CMM Overview
The Cybersecurity Maturity Model Certification (CMMC) was developed by the
Office of the Under Secretary of Defense for Acquisition and Sustainment
(OUSD(A&S)), DoD stakeholders, University Affiliated Research Centers (UARCs),
Federally Funded Research and Development Centers (FFRDCs) and the Defense
Industrial Base (DIB) to measure an organization's cybersecurity maturity.
The
North
Star CMM repurposes the CMMC for broader use by all businesses while
maintaining the integrity of the model. The last C is dropped as Certification
is a separate business decision from cyber and data protection. The remainder
of this page focuses on the structure and practices that must be followed to
satisfy each level of the model and is referred to as the CMM.
The CMM spans five levels and aligns processes and practices to the type, and
sensitivity, of information that is to be protected from cyber threats. The
model includes industry best practices from a variety of cybersecurity
standards, frameworks, and direct input from the DIB community. The model was
originally designed to protect Federal Contract Information (FCI) and
Controlled Unclassified Information (CUI) held by government contractors. The
CMM has wide application for any business that needs to protect confidential
information.
The CMM consists of 17 domains. The majority of these domains originate from the security-related areas in Federal
Information Processing Standards (FIPS) Publication 200 and the related security requirement families from NIST SP 800-171.
MSU SBDC Cybersecurity is not a certifying body and has no affiliation with the
CMMC Accreditation Board (CMMC-AB). As the CMM is discussed, we provide broad
guidance on how to protect a business’s confidential information.
CMM Levels
Each level of the CMM builds on the level prior to it and the organization will implement additional controls as it moves up to
higher levels. There are a total of 171 practices that are divided among the five levels. The model is cumulative in nature. For
example, if an organization would like to satisfy all practices up to Level 3, they would have to implement practices from Level 1,
Level 2, and Level 3. Below is a description of the intended purpose behind each level and the type of information that will be
protected.
- CMM Level 1 is the baseline that any organization with a government contract must have. It is composed of 17
practices that outline the requirements for Basic Cyber Hygiene according to the CMM. Level 1 is equivalent to all
the safeguarding requirements from Federal Acquisition Regulation (FAR) 52.204-21. Its main focus is the protection
of Federal Contract Information (FCI).
- CMM Level 2 is an intermediate step for organizations attempting to achieve Level 3 of CMM. It requires a total
of 72 practices (it includes practices from Level 1). This level is used to progress to the protection of Control
Unclassified Information (CUI).
- CMM Level 3 focuses on the protection of CUI. This level encompasses all of the security requirements specified
in NIST SP 800-171 as described by DFARS 252.204 plus 20 additional practices. It requires a total of 130 practices.
- CMM Level 4 & 5 focus on using enhanced security requirements that include practices from NIST 800-172. It is
expected that only a small portion of the Defense Industrial Base (DIB) will be required to need these levels of
certification.
Data Protection
The CMM can be used as a standard to identify the security posture of an
organization. For businesses performing government contracts, there are
requirements for which level an organization must be certified to receive and
keep their government contract.
For businesses that do not have government contracts, the CMM can be used as a
vetted cybersecurity standard for protecting any type of information. (e.g.
intellectual property, customer data, employee data. etc.).
CMMC Requirements
For businesses that do hold contracts with the U.S. government, there are
requirements for which level of the CMMC that needs to be satisfied. This will
depend upon what each program office sets for their own RFPs. The required
level will be known prior to proposal submission.
The
CMMC Accreditation Board
(CMMC-AB) offers a marketplace where businesses seeking
certification will be able to visit to find a CMMC Third-Party Assessor
Organization (C3PAO). C3PAO's are accredited organizations that have been
trained on how to properly conduct CMMC assessments.