Any company that takes on lucrative contracts with the US Department of Defense (DoD) and becomes part of the Defense Industrial Base (DIB) sector needs to keep its cybersecurity practices up to date. It will also need to adhere to the Cybersecurity Maturity Model Certification (CMMC), including self-assessment and outside auditing, to confirm its compliance. This CMMC assessment guide will break down what it takes to get started.
Complete CMMC Assessment Guide
CMMC is a publication of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S). It consolidates the practices required by the Defense Federal Acquisition Regulation Supplement (DFARS), including all of NIST Special Publication 800-171.
Implementing and assessing all requirements for compliance can be highly complex. In this guide, we’ll walk you through everything you need to know to be fully compliant, including:
- The general focus of each level, including practice and process maturity goals
- A detailed breakdown of every control required at each level
- Some resources to help you achieve compliance at all levels
By the time we’re done, you’ll be well prepared to get started with assessment and certification or move on to the next stage in your cybersecurity journey. But first, let’s cover some basic CMMC definitions.
CMMC Framework Basics: Levels and Domains
At the CMMC’s core are 17 “Domains.” Each targets several “Capabilities” (43 total) across its “Practices,” or controls (171 total). These controls are implemented gradually across five “Maturity Levels.” These elements of the CMMC core break down as follows:
Maturity Levels:
- Maturity Level 1 – Safeguarding Federal Contract Information (FCI)
- Maturity Level 2 – Transitioning into Level 3 (and protection of CUI)
- Maturity Level 3 – Protecting CUI (controlled unclassified information)
- Maturity Level 4 – Finalizing CUI protection and preparing for APTs
- Maturity Level 5 – Preventing APTs (Advanced Persistent Threats)
At each Level, new and existing Practices are held to “process maturity” standards, which measure how well they are integrated across the company. Practices must be revisited and upgraded at each successive level.
Cybersecurity Domains:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Now, let’s discuss all of the Levels’ general focuses, practice and process maturity goals, and the control breakdowns to prepare for assessment at every level. All content in the sections below is sourced directly from CMMC V1.02, unless otherwise noted.
CMMC Level 1 Overview: Safeguarding FCI
The first CMMC Maturity Level focuses on safeguards for federal contract information (FCI), one of the two types of data CMMC is designed to protect. Its Practice goals constitute “basic cyber hygiene,” and Processes at Level 1 must merely be “performed” (not measured).
In total, CMMC Level 1 comprises 17 practices, encompassing six Domains. This is the second-fewest Practices of any Level, and combined with the relatively lenient Process goal, CMMC basic assessment at Level 1 is designed for accessibility. Let’s take a closer look at what it entails.
Breakdown of Level 1 Controls by Domain
The 17 Practices added at Level 1 break down as follows:
- Level 1 AC – Fundamental controls to authenticate access to sensitive FCI (four Practices)
- Level 1 IA – Basic parameters further defining authentication methodology (two Practices)
- Level 1 MP – A principle for deleting traces of FCI stored on hardware and software before it is reused, repurposed, recycled, sold, or otherwise disposed of (one Practice)
- Level 1 PE – Basic controls for monitoring physical and proximal access (four Practices)
- Level 1 SC – Basic controls for network traffic within defined borders (two Practices)
- Level 1 SI – Fundamental protocols for regular monitoring of systems (four Practices)
CMMC Level 2 Overview: Preparing for CUI
The second CMMC Maturity Level focuses less on any inherent goal and more on a transitional one, preparing for complete protection of controlled unclassified information at Level 3. Its Practices’ goals constitute “intermediate cyber hygiene,” and Processes must be performed and “documented.”
Level 2 adds 55 new Practices, the second most of any Level, for a running total of 72. Since all these Practices need to be documented, this is the first Level at which Process Maturity requires official measurement and CMMC assessment tools. Let’s take a closer look.
Breakdown of Level 2 Controls by Domain
The 55 Practices added at Level 2 break down as follows:
- Level 2 AC – Stronger access controls, including application of the “least privilege” principle and individual session management (ten Practices)
- Level 2 AU – Initial controls to guarantee regular auditing and audit logging (four Practices)
- Level 2 AT – Initial controls specifying training requirements for all staff (two Practices)
- Level 2 CM – Initial controls requiring immediate deletion and replacement of default security settings installed by the manufacturer on hardware, software, etc. (six Practices)
- Level 2 IA – Stronger requirements for length and complexity of credentials (five Practices)
- Level 2 IR – Initial protocols for management of incidents as they occur (five Practices)
- Level 2 MA – Initial controls specifying regular intervals for maintenance and the need for special service after updates, attacks, and other relevant events (four Practices)
- Level 2 MP – Stronger restrictions on access to FCI and CUI media (three Practices)
- Level 2 PS – Initial controls integrating cybersecurity into recruiting, hiring, onboarding, promoting, firing, and other personnel movement procedures (two Practices)
- Level 2 PE – Physical controls extending beyond perimeter protections (one Practice)
- Level 2 RM – Initial controls for systematic management of risks or threats (three Practices)
- Level 2 CA – Initial controls for regular assessment of security architecture (three Practices)
- Level 2 SC – Stronger network communications controls, such as encryption protocols and restriction of remote access to networks containing FCI and CUI (two Practices)
- Level 2 SI – Stronger controls to guarantee integrity, including immediate corrective response to identified flaws and weaknesses in system architecture (three Practices)
CMMC Level 3 Overview: Protecting CUI
The third CMMC Maturity Level focuses on the full protection of CUI, which coincides with the implementation of all NIST SP 800-171 controls. Practice goals for Level 3 constitute “good cyber hygiene,” and Processes at Level 3 must be documented and actively “managed.”
