Understanding the Maturity Model

Previously, federal contractors were allowed to self-certify as required in the DFARS 252.204-7012 clause, which could include a Plan of Action and Milestones (POAM) for any security gaps that existed. With the inception of the Cybersecurity Maturity Model Certification (CMMC), defense contractors must now achieve CMMC certification via a certified and accredited third-party auditor in order to be awarded a defense contract. This article will explore the CMMC framework.

The maturity model allows contractors to evaluate their current level of capability for processes, practices, and methods against predetermined benchmarks and then the contractor can set goals and priorities for improvement based on the evaluation. Once all items for certification at the requested level are met, the contractor is ready to apply for certification. 

According to the Department of Defense’s (DOD) documentation, the CMMC framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and DOD stakeholders. The CMMC framework contains five maturity processes and 171 cybersecurity best practices progressing across five maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding of Federal Contract Information (FCI) at Level 1, moving to the broad protection of Controlled Unclassified Information (CUI) at Level 3, and culminating with reducing the risk of Advanced Persistent Threats (APTs) at Levels 4 and 5. The CMMC framework is coupled with a certification program to verify the implementation of processes and practices.

All DOD service providers, both prime and subcontractors, IT and non-IT providers, will need to acquire at least Level 1 certification. CMMC requirements are expected to appear in RFPs starting in September 2020. It is important to note that Level 2 is designed as a transition level to prepare companies for CMMC Level 3, since the bulk of DOD contracts will require Level 3.

The CMMC builds on a variety of security standards and best practices including but not limited to:

DOMAINS, CAPABILITIES, PRACTICES, AND PROCESSES

Each level of CMMC has specific domains, capabilities, practices, and processes that build upon each other. The model leverages multiple sources and references. 

The CMMC model is a framework that organizes processes and cybersecurity best practices into multiple domains. For each domain, there are processes and capabilities that span a subset of the five levels. The capabilities are further broken down into practices, which are activities performed at each level for the domain. 

Process maturity characterizes the extent to which an activity is embedded in the operations of an organization. The more deeply ingrained an activity is in an organization, the more likely the company will continue to perform the activity, even during times of stress. Also, with deeply embedded processes, the outcomes will be consistent, repeatable, and of high quality. 

With the maturity model, each level builds on the previous. For example, when you move to Level 2, everything from Level 1 is included as a foundation and then additional domains, capabilities, practices, and processes are added on to that. 

Domains

The CMMC consists of 17 Capability Domains which are broken down into 43 capabilities. 

The Capability Domains are:

  • Access Control
  • Asset Management
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Management 
  • Security Assessment
  • Situational Awareness
  • System and Communications Protection
  • System and Information Integrity

Practices

Starting with Level 1, there are 17 practices that focus on basic cyber hygiene. The practices at this level are equivalent to the requirements of Federal Acquisition Regulation (FAR) 48 CFR 52.204-1.

For Level 2, there are a total of 72 practices. Because this level builds on Level 1, all requirements from FAR 52.204-1 need to be met. There are 55 additional practices which draw mainly from NIST SP 800-171r1. All practices at this level are designed to support intermediate cyber hygiene practices. 

There are a total of 130 practices designed to support good cyber hygiene practices at Level 3. Building on Levels 1 and 2, this level includes all of FAR 52.204-1 and NIST SP 800-171r1, and adds 20 additional practices. 

Level 4 has a total of 156 practices to demonstrate a proactive cybersecurity program. At this level, all practices from FAR 52.204-1 and NIST SP 800-171r1 are met. It adds on additional practices, including a subset of practices from Draft NIST SP 800-171B. 

At Level 5, a contractor is expected to meet all practices from FAR 52.204-1, NIST SP 800-171r1, subsets from NIST SP 800-171B, and other cybersecurity practices to demonstrate an advanced cybersecurity program. 

Processes

Processes include planning activities such as mission, goals, project plan, resourcing, training needed, and involvement of relevant stakeholders. 

The processes in Level 1 include select practices that are documented where required.  

At Level 2, two processes must be met. First, each practice is documented, including all Level 1 practices. Second, there is a requirement for a policy that includes all activities.

There are three processes in Level 3 that need to be managed. Each practice, including those from previous levels, is documented. Also, there must be a policy that covers all activities. Finally, a contractor must show that a plan exists, is maintained, and is resourced, and that it includes all activities.

For Level 4, there are four processes that focus on review. At this level, all previous processes are met, including documentation of each practice, having a policy that covers all activities, and having a plan that includes all activities. This level adds on the requirement that activities are reviewed and measured for effectiveness and the results of the review are shared with higher level management. 

Level 5’s five processes focus on optimizing. As with all previous levels, it includes the four requirements from the previous levels. This level adds on a fifth requirement that there is a standardized, documented approach across all applicable organizational units. 

LEVELS OF MATURITY 

NIST SP 800-171 provides a foundation of controls for strong cyber hygiene that the Federal government saw as a reasonable requirement for service providers accessing and storing CUI. The DOD has decided that as the threats become more prevalent and more advanced, additional measures must be taken to protect the increasingly valuable CUI and intellectual property of its service providers. The CMMC model uses the maturity model concept to provide DOD contractors a cost-efficient and practical methodology to build upon SP 800-171 to a state where their cybersecurity programs actively adapt to the changing threat landscape and their IT resources are more resilient against the more sophisticated threats. Levels 1 through 5 are intended to be established in order, with technical practices and processes that logically build upon each other for each domain.

Maturity Levels for Processes 

The maturity levels for processes are consistent across all domains and follow the CMMI standard levels of maturity from Initial through Optimized. 

In IBSS’s experience assessing cybersecurity programs for our customers, we often see poorly documented processes. These lead to inconsistencies and gaps in technical implementations, which in turn cause inefficient management, increased resources to operate and maintain, duplicative efforts and implementations, and limits on the level of resilience and optimization that can be achieved. In order to achieve a high level of maturity for their technical practices, organizations must establish, document, and maintain the associated key governance documents (policies, procedures, guidance, etc.), either by implementing a structured process management system or by utilizing a system that may already be in place in the organization through a quality management program such as ISO 9001.

Maturity Levels for Technical Practices

Levels 1-3 – The Basic Levels of Maturity

Implementing these three levels establishes strong cyber hygiene that meets FAR 52.204-1 and NIST SP 800-171 Rev 1 requirements, which establishes resilience and protection against most threats and deters most threat actors. Basically, fully implementing NIST SP 800-171 and a handful of other basic practices actively prevents the bulk of attacks. Certain studies estimate that 93% of all reported cybersecurity incidents were preventable through implementing these practices.

Level 1 – Performed

There are a total of 17 CMMC practices that align with requirements set out in FAR 52.204-1 and NIST SP 800-171 to establish the most basic level of cyber hygiene and to provide a foundation for the higher maturity levels. This level includes implementing the basic concepts of least privilege; implicit deny/explicit allow; media sanitization (shredders, wiping hard drives and other magnetic and solid-state media); physical and logical access control; securing networks with firewalls, routers, and switches; and antivirus and basic endpoint protection. That is all that is required to meet the CMMC Level 1 requirements, which is easily achievable for even small businesses and likely already in place for most organizations.

Level 2  – Documented

At Level 2, contractors will implement the most widely accepted cybersecurity best practices, which include: scanning for vulnerabilities; patching computer systems; enforcing password strength; session locks; implementing secure baseline configuration settings; capturing and reviewing event logs; security awareness training; and backup and recovery.

Level 3 – Managed

At Level 3, a company has full coverage of NIST SP 800-171 requirements and implementation of best practices beyond the needs of protecting CUI. This is where a company starts to build upon and move beyond what the original NIST SP 800-171 set out to do. 

Levels 4 and 5 – A Look at the highest levels of maturity

Levels 4 and 5 move into the more enhanced capabilities of a mature enterprise level cybersecurity program that becomes automated and responsive as the threat landscape evolves. It also looks to implement a high level of resiliency to protect resources from the more sophisticated threats and threat actors.

Level 4 – Reviewed

At this level, an organization has a well-established cybersecurity program with discrete, full-time cybersecurity-specific roles (CISO, ITSO, Incident Response Team, SOC Analysts, Security Architect, etc.) and resources (SIEM solution, SOC, Digital Forensics, Endpoint Protection, etc.) that all work together to protect the organization at an enterprise level. The practices at CMMC Level 4 focus on advanced capabilities of cybersecurity solutions and extensive use of automation and orchestration, allowing different capabilities to work together.

Some examples:

  • Behavioral analytics to baseline and enforce access and functions based on time of day, location, business function, and role
  • Implementing asset discovery and enforcing asset access control based on defined policies (firmware level, OS level patched and up-to-date, antivirus installed, etc.)
  • Log analysis and SIEM solution able to automatically correlate and identify known or potential critical indicators (TTPs, or IOCs) for escalated review
  • Active threat intelligence exchange to integrate into other cybersecurity and IT functions to enhance the security architecture and key cybersecurity functions like incident response and network and system administration to keep them apprised of emerging threats
  • Increasing the frequency of the security awareness training program and enhancing it to incorporate actionable intelligence on updated threats and functional exercises
  • Creation of a Security Operations Center (SOC)
  • Supply chain analysis of data-sources, hardware, software, and service vendors
  • Regular independent pen-testing and red-team assessments
  • Implement a Threat Hunt program
  • Enhanced network segmentation based on resource function

Level 5 – Optimized

At Level 5, a company has a highly effective, adaptive, and holistic cybersecurity program that is resilient to the most sophisticated attacks and threat actors and able to repel APTs. At this level, SOC and Incident Response capabilities would have 24x7x365 coverage, and technical cybersecurity capabilities would utilize a high level of automation and orchestration to respond in near real time.

Knowing Which CMMC Level Your Company Needs

All defense contractors, primary and secondary, IT and non-IT, will need at least Level 1 CMMC. Ultimately, the acquisition will determine which level of CMMC certification your company needs. 

Since most companies have a pipeline of business development, those proposals can help determine which level of CMMC will be needed. Consultants, like IBSS, can look at your business development program to determine which acquisitions will have access to sensitive data and see what level of CMMC would be needed for those acquisitions as well as make recommendations for what is needed to obtain a certain CMMC level. Also, consultants can help service providers pull together all the artifacts needed for a CMMC audit, which would decrease the amount of time needed to perform the audit and could help lower the audit cost. 

While CMMC is coming and all DOD service providers need to have at least CMMC Level 1, acquiring CMMC will have benefits beyond acquisitions. By getting CMMC, service providers are taking their support of the DOD mission to a deeper level as they better protect themselves and national security. 

To learn more about the need for CMMC, read our post called CMMC Certification: Exploring Why CMMC Is Needed.

For a free consultation to see where you stand, contact us at 301-942-9014, email us at cmmc@ibsscorp.com, or fill out this form.

ABOUT IBSS 

Since 1992, IBSS, a woman-owned small business, has provided specialized cybersecurity, enterprise IT, environmental science and engineering, and professional and management consulting services to the Federal sector. Our clients include the National Oceanic and Atmospheric Administration (NOAA), the Department of Defense (DoD), and the Department of Justice (DOJ). We are committed to serving our clients and employees by delivering service excellence, creating value through technology, and continually improving our skills, services, and processes. In addition, we maintain ISO 9001:2015, ISO 27001, ISO 20000, and CMMI certifications, which allow us to optimize current industry best practices to enhance delivery outcomes for our clients and demonstrate our commitment to quality.