Posted on

Need assistance navigating federal records management? Download our NARA Compliance Resource Package!

In The month of january, work from the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&ampS)) released the Cybersecurity Maturity Model Certification (CMMC) framework. This framework was created in collaboration with DoD stakeholders, College Affiliated Research Centers (UARCs), Federally Funded Development and research Centers (FFRDCs), and also the DIB sector with the aim of supplying an accreditation road to demonstrate compliance with information handling and safeguarding needs when using the services of the DoD.

Whenever using the DoD, organizations end up getting to conform with a number of federal rules. CMMC “encompasses the fundamental safeguarding needs for FCI (federal contract information) specified by Federal Acquisition Regulation (FAR) Clause 52.204-21 and also the security needs for CUI (controlled unclassified information) specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.2047012 [3, 4, 5].”

As the certification process and needs for being a CMMC 3rd Party Assessment Organization (C3PAO) is not finalized, a CMMC Accreditation Body continues to be created to find out these needs. This body determines the needs for C3PAOs and intends to setup a “marketplace” for organizations looking for CMMC certification to consider help achieving it. However, it remains true there are no accredited C3PAOs, and anybody advertising certification, training, or accredited services associated with CMMC certification should be considered suspect, at the best.

Most organizations understand the FAR, DFARS, and NIST security needs. They are technical controls set up within the IT infrastructure to safeguard sensitive data. The CMMC incorporates individuals practices (organized into 17 domains) and adds the idea of a maturity model towards the actual practice of those needs and also the processes of evaluating them. Because the CMMC documentation explains:

“In general, a maturity model is some characteristics, attributes, indicators, or patterns that represent capacity and progression inside a particular discipline. The information of these one typically exemplifies guidelines and could incorporate standards or any other codes of practice of this discipline. A maturity model thus supplies a benchmark by which a company can assess the current degree of capacity of their processes, practices, and techniques and hang goals and priorities for improvement. To determine progression, maturity models normally have levels along a scale [9,10].


That’s the easiest method to consider CMMC: a benchmark to judge current security protocols and practices, review them, and institutionalize the correct practice of securing information.

The CMMC breaks lower into 5 levels, with every level including distinct practices or processes which are attracted from the FAR, DFARS, and NIST fundamental data handling needs. However, additional controls aren’t the aim of the greater amounts of CMMC. The model is supposed to appraise the maturity and institutionalization from the security practices involved.

How can you measure maturity? Again, quoting in the CMMC document: “The CMMC model measures cybersecurity maturity with five levels.  All these levels, consequently, includes a group of processes and practices that are characterised in Figure 2. The processes vary from ‘Performed’ at Level 1 to ‘Optimizing’ at Level 5 and also the practices vary from ‘Basic Cyber Hygiene’ at Level 1 to ‘Advanced/Progressive’ at Level 5.”

CMMC Levels and Descriptions.

CMMC Levels are cumulative your business must show it meets all of the needs of ‘abnormal’ amounts to become certified at a level. It isn’t enough to exhibit the practices each and every level happen to be implemented. Organizations should also show they have institutionalized the approaches for each level, and all sorts of levels the following. If unconditionally the business meets different achievements for process institutionalization and exercise implementation, the business is going to be certified in the lower level.

Each CMMC level increases the amount of practices and increases the amount of process institutionalization needed for certification. Below, I’ve listed each level along with a short description from the process institutionalization and exercise implementation needed. (Note: Practices are direct quotes in the CMMC document.)

Level 1

Processes: Performed

Level the first is for individuals cases when a company might have minimal FCI or CUI and might not have processes that may be institutionalized or are just utilized in an advertisement hoc manner. Maturity isn’t assessed at level 1.

Practices: Fundamental Cyber Hygiene

“Level 1 concentrates on the security of FCI and consists only of practices that match the fundamental safeguarding needs specified by 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”) [3].“

Level 2

Processes: Documented

Level 2 may be the first assessment of maturity. Only at that level, all security practices are documented at least.

Practices: Intermediate Cyber Hygiene

“Level 2 works as a progression from Level 1 to Level 3 and includes a subset from the security needs specified by NIST SP 800-171 [4] in addition to practices using their company standards and references.  As this level represents a transitional stage, a subset from the practices reference the security of CUI.“

Level 3

Processes: Managed

At level 3, a company must start to handle their security practices. Beyond simply documenting the practices being used, this involves such things as written policies, removal plans, and much more intensive analysis of risk. This is actually the CMMC Level nearly all organizations using the services of the DoD will have to be certified for, because this is the amount where CUI begins that need considering (though CUI might not be handled through the organization).

Practices: Good Cyber Hygiene

“Level 3 concentrates on the security of CUI and encompasses all the security needs specified by NIST SP 800-171 [4] in addition to additional practices using their company standards and references to mitigate threats. It’s noted that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) [5] specifies additional needs past the NIST SP 800-171 security needs for example incident reporting.“


Level 4

Processes: Reviewed

Creating overall policies and documenting practices is just helpful once the practices and policies are reviewed regularly. Level 4 adds regular review needs towards the entire information security “stack” – review processes, policies, practices, and abilities.

Practices: Positive

“Level 4 concentrates on the security of CUI from APTs and has a subset from the enhanced security needs from Draft NIST SP 800-171B [6] along with other cybersecurity guidelines.  These practices boost the recognition and response abilities of the organization to deal with and adjust to the altering tactics, techniques, and operations (TTPs) utilized by APTs (advanced persistent threats).”

Level 5

Processes: Optimizing

At level 5, a company should demonstrate a maturity that enables these to begin optimizing their security practices, processes, policies, and abilities. Organizations at level 5 could be regularly reviewing and analyzing their security posture to combat advanced and prospective risks.

Practices: Advanced/Positive

“Level 5 concentrates on the security of CUI from APTs. The extra practices boost the depth and class of cybersecurity abilities.”

The CMMC that’s been developed is an extremely comprehensive and anxiously needed update towards the way organizations consider information security. It’s great, and can allow it to be far simpler to make sure organizations satisfy the security needs for dealing with the DoD.

To learn more, please visit the next references:

Find more sources for public sector professionals by registering to our blog.