CMMC – The New DoD CyberSecurity Standard 

12/20/19 - Cybersecurity Maturity Model Certification Draft Version 0.7 Released

Updates regarding the new CMMC draft version 0.7 are out for public review. The full version of this release can be found here. As we near the final revisions of CMMC, it is critical to understand and prepare for this new cybersecurity standard before it is released, regulated, and enforced in future DoD contracts.

 

Notable Changes in the Draft

42 New Controls 

  • 26 new controls have been added to Level 4 

  • 16 new controls have been added to Level 5 

  • 3 controls have been moved up from Level 2 to Level 3 

  • 17 controls are completely new and unique to CMMC 

  • 16 controls have been taken from NIST SP 800-171B, 9 of which have been modified. 

  • 2 controls have been taken and modified from NIST SP 800-171 

  • 2 controls are from NIST CSF 

  • 1 control is from ISO 27001 

 

Changes to Practices, Capabilities, and Processes 

  • Practices have been included for Levels 4 and 5 

  • Capabilities and practices have remained the same for Levels 1, 2, and 3 with some clarification provided 

  • Appendices have been added to better illustrate what the Maturity Model looks like, including a broader clarification of the model. It is interesting to note that, with the clarification of the Maturity Levels, CMMC can be viewed as having two types of requirements: practices and processes.

 

CMMC Version 1.0 Expected Release in January 2020 

The timetable for rolling out CMMC remains unchanged. The final version, 1.0, is due out before the end of January. Those in charge of CMMC have done a very good job of sticking to their time commitments and deadlines, so there is no reason to believe that June 1st will not see the first inclusion of CMMC Maturity Levels in all RFIs, with August/September bringing the requirement to respond to all RFPs and re-competes.

 

 

----------------------------------------------------------------------------------------------------------------------

 

 

Cybersecurity Maturity Model Certification Draft Version 0.6 Released Friday, November 8th, 2019

As promised, the Office of the Under Secretary of Defense for Acquisition & Sustainment released draft version 0.6 of the CMMC in the first week of November.

PDF - DRAFT CMMC Draft Version 0.6 

Draft version 0.6 updates the technical practices for Levels 1-3; the updated technical practices for Levels 4-5 will follow in the next public release. One of the key points to note in version 0.6 is Appendix B, which clarifies Level 1 with examples that are meant to help, not to guide. The version 0.4 model and the version 0.6 model differ in context: if you compare the two, 0.4 listed basic requirements that were incomplete, while version 0.6 adds clarification and moves some requirements from Level 1 to Level 2.

Level 3 begins policy-driven requirements. These requirements are based on NIST SP 800-171. We will find out more in the next release. 

Stay tuned for more updates.

 

----------------------------------------------------------------------------------------------------------------------

 

CMMC UPDATES 10/30/19

Katie Arrington, Chief Information Security Officer at the Office of the Under Secretary of Defense for Acquisition and Sustainment, just shared insights on the progress of CMMC. Here are some of the key points mentioned.

ALL COMPANIES IN THE SUPPLY CHAIN WILL NEED SOME LEVEL OF CMMC

The thought of not needing a cybersecurity model in your business is now a thing of the past. No matter the size of the company or its level of involvement, CMMC will mandate that your organization reach a level within the CMMC. At a minimum, you will be required to maintain basic cybersecurity hygiene.

FULL IMPLEMENTATION PREDICTED BY 2025

Although this seems a distant time frame, starting your CMMC journey needs to be a priority. Identify the level that best matches the needs of your organization and build a path to reach it. After all, this is not just a checklist item. These are steps that will secure and protect your role within the supply chain.

RE-CERTIFICATION PERIODS

  • Level 1 – 3 Years

  • Level 2 – 3 Years

  • Level 3 – 2 Years

  • Level 4 – Annually

  • Level 5 – Annually

CMMC Levels


Upcoming Revisions

Revision 0.6 of the CMMC will launch the first week of November 2019. Another version will drop in late November that will be 99% complete. This will most likely be the last update before the final release in January 2020.

Link to the Slide deck is HERE.

