As promised, on Friday, January 31st, 2020, the Department of Defense (DoD) released the final version of its Cybersecurity Maturity Model Certification, commonly referred to as CMMC Model v1.0 or simply CMMC certification. The CMMC sets the standard for the DoD’s future vendors, making cybersecurity a foundation of defense acquisitions in order to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The new CMMC framework evaluates the maturity of vendors’ cybersecurity practices and processes across 17 domains and assigns each vendor a CMMC Level of 1 through 5 based on that maturity. To obtain CMMC certification, an accredited and independent third-party commercial certification organization assesses the vendor and awards it a certificate at the applicable CMMC level. Each level corresponds to a specific focus: Level 1 demonstrates basic safeguarding of FCI, Level 2 marks a transition step toward protecting CUI, Level 3 demonstrates protection of CUI, and Levels 4 and 5 demonstrate protection of CUI plus reduction of the risk posed by Advanced Persistent Threats (APTs).
The CMMC’s 17 domains each contain a set of processes and capabilities, while each capability encompasses one or more practices, for a total of 43 capabilities and 171 practices.
The CMMC framework’s practices and processes draw on familiar cybersecurity standards, including:
- FAR Clause 52.204-21
- NIST SP 800-171 Rev 1
- Draft NIST SP 800-171B
- CIS Controls v7.1
- NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
- CERT Resilience Management Model (CERT RMM) v1.2
- NIST SP 800-53 Rev 4
among others.
The DoD’s enhanced focus on verifying vendors’ cybersecurity maturity will impact all companies across the DoD’s supply chain.
If you fall within the DoD’s supply chain, you need to fully understand the 17 domains, 43 capabilities, and 171 practices. Moreover, you will need to implement the appropriate processes and practices and demonstrate the requisite maturity to reach the certification level designated in the Request for Proposals (RFP).
If you’re not sure where to start or how to implement the CMMC framework, refer to the CMMC Certification Model, which covers in detail the domains, processes, and practices, and explains the assessment process, as well as provides examples.
The CMMC will begin appearing in DoD RFPs in June 2020, but you can audit your operations and start raising your cybersecurity posture to the required level today.