The CMMC Framework Levels

10/6/20 8:00 AM  |  by RedLegg Blog

As those in the Defense Industrial Base (DIB) look into the CMMC requirements, a common question is: what exactly are the different levels of certification within the Framework?


The CMMC Framework

The CMMC Framework doesn’t aim to reinvent the wheel. Rather, CMMC is based on pre-existing frameworks such as CMMI Cybermaturity, NIST 800-171, and DFARS, and the certification is geared towards the DIB: those bidding for DoD contracts and those active in DoD contract supply chains.

For a rundown of what CMMC is, you can refer to our previous article here.

CMMC and the NIST Cybersecurity Framework share a similar agenda, organized around five core functions:

  • Identify – Identify your risks.
  • Protect – Implement safeguards.
  • Detect – Capture cyber events.
  • Respond – Act upon cyber events.
  • Recover – Review, repair, and plan for the future.

At the core, CMMC hopes to improve cyber hygiene in the DIB.


The CMMC Levels

Within the CMMC Framework there are five tiered levels of certification, each expanding on the technical requirements of the one below it. Each level aims to build the maturity of a DIB company in protecting the sensitive information it handles during DoD contracts, thereby protecting national defense.

Here is a summarized, short-and-sweet overview of each Framework level:

Level 1

“Basic cyber hygiene,” including antivirus software, rotating passwords, and basic protection of Federal Contract Information (FCI).

Level 2

“Intermediate cyber hygiene,” including documentation of practices for protecting Controlled Unclassified Information (CUI) per NIST 800-171 requirements.

Level 3

“Good cyber hygiene,” including institutionalized practices to protect CUI along with added standards.

Level 4

Beyond cyber hygiene, the company must have a review process to measure the effectiveness of its cyber program. It must also have ways to detect and respond to the evolving tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).

Level 5

Standardized and advanced cyber practices, with capabilities focused on detecting and responding to APTs.


CMMC Domains

While CMMC is a standard combining the other frameworks listed above, the Framework distills its practices into 17 domains to better protect FCI and CUI:

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Security
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. Systems and Communications Protection
  17. System and Information Integrity


CMMC Self-Assessment

CMMC certification cannot be obtained via self-assessment, although organizations are encouraged to perform a self-assessment as a means of preparing for certification. Certification must be completed via an audit by an authorized third party. Certification will become a requirement for DoD contract bids as well as for those working within the supply chain.

Third-party organizations are currently undergoing review to be accredited auditors for the CMMC. Stay tuned to the blog to hear news of when RedLegg is available for CMMC consultation appointments.
