Much has already been published with respect to the Cybersecurity Maturity Model Certification (CMMC). So, hopefully this introduction will be summarily brief. Let’s start at the beginning.
The CMMC was published in 2020 as DoD’s extension to NIST SP 800‑171. The CMMC “certification” is specifically for contractor organizations and is essentially the equivalent of an “authorization to operate”. Organizations must fulfill the CMMC requirements as a condition of contract award. SP 800‑171 was published for a few primary reasons:
CMMC takes the content of SP 800‑171 and organizes it into five (5) levels. Level 1 requires only seventeen (17) basic controls. Each subsequent level requires additional controls; for example, Level 2 and Level 3 each add approximately 50 additional controls. Organizations processing CUI are required to achieve Level 3.
CMMC builds on SP 800‑171 and adds certain prescriptions for organizational and security maturity improvements. None are required for Level 1; they are added at Levels 2 through 5. These specifications determine an organization’s “Maturity Level”. Starting at Level 2, each Level adds requirements such as:
You may see similarities between the above and Capability Maturity Model Integration (CMMI). The same organization, the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU), wrote both. More details will be published in subsequent issues of the blog.
CMMC is also an ecosystem for defense contractors. Specified within this ecosystem are:
Upcoming blog issues will address these in detail.