The Cybersecurity Maturity Model Certification (CMMC) is a
new standard that has been developed by the U.S. Department of Defense (DoD) to
ensure that contractors and subcontractors who work with the DoD meet specific
cybersecurity standards.
The CMMC framework provides a comprehensive set of
cybersecurity standards and best practices that organizations must implement to
protect sensitive information, including Controlled Unclassified Information
(CUI) and Federal Contract Information (FCI). The CMMC model consists of five
levels of maturity, ranging from basic cyber hygiene practices to advanced
cybersecurity practices, with each level building upon the previous one.
To obtain certification, contractors and subcontractors must
undergo a third-party assessment by an organization authorized by the CMMC
Accreditation Body (AB). The assessment determines the organization's maturity
level and results in a certification at the level achieved.
The CMMC certification is required for all DoD contracts and subcontracts, and
failure to comply can result in the loss of business opportunities.
The CMMC is designed to enhance the cybersecurity posture of
the defense industrial base and ensure that contractors and subcontractors who
work with the DoD are taking adequate measures to safeguard sensitive
information.
The Cybersecurity Maturity Model Certification (CMMC) has
five levels, each with increasing requirements for cybersecurity controls and
practices.
Here is a brief overview of each level:
Level 1: Basic Cyber Hygiene - At this level, organizations
are expected to have basic cybersecurity practices in place and demonstrate
that they are following certain practices for protecting Federal Contract
Information (FCI).
Level 2: Intermediate Cyber Hygiene - At this level,
organizations are expected to establish and document practices and policies to
guide their implementation of cybersecurity controls to protect CUI.
Level 3: Good Cyber Hygiene - At this level, organizations
are expected to establish and maintain a set of robust and standardized
cybersecurity practices and demonstrate the ability to manage the
implementation of these practices to protect CUI.
Level 4: Proactive - At this level, organizations are
expected to have advanced cybersecurity practices in place to protect CUI from
advanced persistent threats (APTs) and other sophisticated attacks.
Level 5: Advanced/Progressive - At this level, organizations
are expected to have an advanced and comprehensive cybersecurity program in
place, with a focus on continuous improvement, monitoring, and adapting to
changing threats.
Each level builds upon the previous level, with an
increasing number of cybersecurity controls and practices required to achieve
higher maturity levels. Organizations must obtain the certification level
required for their specific DoD contract, with higher-level contracts requiring
higher levels of certification.
The Cybersecurity Maturity Model Certification (CMMC) is directly
related to the National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-171.
NIST SP 800-171 is a set of cybersecurity standards that was
developed to protect Controlled Unclassified Information (CUI) that is stored
or transmitted outside of federal systems. The standards require federal
contractors and subcontractors to implement specific cybersecurity controls to
protect CUI, and they apply to all non-federal organizations that process,
store or transmit CUI.
The CMMC builds upon NIST SP 800-171 by adding further
cybersecurity practices and controls that are necessary to protect CUI from
advanced persistent threats (APTs) and other sophisticated cyber-attacks. The
CMMC framework includes all the cybersecurity controls outlined in NIST SP
800-171 and adds controls at each of the five maturity levels.
In other words, while NIST SP 800-171 provides the minimum security
requirements for protecting CUI, the CMMC framework provides a more
comprehensive and tailored approach to cybersecurity that is designed
specifically for defense contractors and subcontractors. The CMMC certification
process also requires an assessment of the implementation and effectiveness of
the security controls, whereas NIST SP 800-171 only requires organizations to
self-attest to their compliance with the standards.