Home » U.S. Department of Defense Publishes New Cybersecurity Standards

Cyber Security NewsCyberSecurity Newswire

U.S. Department of Defense Publishes New Cybersecurity Standards

February 7, 2020

The U.S. Department of Defense (DoD) has published a new guide on cybersecurity standards, known as the Cybersecurity Maturity Model Certification (CMMC) version 1.0.

The CMMC model framework organizes processes and cybersecurity best practices into a set of domains. Practices are activities performed at each level for the domain include:

Access Control (AC)
Asset Management (AM)
Awareness and Training (AT)
Audit and Accountability (AU)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
System and Information Integrity (SI)
System and Communications Protection (SC)
Situational Awareness (SA)
Security Assessment (CA)
Physical Protection (PE)
Risk Management (RM)
Recovery (RE)

CMMC Maturity Process Progression:

LEVEL 1 PERFORMED:

Select practices are documented where required

LEVEL 2 DOCUMENTED:

Each practice is documented, including Level 1 practices
A policy exists that includes all activities

LEVEL 3 MANAGED:

Each practice is documented, including lower levels
A policy exists that cover all activities
A plan exists, is maintained, and resourced that includes all activities

LEVEL 4 REVIEWED:

Each practice is documented, including lower levels
A policy exists that covers all activities
A plan exists that includes all activities
Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management)

LEVEL 5 OPTIMIZING:

Each practice is documented, including lower levels
A policy exists that covers all activities
A plan exists that includes all activities*
Activities are reviewed and measured for effectiveness
There is a standardized, documented approach across all applicable organizational units

CMMC Practice Progression

LEVEL 1 BASIC CYBER HYGIENE: 17 practices

Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204- 21

LEVEL 2 INTERMEDIATE CYBER HYGIENE: 72 practices

Comply with the FAR
Includes a select subset of 48 practices from the NIST SP 800- 171 r1
Includes an additional 7 practices to support intermediate cyber hygiene

LEVEL 3 GOOD CYBER HYGIENE: 130 practices

Comply with the FAR
Encompasses all practices from NIST SP 800-171 r1
Includes an additional 20 practices to support good cyber hygiene

LEVEL 4 PROACTIVE: 156 practices

Comply with the FAR
Encompasses all practices from NIST SP 800-171 r1
Includes a select subset of 11 practices from Draft NIST SP 800-171B
Includes an additional 15 practices to demonstrate a proactive cybersecurity program

LEVEL 5 ADVANCED / PROGRESSIVE: 171 practices

Comply with the FAR
Encompasses all practices from NIST SP 800-171 r1
Includes a select subset of 4 practices from Draft NIST SP 800-171B
Includes an additional 11 practices to demonstrate an advanced cybersecurity program

The CMMC Model leverages multiple sources and references, including:

CMMC Level 1 only addresses practices from FAR Clause 52.204-21
CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others
CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others
Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model

Ellen Lord, the Under Secretary of Defense for acquisition and sustainment, said, “Obviously this is a complicated rollout for industry, and we’re being realistic in terms of making sure we have pathfinder projects that we’ll implement, and then learn, get the feedback and go on. This is a critical cornerstone of the department’s overall cybersecurity effort, and we believe we are doing this with what I would call irreversible momentum. We want to make sure that this works and that it is sustained.”

Lord also noted that, “Adversaries know that in today’s great power competition environment, information and technology are both key cornerstones [of national security] and attacking a sub-tier supplier is far more appealing than a prime.”

I want to hear from you. Tell me how we can improve.

BNP Media Owner & Co-CEO, Tagg Henderson

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

This webinar will educate viewers on becoming the go-to source for the safety and security of Marijuana farms, dispensaries and all of the other moving pieces of the industry — while also providing an opportunity for professional accreditation.

Security Magazine

2020 July

This month in Security magazine, meet 13 female executives who are succeeding in security leadership roles. How are they contributing to the safety and success of their enterprise and to the industry? Also, experts discuss radio frequency threats, mental health during the global pandemic, the future of security networking, zero trust, AI and more.

View More Create Account

U.S. Department of Defense Publishes New Cybersecurity Standards

Related Articles

Related Products

Related Events

Report Abusive Comment