CMMC: Not Just Your 800-171 Anymore!

2021-08-04

Much has already been published with respect to the Cybersecurity Maturity Model Certification (CMMC). So, hopefully this introduction will be summarily brief. Let's start at the beginning.

The CMMC was published in 2020 as DoD's extension to NIST SP 800-171. The CMMC "certification" is specifically for contractor organizations. It basically is the same as "authorization to operate". Organizations must fulfill CMMC by award of contract. SP 800-171 was published for a few primary reasons:

• To flip from "for the government agencies" approach in SP 800-53

• To prescribe security for "contractors processing, transmitting and storing government information on their own systems".

• SP 800-171 also clarifies security required by FAR 52.204-21 and DFARS 252-204.7012. Those were very general and (to summarize) cumulatively resulted in "do adequate security".

• Another point is to specifically ensure the proper protection of Controlled Unclassified Information (CUI). See the CUI Registry at https://www.archives.gov/cui/registry/category-list for definitions.

CMMC takes the content of SP 800-171 and puts them in to five (5) levels. Level 1 requires only seventeen (17) basic controls. Each subsequent level requires additional controls. For example, Level 2 and Level 3 each add approximately 50 additional controls. Organizations processing CUI are required to achieve Level 3.

CMMC builds on SP 800-171 and adds certain prescriptions for organizational and security maturity improvements. None are required for Level 1. They are added at Level 2 to Level 5. These specifications result in "Maturity Level". From Level 2, each Level will add requirements such as:

• Establish a policy

• Document practices

• Create resource plans

• Track effectiveness

• Standardize across all business units

You may see similarities between the above and Capability Maturity Model Integration (CMMI). The same organization, the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU), wrote both. More details to be published in following issues of the blog.

CMMC is also an ecosystem for defense contractors. Specified within this ecosystem are:

• ROLES - personal credentials for professionals working in the CMMC ecosystem

• ORGANIZATIONS - contractor Organizations Seeking Certification (OSC) and independent Third Party Assessing Organizations (3PAO) who validate the OSC

• LEVEL OF EFFORT

Upcoming blog issues will address these in detail.