Cybersecurity Maturity Model Certification

From Wikipedia, the free encyclopedia

The Cybersecurity Maturity Model Certification (CMMC) is a training, certification, and third-party assessment program for cybersecurity in the United States Defense Industrial Base (DIB).[1] It measures the maturity of an organization's cybersecurity processes (process institutionalization) in order to demonstrate compliance with the requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).[2]

The CMMC framework was initially developed under a memorandum of understanding and is now governed by a contract between the United States Department of Defense (DoD) and a non-profit accreditation board composed of industry stakeholders.[3]

The framework, designed to improve cyber hygiene through the maturation of practices and processes,[4] will affect the $712bn defense industry, which accounts for 3.2% of the Gross Domestic Product of the United States of America.[5]

History

In 2019, the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) as a replacement for the self-attestation mechanism that had previously been used to govern the basic cyber hygiene of organizations in the Defense Industrial Base. Since 2017, all defense contractors had been required to self-assess and report their cybersecurity readiness against the standard.

After a series of breaches in the supply chain,[6] the Department of Defense, working in partnership with industry, created the CMMC model.

The CMMC puts an end to self-assessment and requires a third-party assessor to verify an organization's cybersecurity maturity level.[7]

Katie Arrington was appointed Chief Information Security Officer for Acquisition for the Office of the Under Secretary of Defense for Acquisition and Sustainment to lead the effort.[8]

An interim rule authorizing the inclusion of CMMC in procurement contracts, Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041, was published on September 29, 2020, with an effective date of November 30, 2020.[9]

On December 8, 2020, the CMMC Accreditation Board and the Department of Defense released an updated timeline[10] that has the model fully implemented by September 2021.

On December 8, 2020, the Department of Defense also released seven pathfinder contracts that will pilot the CMMC framework and require any contractor on those contracts to have a certified third-party assessor measure the company's compliance.[11]

On December 31, 2020, the General Services Administration released a Request for Proposal for its Polaris program, which noted that, while CMMC currently applies only to the Department of Defense, all government contractors, civilian or military, should prepare to meet CMMC requirements.[12]

On November 4, 2021, the Department of Defense announced the release of CMMC 2.0,[13] a new version designed to streamline the program's requirements.

Purpose

The CMMC measures cybersecurity maturity through processes, practices, and focus areas, as illustrated in the table below:[14]

| Level | Process    | Practice                   | Focus Area                                                                                                              |
|-------|------------|----------------------------|-------------------------------------------------------------------------------------------------------------------------|
| 1     | Performed  | Basic Cyber Hygiene        | Safeguard Federal Contract Information (FCI)                                                                            |
| 2     | Documented | Intermediate Cyber Hygiene | Serve as a transition step in the cybersecurity maturity progression toward protecting Controlled Unclassified Information (CUI) |
| 3     | Managed    | Good Cyber Hygiene         | Protect Controlled Unclassified Information (CUI)                                                                       |
| 4     | Reviewed   | Proactive                  | Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)                                                   |
| 5     | Optimizing | Advanced/Progressive       |                                                                                                                         |

The CMMC organizes these processes, practices, and focus areas into a model framework consisting of 17 domains that are mapped across the five levels.

CMMC Domains and Maturity levels

To achieve a given CMMC level, an organization must also demonstrate that it has achieved all of the levels preceding it.

CMMC Maturity Process Progression

To provide additional structure, the framework aligns the practices to a set of capabilities within each domain.

CMMC Model Framework

Furthermore, the model consists of 171 cybersecurity best practices, mapped across the five levels for all capabilities and domains.

CMMC levels and practices

The CMMC office has promised forthcoming guidance to help companies determine which level of accreditation they should seek, depending on their role as a prime contractor or subcontractor on various contracts.

Additional information can be found on the official FAQ.[4]

Controversy

Industry professionals have voiced significant concern over the lack of centralized official communications and the accelerated rollout timeline. The sheer number of companies affected in the Defense Industrial Base creates a volume of assessments for the not-yet-accredited CMMC Third Party Assessment Organizations (C3PAOs) that appears unrealistic by the proposed deadlines, a point that has been discussed heavily on LinkedIn.[15][16] Arrington has responded by asserting that reciprocity with existing certification programs such as FedRAMP and FIPS 140 will remove duplicative work and keep the workload minimal for companies already in compliance.[17]

There were also allegations of cronyism over the appointment of Ty Schieber as Chairman of the CMMC Accreditation Body, as Schieber and Katie Arrington had worked together previously.[18] Schieber subsequently left the board, along with communications director Mark Berman, amidst an apparently unsanctioned 'Pay to Play' sponsorship program being published on the CMMC-AB website. Karlton Johnson stepped into the Chair role.[19][20]

References

  1. "CMMC explained: What defense contractors need to know". 8 April 2020.
  2. "CMMC Public Briefing" (PDF).
  3. Jackson Barnett (30 November 2020). "CMMC board inks new deal with DOD, solidifying its place rolling out new cyber standards". FedScoop.
  4. "Cybersecurity Maturity Model Certification (CMMC)".
  5. Stockholm International Peace Research Institute. "Trends in World Military Expenditure, 2019" (PDF), pages 2-3. Accessed Dec. 7, 2020.
  6. "FBI Strategy Addresses Evolving Cyber Threat". Federal Bureau of Investigation. 2020-09-16. Retrieved 2021-01-08.
  7. OUSD A&S (2020-12-10). "Cybersecurity Maturity Model Certification (CMMC)". OUSD A&S - Home. Retrieved 2021-01-08.
  8. Eversden, Andrew (Jun 25, 2020). "'Lightning in her veins': How Katie Arrington is convincing defense contractors to love cybersecurity". C4ISRNET. Retrieved Jan 9, 2021.
  9. "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)". Federal Register. Sep 29, 2020. Retrieved Jan 9, 2021.
  10. "Update on the CMMC Timeline". CyberDI. Jan 5, 2021. Retrieved Jan 9, 2021.
  11. Serbu, Jared (2020-12-15). "Pentagon reveals first contracts to serve as pathfinders for CMMC". Federal News Network. Retrieved 2021-01-08.
  12. Boyd, Aaron (2021-01-04). "GSA Releases Draft of New Government IT Services Contract Polaris". Nextgov.com. Retrieved 2021-01-08.
  13. "OUSD". November 4, 2021.
  14. "Explaining CMMC and DoD's ABCs of Cybersecurity". 30 September 2020.
  15. "Tech companies tell DoD its new cyber standards are missing the mark". Federal News Network. Mar 27, 2020. Retrieved Jan 9, 2021.
  16. "DoD warns vendors about fake third-party CMMC certifiers". Federal News Network. Feb 24, 2020. Retrieved Jan 9, 2021.
  17. Williams, Lauren C. (Sep 8, 2020). "CMMC reciprocity guidelines are still a work in progress". FCW. Retrieved Jan 9, 2021.
  18. "DOD's Arrington Threatens To Disband CMMC AB Hand Accreditation Authority To Body Subject To Peer Audits by China". Oxebridge. 30 September 2020. Retrieved 2021-01-09.
  19. "Cybersecurity Maturity Model Certification Issues". Fedscoop. 28 July 2020. Retrieved 2021-01-09.
  20. "CMMC AB Ousts Chairman Ty Schieber and Mark Berman". Fedscoop. 16 September 2020. Retrieved 2021-01-09.
