What Is the CMMC Framework?
The CMMC framework includes a “comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level,” according to the DOD.
According to the Pentagon, the framework is designed to ensure that defense contractors “can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.”
Michael Cardaci, CEO of FedHive, a Federal Risk and Authorization Management Program-certified cloud service offering that provides security compliance solutions, says the key to the CMMC is in the name, in that it follows a maturity model.
“The idea behind it is the embodiment of security, as opposed to just kind of checking off a list of things that you make sure you do, like change your password and that sort of thing,” he says. “I view it as more of an immersive kind of thing.”
According to a DOD document on the CMMC, the framework “aligns a set of processes and practices with the type and sensitivity of information to be protected and the associated range of threats.” The model includes maturity processes and cybersecurity best practices from multiple cybersecurity standards and frameworks.
Ultimately, the DOD states, CMMC “adds a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.”
What Are the 5 CMMC Levels?
Unlike NIST 800-171, the CMMC model has five levels. “The model is cumulative whereby each level consists of practices and processes as well as those specified in the lower levels,” the DOD states.
Each level consists of a set of processes and practices, with the practices ranging from “basic cyber hygiene” at level 1 to advanced or progressive cybersecurity at level 5. The processes range from “performed” at level 1 to “optimizing” at level 5.
Essentially, each level up indicates a higher degree of protection for sensitive information. For an organization to achieve a specific CMMC level, it must demonstrate achievement of all of the preceding lower levels. Additionally, organizations must show assessors that both processes and practices have been institutionalized; where an organization demonstrates differing levels for one or the other, it will be certified at the lower of the two levels.
CMMC levels can be categorized this way:
- CMMC level 1: Safeguard federal contract information
- CMMC level 2: Serve as a transition step in cybersecurity maturity progression to protect controlled unclassified information (CUI)
- CMMC level 3: Protect CUI
- CMMC levels 4-5: Protect CUI and reduce the risk of advanced persistent threats
Bai notes that only a tiny percentage of the DIB is going to require a level 4 or 5 certification, and that it will likely only apply to companies dealing with data that foreign nation-states are targeting.