Overview of the Cybersecurity Maturity Model Certification
What is the CMMC?
The CMMC, or Cybersecurity Maturity Model Certification, was created by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to enhance the cybersecurity of the contractors and sub-contractors in the DoD supply chain, collectively known as the Defense Industrial Base (DIB).
What is the CMMC 2.0?
In November 2021, the DoD released its updates to CMMC 1.02 in order to streamline the assessment process for the DIB and reduce the anticipated cost of assessments. It narrowed the levels from 5 to 3 by removing Maturity Levels 2 and 4, eliminated the 20 "CMMC-specific" practices that were part of the old Maturity Level 3, and removed the CMMC "processes", which required documented processes and procedures. So Level 1 is unchanged, Level 2 is the old Maturity Level 3 (now aligned with the 110 requirements of NIST SP 800-171), and Level 3 takes the place of the old Maturity Level 5.
Companies at Level 1 will be required to self-attest their compliance annually, Level 2 companies will be assessed by a CMMC Third-Party Assessment Organization (C3PAO) accredited by the CMMC-AB every three years, and Level 3 companies will be assessed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A small number of Level 2 companies may be eligible for self-attestation instead (the criteria are TBD), and others may be granted a waiver. That process has not been fully vetted.
How do I get certified at Level 2?
An accreditation body is enlisting assessment companies today. Visit the CMMC-AB marketplace to find an assessment organization.
Do I have to pay for an assessment?
Yes, but the cost has not been determined. Some prime contractors may be paying for the assessments so check with your compliance officers.
What is the NIST SP 800-171 DoD Assessment Score, or Supplier Performance Risk System (SPRS) score?
The DoD has developed a scoring rubric as part of its NIST SP 800-171 DoD Assessment Methodology dated June 24th, 2020. The score starts at 110 (one point per 800-171 requirement) and loses the weighted value of every requirement that is not implemented, so it can be negative. The Security Catapult, as part of your CMMC assessment, will generate a SPRS score and SPRS assessment report from your answers. Please see this page for more details. DoD prime contractors are required to register with the Supplier Performance Risk System, enter their score, and upload a copy of their System Security Plan as part of a Basic Assessment.
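The scoring arithmetic behind that rubric is easy to get wrong at the edges (partial credit, not-applicable requirements, the floor), so here is an added calculator written for this page. It is not the Catapult product's code or the DoD's worksheet: the deduction rules (110 baseline, 5/3/1 weights, 3-point partial credit for 3.5.3 and 3.13.11 only, -203 floor) are the published ones, but the requirement catalog below is a constructed subset whose per-requirement weights are for illustration and should be checked against the official methodology annex.

```python
"""Added example: a NIST SP 800-171 DoD Assessment (SPRS) score calculator.

Rules applied (from the DoD Assessment Methodology):
  * start at 110 and subtract the weight (5, 3 or 1) of each requirement
    that is not implemented;
  * a partial implementation counts as not implemented, except 3.5.3 (MFA)
    and 3.13.11 (FIPS-validated cryptography), which lose 3 points rather
    than 5 when partially implemented;
  * requirements assessed as not applicable are not deducted;
  * the lowest possible score is -203.
The CATALOG is a constructed sample, not the full 110-requirement worksheet.
"""
from dataclasses import dataclass
from typing import Dict, Optional

MAX_SCORE = 110
MIN_SCORE = -203
STATUSES = {"implemented", "partial", "not_implemented", "not_applicable"}


@dataclass(frozen=True)
class Requirement:
    ident: str
    weight: int                            # 5, 3 or 1 per the methodology
    partial_weight: Optional[int] = None   # only 3.5.3 and 3.13.11 carry one


# Constructed, illustrative subset of the worksheet (verify weights yourself).
CATALOG: Dict[str, Requirement] = {r.ident: r for r in [
    Requirement("3.1.1", 5),    # limit system access to authorized users
    Requirement("3.1.2", 5),    # limit access to permitted transactions/functions
    Requirement("3.1.20", 1),   # verify and control connections to external systems
    Requirement("3.3.1", 5),    # create and retain audit logs
    Requirement("3.5.3", 5, partial_weight=3),    # multifactor authentication
    Requirement("3.13.11", 5, partial_weight=3),  # FIPS-validated cryptography
    Requirement("3.14.1", 5),   # identify, report and correct flaws in a timely manner
    Requirement("3.14.2", 5),   # protection from malicious code
    Requirement("3.14.4", 5),   # update malicious code protection mechanisms
]}


def deduction(req: Requirement, status: str) -> int:
    """Points lost for one requirement given its assessed status."""
    if status not in STATUSES:
        raise ValueError(f"{req.ident}: unknown status {status!r}")
    if status in ("implemented", "not_applicable"):
        return 0
    if status == "partial" and req.partial_weight is not None:
        return req.partial_weight
    return req.weight  # not implemented, or partial without partial credit


def _check(statuses: Dict[str, str], catalog: Dict[str, Requirement]) -> None:
    """Every catalog requirement must be assessed; nothing extra is allowed."""
    missing = sorted(set(catalog) - set(statuses))
    if missing:
        raise ValueError(f"unassessed requirements: {missing}")
    unknown = sorted(set(statuses) - set(catalog))
    if unknown:
        raise ValueError(f"not in catalog: {unknown}")


def sprs_score(statuses: Dict[str, str],
               catalog: Dict[str, Requirement] = CATALOG) -> int:
    """Score a completed worksheet, clamped at the methodology's floor."""
    _check(statuses, catalog)
    total = MAX_SCORE - sum(deduction(catalog[i], s) for i, s in statuses.items())
    return max(total, MIN_SCORE)


def breakdown(statuses: Dict[str, str],
              catalog: Dict[str, Requirement] = CATALOG) -> Dict[str, int]:
    """Non-zero deductions per requirement, for the assessment report."""
    _check(statuses, catalog)
    return {i: d for i, s in statuses.items() if (d := deduction(catalog[i], s))}


if __name__ == "__main__":
    worksheet = {i: "implemented" for i in CATALOG}
    worksheet.update({"3.5.3": "partial",            # MFA only on remote/privileged access
                      "3.13.11": "not_implemented",  # non-validated crypto modules
                      "3.1.20": "not_implemented"})
    print(sprs_score(worksheet), breakdown(worksheet))
```

The calculator refuses an incomplete worksheet rather than silently treating unassessed requirements as implemented, which is the mistake that produces inflated self-reported scores.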
Digging in to the CMMC
What are CMMC Domains?
CMMC 1.0 groups its practices (controls) into 17 Domains; CMMC 2.0 Level 2 uses the 14 requirement families of NIST SP 800-171 instead. The grouping is organizational, but it also serves as a natural structure for your security plans and policies.
What are Capabilities?
Within each Domain, the CMMC 1.0 practices are further grouped into 43 Capabilities. This too is for organizational purposes, and it is another meaningful way to group policies.
What are Practices?
CMMC Practices are what other frameworks call controls: each one states a specific thing that must be done. CMMC 1.0 defines 171 Practices in total.
Do I have to implement every Practice?
The practices you need to implement depend on the level you wish to achieve. Level 1 has 17 required practices, Level 2 has 110 (the NIST SP 800-171 requirements), and the Level 3 set has not been determined yet, but will be based upon NIST SP 800-172.
What are Processes, and how do they relate to the rest of this?
Processes were phased out in CMMC 2.0. In version 1.0 the CMMC describes Processes as a way to measure organizational maturity; they are really about documentation, organizational oversight, and governance. While these are not part of CMMC 2.0, they may return in future iterations. The Process maturity levels were also cumulative.
- Process Maturity Level 1 – Process Maturity is not measured at Level 1, so there are no documentation requirements. You enact the 17 practices as described and can prove this to an auditor.
- Process Maturity Level 2 – The 72 required practices are in place, and the organization has created a policy or policies for each practice to be in place. Policies should be grouped by Domain, but may be further grouped by capability.
- Process Maturity Level 3 – The organization must create a Security Plan for each Domain. The Plan must describe how the organization is implementing each Practice. What tools are you using? Are there costs? How about training requirements? A Security Plan may be one document, or a series of documents, describing your implementation.
- Process Maturity Level 4 – Now the organization must measure the effectiveness of its practices and be able to report to management/leadership on how well those practices are performing. For some Practices this is straightforward, such as tracking compliance with your security patch policy as a percentage, or confirming that unused accounts are disabled in a timely fashion. Others may be less obvious, such as measuring the effectiveness of your procedures for handling CUI (AM.3.036).
- Process Maturity Level 5 - At this level, you have applied everything from Levels 1-4 across the entire organization, not just a smaller subset concerned with the DoD contracts. For most smaller organizations, once you get to Level 4, you probably have Level 5 completed.
Frequently Asked Questions
How do I write a Policy?
CMMC 2.0 no longer requires documented process maturity, so a policy is not a certification requirement in itself; however, every organization should have leadership-approved policies backing up its cybersecurity efforts. A policy is a statement of a practice that has been put into place and is required by the organization. You may want to group Policies by Capability or by Domain. Policies must be approved by a leadership position, management team, or Board, reviewed annually, and carry a revision history.
The CMMC Catapult will prompt you to answer questions about your Practice implementation, and generate Policies on the fly! The CMMC Catapult will then check in with you on a regular basis for changes, and remind you to resubmit the policy for approval each year.
How do I document the Practices to achieve Process Maturity Levels?
Let's take Practice SI.L1-3.14.2 (NIST SP 800-171 3.14.2) - Provide protection from malicious code at appropriate locations within organizational information systems. This is a Level 1 Practice, so EVERYONE needs to implement it. But suppose you are trying to achieve a Maturity Level 3 certification under the 1.0 process model, so what do you do?
- Maturity Level 1: Install Anti-virus/Anti-Malware software on all your workstations and servers! An auditor may ask for you to show the installation to them, so take screenshots of the software installed, or of an administrative dashboard showing the status of the software on each workstations and server.
- Maturity Level 2: Create a policy which simply states: "All workstations will have anti-malware software installed. The software will update regularly, automatically scan for malware, and notify staff if malware is detected." Note that this policy also covers the next two required Level 1 practices in this domain, which call for regular signature updates and for periodic and real-time scanning. You may add to your policy a minimum update frequency (hourly) and a scanning frequency (daily).
- Maturity Level 3: Describe your implementation in your Plan: Now you are specific about what anti-malware product you have installed, how much it costs, how often it checks for updates, and how often it scans the workstations. You can add other details about notifications, costs and licensing.
- Maturity Level 4: Start tracking anti-virus statistics on a regular basis. What percentage of hosts are updating as required? What percentage are running scans as required? When that information is gathered on a weekly or monthly basis, report it to management or leadership as part of a security report.
- Maturity Level 5: The organization has deployed anti-virus, as described, across all organizational units. Your initial deployment may be to a small subset of workstations directly involved with a DoD contract, but now you have deployed it to everyone in the company.
If this seems like a lot, it is! Your organization may be overwhelmed implementing all of the practices, and not have the time to create all the documentation needed to achieve the required process maturity. The CMMC Catapult will create policies and plans on the fly, and give you tools to record your implementations. Contact us now!
How do I write a plan?
While the Security Plan "process" requirement was removed from CMMC 2.0, a System Security Plan is itself a requirement of NIST SP 800-171 (3.12.4), so organizations will still need one.
Designed at the Domain level, the Plan describes how you are implementing the practices within each applicable capability in your organization. It includes details such as staffing, training, funding, and the tools implemented. It may feel redundant with your policy, and in some cases it will be. Where a policy is generic about what is required ("All workstations have anti-virus"), the Plan is specific ("All workstations have 'Product Name' installed").
The CMMC Catapult will prompt you for all this information, and generate the Plan for you when you are done! The CMMC Catapult will prompt you regularly to verify this information, and update the Plan for you too!
How do I measure effectiveness?
Let's take Practice SI.L1-3.14.1 (NIST SP 800-171 3.14.1) - Identify, report, and correct information and information system flaws in a timely manner. You have implemented a patch management system to update all your workstations, and your policy states that all operating system patches are installed within 30 days. Start checking your patch management dashboard to see how many workstations are up to date. Most systems will let you exclude patches released within a recent timeframe when reporting, so you measure only patches that are actually past their deadline and get an accurate percentage of how the patch management system is performing. Record what percentage of workstations are up to date each month, and include it in a report to management.
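The two metrics this page asks you to track, the anti-malware statistics from the Process Maturity Level 4 step above and the patch percentage just described, are the same kind of calculation: which hosts meet a policy threshold as of the reporting date. The following is an added example written for this page, not the Catapult product's code. The host inventory and the thresholds (30-day patch window, daily definition updates, weekly scans) are constructed assumptions; in practice the same fields come from the patch-management and anti-malware consoles.

```python
"""Added example: patch-compliance and anti-malware metrics for a monthly
security report, computed from a (constructed) host inventory.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Policy thresholds (assumed for this example).
PATCH_WINDOW_DAYS = 30         # OS patches installed within 30 days of release
SIGNATURE_MAX_AGE_HOURS = 24   # anti-malware definitions updated at least daily
SCAN_MAX_AGE_DAYS = 7          # full scan at least weekly


@dataclass
class Host:
    name: str
    missing_patches: List[Tuple[str, date]] = field(default_factory=list)  # (patch id, release date)
    signature_time: Optional[datetime] = None   # last definition update; None = agent not reporting
    last_scan_time: Optional[datetime] = None


def overdue_patches(host: Host, as_of: date) -> List[str]:
    """Missing patches released PATCH_WINDOW_DAYS or more before as_of.
    Newer missing patches are still inside the policy window and are excluded,
    so the metric only counts real failures. A patch released exactly
    PATCH_WINDOW_DAYS ago has been outstanding for the full window and is overdue."""
    cutoff = as_of - timedelta(days=PATCH_WINDOW_DAYS)
    return [pid for pid, released in host.missing_patches if released <= cutoff]


def patch_compliant(host: Host, as_of: date) -> bool:
    return not overdue_patches(host, as_of)


def av_compliant(host: Host, as_of: datetime) -> bool:
    """Definitions fresh and a recent scan. An agent that is not reporting is
    treated as a failure, not as unknown, so it cannot inflate the percentage."""
    if host.signature_time is None or host.last_scan_time is None:
        return False
    return (as_of - host.signature_time <= timedelta(hours=SIGNATURE_MAX_AGE_HOURS)
            and as_of - host.last_scan_time <= timedelta(days=SCAN_MAX_AGE_DAYS))


def compliance_pct(hosts: List[Host], predicate: Callable[[Host], bool]) -> float:
    if not hosts:
        raise ValueError("empty inventory: a percentage would be meaningless")
    return round(100.0 * sum(predicate(h) for h in hosts) / len(hosts), 1)


def monthly_report(hosts: List[Host], as_of: datetime) -> Dict[str, object]:
    """The numbers and the exception lists to hand to leadership each month."""
    day = as_of.date()
    return {
        "as_of": day.isoformat(),
        "patch_compliance_pct": compliance_pct(hosts, lambda h: patch_compliant(h, day)),
        "av_compliance_pct": compliance_pct(hosts, lambda h: av_compliant(h, as_of)),
        "patch_exceptions": {h.name: overdue_patches(h, day)
                             for h in hosts if not patch_compliant(h, day)},
        "av_exceptions": [h.name for h in hosts if not av_compliant(h, as_of)],
    }


# Constructed sample inventory, reported as of 2023-06-01 09:00.
AS_OF = datetime(2023, 6, 1, 9, 0)
FLEET = [
    Host("ws01", [("KB-A", date(2023, 5, 25))], datetime(2023, 6, 1, 3, 0), datetime(2023, 5, 30, 2, 0)),   # patch 7 days old: inside window
    Host("ws02", [("KB-B", date(2023, 4, 15))], datetime(2023, 6, 1, 1, 0), datetime(2023, 5, 28, 2, 0)),   # patch 47 days old: overdue
    Host("ws03", [], datetime(2023, 5, 29, 12, 0), datetime(2023, 5, 30, 2, 0)),                           # definitions 3 days old
    Host("ws04", [], datetime(2023, 6, 1, 8, 0), datetime(2023, 5, 31, 2, 0)),                             # fully compliant
    Host("ws05", [], None, None),                                                                          # agent not reporting
    Host("srv01", [("KB-C", date(2023, 5, 1))], datetime(2023, 5, 31, 20, 0), datetime(2023, 5, 24, 2, 0)),  # patch 31 days old; scan 8 days old
]

if __name__ == "__main__":
    print(monthly_report(FLEET, AS_OF))
```

Keeping the exception lists next to the percentages matters: a number alone tells leadership how the program is doing, while the list of named hosts is what the people fixing it need, and it is what an assessor will ask to see.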
The CMMC Catapult can remind you to check the report, provide a place to upload the report, and track the percentage over time for you!