While the CMMC certification process is still in development, IT leaders should get familiar with the five CMMC levels and learn how to comply with the security maturity model.
As concerns about cybersecurity have grown, so has the proliferation of standards, regulations and other guidance regarding the validation of security capabilities. Various standards organizations, such as NIST and the International Organization for Standardization, have introduced standards and frameworks to address cybersecurity prevention, response and mitigation.
The latest evidence of this proliferation is a collaboration between Carnegie Mellon University and Johns Hopkins University Applied Physics Laboratory LLC called the Cybersecurity Maturity Model Certification (CMMC) framework.
The CMMC framework has five fundamental maturity processes, which span five maturity levels and use 171 cybersecurity practices. As with many other standards and frameworks, CMMC's intent is to standardize security processes to ensure they are consistent, repeatable and high quality. The framework is associated with a certification process designed to validate the performance and implementation of framework processes and practices.
In this article, examine the CMMC structure and its components, as well as review guidance on how to achieve CMMC compliance. Originally designed for the U.S. Department of Defense, the CMMC framework addresses the needs of the DOD for protecting classified uncontrolled information during the procurement of products and services from the defense industrial base.
For nongovernmental organizations, understanding the CMMC levels is still worthwhile.
Elements of the CMMC framework
The CMMC framework builds on previously established standards, practices and frameworks. The content of practices and processes is organized into a set of domains and maps them across five CMMC levels. Figure 1 depicts the five levels of maturity. Level 1 incorporates 17 practices, and each subsequent level requires additional practices. Achieving compliance with Level 5 involves the allotment of 171 practices in total.
Figure 1. The CMMC framework outlines a five-step approach to developing an organization's cybersecurity controls over time.
Table 1 lists the five CMMC levels, along with a description and list of processes associated with each level.
Table 1. The processes of each of the CMMC's five levels
CMMC has 17 domains that were previously defined in U.S. Federal Information Processing Standards Publication 200 and NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Table 2 lists the 17 CMMC domains.
Table 2. CMMC includes 17 distinct domains.
Each domain involves various capabilities examined in the certification process. The 171 practices are distributed within each of the 17 domains across the five CMMC levels, depending on the complexity of the domain and the number of practices assigned. These are all factors to consider when evaluating a candidate organization for CMMC accreditation.
Achieving CMMC compliance
Third-party contract assessors certified by the DOD to audit CMMC compliance are responsible for conducting certifications. Candidates for CMMC will most likely be current DOD contractors. Results of the CMMC audit will determine if a contractor is awarded a certification. The certification process is currently in development.
For nongovernmental organizations, understanding the CMMC levels is still worthwhile. The framework consolidates best practices and guidance from several existing federal government cybersecurity standards. IT leaders can think of CMMC as an ideal set of assessment and pre-audit metrics so that they can easily assess the current maturity of cybersecurity activities in relation to CMMC.
