USA - DoD CMMC
1.1. Issuing body
The Cybersecurity Maturity Model Certification ('CMMC') is a framework developed by the U.S. Department of Defense ('DoD') in response to an increase in risk regarding the sharing of Federal Contract Information ('FCI') and Controlled Unclassified Information ('CUI') with contractors of the Defense Industrial Base ('DIB') sector.
1.2. Foundations and purpose
All companies doing business with the DoD will need to obtain the CMMC, including subcontractors.
The aim of the CMMC is to measure a DIB sector company's ability to protect FCI and CUI. In addition, the CMMC combines several existing cybersecurity standards in order to map best practices and processes to maturity levels.
The CMMC also adds a certification element as part of the framework to verify implementation of cybersecurity requirements, and to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain.
The CMMC Version 1.0 was released in January 2020.
1.3. Compliance benefits
According to the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment ('OUSD(A&S)'), the CMMC framework is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place, both to provide basic cyber hygiene and to protect CUI that resides on the networks of the DoD's industry partners.
1.4. Related legislation, frameworks, standards, and supplemental resources
The OUSD(A&S) developed the CMMC framework in concert with DoD stakeholders, University Affiliated Research Centers, Federally Funded Research and Development Centers, and the DIB sector. The OUSD(A&S) has issued the following supporting documentation:
2. SCOPE OF APPLICATION
The CMMC consists of 17 capability domains, five processes across five levels to measure process maturity, and 171 practices across five levels to measure technical capabilities.
Under the CMMC, adherence to processes and practices is cumulative: once a practice has been introduced at a certain level, organisations are required to implement that practice at all higher levels as well. Similarly, to achieve a specific CMMC level, an organisation must meet both the practices and the processes of that level and of every level below it, across all domains of the model.
The following is a summary of each of the levels:
Level 1: Focuses on basic cyber hygiene. Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certified organisations. Not every domain within CMMC has Level 1 practices. At both this level and Level 2, organisations may be provided with FCI.
Level 2: Focuses on intermediate cyber hygiene, creating a maturity-based progression for organisations to step from Level 1 to 3, and introduces the process maturity dimension of the model. An organisation is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of their cybersecurity program.
Level 3: Organisations assessed at Level 3 have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organisations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 indicates a basic ability to protect and sustain an organisation's assets and CUI; however, organisations at this level will have challenges defending against advanced persistent threats ('APTs'). At CMMC Level 3, an organisation is expected to adequately resource and review its activities' adherence to policy and procedures, demonstrating management of practice implementation.
Level 4 and Level 5: At CMMC Level 4 and 5, an organisation has a substantial and proactive cybersecurity program, and the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures in use by APTs. The organisation is expected to review and document activities for effectiveness and inform high-level management of any issues, as well as ensure that process implementation has been generally optimised across the organisation.
Each of the 17 domains listed below includes capabilities, and each capability includes at least one practice at a specified level in the model.
- Access control
- Asset management
- Audit and accountability
- Awareness and training
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Recovery
- Risk management
- Security assessment
- Situational awareness
- Systems and communications protection
- System and information integrity
Under the CMMC, process maturity is the extent to which practices are institutionalised at an organisation. The maturity processes listed below are expected to be performed by organisations at each of the CMMC levels.
- Level 1: Performed: There are no maturity processes assessed at Level 1.
- Level 2: Documented:
  - Establish a policy that includes the relevant domain.
  - Establish practices to implement the relevant domain policy.
  - Establish a plan that includes the relevant domain.
- Level 3: Managed:
  - Review the relevant domain's activities for adherence to policy and practices.
  - Provide adequate resources for the relevant domain's activities.
- Level 4: Reviewed:
  - Review and measure the relevant domain's activities for effectiveness.
  - Inform high-level management of any issues with the relevant domain's activities.
- Level 5: Optimised:
  - Standardise a documented approach for the relevant domain across all applicable organisational units.
  - Share identified improvements to the relevant domain's activities across the organisation.
3. KEY DEFINITIONS | BASIC CONCEPTS
See the CMMC for a full list of definitions and key terminologies incorporated.
Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
Administrative Safeguards: Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Awareness: A learning process that sets the stage for training by changing individual and organisational attitudes to realise the importance of security and the adverse consequences of its failure.
Cybersecurity: Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Controlled Unclassified Information: Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, 29 December 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Defense Industrial Base: The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Federal Contract Information: Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as that necessary to process payments.
Organisation Seeking Certification: The company that is going through the CMMC assessment process to receive a level of certification for a given environment.
Personally Identifiable Information: Information which can be used to distinguish or trace the identity of an individual (e.g. name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g. date and place of birth, mother’s maiden name, etc.).
As the CMMC focuses on the processing, storage, or transmission of CUI, general data processing principles found in comprehensive data protection law, such as use limitation, suitability, data minimisation, storage limitation, and accuracy, form a core part of the CMMC and are discussed further below.
Cybersecurity risk is defined as 'risk to organisational operations, resources, and other organisations due to the potential for unauthorised access, use, disclosure, disruption, modification, or destruction of information or IT', and risk management practices flow throughout the CMMC. Capabilities include:
- periodic assessment of the risk to organisational operations (including mission, functions, image, or reputation), organisational assets, and individuals, resulting from the operation of organisational systems and the associated processing, storage, or transmission of CUI (Level 2);
- developing and implementing risk mitigation plans (Level 3);
- managing non-vendor-supported products (e.g. end of life) separately and restricting them as necessary to reduce risk;
- cataloguing and periodically updating threat profiles (Level 4); and
- employing threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities (Level 5).
Security assessment programs manage the development and implementation of the CMMC security requirements. The domain includes the development, documentation, and updating of system security plans, and the assessment of the security controls in systems to determine if the controls are effective in their application. Organisations must develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities identified.
Roles and responsibilities
Personnel security under the CMMC includes the screening of individuals prior to authorising access to organisational systems containing CUI, and ensuring that organisational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Awareness and training
Awareness and training form a domain of the CMMC and the capabilities identified are aimed at ensuring staff are aware of the security risks associated with their activities and roles as well as providing information security-related training, including to:
- ensure that managers, system administrators, and users of organisational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems (Level 2);
- ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities (Level 2);
- provide security awareness training on recognising and reporting potential indicators of insider threat (Level 3);
- provide awareness training focused on recognising and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviours; update the training at least annually or when there are significant changes to the threat (Level 4); and
- include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training (Level 4).
Policies and procedures
Level 2 and each level above it requires an organisation to establish, document, and maintain practices and policies to guide the implementation of CMMC efforts, so that individuals within the organisation can perform them in a repeatable manner.
The CMMC contains several domains and capabilities in relation to data security, including:
- access controls;
- configuration management;
- identification and authentication;
- media protection;
- physical protection;
- recovery; and
- system and information integrity.
In addition, the system and communications protection domain includes several requirements regarding the monitoring, control and protection of organisational communications, as well as protection regarding the disclosure of CUI (discussed further under section 4.6.).
Audit and accountability are considered a single domain under the CMMC, defined as a 'chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result to ensure that the actions of an entity may be traced uniquely to that entity.'
The CMMC provides detail on how organisations should approach the following requirements:
- define audit requirements;
- perform auditing;
- identify and protect audit information; and
- review and manage audit logs.
The capabilities listed include:
- ensuring that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions (Level 2);
- creating and retaining system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorised system activity (Level 2);
- collection of audit information (e.g. logs) into one or more central repositories (Level 3);
- protection of audit information and audit logging tools from unauthorised access, modification, and deletion (Level 3);
- automation of analysis of audit logs to identify and act on critical indicators and/or organisationally defined suspicious activity (Level 4); and
- identifying assets not reporting audit logs and assuring appropriate organisationally defined systems are logging (Level 5).
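The following is an added example, not code from the CMMC or from this Note, that shows in a small central audit repository what three of the capabilities above look like in practice: unique user traceability (Level 2), tamper-evident protection of stored audit records (Level 3), and detection of assets that have stopped reporting logs (Level 5). The log format, host names, HMAC key and timestamps are all constructed for the example.

```python
"""Added example, not from the CMMC or this page: a toy central audit store showing
user traceability (Level 2), tamper-evident records (Level 3) and detection of
assets that stop reporting (Level 5). Hosts, key and timestamps are constructed."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample log lines from three hosts; ws-09 goes quiet after 10:06.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z host=ws-07 user=alice event=login",
    "2024-03-01T10:05:00Z host=fs-01 user=bob event=file_read path=/cui/x.docx",
    "2024-03-01T10:06:00Z host=ws-09 user=carol event=login",
    "2024-03-01T11:30:00Z host=ws-07 user=alice event=logout",
    "2024-03-01T12:00:00Z host=fs-01 event=service_start",  # no user field
]
EXPECTED_ASSETS = {"ws-07", "fs-01", "ws-09"}   # assets that must log
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed check time
HMAC_KEY = b"constructed-demo-key"  # real deployments keep this off the log sources

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def untraceable(lines):
    """Level 2: records that cannot be tied to a unique user."""
    return [l for l in lines if "user" not in parse(l)]

def build_chain(lines, key=HMAC_KEY):
    """Level 3: each tag covers the line plus the previous tag, so editing,
    deleting or reordering any stored record breaks verification."""
    prev, chain = b"", []
    for l in lines:
        tag = hmac.new(key, prev + l.encode(), hashlib.sha256).hexdigest()
        chain.append((l, tag))
        prev = tag.encode()
    return chain

def verify_chain(chain, key=HMAC_KEY):
    prev = b""
    for l, tag in chain:
        expected = hmac.new(key, prev + l.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        prev = tag.encode()
    return True

def silent_assets(lines, expected=EXPECTED_ASSETS, now=NOW, max_silence=timedelta(hours=1)):
    """Level 5: expected assets with no record inside the max_silence window."""
    last_seen = {}
    for rec in map(parse, lines):
        last_seen[rec["host"]] = max(last_seen.get(rec["host"], rec["ts"]), rec["ts"])
    return sorted(h for h in expected if h not in last_seen
                  or now - last_seen[h] > max_silence)
```

The key used for the chain would in a real deployment be held only by the central repository, so a host that is compromised cannot re-sign its own history.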
The CMMC includes specific requirements regarding the protection, transfer and disclosure of CUI, such as:
- preventing unauthorised and unintended information transfer via shared system resources;
- implementation of a policy restricting the publication of CUI on externally owned, publicly accessible websites; and
- employing organisationally defined and tailored boundary protections in addition to commercially available solutions.
As part of the risk management process, organisations at Level 2 and above of the CMMC are required to develop, and update as required, a plan for managing supply chain risks associated with the IT supply chain. According to the CMMC, the scope of the plan is the IT suppliers of the networking, storage, and computing software, hardware, and services that support the storage, processing, and transmission of CUI and are part of the CMMC assessment.
The CMMC contains detailed requirements regarding incident management and response in relation to planning, detecting, and reporting incidents and breaches.
Incident handling should include activities that prepare an organisation to respond to incidents. These activities may include the following:
- identifying people inside and outside the organisation who may need to be contacted during an incident;
- establishing a way to report incidents, such as an email address or a phone number;
- establishing a system for tracking incidents; and
- determining a place and a way to store evidence of an incident.
In addition, the CMMC notes that, as an organisation matures, it should dedicate resources to providing ongoing situational awareness, in particular through a security operations centre ('SOC'), which provides awareness through the ongoing collection of logs from the organisation's various defensive capabilities on its network and endpoints. The SOC processes the logs and any associated alerts in order to quickly identify and remediate threats before more damage is caused. In addition to technology, a SOC must be staffed by appropriate personnel to ensure data is collected, analysed, and investigated, and must enable a 24 hours a day, seven days a week response capability. The incident response capabilities set out how an organisation should:
- establish an operational incident-handling capability for organisational systems that includes preparation, detection, analysis, containment, recovery, and user response activities;
- detect and report events;
- analyse and triage events to support event resolution and incident declaration;
- develop and implement responses to declared incidents according to pre-defined procedures;
- perform root cause analysis on incidents to determine underlying causes;
- track, document, and report incidents to designated officials and/or authorities both internal and external to the organisation;
- test the organisational incident response capability;
- use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution;
- establish and maintain a security operations center capability that facilitates a 24/7 response capability;
- in response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data; and
- use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.
While Privacy by Design is not explicitly addressed in the CMMC, the concept is implicit in many of its requirements, as highlighted throughout this Note.
In its FAQs, the OUSD(A&S) has advised that organisations will coordinate directly with an accredited and independent third-party commercial certification organisation to request and schedule a CMMC assessment. Companies will specify the level of certification requested based on business requirements, and they will be awarded certification at the CMMC level at which they have demonstrated the appropriate capabilities and processes to the assessor and certifier.
Matters such as the duration of the certification and cost are still undergoing discussion.