Posted on:

What is the Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's (DoD) newest verification system designed to ensure that cybersecurity practices are adequately protecting Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIB) systems and networks. As early as end of 2020, some new DoD contracts will be required to get CMM Certified to the level required as stated in the RFP.

Talk With A CMMC Expert

The CMMC Framework 

The CMMC Framework will include five cumulative certification levels.  

CMMC Maturity Levels

As of the 1.0 release, here is a Level by Level breakdown of the requirements going beyond or outside NIST 800-171B.

Talk With A CMMC Expert

Level 1 – Basic Cyber Hygiene:

Includes basic cybersecurity appropriate for organizations utilizing a subset of universally accepted standard practices, at least in an ad hoc manner. This level has 17 security practices that must be successfully implemented.

The Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certified organizations. Every domain within CMMC has Level 1 practices. At both this level and Level 2, organizations may be provided with Federal Contract Information (FCI). FCI is information not intended for public release. FCI is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1, and therefore, a CMMC Level 1 organization may have limited or inconsistent cybersecurity maturity processes.

Level 2 – Intermediate Cyber Hygiene: 

At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program. Practices at this level would be documented, and access to CUI data will require multi-factor authentication. This level includes an additional 55 security practices beyond that of Level 1.

Level 2 serves as a progression from Level 1 to Level 3. This more advanced set of practices gives the organization greater ability to both protect and sustain their assets against cyber threats as compared to Level 1. CMMC Level 2 also introduces the process maturity dimension of the model. 

Level 3 – Good Cyber Hygiene: 

An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 includes an additional 58 practices and indicates a basic ability to protect and sustain an organization's assets and CUI; however, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs). Note that organizations subject to DFARS clause 252.204-7012 will have to meet additional requirements such as incident reporting. For process maturity, a CMMC Level 3 organization is expected to adequately resource activities and review adherence to policy and procedures, demonstrating management of practice implementation

Level 4 – Proactive: 

At this level, an organization has advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, adequately resourced, and are improved regularly across the enterprise. The organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. In addition, the defensive responses operate at machine speed, and there is a comprehensive knowledge of all cyber assets. This level has an additional 26 practices beyond the first three Levels.

Level 5 – Advanced / Progressive:

Here, an organization has an advanced or progressive cybersecurity program with a demonstrated ability to optimize their cybersecurity capabilities in an effort to repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that process implementation has been standardized across the organization.

These are highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level requires an additional 15 practices.

Talk With A CMMC Expert

What is the CMMC Timeline? 

CMMC Timeline

The Certification 

Acquisition teams will begin explicitly stating which CMMC level (between 1 – 5) is required in the request for proposal (RFP). Each RFP will contain this requirement in sections L & M, and it will be a "go/no-go decision." There will not be a self-certification, however, defense industrial base (DIB) companies are encouraged to complete a self-assessment before scheduling a CMMC assessment. These certification levels will connote a degree of cybersecurity maturity similar to the audit of processes and compliance with those processes via the Capability Maturity Model Integration (CMMI) certification program.

Talk With A CMMC Expert

Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB)

The CMMC AB will oversee the training, quality, and administration of third-party assessment organizations. The CMMC AB consists of 15 individuals from industry, the cybersecurity community, and academia. Strict conflict of interest clauses will be integrated throughout a future memorandum of understanding (MOU) that will dictate the activities and influence these 15 individuals have over certifications and audits. The list of board members is as follows:

  1. Chairman, Ty Schieber, University of Virginia, Darden School Foundation
  2. Director, Akin Akinbosoye, Manufacturing x Digital (MxD)
  3. Director, Mark Berman, FutureFeed
  4. Director, Wayne Boline, Raytheon
  5. Director, Jeff Dalton, Broadsword Solutions
  6. Director, Nichole Dean, Accenture Federal Services
  7. Director, Regan Edens, DTC Global
  8. Director, James Goepel, Fathom Cyber, LLC
  9. Director, Chris Golden, Third-Party Risk Management
  10. Director, Karlton Johnson, Delaine Strategy Group, LLC
  11. Director, Richard H. 'Doc' Klodnicki, Aereti, Inc.
  12. Director, Valecia Maclin, Microsoft
  13. Director, Tim Rudolph, 3d Millennium Group
  14. Director, Ben Tchoubineh, Phoenix TS
  15. Director, John Weiler, IT Acquisition Advisory Council (IT-AAC)

How can you start to prepare? 

Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, made it very clear that there will be no trade-offs or fines associated with non-compliance. However, in order to win a contract or successfully rebid on a contract, you will need to pass the audit. It is critical to start with these necessary steps.

  1. If you haven't already done so, get a Systems Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in place. This was and will continue to be the starting place. 
  2. Configure your existing environment or build a new environment to NIST 800-171 r2 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
  3. Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with a Managed Service Provider (MSP).

Don't wait for the new guidelines to become effective, connect with our CMMC subject matter experts for a gap assessment and analysis now! 


Talk With A CMMC Expert

Categories: cmmc