An Introduction to the Cybersecurity Maturity Model Certification (CMMC) insights.sei.cmu.edu
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is a foundational component of acquisition and that some contractors are trading security to benefit cost, schedule, and performance.
While there are two types of unclassified information, federal contract information (FCI) and controlled unclassified information (CUI), the chief concern is with CUI, which is sensitive information (such as contractor rates or architecture documents) that is not classified.
The U.S. National Archives and Records Administration (NARA) defines CUI as
information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies.
Before the development of CMMC, DIB organizations self-certified their compliance with NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and listed gaps on a Plan of Actions and Milestones (POA&M)
POA&Ms will not be allowed under CMMC. This is a significant change from the current DFAR since an organization will need to have all requirements implemented in order to work on contracts at that level.
In 2019, the SEI built the initial versions of the CMMC in collaboration with the Johns Hopkins University Applied Physics Laboratory, a university-affiliated research center.
CMMC currently defines 17 domains of technical capability, each with five levels of certification (L1 through L5) and specific practices. The DoD will require an organization to have CMMC Level 3 certification before it can receive CUI in any domain.
A total of 171 technical practices span the 17 capability domains. In addition, for each capability domain, there are five maturity processes, Maturity Level 1 (ML 1) through Maturity Level 5 (ML 5). To achieve a given CMMC level, an organization must demonstrate both the technical practices and maturity processes defined in that level
The majority of the practices (110 of 171) originate from the safeguarding requirements and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012.
Level 1 represents basic cyber hygiene, basic safeguarding requirements specified in 48 CFR 52.204-21 Level 2 consists of a subset of the security requirements specified in NIST SP 800-171, as well as practices from other standards and references. Level 3 focuses on the protection of CUI. Level 4 proactive activity and encompasses all of the security requirements specified in NIST SP 800‑171, as well as additional practices from other standards and references. Level 5 focuses on the protection of CUI from APTs.
ML 1 requires an organization to perform the specified practices. Documentation, unless specified directly in the practice, is not required at ML 1.
ML 2 requires an organization to establish and document practices within a domain.
ML 3 requires an organization to establish, maintain, and resource a plan for managing CMMC domain activities.
ML 4 requires an organization to review and measure practices for effectiveness. Organizations at this level must also take corrective actions when necessary and inform higher level management of status or issues on a recurring basis.
ML 5 requires a company to standardize and optimize process implementation throughout the organization,In addition, a company must communicate and share improvement information throughout the organization.
Process institutionalization is a key component of CMMC. It also represents one of the largest changes to how DIB companies currently assess compliance.