Title : CMMC Explained

Posted by : Tariq Azmi | 2020-10-15

In response to the growing number of cyber threats that continue to threaten our national security, the Department of Defense (DoD) has implemented the Cybersecurity Maturity Model Certification (CMMC). Its purpose is to ensure that Defense Industrial Base suppliers (DIBS) are adequately protecting sensitive data known as Controlled Unclassified Information (CUI). We are only as strong as our weakest link: one machine shop that doesn't follow the simplest security rule of changing a password, or that has no safeguards in place, is the link in the DoD's supply chain that can potentially compromise national security.

The CMMC model ensures that DoD contractors, and any other organizations within their supply chain, have been certified as having systems and practices in place that meet the cybersecurity requirements of their specific certification level.

Prior to the implementation of the CMMC, the DoD still required its contractors to adhere to existing security standards, such as NIST 800-171; however, these contractors could self-attest that they were compliant. Over time, multiple prime contractors and/or sub-contractors were the source of either a hack, malware, or ransomware.

Level 1: Basic Cyber Hygiene 

Level 1 focuses on safeguarding information based on the requirements set forth in 48 CFR 52.204-21. Contractors looking to achieve Level 1 status need to have basic cybersecurity controls in place. Rather than handling CUI, these organizations are more likely to deal with Federal Contract Information (FCI).

Level 1 certification requires compliance with 17 practices as defined in the CMMC model. These 17 required practices fall under a few specific domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.

Level 2: Intermediate Cyber Hygiene 

Level 2 acts as a transitional step, as companies need to expand their scope from protecting FCI to protecting CUI. Organizations looking to obtain Level 2 certification need to protect CUI under the specific guidelines set forth in NIST SP 800-171.

The main transition between Level 1 and Level 2 is the inclusion of a maturity model. This model requires the organization to establish and document policies, procedures, and other strategic plans surrounding IT security.

Level 2 certification requires compliance with 65 NIST 800-171 requirements, plus 7 other practices. In addition to the practices referenced for Level 1 compliance, organizations seeking Level 2 certification must document the specific policies and procedures they have in place for carrying out these practices. These practices fall into 15 domains. Beyond the domains covered at Level 1, organizations seeking Level 2 certification must comply with practices in additional domains. Of the 17 CMMC domains in total, some of those added at Level 2 are Audit and Accountability, Awareness and Training, Configuration Management, Incident Response, Maintenance, Personnel Security, Recovery, Risk Management, and Security Assessment.

Level 3: Good Cyber Hygiene 

To reach Level 3, an organization must comply with various standards and controls across multiple frameworks, including all security requirements of NIST 800-171 and DFARS Clause 252.204-7012.

To gain Level 3 certification, organizations must demonstrate that they have implemented effective security controls and that they can protect CUI. In relation to the maturity process, the organization must essentially prove that it has successfully implemented, and is adhering to, the policies, procedures, and plans established at Level 2.

Level 3 certification requires compliance with all 110 NIST 800-171 requirements, plus 20 other practices, falling into all of the CMMC domains. Over and above the domains for Levels 1 and 2, the required controls for Level 3 fall into the remaining domains as well: Asset Management and Situational Awareness.

Level 4: Proactive 

Level 4 certification deals largely with protecting CUI from Advanced Persistent Threats (APTs), which are generally nation-state sponsored threat actors who are highly dangerous to the nation's security. Organizations hoping to achieve this level of certification must demonstrate that they have proactive measures in place to safeguard CUI from these stealthy adversaries.