The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase trust in measures of compliance with a variety of standards published by the National Institute of Standards and Technology. [1]
The CMMC framework and model was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) of the United States Department of Defense through existing contracts with Carnegie Mellon University, The Johns Hopkins University Applied Physics Laboratory, and Futures, Inc. [2] The Cybersecurity Maturity Model Certification Accreditation Body oversees the program under a no-cost contract. The program is currently overseen by the DoD CIO office. [3]
CMMC, which often requires third-party assessment if a contractor handles Controlled Unclassified Information, will impact the $768bn Defense industry, 3.2% of the Gross Domestic Product of the United States of America. [4]
The purpose of the CMMC is to verify that the information systems used by contractors of the United States Department of Defense to process, transmit or store sensitive data comply with the mandatory information security requirements. [5] The goal is to ensure appropriate protection of controlled unclassified information (CUI) [6] and federal contract information (FCI) that is stored and processed by partners or vendors.
The framework provides a model for contractors in the Defense Industrial Base to meet the security requirements from NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Some contracts will also include a subset of requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. [7]
CMMC organizes these practices into a set of domains, which map directly to the NIST SP 800-171 Rev 2 and NIST SP 800-172 families. There are three levels within CMMC: Level 1, Level 2, and Level 3. [8]
Level | Description | Practices | Objectives | Assessment | Focus Area |
---|---|---|---|---|---|
1 | Foundational | 14 based on FAR 52.204-21, cross-referenced to NIST SP 800-171 Rev 2 | 59 | Annual self-assessment | Safeguard Federal Contract Information (FCI) |
2 | Advanced | 110 practices aligned with NIST SP 800-171 | 320 | Triennial third-party assessments for critical national security information; annual self-assessment for select programs | Protection of Controlled Unclassified Information (CUI) |
3 | Expert | 110+ practices based on NIST SP 800-171 plus a subset of the security requirements in NIST SP 800-172 | 320+ (total objectives awaiting final DoD guidance on which NIST SP 800-172 controls apply) | Triennial government-led assessments | Enhanced protection of Controlled Unclassified Information (CUI) |
CMMC will not be enforced on federal contracts until the final rulemaking has been completed and incorporated into Titles 32 and 48 of the Code of Federal Regulations (CFR). [7]
Upcoming guidance has been promised from the CMMC office to help set expectations for companies in the Defense Industrial Base as to which level of accreditation should be sought, depending on their role as a prime contractor or subcontractor on various contracts.
In 2002, the Federal Information Security Management Act required each federal agency in the United States to develop, document, and implement an agency-wide program to provide information security for its information and information systems.
In 2002, the Cybersecurity Research and Development Act authorized appropriations to the National Science Foundation (NSF) and to the Secretary of Commerce for the National Institute of Standards and Technology (NIST) to establish new programs, and to increase funding for certain current programs, for computer and network security (CNS) research and development and CNS research fellowships. This led to the development of the security requirements in the Cybersecurity Maturity Model Certification framework.
In 2003, the FISMA Project (now the Risk Management Project) launched and published requirements such as FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-6, followed by NIST Special Publications 800-37, 800-39, 800-171, and 800-53A.
In 2010, Executive Order 13556, Controlled Unclassified Information, rescinded a previous order and created a standard for labeling data across the government.
In 2011, the Defense Federal Acquisition Regulation Supplement (DFARS) proposed rule 7000, enacting requirements for safeguarding unclassified information, specifically as it related to fundamental research, was proposed in Case 2011-D039.
In 2013, the DFARS 252.204-7000 rule went into effect, requiring the protection of sensitive data on non-federal systems.
In 2016, the DFARS 7012 clause went into effect, requiring all contract holders to self-assess their compliance with the security requirements of NIST SP 800-171.
In 2019, the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-attestation mechanism for an organization's basic cyber hygiene that had been used to govern the Defense Industrial Base. Since 2017, all defense contractors had been required to self-assess and report their cybersecurity readiness against the NIST SP 800-171 standard.
After a series of breaches in the supply chain, [9] the Department of Defense, working in partnership with industry, created the CMMC model.
The 2019 interim rule authorizing the inclusion of CMMC in procurement contracts, Defense Federal Acquisition Regulation Supplement (DFARS) 2019-D041, was published on September 29, 2020, with an effective date of November 30, 2020. [10]
On December 8, 2020, the CMMC Accreditation Board and the Department of Defense released an updated timeline [11] that has the model fully implemented by September 2021.
On December 8, 2020, the Department of Defense released seven pathfinder grants that will pilot the CMMC framework and require any contractor on the grant to have a certified third-party assessor measure the company's compliance. [12]
On December 31, 2020, the General Services Administration released a Request for Proposal for its Polaris program that noted that, while CMMC currently applies only to the Department of Defense, all government contractors, civilian or military, should prepare to meet CMMC requirements. [13]
On November 4, 2021, the Department of Defense announced the release of CMMC 2.0. [14] This new version was designed to streamline its requirements.
On September 29, 2022, the Cyber AB (the accreditation body for the CMMC for the Department of Defense) established a subsidiary to manage training and certification, entitled the "Cybersecurity Assessor and Instructor Certification" (CAICO). [15]
On October 25, 2022, the Cybersecurity Assessor and Instructor Certification Organization (CAICO) announced the launch of the Certified CMMC Professional (CCP) exam. This exam verifies a candidate's knowledge of the Department of Defense's CMMC framework and the roles and responsibilities of the various positions within it. [16]
On January 5, 2023, RedSpin, a CMMC third-party assessor, announced that it had successfully assessed a client under the Joint Surveillance Voluntary Assessment Program (JSVAP). [17]
On December 26, 2023, the Department of Defense issued the Proposed Rule, Cybersecurity Maturity Model Certification (CMMC) Program, to the Federal Register establishing the updated requirements for CMMC 2.0. [18]
Industry professionals have voiced significant concern over the lack of centralized official communications and the accelerated timeline for roll-out. The sheer number of companies affected in the Defense Industrial Base creates a volume of assessments for the not-yet-accredited CMMC Third Party Assessment Organizations (C3PAOs) that appears unrealistic within the proposed deadlines; this has been discussed heavily on LinkedIn. [19] [20] Arrington has responded by asserting that reciprocity with existing certification programs such as FedRAMP and FIPS 140 will remove duplicative work and keep the workload minimal for companies already in compliance. [21]
CMMC Accreditation Body Chairman Ty Schieber left the board, along with Mark Berman, communications director, amidst an apparently unsanctioned 'Pay to Play' sponsorship program being published to the CMMC-AB website. Karlton Johnson stepped into the Chair role. [22] [23]
The U.S. National Security Agency (NSA) used to rank cryptographic products or algorithms by a certification called product types. Product types were defined in the National Information Assurance Glossary which used to define Type 1, 2, 3, and 4 products. The definitions of numeric type products have been removed from the government lexicon and are no longer used in government procurement efforts.
The Federal Information Processing Standard Publication 140-2 is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on May 25, 2001, and it was last updated December 3, 2002.
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules.
FIPS 201 is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.
Information security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
The National Information Assurance Certification and Accreditation Process (NIACAP) formerly was the minimum-standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national-security information. NIACAP was derived from the Department of Defense Certification and Accreditation Process (DITSCAP), and it played a key role in the National Information Assurance Partnership.
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a deprecated United States Department of Defense (DoD) process meant to ensure companies and organizations applied risk management to information systems (IS). DIACAP defined a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation (C&A) of a DoD IS which maintained the information assurance (IA) posture throughout the system's life cycle.
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
Controlled Unclassified Information (CUI) is a category of unclassified information within the U.S. Federal government. The CUI program was created by President Obama’s Executive Order 13556 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA) of the National Archives and Records Administration (NARA), and is responsible for oversight of the CUI program. The ISOO monitors the implementation of the CUI program by executive branch agencies. CUI will replace agency specific labels such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) on new data and some data with legacy labels will also qualify as Controlled Unclassified Information. Federal contractors who handle CUI will be required to self-assess with the Cybersecurity Maturity Model Certification (CMMC) under the Cyber AB.
The Department of Defense Cyber Crime Center (DC3) is designated as a Federal Cyber Center by National Security Presidential Directive 54/Homeland Security Presidential Directive 23, as a Department of Defense (DoD) Center Of Excellence for Digital and Multimedia (D/MM) forensics by DoD Directive 5505.13E, and serves as the operational focal point for the Defense Industrial Base (DIB) Cybersecurity program. DC3 operates as a Field Operating Agency (FOA) under the Inspector General of the Department of the Air Force.
NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.
The Federal Information Processing Standard Publication 140-3 is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on March 22, 2019 and it supersedes FIPS 140-2.
Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.
Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is typically the core component of any security operations center (SOC), which is the centralized response team addressing security issues within an organization.
The Risk Management Framework (RMF) is a United States federal government guideline, standard and process for risk management to help secure information systems developed by National Institute of Standards and Technology (NIST). The RMF, illustrated in the diagram to the right, provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle.
Control system security, or industrial control system (ICS) cybersecurity, is the prevention of interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.
The Open Trusted Technology Provider Standard (O-TTPS) is a standard of The Open Group that has also been approved for publication as an Information Technology standard by the International Organization of Standardization and the International Electrotechnical Commission through ISO/IEC JTC 1 and is now also known as ISO/IEC 20243:2015. The standard consists of a set of guidelines, requirements, and recommendations that align with best practices for global supply chain security and the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products. It is currently in version 1.1. A Chinese translation has also been published.
Data sanitization involves the secure and permanent erasure of sensitive data from datasets and media to guarantee that no residual data can be recovered even through extensive forensic analysis. Data sanitization has a wide range of applications but is mainly used for clearing out end-of-life electronic devices or for the sharing and use of large datasets that contain sensitive information. The main strategies for erasing personal data from devices are physical destruction, cryptographic erasure, and data erasure. While the term data sanitization may lead some to believe that it only includes data on electronic media, the term also broadly covers physical media, such as paper copies. These data types are termed soft for electronic files and hard for physical media paper copies. Data sanitization methods are also applied for the cleaning of sensitive data, such as through heuristic-based methods, machine-learning based methods, and k-source anonymity.
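As an added illustration of the cryptographic-erasure strategy named above (this code is not part of the original article and describes no particular product), the Python below stores a constructed sample record only in encrypted form, keeps the data-encryption key apart from the medium, and shows that destroying the key leaves the stored bytes unreadable, whereas overwrite-based data erasure has to touch every byte of the medium. The HMAC-SHA256 counter-mode keystream is a standard-library stand-in for the AES mode a real product would use; all class and function names are hypothetical.

```python
"""Cryptographic erasure versus overwrite-based data erasure (stdlib only)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample record standing in for a sensitive file at end of life.
SAMPLE_RECORD = b"CUI//SP-CTI: contract 0000-PLACEHOLDER engineering drawing index, rev 7"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (stand-in for AES-CTR/XTS)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


@dataclass
class CryptoErasableStore:
    """Medium that only ever holds ciphertext; the key is held separately (hypothetical)."""
    medium: bytearray = field(default_factory=bytearray)
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _key: Optional[bytes] = field(default_factory=lambda: secrets.token_bytes(32))

    def write(self, plaintext: bytes) -> None:
        """Encrypt on the way in; plaintext never reaches the medium."""
        ks = _keystream(self._key, self.nonce, len(plaintext))
        self.medium[:] = bytes(a ^ b for a, b in zip(plaintext, ks))

    def read(self) -> Optional[bytes]:
        """Decrypt on the way out; impossible once the key is gone."""
        if self._key is None:
            return None
        ks = _keystream(self._key, self.nonce, len(self.medium))
        return bytes(a ^ b for a, b in zip(self.medium, ks))

    def crypto_erase(self) -> int:
        """Destroy the 32-byte key; the medium itself is left untouched.
        Returns the number of bytes that had to be destroyed."""
        self._key = None
        return 32


def data_erase(medium: bytearray, passes: int = 1) -> int:
    """Overwrite-based erasure: every byte of the medium is rewritten `passes` times.
    Returns the number of bytes written."""
    for _ in range(passes):
        medium[:] = secrets.token_bytes(len(medium))
    return len(medium) * passes


def compare_strategies(record: bytes = SAMPLE_RECORD) -> dict:
    """Run both strategies on the same record and report what each had to touch."""
    store = CryptoErasableStore()
    store.write(record)
    readable_before = store.read() == record
    crypto_cost = store.crypto_erase()
    plain_copy = bytearray(record)
    overwrite_cost = data_erase(plain_copy, passes=3)
    return {
        "readable_before_erase": readable_before,
        "readable_after_crypto_erase": store.read() is not None,
        "plaintext_on_medium_after_crypto_erase": record in bytes(store.medium),
        "bytes_destroyed_by_crypto_erase": crypto_cost,
        "bytes_written_by_overwrite": overwrite_cost,
        "plaintext_on_medium_after_overwrite": record in bytes(plain_copy),
    }


if __name__ == "__main__":
    for k, v in compare_strategies().items():
        print(f"{k}: {v}")
```

The point the comparison makes is the one that matters for end-of-life media: the cost of cryptographic erasure is fixed by the key size, not the volume of data, which is why it scales to large or flash-based media where overwriting every block is slow or unreliable; it only works if the data was encrypted before it was ever written and the key was never stored alongside it.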