The Cybersecurity Maturity Model Certification (CMMC) assessment is a mandatory component for organizations and Department of Defense contractors bidding on a contract or subcontract to do business with the Department of Defense (DoD), which includes requests for proposals (RFPs) and requests for information (RFIs). The CMMC framework adds a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the DoD that a Defense Industrial Base (DIB) contractor can adequately protect Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.
The CMMC, drafted by the DoD, is a new standard that leverages the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations as well as other cybersecurity best practices.
As part of multiple lines of effort focused on the security and resiliency of the DIB sector, the DoD is working with industry to enhance the protection of the following types of unclassified information:
- Federal Contract Information (FCI) – information provided by or generated for the Government under contract not intended for public release.
- Controlled Unclassified Information (CUI) – information that requires safeguarding or dissemination of controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act Of 1954, as amended.
A key difference between NIST SP 800-171 and the CMMC is the removal of a self-attestation component. Organizations will coordinate with accredited independent third parties to request a CMMC assessment and will obtain the maturity level based on the ability to demonstrate the appropriate capabilities.
There are five CMMC certification levels or maturity levels that assessors will leverage:
CMMC Requirements and CMMC Levels
Level 1 – Basic Cyber Hygiene: Basic cybersecurity appropriate for small companies. This level focuses on the protection of Federal Contract Information (FCI). Processes are performed.
Level 2 – Intermediate Cyber Hygiene: Contains universally accepted cybersecurity best practices. This level serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Processes are documented.
Level 3 – Good Cyber Hygiene: Includes coverage of all NIST SP 800-171 controls and additional CMMC components. This level focuses on the protection of CUI. Processes are managed.
Level 4 – Proactive: Includes advanced and sophisticated cybersecurity practices and cybersecurity controls. This level focuses on the protection of CUI from advanced persistent threats (APTs) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. Processes are reviewed.
Level 5 – Advanced/Progressive: Includes highly advanced cybersecurity practices and cybersecurity standards. Similar to Level 4, Level 5 also focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities. This level requires an organization to standardize and optimize process implementation across the organization.
The CMMC framework contains similar domains to the NIST 800-171 and the security-related areas of Federal Information Processing Standards (FIPS), with several additions:
- Asset Management
- Situational Awareness
The Department of Defense is migrating to the new CMMC framework to assess and boost the cybersecurity posture of the Defense Industrial Base (DIB). Version 1.0 of the CMMC was released on January 31, 2020 and it’s estimated that by June 2020, the industry will start to see the CMMC requirements in RFPs.
Additional DoD and DIB Sector Cybercrime Information
The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017.
Malicious cyber actors have targeted, and continue to target the DIB sector and the supply chain of the DoD. According to Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC, the DIB sector consists of over 300,000 companies that support the warfighter and contribute towards the research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation as well as significantly increase risk to national security. Hence, adhering to the CMMC is a vital aspect of our overall national security.