Everything you need to know about the Cybersecurity Maturity Model Certification (CMMC) framework!
What is the CMMC framework?
The Department of Defense (DoD) supply chain and the Defense Industrial Base (DIB) it supports are continuously under threat by malicious actors. The theft of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) doesn’t just stifle innovation and undercut U.S. technical advantages, it significantly increases the risk to national security.
To reduce this risk, the DoD released the CMMC framework, which is intended to assess and enhance the cybersecurity posture of the more than 300,000 companies that contribute towards the research, engineering, development, acquisition, production, delivery, sustainment and operation of DoD systems, networks, installations, capabilities and services.
When does the CMMC go into effect?
The initial version of the CMMC framework was released in January 2020, and the first 72 candidates for the Provisional Assessor program were selected by the CMMC Accreditation Body (CMMC-AB) in August 2020. Official Certified CMMC Professional (CCP) and Certified CMMC Assessor Level 1 (CCA-1) training from CMMC-AB License Training Partners (LTPs) is expected to be available in July 2021.
Additionally, 10 DoD contracts are expected to be chosen as “pathfinder programs” to help assess the success of initial CMMC rollout. A phased rollout will continue until all DoD contracts require CMMC certification by 2025.
What are Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA)?
To become a Certified CMMC Assessor (CCA), you must first become a Certified CMMC Professional (CCP). The CCP serves as a gateway for assessors, but it also certifies you as a valuable resource for consulting agencies, CMMC Third-Party Assessor Organizations (C3PAOs) and organizations needing CMMC support and guidance. The CMMC-AB career path contains four levels:
– Certified CMMC Professional (CCP)
– Certified CMMC Assessor Level 1 (CCA-1)
– Certified CMMC Assessor Level 3 (CCA-3)
– Certified CMMC Assessor Level 5 (CCA-5)
Certified CMMC Assessors can only conduct organizational assessments up to their maturity level.
What are organizations seeking certification (OSC)?
CMMC is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), and by 2025 all suppliers will need a certification in order to bid on contracts. Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending where the protected information is handled and stored.
CMMC-AB estimates the certification process will take at least six months for organizations to get certified.
What are the CMMC requirements?
Although the CMMC framework is new, many of the security requirements within it are not. Of the 171 practices included in CMMC, 110 of them are specified in NIST SP 800-171 rev1. Additional practices and processes are drawn from other standards, references and sources, such as:
– NIST SP 800-53
– Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”
– Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2
CMMC builds upon existing regulation (DFARS 252.204-7012) by adding a certification program to verify the implementation of processes and practices across five cybersecurity maturity levels.
What are the 5 CMMC maturity levels?
The CMMC framework contains five maturity levels, with Level 5 being the highest. The processes and practices required for each level are aligned around:
– Level 1: Safeguarding Federal Contract Information (FCI)
– Level 2: Transitioning towards protecting Controlled Unclassified Information (CUI)
– Level 3: Protecting CUI
– Levels 4-5: Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs)
Organizations must demonstrate both the institutionalization of processes and the implementation of practices to achieve a certification level. For example, if an organization demonstrates Level 3 practices but only Level 2 processes, they will be classified overall as Level 2. CMMC levels are cumulative. To achieve Level 5, an organization must demonstrate all 5 processes and 171 practices included in the framework.
Download our CMMC ebook for the full list of requirements: https://www.infosecinstitute.com/form/cmmc-ebook/