What you should understand about CMMC...
Organizations that currently comply with National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 1 (NIST SP 800-171 R1) are well-positioned to receive their CMMC Level 3 certification from an approved third-party assessor. NIST SP 800-171 R1’s 110 security controls (practices) and 14 control families (domains) form the foundation for Level 3. Organizations must account for an additional 21 practices and 3 domains (asset management, recovery, and situational awareness). They also must be able to demonstrate an appropriate level of process maturity to maintain good cyber hygiene (review activities for adherence to policies and practices, and provide adequate resources to conduct the reviews and respond accordingly). The additional practices – derived from sources including ISO 27001, the Center for Internet Security (CIS) Controls, and the Software Engineering Institute’s CERT Resilience Management Model – support capabilities such as CUI labeling and handling, risk assessment and mitigation, network and system monitoring, software code reviews, and email protection.
The following graphic illustrates how CMMC v1.0 compares to its predecessors and NIST SP 800-171 R1 for Levels 1-3, along with notable practices required at each level.
Adherence to CMMC processes and practices is cumulative. Once a practice is introduced in a level, it is a required practice for all levels above as well. For an organization to achieve Level 3, all the practices and processes defined in Levels 1, 2, and 3 must be achieved. Similarly, to achieve a specific level of CMMC, an organization must meet both the practices and processes within that level and below across all the domains of the model.
The release of CMMC v1.0 makes it crystal clear that the DoD intends to adhere to its aggressive implementation timeline, and it will not compromise with respect to the core cybersecurity practices and processes that protect FCI and CUI from the exfiltration that costs taxpayers hundreds of billions of dollars and places national security at risk. However, v0.7 also reduces the burden and offers significant assistance to suppliers who were not subject to NIST SP 800-171 R1 requirements and only need CMMC Level 1 or 2 certification. And v0.7 streamlines the path to CMMC Level 3 certification for those companies that already should be NIST SP 800-171 R1-compliant.
- CMMC is the Cybersecurity Maturity Model Certification
- Combines various cybersecurity standards and best practices
- Maps these practices and processes across several maturity levels that rank from basic cyber hygiene to advanced
- Each level and its associated requirements, when implemented, reduce risk against a specific set of cyber threats
- The CMMC builds upon the existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements
- The intent is for certified independent third-party organizations to conduct audits and inform risk
- CMMC is a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).