UPDATE: In November 2021, the DoD announced changes to the original CMMC model (“CMMC 1.0”), including a reduction in the maturity levels from five to three and the processes for assessments and certifications. The revised model is called CMMC 2.0, and you can read our updated Insight here.
The Cybersecurity Maturity Model Certification (CMMC) is a unifying standard for implementing cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of the processes and practices associated with achieving a given cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department of Defense that a DIB company can adequately protect sensitive unclassified information, accounting for information that flows down to subcontractors in a multi-tier supply chain.1
The CMMC framework was created to assess, support, and strengthen the security posture of the defense sector. CMMC focuses on securing and improving the integrity of three types of data. At the heart of the framework is the protection of Controlled Unclassified Information (CUI). In addition to CUI, the CMMC covers Federal Contract Information (FCI) and Covered Defense Information (CDI).
For a complete understanding of CUI, please visit the National Archives’ Website on CUI training.
The CMMC framework consists of cybersecurity best practices from multiple cybersecurity standards, frameworks, and references.
CMMC Domains
The model breaks down into 17 domains (see below), each consisting of processes, capabilities, and practices. An example practice would be verifying, managing, and limiting connectivity to an external information system.
CMMC Levels
The CMMC consists of five certification levels that reflect the maturity of an organization’s cybersecurity infrastructure, processes, and procedures. The CMMC is not a “one size fits all” model: the level of certification required depends on the type of contract. Once you are certified, you are qualified for contracts at any level up to your certification level. The Department of Defense will specify the necessary CMMC Level in its Requests for Information and Requests for Proposals. The whole security model consists of 171 practices, and each CMMC Level builds upon the previous level.
CMMC Level 1
Geared towards businesses that provide general supplies and services, CMMC Level 1 focuses on the protection of FCI if you do not store or process CUI or CDI. This CMMC level is considered Basic Cyber Hygiene and consists of 17 practices.
CMMC Level 2
While most CMMC requirements will fall under Levels 1 and 3, Level 2 is a transitional stage, serving as a progression from Level 1 to Level 3. It consists of a subset of the security requirements in NIST 800-171, is considered Intermediate Cyber Hygiene, and comprises 72 practices.
CMMC Level 3
CMMC Level 3 focuses on the protection of CUI and covers all of the security requirements found in NIST 800-171, in addition to other standards and references. Level 3 is considered Good Cyber Hygiene and consists of 130 practices.
CMMC Level 4
CMMC Level 4 requires that organizations review and measure their practices for effectiveness. Level 4 focuses on protecting CUI and covers a subset of the enhanced security requirements from the Draft NIST 800-171B. Level 4 is considered Proactive Cyber Hygiene and consists of 156 practices.
CMMC Level 5
CMMC Level 5 requires an organization to optimize its process implementation across the business. Level 5 focuses on the protection of CUI and consists of 171 practices. Level 5 is considered Sophisticated Cyber Hygiene.
Who needs the CMMC?
Any organization that contracts with the Department of Defense will require some level of CMMC certification unless it sells only commercial-off-the-shelf products. Even if you do not store or process any CUI, you will still need to be certified at Level 1 if you possess any Federal Contract Information. A subcontractor’s required level of certification depends on the type of information shared with it by the prime contractor.
CMMC Timeline
The Department of Defense is deploying the CMMC in a phased approach over the next five years. The Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing CMMC, also known as the Interim Rule, became effective on November 30, 2020.
CMMC Readiness
While authorized and accredited CMMC Third Party Assessment Organizations are responsible for conducting the CMMC assessments, it is essential to note that you should first complete an internal readiness assessment. A readiness assessment takes you through the process of CMMC compliance before you submit your request to be certified, and documents both your current security posture and your action plan for reaching compliance. Our readiness assessment process consists of the following five steps.
How Abel Solutions Can Help With Your CMMC
Our system and approach create clear and detailed documentation of your processes, which will play a critical role in your CMMC assessment. Our approach is also well suited to ongoing compliance management, since we can review your previous assessments to maintain your compliance and keep the documentation an audit will require up to date.
As an experienced technology partner, we can help guide you through the readiness assessment process to prepare you for your CMMC assessment.
Contact us today to learn how your audit can be streamlined and completed more efficiently, shortening the timeline and reducing the cost to your business.
This Abel Insight was written by Abel Solutions Consulting Director, Glen Feucht.