It has finally arrived, the Cybersecurity Maturity Model Certification (CMMC) version (v) 1.0. CMMC v1.0 changes the DOD acquisition process with certification becoming a pre-RFP requirement to bid a government contract. Like you, CyberSheath has been aggressively following the CMMC’s progression to this final version which included 3 previous drafts 0.4, 0.6 and 0.7. Overall not much has changed from draft 0.7; however, version 1.0 does have some noteworthy updates.
Overview of CMMC Levels 1-5 per the DOD’s released CMMC v1.0
Level 1 focuses on the protection of Federal Contract Information (FCI) and the practices under the basic safeguarding requirements detailed in 48 CFR 52.204-21. Level 1 is the only level where processes will not be assessed.
Level 2 is the step between Levels 1 and 3 and as such begins to include a portion of NIST 800-171 controls, in addition to other frameworks. The subset of frameworks introduced at Level 2 also starts to refer to Controlled Unclassified Information (CUI). Unlike Level 1, documentation of processes and policies is a requirement in Level 2.
Level 3 requires the implementation of all 110 NIST 800-171 controls. There is also 20 new CMMC practices introduced at Level 3. In addition to documenting processes, “Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.”
Level 4 concentrates on the “protection of CUI from APTs and encompasses a subset” of practices from the NIST 800-171B draft combined with other cybersecurity models. Level 4 requires documenting, managing in addition to reviewing processes as well as improving as necessary.
Level 5, like Level 4, Level 5 concentrates on the “protection of CUI from APTs.” Level 5 requires the continuous optimization of documentation and processes across the organization.
Key Differences between NIST 800-171 and CMMC v1.0
CMMC includes security practices in new Domains including Asset Management, Recovery, and Situation Awareness.
Level 2 requires increased standards for Incident Response
Level 2 requires an organization to review logs
Level 3 requires increased standards for Risk Management
Level 3 requires organizations to collect audit logs in one or more central repositories
Level 3 includes new requirements to protect email services
Level 3 includes new requirements to filter access to potentially malicious internet sites (DNS filtering)
Level 3 builds on Levels 1 and 2, requiring 100% compliance with NIST 800-171 plus 20 new CMMC practices (1 less than the previous draft version)
Key Differences between CMMC draft v0.7 and CMMC v1.0
Level 4 SOC is now 24/7 instead of “normal business hours”
Levels 3, 4 + 5 the new practice (P1035) requiring organizations to, “Identify, categorize, and label all CUI data” has been removed from all Levels that originally required it in draft versions. However, the original control to mark media is still there, so if you print or put media on a thumb drive, you need to mark it. But identifying and labeling CUI content is not explicitly stated as it was in all previous drafts.
If you have any questions or would like support as you ready your organization for CMMC, contact us. We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS. Register Now
In this webinar you will learn:
- Mapping NIST 800-171 to CMMC
- Levels 1-5: Challenges and complexities to consider at each compliance level
- Step by step path to attaining CMMC