R2R

About CMMC

Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification(CMMC) is a new requirement for existing DoD contractors, replacing the self-attestation model and moving to third-party certification.

The certification will be build on existing requirements such as NIST SP 800-171, NIST SP 800-53,AIA NAS9933, private sector contributions, and input from academia. This new certification is intended to tighten cybersecurity within the defense industrial base. CMMC consists of five levels to measure cybersecurity practices of contractors.

CMMC Levels

Level 1

Process: At this level, practices are performed in an ad-hoc manner so there is no process requirement.
Practice: It addresses protection of FCI and 17 practices are required for the basic safeguarding requirements specified in 48 CFR 52.204.21.

Level 2

Process: Policy and documentation of practice are required to develop mature capabilities and achieve process Level 2.
Practice: Progression from Level 2 to Level 3. The majority of practices (65 of 72) comes from NIST SP 800-171 and new 7 practices from other standards are added to Level 2, such as audit log review, event detection/reporting, analyzing triaging events, incident response, Incident RCA (root cause analysis), regular data backup and testing, and encrypted session for device mgmt..

Level 3

Process: Not just policy and documentation of practices, a plan is required to demonstrate management of practice implementation activities. The plan needs to address missions, goals, project plans, resourcing, required training and involvement of stakeholders.
Practice: All 110 control requirements of NIST SP 800-171 are required for this level. In addition, 13 new practices from other standards are added to Level 3, such as defining procedures of CUI data handling, collecting audit info into central repositories, regular data backups, periodical risk assessment, risk mitigation plan, separate management of non-vendor-supported products, security assessment of enterprise software, cyber threat intel response plan, DNS filtering, restriction of CUI publication, spam protection mechanisms, email forgery protections, and sandboxing.

Level 4

Process: Practices are reviewed and measured for effectiveness. In addition, correct actions when necessary and communication to higher level mgmt. on a recurring basis are required.
Practice: In order to protect CUI from APTs, 26 practices enhance the detection and response capabilities to address and adapt to TTPs used by APTs.

Level 5

Process: Process standardization and optimization
Practice: The additional 15 practices increase the depth and sophistication of cybersecurity capabilities.