The purpose of the CMMC is to act as a verification framework that confirms DOD contractors are following appropriate cybersecurity practices; the goal is to protect what the DOD refers to as Controlled Unclassified Information (CUI). CMMC Version 1.0 has been developed and released by OSD. The timeline for CMMC implementation is as follows:
February-May 2020: First group of auditors/assessors will be trained by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)
June-September 2020: The DOD intends to release a small number of RFIs to validate the implementation of the CMMC as a pilot, and in the fall of 2020 to release formal RFPs
October 2020 & Onward: DOD contractors will be required to be certified to the level specified in the DOD RFP in order to bid on new contract work.
CMMC is built on a maturity model that organizations need to understand before an assessment takes place. The model has 5 levels to which an organization can be certified, ranging from basic cyber hygiene to advanced/progressive cyber hygiene. Each level has processes and practices that must be implemented to the degree of maturity that level requires. The 5 levels reflect the DOD's acknowledgment that contracts carry varying degrees of risk and that not every contract awarded will require a Level 5 certification. The 5 levels are:
- Level 1: Basic Cyber Hygiene: This level has 17 practices and is characterized by basic safeguarding of Federal Contract Information (FCI), the starting point for later protection of Controlled Unclassified Information (CUI). Organizations must perform the practices specified by the DOD, but the processes do not have to be documented.
- Level 2: Intermediate Cyber Hygiene: This level adds 46 practices and is characterized as a transition step toward protecting CUI. In addition to performing the practices required by Level 1, this level requires that the processes be properly documented.
- Level 3: Good Cyber Hygiene: This level adds 47 practices and requires the protection of CUI. Level 3 requires that organizations establish, maintain, and resource a plan that demonstrates management of the activities performed.
- Level 4: Proactive: This level adds 26 practices and continues to protect CUI, but also requires reducing the risk from Advanced Persistent Threats (APTs). Level 4 requires organizations to measure and review their practices for effectiveness.
- Level 5: Advanced/Progressive: This final level adds 4 practices and requires full protection of CUI and a sufficient reduction of the risk from APTs. Level 5 requires organizations to standardize and optimize process implementation across the entire organization.
Note: Each level builds on the prior one, so an organization certified at Level 3 must meet all of the requirements of Levels 1, 2, and 3.
Now that you are familiar with the maturity levels, your organization will need to determine which CMMC level it is seeking, driven by the level specified in the contracts it intends to bid on. To be certified, your organization will coordinate with an independent third-party commercial certification organization; once the assessment is arranged between your organization and that certification entity, you will receive CMMC certification at the assessed level if you pass. For the specifics of the CMMC practices and processes, see the DOD's initial release of the complete CMMC Model, Version 1.0.