All of us here at Rapid7 hope that you and your families are safe and well during this unprecedented national crisis. Despite the fact that COVID-19 has many of us focused on other priorities, the expectation at the time of publication of this blog is that the Cybersecurity Maturity Model Certification (CMMC) is proceeding along original timelines. The certification is presently expected to be phased into new DoD contracts starting in Q3 2020. As such, it is important that all affected organizations continue to prepare for the requirements. In Part 1 of our CMMC Blog series, we’ll look at better explaining terms and structure of the framework.
In current developments, the CMMC Accreditation Body has been established, and it has formed the CMMC Standard Management Working Groups, with objectives of refining the CMMC Standards and Requirements Assessment Guide and developing the Certification Assessment Criteria Levels and Training and Learning Objectives. Additional working groups have been formed, and that information can be found here.
DoD CMMC certification will be required for all contractors and subcontractors working with the U.S. Department of Defense. The goal is to enhance the protection of the information handled within the Department of Defense supply chain. While CMMC primarily leverages existing standards and regulations, such as FAR Clause 52.204-21 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, it also draws from other best practices.
Under CMMC, organizations can no longer self-assess against 800-171 to be awarded DoD contracts. Instead, organizations will need to be certified by CMMC third-party assessment organizations (C3PAOs) accredited by the CMMC Accreditation Body. Both DoD and the CMMC Accreditation Body encourage organizations to perform self-evaluations for CMMC compliance prior to an official assessment from a C3PAO.
Version 1 of CMMC was released on Jan. 30, and a minor revision of the document, version 1.02, followed in March. The latest versions can be found here.
To understand the CMMC framework, you must understand how its different elements fit together. We’ll go through these terms in the following sections.
The CMMC defines 17 domains, familiar to anyone who has experience with NIST framework requirements. Organizations familiar with 800-171 will notice three additional domains defined within CMMC. These domains are defined as follows:
Each domain has a set of defined criteria that define the overall maturity level for your organization.
Level with us
The CMMC model measures cybersecurity maturity across five levels. Each level consists of a set of processes and practices within a domain. Practices further define capabilities (to be expanded upon in Part 2 of this blog series).
Compliance with CMMC requirements will occur at one of these five levels, depending on the sensitivity of information processed by organizations along the DoD supply chain. All DoD contractors will be required to certify at Level 1 or above, and all contractors that handle any Controlled Unclassified Information (CUI) must certify at Level 3 or above. DoD contract RFIs will specify the certification level required for a contract award.
It’s important to understand that the set of processes and practices is cumulative: to achieve compliance with a specific maturity level, an organization must also be compliant with all preceding maturity levels. Additionally, it is not enough to have practices implemented. Maturity of process is also required, and this is evaluated by the extent to which the practices are ingrained within the culture of your organization, which the CMMC refers to as institutionalization. If your organization demonstrates Level 3 maturity within a practice but only Level 2 maturity within the process, compliance is certified at the lower of the two maturity levels.