The US Department of Defense (DoD) cybersecurity standard, the Cybersecurity Maturity Model Certification (CMMC), establishes 5 maturity levels.1 The core objective of the certification is to ensure that vendors providing products and services to the DoD have an appropriate level of implemented cybersecurity capabilities; hence, the CMMC standard. The higher the CMMC Maturity Level, the greater the requirements are to secure the organization. The CMMC combines various cybersecurity standards and maps these best practices and processes to corresponding maturity levels, ranging from basic cyberhygiene to highly advanced practices.
The CMMC defines 5 distinct Maturity Levels, which include:2
- Level 1—Performed (basic cyberhygiene)
- Level 2—Documented (intermediate cyberhygiene)
- Level 3—Managed (good cyberhygiene)
- Level 4—Reviewed (proactive)
- Level 5—Optimizing (advanced/progressive)
Organizations need to examine the CMMC model and its applicability to secure the cybersecurity supply chain. Maturity Level 1 (ML1), which is the first step to establishing the foundation of resilience in the cybersecurity supply chain is examined here. Achieving ML1 certification establishes a credible foundation for the CMMC levels that follow.
ORGANIZATIONS NEED TO EXAMINE THE CMMC MODEL AND ITS APPLICABILITY TO SECURE THE CYBERSECURITY SUPPLY CHAIN.
ML1 addresses the protection of US federal contract information (FCI). This level encompasses the basic safeguarding requirements for FCI, which are specified in the US Federal Acquisition Regulation (FAR) Clause 52.204-21.3 FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simplified transactional information, such as necessary to process payments.” DoD contracts that specify the need for a contractor to process, store or transmit FCI require the organization to comply with CMMC Maturity Level 1 practices. There is no process maturity assessed at Level 1.
Organization of the CMMC Framework
The CMMC framework organizes cybersecurity processes and best practices into a set of domains. There are 17 capability domains defined in the CMMC. Process maturity, or process institutionalization, characterizes the extent to which an activity is embedded in the operations of an organization. Practices are activities performed at each level for the domain. Each level consists of practices and processes as well as those specified in lower levels. In addition to assessing an organization’s implementation of cybersecurity practices, the CMMC also assesses the organization’s institutionalization of cybersecurity processes.
ML1 Domains, Practices and Capabilities
ML1 includes practice requirements associated with the following domains:
- Domain 1—Access Control (AC), 4 practices
- Domain 6—Identification and Authentication (IA), 2 practices
- Domain 9—Media Protection (MP), 1 practice
- Domain 11—Physical Protection (PE), 4 practices
- Domain 16—System and Communications Protection (SC), 2 practices
- Domain 17—System and Information Integrity (SI), 4 practices
ML1 requirements include 17 practices across 6 domains. This level establishes requirements for 16 capabilities and requires an organization to perform the practices specified within. Since the organization may only be able to perform these practices in an ad hoc manner and may or may not rely on documentation, process maturity is not assessed for ML1.
The CMMC maturity levels and associated sets of processes and practices across domains are cumulative. For an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels. ML1 is the starting point defined in the CMMC model. Organizations that process FCI data and Controlled Unclassified Information (CUI) are required to meet the criteria of higher Maturity Levels, such as Maturity Level 2 or Maturity Level 3. The highest Maturity Level that an organization can achieve is Maturity Level 5 (ML5). The objective of ML5 is to ensure that the organization is prepared to address advanced persistent threats (APTs) using implemented capabilities.
A good starting point for any organization interested in the CMMC is ML1. Get started and perform a readiness assessment to address the requirements associated with ML1.
Endnotes
1 Office of the Under Secretary of Defense for Acquisition and Sustainment—Cybersecurity Maturity Model Certification; CMMC Model, USA, 2020
2 PreVeil; “What Are the 5 Levels of CMMC?” USA, 2020
3 Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, and The Johns Hopkins University Applied Physics Laboratory LLC, Baltimore, Maryland, USA, Cybersecurity Maturity Model Certification (CMMC) Version 1.02, 18 March 2020
Uday Ali Pabrai, CMMC RP, CISSP, HITRUST CCSFP, MSEE, Security+
Is the chief executive of ecfirst, an Inc. 500 business. His career was launched with the US Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory, in Chicago, Illinois, USA. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. Pabrai can be reached at Pabrai@ecfirst.com.