CMMC Overview
(based on CMMC 1.0)
The bottom line: the five key takeaways you should know
- Impact on my company: Going forward, defense suppliers wanting to win defense contracts (based on RFIs and RFPs) will need to comply with new cybersecurity standards based on "CMMC"
- Assessments (audits): Unlike in past compliance programs, defense suppliers will no longer be able to "self-certify" or simply declare their compliance. They will be reviewed and approved by "assessors" and by third-party assessment companies called "C3PAOs" (CMMC Third Party Assessment Organizations)
- Schedule: RFIs and RFPs will begin to include CMMC criteria in June and September of 2020
- Rollout: 2020 - DOD estimates there will be about 10 contracts issued in 2020, each of which could impact 150 suppliers, for a total of 1,500 suppliers in the fall of 2020. More suppliers will be impacted beyond that
- Your suppliers: In many cases, it may not be sufficient for your own company alone to be CMMC certified. If your company needs to use suppliers, they may need to be CMMC certified also, so you should encourage and perhaps facilitate their becoming compliant.
What is the DOD Goal for CMMC?
The Department of Defense is primarily concerned with the theft or exfiltration of sensitive data from contractors and subcontractors in the DOD supply chain, including:
- Controlled Unclassified Information (CUI)
- Federal Contract Information (FCI)
What are the reasons that DOD is concerned about the theft of sensitive information?
At a November 2019 defense symposium in Washington, DC, CMMC head Katie Arrington talked about the motivations behind the program. Arrington, the Special Assistant for Cybersecurity in the Office of the Under Secretary of Defense for Acquisition & Sustainment, focused on two areas:
- National Security: "Our adversaries, namely China, in building ... I won't say the name of it, but there is a plane in China that looks suspiciously like the F-35," noted Arrington
- U.S. Economy: She also noted the estimated $600 billion that was lost each year to proprietary theft, mostly from Chinese nation-state actors.
What are the historical foundations of CMMC?
- DOD's program to protect Classified Systems
- NIST 800-53 Compliance Program (with 1,000 controls)
- NIST 800-171 Compliance Program of 2017
What are the essential aspects of CMMC?
- Five levels of maturity are used as a mechanism to scale down the compliance program for lower-tier/smaller contractors and suppliers. For example, level 1 only requires 17 practices, whereas level 3 requires about 141 practices.
- 17 domains (previously known as "families of controls") are used as a high-level way to organize practices.
- 43 capabilities are used as an intermediate way to organize practices within the domains.
- There are 36 practices that are new to CMMC or are modifications of previous standards such as NIST 800-171.
- Process maturity requirements that differ for each level of CMMC
2020 Timeline for DOD and Suppliers
- June 2020 - DOD would like CMMC audit inspections of contractors to begin
- Sept 2020 - DOD wants to start issuing RFIs and RFPs that may require different levels of CMMC compliance. "You're either certified to do the work, or you cannot bid," Arrington noted.
But there are some key challenges for DOD:
1) Since CMMC is a tiered compliance model, the target CMMC level, and therefore the number of practices a supplier needs to certify to, will depend on several key factors that ultimately give DOD assurance that a DIB contractor can protect CUI at a level commensurate with the risk. For instance, according to the DOD, there are about 12,000 companies that would need to comply and certify at Level 3 (141 cumulative practices) in order to do business with the DOD.
2) Levels 4 and 5 cover about 285,000 suppliers. That's a lot of suppliers that will need to learn about CMMC and will need to be certified.
3) CMMC auditors will need to be certified. Unlike under previous DOD compliance programs, where suppliers could simply assert that they were compliant, DOD now wants contractors and subcontractors to be certified by accredited assessors.
4) CMMC introduces three new domains. Although CMMC is reducing the number of practices, the model is at the same time introducing three new domains: asset management, recovery, and situational awareness.
CMMC vs NIST 800-171
If you or your company is familiar with the 2017 NIST 800-171 compliance program, then what are the essential items you need to know about CMMC?
Levels - Scaling Compliance to Different Levels of Maturity!
CMMC has stratified the compliance requirements across five different levels.
Level 1 is the entry level and has only 17 practices that must be complied with.
Levels 2, 3, 4, and 5 have more practices, and each level must also comply with all the practices of the levels below it.
1) In NIST 800-171, collections of practices were known as families of controls. In CMMC they are now known as domains.
2) In NIST 800-171, there were 14 families of controls. In CMMC there are now 17. The three new domains are:
- Asset management
- Recovery
- Situational awareness
Process Maturity
CMMC now introduces process maturity requirements. See section 5 for more details.
Smaller Number of Practices
The number of practices scales with the levels -- from 17 at level 1 to many more at the higher levels. Still, compared to the roughly 1,000 controls in NIST 800-53, CMMC has far fewer.
New Practices Not Related or Referenced to NIST 800-171
More information coming soon.
CMMC Domains
The original DFARS program grouped practices into 14 areas called families of controls.
In CMMC, three new areas (now called domains) have been added:
- Asset management
- Recovery
- Situational awareness
The addition of these three new domains results in a total of 17 domains:
- Access Control (AC)
- Asset Management (AM) (new)
- Audit and Accountability (AA)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PP)
- Recovery (RE) (new)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA) (new)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
CMMC Practices
CMMC has 171 practices in total.
Each of the five CMMC levels has its own set of practices. Below you can see the practices for each level:
However, each level must adhere not only to the practices at its own level but also to the practices of all lower levels. You can see below the number of aggregate (cumulative) practices that require compliance at each level.
Process Maturity for each CMMC Maturity Level (ML)
Process Maturity Level | Processes
ML 1: Performed | There are no maturity processes assessed at ML 1. A Level 1 organization performs Level 1 practices but does not exhibit process institutionalization.
ML 2: Documented |
ML 3: Managed |
ML 4: Reviewed |
ML 5: Optimized |