The United States Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is working with the Defense Industrial Base (DIB) sector to enhance the protection of sensitive data, namely Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), within the supply chain.
The sharing of FCI and CUI with DIB sector contractors expands the Department’s attack surface because sensitive data is distributed beyond the DoD’s information security boundary. Cybersecurity must become a foundation of DoD acquisition. Towards that end, OUSD(A&S) is working with DoD stakeholders, University-Affiliated Research Centers, Federally Funded Research and Development Centers, and industry to develop the Cybersecurity Maturity Model Certification (CMMC).
CMMC is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI. CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices.
The CMMC effort builds upon existing regulation, specifically 48 Code of Federal Regulations (CFR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and incorporates practices from multiple sources such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 1, Draft NIST SP 800-171B, the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight [11,12,47,4]. CMMC also adds a certification element to verify implementation of cybersecurity requirements.
CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to subcontractors in a multi-tier supply chain. With respect to implementation, a DIB contractor may meet a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s).
The DoD is releasing this draft version to support the public’s continued review of the draft model in preparation for the release of the CMMC Model Version 1.0 at the end of January 2020. Section 2 describes the model framework, including levels, capability domains, and processes. Section 3 provides instructions on how to read the model. Appendix A presents the latest version of the CMMC Model. Appendices B, C, and D present the practice clarifications for CMMC Levels 1-3, respectively. This document also provides key references, a glossary of terms, and a list of acronyms.
The CMMC model framework (Figure 1) categorizes cybersecurity best practices at the highest level by domains. Each domain is further segmented by a set of capabilities. Capabilities are achievements to ensure cybersecurity objectives are met within each domain.
Companies will further demonstrate compliance with the required capabilities by demonstrating adherence to practices and processes, which have been mapped across the five maturity levels of CMMC.
In this context, practices measure the technical activities required to achieve compliance with a given capability requirement, and processes measure the maturity of a company’s processes. Within each domain, DIB companies will be accredited under the CMMC only if they can demonstrate compliance with the required practices and the mature processes required for the given CMMC level.
Figure 1. CMMC Model Framework
Figure 2. CMMC Level Descriptions
The CMMC model has five defined levels, each with a set of supporting practices and processes, illustrated in Figure 2. Practices range from Level 1 (basic cyber hygiene) to Level 5 (advanced/progressive). In parallel, processes range from being performed at Level 1, to being documented at Level 2, to being optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below.
Level 1 focuses on basic cyber hygiene and consists of the safeguarding requirements specified in 48 CFR 52.204-21. The Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certified organizations. Not every domain within CMMC has Level 1 practices. At both this level and Level 2, organizations may be provided with FCI. FCI is information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1, and therefore a CMMC Level 1 organization may have limited or inconsistent cybersecurity maturity processes.
Level 2 focuses on intermediate cyber hygiene, creating a maturity-based progression for organizations to step from Level 1 to 3. This more advanced set of practices gives the organization greater ability to both protect and sustain their assets against more cyber threats compared to Level 1. CMMC Level 2 also introduces the process maturity dimension of the model. At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of their cybersecurity program.
At Level 3, organizations will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 indicates a basic ability to protect and sustain an organization’s assets and CUI; however, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs). Note that organizations subject to DFARS clause 252.204-7012 will have to meet additional requirements such as incident reporting. For process maturity, a CMMC Level 3 organization is expected to adequately resource activities and review adherence to policy and procedures, demonstrating management of practice implementation.
At Level 4, organizations have a substantial and proactive cybersecurity program. The organization has the capability to adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. For process maturity, a CMMC Level 4 organization is expected to review and document activities for effectiveness and inform high-level management of any issues.
At Level 5, organizations have an advanced or progressive cybersecurity program with a demonstrated ability to optimize their cybersecurity capabilities in an effort to repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that process implementation has been standardized across the organization.
Note that adherence to CMMC processes and practices is cumulative. Once a practice is introduced in a level, it is a required practice for all levels above as well. For an organization to achieve Level 3, all the practices and processes defined in Levels 1, 2, and 3 must be achieved. Similarly, to achieve a specific level of CMMC, an organization must meet both the practices and processes within that level and below across all of the domains of the model. For example, an organization that achieves Level 3 on practice implementation and Level 2 on process institutionalization will be certified at CMMC Level 2. Because the CMMC model is cumulative, an organization seeking to achieve CMMC Level 3 or higher must implement the practices in Levels 1 and 2 for CUI (in addition to FCI).