On 31 January 2020, the US Department of Defense (DoD) introduced a new cybersecurity standard, the Cybersecurity Maturity Model Certification (CMMC).1 Every cybersecurity and compliance professional, including senior executives, must raise their awareness of this important and valuable cybersecurity standard developed by the DoD. The CMMC Model v1.02 was introduced on 18 March 2020.2
So, why the CMMC? Malicious cyberactors continue to target the defense industrial base (DIB) and the supply chain of the DoD. This challenge to US national security, including economic security, is what raised the priority for the DoD to establish a credible and unified cybersecurity standard for organizations that provide services to it, i.e., the cyber supply chain.
The Focus of the CMMC
The focus of the CMMC is on Controlled Unclassified Information (CUI). CUI is the information shared with DoD suppliers that requires safeguarding. CUI is, specifically, information the US federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or governmentwide policy requires or permits an agency to handle only when using safeguarding or dissemination controls. A CUI registry provides information on the specific categories and subcategories of information that the US federal government’s executive branch protects.
The CMMC is a cybersecurity certification standard. This standard is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place and to protect CUI that resides on the networks of the DoD’s industry partners.
How the CMMC Is Organized
The CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyberhygiene to highly advanced practices. The CMMC defines 5 distinct levels, which include:3
- Level 1—Performed
- Level 2—Documented
- Level 3—Managed
- Level 4—Reviewed
- Level 5—Optimizing
These levels encompass the following:4
- 17 capability domains with 43 capabilities
- 5 processes to measure process maturity
- 171 practices to measure technical capabilities
The CMMC framework organizes processes and cybersecurity best practices into a set of domains. There are 17 capability domains that have been defined in the CMMC. Process maturity or process institutionalization characterizes the extent to which an activity is embedded in the operations of an organization. Practices are activities performed at each level for the domain. Each level consists of practices and processes as well as those specified in lower levels. In addition to assessing an organization’s implementation of cybersecurity practices, the CMMC also assesses the organization’s institutionalization of cybersecurity processes.
2021 Cyberdefense Strategy
The CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multitier supply chain. To reduce risk, the DIB sector must enhance its protection of CUI in its networks.
The CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multitier supply chain.
Every organization must establish its own cybersecurity strategy. The recommendation is that all organizations, not just those directly impacted by the mandate, take the first step and establish a deeper understanding of the CMMC standard. The levels defined within CMMC provide a framework that an organization can leverage to establish its cybersecurity strategy and priorities over a 12- to 24-month period. Cyberdefense is all about kaizen,5 and the CMMC is an excellent reference that organizations can use to continuously improve their security posture.
Endnotes
1 Blanchard, C.; R. Lee; et. al.; “DoD Releases Final Cybersecurity Maturity Model Certification Framework and Establishes Cybersecurity Audit and Accreditation Organization,” Arnold & Porter, 13 February 2020
2 Office of the Under Secretary of Defense for Acquisition and Sustainment—Cybersecurity Maturity Model Certification, “CMMC Model,” USA, 2020
3 PreVeil, “What Are the 5 Levels of CMMC?” USA, 2020
4 Ibid.
5 Foster, B. “Security Kaizen: Adopting the Practice of Continuous Improvement to Improve Your Security Posture,” Security Intelligence, January 5 2015
Uday Ali Pabrai, CISSP, HITRUST CCSFP, ISSAP, ISSMP, Security+
Is the chief executive of ecfirst, a firm focused on global delivery of cybersecurity and compliance services. His career was launched with the US Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory, in Chicago, Illinois, USA. He has served as vice chairman and in several senior officer positions with NASDAQ-based enterprises. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. He can be reached at Pabrai@ecfirst.com.