DoD Releases CMMC Version 1.0

By Kristen Morales • February 6, 2020

The Cybersecurity Maturity Model Certification (CMMC) version (v) 1.0 has finally arrived. CMMC v1.0 changes the DoD acquisition process: certification becomes a pre-RFP requirement to bid on a government contract. Like you, CyberSheath has been aggressively following the CMMC's progression to this final version, which included three previous drafts: 0.4, 0.6 and 0.7. Overall, not much has changed from draft 0.7; however, version 1.0 does have some noteworthy updates.


Overview of CMMC Levels 1-5 per the DoD’s released CMMC v1.0

Level 1 focuses on the protection of Federal Contract Information (FCI) and the practices under the basic safeguarding requirements detailed in 48 CFR 52.204-21. Level 1 is the only level at which processes will not be assessed.

Level 2 is the step between Levels 1 and 3 and, as such, begins to include a portion of the NIST 800-171 controls, in addition to practices from other frameworks. The subset of frameworks introduced at Level 2 also starts to refer to Controlled Unclassified Information (CUI). Unlike Level 1, Level 2 requires documentation of processes and policies.

Level 3 requires the implementation of all 110 NIST 800-171 controls. There are also 20 new CMMC practices introduced at Level 3. In addition to documenting processes, "Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation."

Level 4 concentrates on the "protection of CUI from APTs and encompasses a subset" of practices from the NIST 800-171B draft combined with other cybersecurity models. Level 4 requires that processes be documented, managed and reviewed, and improved as necessary.

Level 5, like Level 4, concentrates on the "protection of CUI from APTs." Level 5 requires the continuous optimization of documentation and processes across the organization.


Key Differences between NIST 800-171 and CMMC v1.0

  • CMMC includes security practices in new Domains, including Asset Management, Recovery, and Situational Awareness.
  • Level 2 requires increased standards for Incident Response.
  • Level 2 requires an organization to review logs.
  • Level 3 requires increased standards for Risk Management.
  • Level 3 requires organizations to collect audit logs in one or more central repositories.
  • Level 3 includes new requirements to protect email services.
  • Level 3 includes new requirements to filter access to potentially malicious internet sites (DNS filtering).
  • Level 3 builds on Levels 1 and 2, requiring 100% compliance with NIST 800-171 plus 20 new CMMC practices (one fewer than the previous draft version).


Key Differences between CMMC draft v0.7 and CMMC v1.0

  • The Level 4 SOC is now 24/7 instead of "normal business hours".
  • For Levels 3, 4 and 5, the new practice (P1035) requiring organizations to "Identify, categorize, and label all CUI data" has been removed from every level that required it in the draft versions. However, the original control to mark media is still there, so if you print CUI or put it on a thumb drive, you need to mark that media. Identifying and labeling CUI content itself is no longer explicitly stated as it was in all previous drafts.


If you have any questions or would like support as you ready your organization for CMMC, contact us. We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have already taken to be compliant under DFARS.

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: challenges and complexities to consider at each compliance level
  • A step-by-step path to attaining CMMC
