The CMMC model measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats. The model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards and frameworks. The model framework organizes these processes and practices into a set of domains and maps them across five levels of maturity. To provide additional structure, the framework also aligns the practices to a set of capabilities within each domain.<\/p>\n

\"\"<\/p>\n

Figure 1: CMMC Model Hierarchical View. Source: CMMC Model, version 1.0<\/em><\/p>\n

Processes and Practices<\/h2>\n

Process maturity or process institutionalization characterizes the extent to which an activity is embedded in the operations of an organization. The more deeply ingrained an activity, the more likely it is that the organization will continue to perform the activity \u2013including under times of stress \u2013and that the outcomes will be consistent, repeatable and of high quality.<\/p>\n

On the other hand, practices are activities performed at each level for the domain. The model consists of 171 practices mapped across the five levels for all capabilities and domains.<\/p>\n

Levels and Domains<\/h2>\n

The CMMC model measures cybersecurity maturity at five levels. Each of these levels consists of a set of processes and practices, as depicted in Figure 2 below. The CMMC levels and the associated sets of processes and practices across domains are cumulative. This means that for an organization to achieve a specific CMMC level it must also demonstrate achievement of the preceding levels.<\/p>\n

\"\"<\/p>\n

Figure 2: CMMC Levels. Source: CMMC Model, version 1.0<\/em><\/p>\n

Further, the contractor must demonstrate both the institutionalization of processes and the implementation of practices for the specified CMMC level in order to be certified for that level. Otherwise, the organization will be certified at the lower of the two levels where both requirements are met.<\/p>\n

The CMMC model provides a means of improving the alignment of maturity processes and cybersecurity practices with the type and sensitivity of the information to be protected and the associated threats. As a result, CMMC levels focus on:<\/p>\n