The Cybersecurity Maturity Model Certification (CMMC) is a framework for cybersecurity that all companies contracting with the US Department of Defense (DoD) must comply with. Version one of the CMMC model was released in January 2020, and all defense contractors will eventually need to achieve the required CMMC maturity level to continue working on existing contracts or bidding on new ones.
There are five CMMC levels with a hierarchical structure, meaning each level has the requirements of the level below it in addition to requirements that are new to that level. The levels range from 1 to 5, with CMMC Level 1 indicating basic cyber hygiene.
Each DoD contract will specify the minimum CMMC level that contractors will need before they can bid on it. The DoD determines the CMMC level for each contract based on the type of Controlled Unclassified Information (CUI) that contractors will need to handle. Many contracts will require CMMC Level 3 because this is the lowest level that fully achieves the goal of CUI protection by incorporating all the requirements of NIST SP 800-171 in addition to requirements from other sources.
Beryllium InfoSec Collaborative educates users and helps organizations take ownership over their cybersecurity. Our cuick trac™ software is a solution for meeting CMMC Level 3 requirements and other government security standards. Contact us to request a free security consultation and demo.
DoD contractors have been required to maintain specific cybersecurity protocols since the passage of Defense Acquisition Federal Regulation Supplement (DFARS) in 2015. CMMC is a tool that helps contractors achieve compliance with these regulations, and it also helps auditors assess the security posture of contractors. Its overall purpose is to improve cybersecurity across the network of DoD contractors, especially the DoD’s supply chain known as the Defense Industrial Base (DIB).
These contractors handle two types of sensitive information, including Federal Contract Information (FCI) and CUI. FCI is information related to contracts generated by federal organizations or otherwise related to them that aren’t intended for public access or use. CUI is information that’s legally required to be confidential but isn’t currently classified. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) worked with Federally Funded Research and Development Centers (FFRDs) and University Affiliated Research Centers (UARCs) to develop the CMMC.
The major elements of the CMMC framework include 17 domains and five levels. Domains are categories of cybersecurity practices based on Federal Information Processing Standards (FIPS) Publication 200, which lists 43 capabilities governing these practices. CMMC Levels are progressive measures of an organization’s increasing security maturity that consist of practices and processes. Practices are the individual security behaviors, controls and protocols required to achieve the given maturity level, while processes indicate the extent of institutionalization of those practices within the organization.
CMMC requires DoD contractors to implement these practices according to the standards specified by National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171. The CMMC framework works with NIST SP 800-171 to ensure contractors have the controls in place that are appropriate for the CUI they will handle for their contracts.
CMMC also combines elements of other frameworks such as Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252- 204-7012 to protect CUI and Federal Acquisition Regulation (FAR) Clause 52.203-21 to protect FCI.
CMMC Level 3 is classified as Good Cyber Hygiene and should be the minimum CMMC level for any contractor that generates or has access to CUI. A contractor certified at this level has implemented all the security controls required by NIST SP 800-171, meaning that it’s able to meet most threats in keeping information secure.
However, contractors at Level 3 may find it difficult to fend off advanced persistent threats (APTs). Furthermore, they must document and report such cybersecurity incidents if they need to meet DFARS clause 252.204-7012 standards.
CMMC Level 3 has a total of 130 practices that contractors must implement to achieve this maturity level, including the 58 that are new to Level 3. Institutionalizing these practices is more challenging at this level because it requires organizations to transition from merely documenting processes to actively managing them.
A Certified Third Party Assessment Organization (C3PAO) qualified by the CMMC Accreditation Body (CMMC-AB) grants CMMC certification after an audit that establishes a baseline of the contractor's security posture. C3PAOs should also walk contractors through all stages of implementing, documenting and managing their processes, which involves demonstrating that you have the planning and resources needed to maintain CMMC compliance
CMMC Volume 1.02, published in March 2020, shows that CMMC Level 2 requires an organization to implement 72 practices. Level 3 adds another 58 practices, bringing the total number of practices for Level 3 to 130.
Forty-five of the new practices come from NIST SP 800-171, while the remaining 13 come from other sources. The 58 practices that are new for Level 3 fall into the following 16 domains:
CMMC Level 3 introduces the following eight Access Control practices.
Level 3 introduces the first Asset Management practice as follows:
CMMC Level 3 introduces the following seven Audit and Accountability practices:
Level 3 introduces the first Awareness and Training practice as follows:
CMMC Level 3 introduces the following three Configuration Management practices:
CMMC Level 3 introduces the following four Identification and Authentication practices:
CMMC Level 3 introduces the following two Incident Response practices:
CMMC Level 3 introduces the following two Maintenance practices:
CMMC Level 3 introduces the following four Media Protection practices:
Level 3 introduces the first Physical Protection practice as follows:
Level 3 introduces the first Recovery practice as follows:
CMMC Level 3 introduces the following three Risk Management practices:
CMMC Level 3 introduces the following two Security Assessment practices:
Level 3 introduces the first Situational Awareness practice as follows:
Level 3 introduces 15 new controls for System and Communications, the most of any domain. These include the following:
CMMC Level 3 introduces the following three System and Information Integrity practices:
Cuick trac™ is a pre-configured, secure virtual enclave that allows government contractors to handle, store, and process CUI, along with the supporting documentation you need to meet NIST SP 800-171 requirements.
Learn how cuick trac™ can help your organization prepare for CMMC Level 3 compliance. Request a free cuick trac™ demo today or speak with one of the security experts at Beryllium InfoSec about your cybersecurity needs.