The U.S. Department of Defense (DoD) has published a new guide on cybersecurity standards, known as the Cybersecurity Maturity Model Certification (CMMC) version 1.0.

The CMMC model framework organizes processes and cybersecurity best practices into a set of domains. Practices are activities performed at each level for the domain include:

  1. Access Control (AC)
  2. Asset Management (AM)
  3. Awareness and Training (AT)
  4. Audit and Accountability (AU)
  5. Configuration Management (CM)
  6. Identification and Authentication (IA)
  7. Incident Response (IR)
  8. Maintenance (MA)
  9. Media Protection (MP)
  10. Personnel Security (PS)
  11. System and Information Integrity (SI)
  12. System and Communications Protection (SC)
  13. Situational Awareness (SA)
  14. Security Assessment (CA)
  15. Physical Protection (PE)
  16. Risk Management (RM)
  17. Recovery (RE)

CMMC Maturity Process Progression:

LEVEL 1 PERFORMED:  

  • Select practices are documented where required

LEVEL 2 DOCUMENTED: 

  • Each practice is documented, including Level 1 practices
  • A policy exists that includes all activities

LEVEL 3 MANAGED: 

  • Each practice is documented, including lower levels
  • A policy exists that cover all activities
  • A plan exists, is maintained, and resourced that includes all activities 

LEVEL 4 REVIEWED:

  • Each practice is documented, including lower levels 
  • A policy exists that covers all activities 
  • A plan exists that includes all activities 
  • Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management)

LEVEL 5 OPTIMIZING:

  • Each practice is documented, including lower levels 
  • A policy exists that covers all activities 
  • A plan exists that includes all activities* 
  • Activities are reviewed and measured for effectiveness 
  • There is a standardized, documented approach across all applicable organizational units

CMMC Practice Progression

LEVEL 1 BASIC CYBER HYGIENE: 17 practices

  • Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204- 21 

LEVEL 2 INTERMEDIATE CYBER HYGIENE: 72 practices

  • Comply with the FAR 
  • Includes a select subset of 48 practices from the NIST SP 800- 171 r1 
  • Includes an additional 7 practices to support intermediate cyber hygiene

LEVEL 3 GOOD CYBER HYGIENE: 130 practices

  • Comply with the FAR 
  • Encompasses all practices from NIST SP 800-171 r1
  • Includes an additional 20 practices to support good cyber hygiene

LEVEL 4 PROACTIVE: 156 practices

  • Comply with the FAR 
  • Encompasses all practices from NIST SP 800-171 r1
  • Includes a select subset of 11 practices from Draft NIST SP 800-171B 
  • Includes an additional 15 practices to demonstrate a proactive cybersecurity program

LEVEL 5 ADVANCED / PROGRESSIVE: 171 practices

  • Comply with the FAR 
  • Encompasses all practices from NIST SP 800-171 r1
  • Includes a select subset of 4 practices from Draft NIST SP 800-171B 
  • Includes an additional 11 practices to demonstrate an advanced cybersecurity program

The CMMC Model leverages multiple sources and references, including:

  1. CMMC Level 1 only addresses practices from FAR Clause 52.204-21
  2. CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others
  3. CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others
  4.  Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model

Ellen Lord, the Under Secretary of Defense for acquisition and sustainment, said, “Obviously this is a complicated rollout for industry, and we’re being realistic in terms of making sure we have pathfinder projects that we’ll implement, and then learn, get the feedback and go on. This is a critical cornerstone of the department’s overall cybersecurity effort, and we believe we are doing this with what I would call irreversible momentum. We want to make sure that this works and that it is sustained.”

Lord also noted that, “Adversaries know that in today’s great power competition environment, information and technology are both key cornerstones [of national security] and attacking a sub-tier supplier is far more appealing than a prime.”