 

---------------------------------------------------------------------------------------------------------------------

 

(Original Blog)

The Department of Defense (DoD) has issued draft Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) for government contractors who handle sensitive data, with comments accepted until 5 pm on September 25th, 2019. CMMC Rev 0.4 is an effort to secure the supply chain from the largest contractors to the smallest, and it will be the new cybersecurity standard in 2020. Contractors now have a glimpse into the cybersecurity standards they will need to meet if they want to work on contracts that handle controlled unclassified information (CUI) next year.

CMMC Rev 0.4 has a five-level system that combines guidance currently in place from the National Institute of Standards and Technology (NIST) with new input from the private sector and academia, including the Johns Hopkins Applied Physics Lab and the Carnegie Mellon Software Engineering Institute. The new details shed light on the third-party certification system, which will be managed by a nonprofit company in the coming months.

Slide 9 of the recently released presentation from the Department of Defense (DoD), found HERE, explains the levels of certification and descriptions. 

CMMC Slide 9

Each level describes the maturity expected for contract placement. It is assumed that contracts will be made available to companies based on their maturity level, with a certain number of contracts released at each level. Levels 1 and 2 are basic cybersecurity maturity. These levels are achievable by small businesses and provide limited resilience against exfiltration and malicious actions.

Levels 3-5 are more rigorous, requiring compliance with all NIST SP 800-171 controls.

The model itself is still being revised. It is anticipated to be reduced in size by down-selecting, prioritizing, and consolidating capabilities.

The Office of the Under Secretary of Defense for Acquisition & Sustainment is asking for your comments and suggestions by answering the following questions:

  1. What do you recommend moving within the model?

  2. Which elements provide the highest value to your organization?

  3. Which practices would you move or cross-reference between levels?

  4. What recommendations do you have to clarify the processes?

They are also asking you to fill out their Comment Matrix with further suggestions to add or delete from the model.  

Once they have received comments from the public (the comment period is open until September 25th), they plan to adjust the model with the intent of adding controls. You can view their synopsis in the chart below.

CMMC Rev 0.4 will be adding 230 total practices into its certification model.   

 

CMMC Practices

 

Main Takeaways from CMMC Rev 0.4

  • All companies doing business with the DoD must utilize the CMMC and be certified.

  • The DoD is migrating from relying solely on the NIST SP 800-171 standard to adding a security maturity model, referred to as CMMC, in 2020.

  • All DoD contractors & subcontractors will receive a cybersecurity maturity certification score between 1 & 5, with 5 being the highest. 

  • The higher your score the more contract opportunities become available. 

  • CMMC Version 1.0 to be released in January 2020. 

  • By the fall of 2020, requests for information (RFIs) and requests for proposal (RFPs) will begin to include CMMC.

  • Cybersecurity is now an “allowable cost.” 

  • Despite best intentions, companies are more likely to overrate than underrate their performance against the NIST SP 800-171 security controls when they self-assess and attest to the results.  

  • Assessment of cyber maturity or cyber posture cannot be a one-time event. Regular assessment and security monitoring are imperative.  

  • Self-assessment results are further weakened by insufficient understanding of individual controls on the part of the assessor, the implementer, or both.

  • SP 800-171 is necessary, but not enough. Continuous processes must augment the practices reflected in the controls.  

  • External audits of processes and practices (self-attestation is out; external third-party certification is in).

  • These audits produce more thorough, consistent, and accurate results.

  • This in turn drives stronger security and improved safeguarding of CUI throughout the DoD contractor supply chain.

 

InfusionPoints wants to make sure our clients and potential clients are always kept up to date. We are excited for the new model to roll out and will be following it very closely. Keep an eye out for our next blog and webinar on the next revision of the CMMC.

 

References:

Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/draft.html

Draft Model: https://www.acq.osd.mil/cmmc/docs/cmmc-draft-model-30aug19.pdf

CMMC Briefing: https://www.acq.osd.mil/cmmc/docs/cmmc-overview-brief-30aug19.pdf

News Articles:

https://desiredoutcomesllc.com/2019/08/03/cybersecurity-maturity-model-certification-cmmc-everything-you-need-to-know-for-2020/

https://www.fedscoop.com/dod-contractors-cybersecurity-standards-draft/

 

 