Level 3 adds 58 new Practices, the most of any Level, making the running total now 130. Plus, the management of all 130 controls makes Level 3 a milestone in compliance and security. The final two Levels will move far beyond cyber hygiene and into advanced proactive measures.
Breakdown of Level 3 Controls by Domain
The 58 Practices added at Level 3 break down as follows:
- Level 3 AC – Stronger methods for access restriction, including limitations of what capabilities are afforded to accounts with privileged access status (eight Practices)
- Level 3 AM – Initial definitions of CUI-specific asset handling requirements (one Practice)
- Level 3 AU – Greater specificity for audits and audit logging controls, including the safeguarding, monitoring, and recovery of logged audit data (seven Practices)
- Level 3 AT – More targeted training controls, focusing on internal threats (one Practice)
- Level 3 CM – Stronger controls of device configurations beyond removing defaults, including “black-” or “white-listing” of individual settings for security (three Practices)
- Level 3 IA – Final controls for user accounts, such as multi-factor authentication (MFA) and limitations on recycling of previously used credentials (four Practices)
- Level 3 IR – Stronger internal and external incident reporting protocols (two Practices)
- Level 3 MA – Final requirements for routine and special maintenance (two Practices)
- Level 3 MP – Stronger media protections, including tight restrictions on transport and transmission of sensitive data, as well as strong encryption (four Practices)
- Level 3 PE – A final extension of physical protections irrespective of location (one Practice)
- Level 3 RE – Specifications for performance and maintenance of backups (one Practice)
- Level 3 RM – Stronger risk analysis targeting areas lacking vendor support (three Practices)
- Level 3 CA – Assessment controls targeting internally developed apps (two Practices)
- Level 3 SA – Initial controls for analysis and sharing of threat intelligence (one Practice)
- Level 3 SC – Significantly stronger and broader controls for all elements of network communication, including encryption and VoIP safeguards (15 Practices)
- Level 3 SI – Stronger filtering and response protocols for identified flaws (three Practices)
CMMC Level 4 Overview: Preparing for APT
The fourth CMMC Maturity Level focuses on further optimizing CUI protection and moving into proactive measures to counteract advanced persistent threats. Its Practice goals constitute “proactive” measures, and Processes at Level 4 must be managed and “reviewed.”
Level 4 adds 26 Practices, bringing the running total to 156, all of which now require a deeper level of regular institution-wide review and corrective action to ensure ongoing security.
Breakdown of Level 4 Controls by Domain
The 26 Practices added at Level 4 break down as follows:
- Level 4 AC – Stronger monitoring for and restrictions on the flow of information (three Practices)
- Level 4 AM – A final control facilitating analysis of inventoried assets (one Practice)
- Level 4 AU – Stronger controls enabling automation and analysis of stored audit log information, as well as logging and security of audit analyses (two Practices)
- Level 4 AT – Final training specifications focused on advanced social engineering and other scams specifically targeting uninformed personnel (two Practices)
- Level 4 CM – Smoother configuration management through “white-listing” (one Practice)
- Level 4 IR – Stronger, proactive analytics for preventing incidents, including mobilization of intelligence on past attacks and establishment of a 24/7 response center (two Practices)
- Level 4 RM – Stronger, predictive analytical controls including the use of threat profiles and the management of one or more risk monitoring supply chains (four Practices)
- Level 4 CA – Final controls for ongoing improvement of security processes (three Practices)
- Level 4 SA – Final controls specifying “threat hunting” capabilities (two Practices)
- Level 4 SC – Stronger controls for isolating and protecting network communications, as well as analyzing potentially harmful code in communications infrastructure (five Practices)
- Level 4 SI – Protocols for integrating external and internal intelligence (one Practice)
CMMC Level 5 Overview: Preventing APT
The fifth and final CMMC Maturity Level focuses almost entirely on the most advanced protections against APTs available. The final stage of Practices constitutes advanced and progressive measures, and Processes at Level 5 must be reviewed and continuously “optimized.”
Level 5 adds only 15 new Practices, the fewest of any level, bringing the final total to 171. But the final Process goal includes keeping Practices up to date and actively seeking out ways to improve and perfect them over time. Let’s take a look at the final slate of Practices.
Breakdown of Level 5 Controls by Domain
The 15 Practices added at Level 5 break down as follows:
- Level 5 AC – A final protection for risks related to wireless access points (one Practice)
- Level 5 AU – A final control for identifying and correcting oversights in audit (one Practice)
- Level 5 CM – A final control for validating the integrity of security settings on software and hardware identified as critical or otherwise essential to the business (one Practice)
- Level 5 IR – Final controls specifying proactive, preventative measures for incidents, such as in-depth analysis of forensic data and unannounced exercises (four Practices)
- Level 5 RE – A final control for continuity, redundancy, and availability (one Practice)
- Level 5 RM – Final controls for an annual review of risk management architecture and periodic updates to exception protocols for non-whitelisted software (two Practices)
- Level 5 SC – Final controls specifying a port and commercial precautions (three Practices)
- Level 5 SI – Final controls for analysis of both systems and personnel (two Practices)
Professional Compliance and Cybersecurity
Across all of these levels, implementing and assessing all required controls can be challenging, especially for smaller to medium-sized companies with more modest IT budgets. RSI Security offers a suite of CMMC compliance advisory services to help your company achieve certification. This CMMC assessment guide is far from the only resource we offer; contact RSI Security today to see how easy CMMC compliance can be!