The CMMC Explained...
The United States Department of Defense (DOD) has determined that the theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activities threatens the economic and national security of the United States. To enhance the resilience and security of the Defense Industrial Base (DIB), DOD has developed a consolidated Cybersecurity standard which mandates the implementation of certain Cybersecurity practices and controls by all 300,000+ DIB contractors (Prime contractors, subcontractors, and select vendors).
The input behind it.....
The CMMC standard was developed on a foundation of existing frameworks such as NIST SP 800-171r1, FAR 52.204-21, NIST SP 800-171B as well as other U.S. and international standards/frameworks.
The CMMC structure explained...
The CMMC maturity model consists of 5 levels, across 17 Cybersecurity domains, with each domain containing an associated set of practices (Cybersecurity controls). The requirement to implement specific practices is dependent upon the level of CMMC certification required. Additionally, each level of CMMC has a corresponding process (system maturity level) associated with it. The CMMC requires that an organization demonstrate both the requisite institutionalization of processes for the
CMMC Level Descriptions
required CMMC level as well as implementation of all associated practices for the level desired (and all preceding level). Example: certification for Level 3 of CMMC will requires implementation of all processes and practices contained in Levels 1, 2 and 3.
What you need to show in order to get certified.....
The CMMC requires that an organization demonstrate both the requisite institutionalization of processes for the required CMMC level as well as implementation of all associated practices for the level desired (and all preceding level). Example: certification for Level 3 of CMMC will requires implementation of all processes and practices contained in Levels 1, 2 and 3.
A brief description of each CMMC level
(process/maturity level in parenthesis)*
Level 1 – Basic Cyber Hygiene (Performed)* – 17 practices: Safeguard Federal Contract Information (FCI)
Level 2 – Intermediate Cyber Hygiene (Documented)* – 72 practices: Serves as a transition step in cybersecurity maturity progression to protect Controlled Unclassified Information (CUI)
Level 3 – Good Cyber Hygiene (Managed)* – 130 practices: Protect CUI
Level 4 – Proactive Cyber Hygiene (Reviewed)* – 156 practices: Protect CUI and reduce risk of Advanced Persistent Threats (ATPs)
Level 5 – Advanced Cyber Hygiene (Optimized)* – 171 practices: Protect CUI reduce risk of ATPs (with additional process and controls over Level 4)
17 CMMC Capability Domains
Here's an example
Level 3 requires that the company’s Cybersecurity system is Performed, Documented and Managed (the Process level requirements), as well as the implementation of 130 Cybersecurity controls (the 17 from Level 1 + the 55 from Level 2 + 58 additional controls specified in Level 3).
It's worth noting that...
CMMC Level 1’s 17 practices address the requirements of FAR Clause 52.204-21, and
CMMC Level 3 includes all the practices from NIST SP 800-171r1 as well as additional practices
Some more free resources that will help you...
Office of the Under Secretary of Defense for Acquisition and Sustainment Cybersecurity Maturity Model Web Site: https://www.acq.osd.mil/cmmc/index.html
Quick link to CMMC documents, where PDF versions of the CMMC Model, Appendices and a useful overview briefing can be downloaded: https://www.acq.osd.mil/cmmc/draft.html
CMMC Accreditation Body Web Site: https://www.cmmcab.org/
Link to FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems: https://www.acquisition.gov/content/52204-21-basic-safeguarding-covered-contractor-information-systems
Link to NIST SP 800-171 Rev. 1: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
YouTube Video: Hitting the Ground Running: Reviewing the 17 CMMC Level 1 Practices. Prepared by Carnegie Mellon University, Software Engineering Institute: https://www.youtube.com/watch?v=RG8wc9rckQc&feature=youtu.be
Project Spectrum web site: https://www.projectspectrum.io/#!/ Project Spectrum is an initiative supported by DOD Office of Small Business Programs. They are monitoring CMMC implementation closely and the sponsor frequent CMMC Info Webinars.
Project Spectrum CMMC quick look-up by domain and level-very useful tool: https://www.projectspectrum.io/#!/standards