As those in the Defense Industrial Base (DIB) look into the CMMC requirements, what exactly are the different levels of certification within the Framework?
The CMMC Framework
The CMMC Framework doesn’t aim to reinvent the wheel. Rather, CMMC is based on pre-existing frameworks such as CMMI Cybermaturity, NIST 800-171, and DFARS, and the certification is geared towards the DIB: those bidding for DoD contracts and those active in DoD contract supply chains.
For a rundown of what CMMC is, you can refer to our previous article here.
CMMC and NIST share a similar agenda:
- Identify – Identify your risks.
- Protect – Implement safeguards.
- Detect – Capture cyber events.
- Respond – Act upon cyber events.
- Recover – Review, repair, and plan for the future.
At the core, CMMC hopes to improve cyber hygiene in the DIB.
The CMMC Levels
Within the CMMC Framework there are five tiered levels of certification, each expanding on the technical requirements of the level before it. Each level aims to build the maturity of a DIB company in protecting sensitive information gathered during DoD contracts, thereby protecting national defense.
Here is a summarized, short-and-sweet overview of each Framework level:
- Level 1 – “Basic cyber hygiene,” including antivirus software, rotating passwords, and basic protection of Federal Contract Information (FCI).
- Level 2 – “Intermediate cyber hygiene,” including documentation of practices for Controlled Unclassified Information (CUI) via NIST 800-171 requirements.
- Level 3 – “Good cyber hygiene,” including institutionalized practices to protect CUI along with added standards.
- Level 4 – Beyond cyber hygiene, the company must have a review process to measure the effectiveness of its cyber program. It must also have ways to detect and respond to the developing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).
- Level 5 – Standardized and advanced cyber practices, including capabilities for dealing with APTs.
While CMMC is a standard combining the frameworks listed above, the Framework distills its requirements into 17 domains to better protect FCI and CUI:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Security
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
CMMC certification cannot be obtained via self-assessment, although organizations are encouraged to perform a self-assessment as a means of preparing for certification. Certification must be completed via an audit by an authorized third party. Certification will become a requirement for those bidding on DoD contracts as well as those working within the DoD supply chain.
Third-party organizations are currently undergoing review to be accredited auditors for the CMMC. Stay tuned to the blog to hear news of when RedLegg is available for CMMC consultation appointments.