U.S. Department of Defense Publishes New Cybersecurity Standards

February 7, 2020

The U.S. Department of Defense (DoD) has published a new guide on cybersecurity standards, known as the Cybersecurity Maturity Model Certification (CMMC) version 1.0.

The CMMC model framework organizes processes and cybersecurity best practices into a set of domains. Practices are activities performed at each level for the domain include:

Access Control (AC)
Asset Management (AM)
Awareness and Training (AT)
Audit and Accountability (AU)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
System and Information Integrity (SI)
System and Communications Protection (SC)
Situational Awareness (SA)
Security Assessment (CA)
Physical Protection (PE)
Risk Management (RM)
Recovery (RE)

CMMC Maturity Process Progression:

LEVEL 1 PERFORMED:

Select practices are documented where required

LEVEL 2 DOCUMENTED:

Each practice is documented, including Level 1 practices
A policy exists that includes all activities

LEVEL 3 MANAGED:

Each practice is documented, including lower levels
A policy exists that cover all activities
A plan exists, is maintained, and resourced that includes all activities

LEVEL 4 REVIEWED:

Each practice is documented, including lower levels
A policy exists that covers all activities
A plan exists that includes all activities
Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management)

LEVEL 5 OPTIMIZING:

Each practice is documented, including lower levels
A policy exists that covers all activities
A plan exists that includes all activities*
Activities are reviewed and measured for effectiveness
There is a standardized, documented approach across all applicable organizational units

CMMC Practice Progression

LEVEL 1 BASIC CYBER HYGIENE: 17 practices

Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204- 21

LEVEL 2 INTERMEDIATE CYBER HYGIENE: 72 practices

Comply with the FAR
Includes a select subset of 48 practices from the NIST SP 800- 171 r1
Includes an additional 7 practices to support intermediate cyber hygiene

LEVEL 3 GOOD CYBER HYGIENE: 130 practices

Comply with the FAR
Encompasses all practices from NIST SP 800-171 r1
Includes an additional 20 practices to support good cyber hygiene

LEVEL 4 PROACTIVE: 156 practices

Comply with the FAR
Encompasses all practices from NIST SP 800-171 r1
Includes a select subset of 11 practices from Draft NIST SP 800-171B
Includes an additional 15 practices to demonstrate a proactive cybersecurity program

LEVEL 5 ADVANCED / PROGRESSIVE: 171 practices

Comply with the FAR
Encompasses all practices from NIST SP 800-171 r1
Includes a select subset of 4 practices from Draft NIST SP 800-171B
Includes an additional 11 practices to demonstrate an advanced cybersecurity program

The CMMC Model leverages multiple sources and references, including:

CMMC Level 1 only addresses practices from FAR Clause 52.204-21
CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others
CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others
Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model

Ellen Lord, the Under Secretary of Defense for acquisition and sustainment, said, “Obviously this is a complicated rollout for industry, and we’re being realistic in terms of making sure we have pathfinder projects that we’ll implement, and then learn, get the feedback and go on. This is a critical cornerstone of the department’s overall cybersecurity effort, and we believe we are doing this with what I would call irreversible momentum. We want to make sure that this works and that it is sustained.”

Lord also noted that, “Adversaries know that in today’s great power competition environment, information and technology are both key cornerstones [of national security] and attacking a sub-tier supplier is far more appealing than a prime.”

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

U.S. Department of Defense Publishes New Cybersecurity Standards

Related Articles

Related Products

Related Events

Report Abusive Comment