The United States Department of Defense published Version 0.4 of the CMMC on September 4, 2019. The publication includes some new insights into the DoD’s plans for the CMMC, including:
- Reinforcement of the January 2020 target date for the release of CMMC 1.0 and the June 2020 target date for incorporation of the CMMC in all RFIs;
- A softening of the target date for incorporation of the CMMC as a mandatory requirement for all acquisitions to “Fall 2020” (this had previously been September 2020);
- A commitment to a second draft of the CMMC, which is due in November 2019;
- The DoD is actively pushing to streamline the CMMC and is seeking public comments on how the requirements should be reprioritized and/or reassigned, as well as whether certain requirements should be removed or added;
- The DoD is aware that small and medium businesses may be more severely impacted than large government contractors and is trying to factor SMB concerns into the CMMC;
- The DoD is stressing process maturity, not merely the implementation of certain pieces of technology (which they refer to as “practices”) and asserts that such maturity can help make up for shortcomings in technical control implementations.
- As illustrated in Figure 1, below, the CMMC defines eighteen (18) different cybersecurity-related domains, from Access Control to Systems and Information Integrity. Every domain comprises capabilities, and each capability comprises both practices and processes.
- The CMMC defines two sets of maturity metrics: one for technical practices (i.e., whether certain controls have been implemented), and one for processes (i.e., how well the organization has documented not only its plans for implementing the controls, but also how it monitors its performance in implementing the controls). The practice maturity levels are:
  - Basic Cyber Hygiene;
  - Intermediate Cyber Hygiene;
  - Good Cyber Hygiene;
  - Proactive; and,
- The process maturity levels are:
  - Reviewed; and,
- Each organization’s maturity will be assessed against all eighteen domains, and the assessment will look at both the practices and the processes. Organizations, especially small and medium organizations, frequently do not prioritize documentation of processes, so it can take months, and even years, for an organization to reach process maturity level 2 or beyond. We strongly encourage organizations to start documenting their processes now, before CMMC 1.0 is released. We recognize that this process can be intimidating for even sophisticated organizations. Contact Fathom Cyber today to learn more about how we can help your organization prepare for CMMC 1.0.
Subscribe to our newsletter for more details about the DoD’s Cybersecurity Maturity Model and other business-oriented cybersecurity news and information. To view CMMC Version 0.4, visit https://www.acq.osd.mil/cmmc/draft.html