CMMC Resources

CMMC FAQs

What is CMMC Compliance?

CMMC stands for Cybersecurity Maturity Model Certification, and is the latest security framework mandated by the Department of Defense (DoD) for any contractor that sells into the DoD.

CMMC specifies a range of maturity levels that must be met and will be used by the DoD as qualification for vendor selection.

Who Needs To Be CMMC Certified?

Anyone in the defense contract supply chain. According to the DoD, “CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”

CMMC will replace the current ‘self-declaring’ model with third-party certification, and the resulting audit and certification process will establish compliance as a condition of doing business with the Defense Department.

What Is The CMMC Model?

DoD contractors will demonstrate compliance with required capabilities by showing adherence to practices and processes that have been mapped across the five maturity levels of CMMC.

Practices will measure the technical activities necessary to achieve compliance with a given capability requirement, while processes will measure the maturity of a company’s processes.

What Are The 5 Levels of CMMC?

The CMMC model has five defined levels, each with a corresponding set of practices and processes. Practices range from basic cyber hygiene (Level 1) to advanced/progressive capabilities (Level 5).

In parallel, processes step up from Level 1 (being performed) to Level 5 (being optimized across the organization).

Contractors must meet both associated practices and processes to achieve each specific CMMC level.

Source: https://resources.infosecinstitute.com/

What are CMMC Domains?

The CMMC model consists of 17 domains. Many of these CMMC domains originated from the Federal Information Processing Standards (FIPS) 200 security-related areas and the NIST SP 800-171 control families.

Source: https://force-x.net/cmmc/

Where Can I Get The Latest Information about CMMC?

Two great resources are the CMMC Accreditation Body (https://cmmcab.org) and the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification.