By Andrew Victor and Robert Nichols

DoD recently released updated guidance, a draft version 0.4 of its Cybersecurity Maturity Model Certification (CMMC) model, and requested industry feedback. This post follows up on our previous post in this area and explains the CMMC model.

DoD’s guidance explains that version 0.4 of the CMMC model organizes cybersecurity best practices into 18 “domains”:

  • Access Control
  • Asset Management
  • Awareness and Training
  • Audit & Accountability
  • Configuration Management
  • Cybersecurity Governance
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Assessment
  • Security Assessment
  • Situational Awareness
  • System and Communications Protection
  • System and Information Integrity

For each domain, the CMMC establishes “key sets of capabilities for cybersecurity,” which are practices and processes classified by maturity level, from Level 1, the most basic, to Level 5, the most advanced. Notably, version 0.4 dramatically expands the number of practices at each maturity level. For instance, version 0.3 had 17 practices for Level 1, “Basic Cyber Hygiene,” and 46 practices for Level 2, “Intermediate Cyber Hygiene.” Version 0.4 added 18 practices to Level 1 for a total of 35, and 69 practices to Level 2 for a total of 115.

In setting forth the capabilities for each domain across the five maturity levels, version 0.4 includes a citation to the external standard that DoD has looked to for each practice. DoD’s sources for version 0.4 include NIST SP 800-171, standards developed by the Defense Industrial Base Sector Coordinating Council, and the CERT Resilience Management Model, among others. Given the length and complexity of version 0.4, DoD explained that it continues to refine the model and anticipates a reduction in the model’s size.

Going forward, contractors should consider whether to submit feedback, as invited by DoD, by September 25th. In particular, DoD has asked industry to answer the following questions:

  1. What do you recommend removing or de-prioritizing to simplify the model and why?
  2. Which elements provide high value to your organization?
  3. Which practices would you move or cross-reference between levels and domains?
  4. In preparation for the pending easy-to-use assessment guidance, what recommendations might you have to clarify practices and processes?

Contractors should also continue to monitor the CMMC website for new information and the release of version 0.6 in November.