On November 7, 2019, the U.S Department of Defense released for public review the Cybersecurity Maturity Model Certification (CMMC) Version 0.6 in preparation for the final Version 1 release in January 2020. CMMC Version 0.6 does not address Maturity Level (ML) 4 and 5 but instead concentrates on MLs 1-3. MLs 4 and 5 will be included in the next release.  The draft model was released to provide the Defense Industrial Base (DIB) sector time to prepared for the inevitable release and implementation of strict criteria tied to the ML for the DoD certification process. The identification of the minimum require ML will be identified in RFIs and RFPs starting in June of 2020.  Certification under this model requires an independent third-party assessment. The CMMC Accreditation organization is expected to be selected soon and begin defining the process for training and or certifying auditors as well as determining the process and schedule for certifying DoD contractors under the CMMC.

The CMMC Framework is modeled into 17 Domains. Domains are key sets of capabilities. Within each Domain there is a set of Capabilities which are achievements to ensure cybersecurity objectives are met for that Domain. Within each Capability, there are Practices and Processes which are activities required to achieve a capability for a desired Maturity Level. The CMMC model has five progressively accumulative Maturity Levels

Let’s break each of these down.

Domains:

• Access Control (AC)
• Asset Management (AM)
• Audit and Accountability (AA)
• Awareness and Training (AT)
• Configuration Management (CM)
• Identification and Authentication (IDA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Personnel Security (PS)
• Physical Protection (PP)
• Recovery (RE)
• Risk Management (RM)
• Security Assessment (SAS)
• Situational Awareness (SA)
• Systems and Communications Protections (SCP) and
• System and Information Integrity (SII

Capabilities for each Domain:

Each capability is assigned a unique number C###. For example, the first capability within the Domain Access Control (AC) is C0001- Establish system access requirements.

• Access Control (AC)
  1. Establish system access requirements
  2. Control internal system access
  3. Control remote system access
  4. Limit data access to authorized users and processes
• Asset Management (AM)
  1. Identify and document assets
• Audit and Accountability (AA)
  1. Define audit requirements
  2. Perform auditing
  3. Identify and protect audit information
  4. Review and manage audit logs
• Awareness and Training (AT)
  1. Conduct security awareness activities
  2. Conduct training
• Configuration Management (CM)
  1. Establish configuration baselines
  2. Perform configuration and change management
• Identification and Authentication (IDA)
  1. Grant access to authenticated entities
• Incident Response (IR)
  1. Plan incident response
  2. Detect and report events
  3. Develop and implement a response to a declared incident
  4. Perform post incident reviews
  5. Test incident response
• Maintenance (MA)
  1. Manage maintenance
• Media Protection (MP)
  1. Identify and mark media
  2. Protect and control media
  3. Sanitize media
  4. Protect media during transport
• Personnel Security (PS)
  1. Screen personnel
  2. Protect federal contract information during personnel actions
• Physical Protection (PP)
  1. Limit physical access
• Recovery (RE)
  1. Manage back-ups
• Risk Management (RM)
  1. Identify and evaluate risk
  2. Manage risk
• Security Assessment (SAS)
  1. Develop and manage a system security plan
  2. Define and manage controls
  3. Perform code reviews
• Situational Awareness (SA)
  1. Implement threat monitoring
• Systems and Communications Protection (SCP)
  1. Define security requirements for systems and communications
  2. Control communications at system boundaries
• System and Information Integrity (SII)
  1. Identify and manage information system flaws
  2. Identify malicious content
  3. Perform network and system monitoring
  4. Implement advanced email protections

Practices and Processes:

Each practice for a given Capability is assigned a unique number P1###

and contains a bulleted list of references (48 CFR 52.204-21, NIST SP 800-171r1, Draft NIST SP 800-171B, etc.) used to develop the practice where applicable. There are defined practice statement(s) assigned to a given Level. Practices were designed to measure the technical activities required to achieve compliance with a given capability requirement, and processes were designed to measure the maturity of a company’s processes.

Figure 1CMMC V0.6 example

Remember these are progressively accumulative so if you are striving for Maturity Level 3, you must meet not only Maturity Level 3 Practices and Processes but everything from the previous Maturity Levels.

Maturity Levels:

Practices are separated by the level they are assigned to and are abbreviated by the level number they are assigned too. For example, Maturity Level 1 has a column heading of Level 1 (L1).

CMMC is coming soon and the DIB needs to get prepared for the changes to be implemented in June of 2020. Unfortunately, there are still some unanswered questions and conflicts in the guidance that we are all waiting on to be released but with the release of CMMC Version 0.6 a majority of model has been solidified for Maturity Levels 1-3. These levels will cover a majority of the DIB sector contractors sharing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) which will greatly reduce the attack surface of the Department of Defense (DoD).