CMMC v1 Published – Cybersecurity Model Certification

On January 30, 2020 the Office of the Under Secretary of Defense for Acquisition & Sustainment released CMMC v1 and it includes the CMMC Model v1.0 Overview, Process, Practice Descriptions and Clarifications, Glossary, Abbreviations and Acronyms, Source Mapping and References.

CMMC v1.0 Model Overview

CMMC is a unified cybersecurity standard for future DoD acquisitions and encompasses the following:

  • 17 capability domains; 43 capabilities
  • 5 processes across five levels to measure process maturity
  • 171 practices across five levels to measure technical capabilities
CMMC LevelPracticesProcesses
Level 1 17
Level 2552
Level 3581
Level 4261
Level 5151

Download the full CMMC Model (pdf)

CMMC v1 Model Framework

CMMC model framework organizes processes and cybersecurity best practices
into a set of domains:

  • Process maturity or process institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that:
    • An organization will continue to perform the activity – including under times of stress – and
    • The outcomes will be consistent, repeatable and of high quality.
  • Practices are activities performed at each level for the domain

CMMC Model Structure in v1.0

17 Capability Domains for v1.0

  • Asset Management (AM)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • System and Information
  • Integrity (SI)
  • System and Communications Protection (SC)
  • Situational Awareness (SA)
  • Security Assessment (CA)
  • Physical Protection (PE)
  • Risk Management (RM)
  • Recovery (RE)

CMMC 5 levels measure cybersecurity maturity

CMMC LevelProcessesProcesses
Level 1 PerformedAdvanced Progressive
Level 2DocumentedProactive
Level 3ManagedGood Cyber Hygiene
Level 4ReviewedIntermediate Cyber Hygiene
Level 5OptimizingBasic Cyber Hygiene

CMMC Level 1 : Performed

0 PROCESSES: Select practices are documented where required

CMMC Level 2 : Documented

2 PROCESSES:

  • Each practice is documented, including Level 1 practices
  • A policy exists that includes all activities

CMMC Level 3 : Managed

3 PROCESSES

  • Each practice is documented, including lower levels
  • A policy exists that cover all activities
  • A plan exists, is maintained, and resourced that includes all activities (Planning activities may include mission, goals, project plan, resourcing, training needed, and involvement of relevant stakeholders

CMMC Level 4 : Reviewed

4 PROCESSES

  • Each practice is documented, including lower levels
  • A policy exists that covers all activities
  • A plan exists that includes all activities
  • Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management)

CMMC Level 5 : Optimizing

  • Each practice is documented, including lower levels
  • A policy exists that covers all activities
  • A plan exists that includes all activities
  • Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management)
  • There is a standardized, documented approach across all applicable organizational units

CMMC v1.0 Practice Progression

CMMC Level 1 : Basic Cyber Hygiene

17 PRACTICES

  • Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204- 21

CMMC Level 2 : Intermediate Cyber Hygiene

72 PRACTICES

  • Comply with the FAR
  • Includes a select subset of 48 practices from the NIST SP 800- 171 r1
  • Includes an additional 7 practices to support intermediate cyber hygiene

CMMC Level 3 : Good Cyber Hygiene

130 PRACTICES

  • Comply with the FAR
  • Encompasses all practices from NIST SP 800-171 r1
  • Includes an additional 20 practices to support good cyber hygiene

CMMC Level 4 : Proactive

156 PRACTICES

  • Comply with the FAR
  • Encompasses all practices from NIST SP 800-171 r1
  • Includes a select subset of 11 practices from Draft NIST SP 800-171B
  • Includes an additional 15 practices to demonstrate a proactive cybersecurity program

CMMC Level 5 : Advanced Progressive

171 PRACTICES

  • Comply with the FAR
  • Encompasses all practices from NIST SP 800-171 r1
  • Includes a select subset of 11 practices from Draft NIST SP 800-171B
  • Includes an additional 11 practices to demonstrate an advanced cybersecurity program

CMMC Model v1.0 Source Counts

Model leverages multiple sources and references

  • CMMC Level 1 only addresses practices from FAR Clause 52.204-21
  • CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others
  • CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others
  • Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model

Number of Practices per Source

CMMC LevelTotal no of Practices
48 CFR 52.204-21NIST
SP 800-171r1
Draft NIST
SP 800-171B **
Other
Level 11715*17*
Level 255487
Level 3584513
Level 4261115
Level 515411
  • 15 safeguarding requirements from FAR clause 52.204-21 correspond to 17 security requirements from NIST SP 800-171r1, and in turn, 17 practices in CMMC
  • 18 enhanced security requirements from Draft NIST SP 800-171B have been excluded from CMMC Model v1.0

CMMC v1 Model Appendixes

Appendix A provides the model in tabular form with all practices organized by Domain (DO), Capability, and Level (L)

  • Practices are numbered as DO.L.###, with a unique number ###
  • Each practice includes up to nine sources

Appendix A also includes maturity level processes

  • Processes are generalized but apply to all domains
  • Processes are numbered as ML.L.99#

Appendix B Process and Practice Descriptions include:

  • Discussion, derived from source material where available
  • Clarification with examples
  • A list of references

Same framework as model

  • Processes are generalized but apply to all domains
  • Practices are ordered by domain and level

Appendix E Source Mapping summarizes the list of sources for all five processes and 171
practices. Sources include:

  • FAR Clause 52.204-21
  • NIST SP 800-171 Rev 1
  • Draft NIST SP 800-171B
  • CIS Controls v7.1
  • NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
  • CERT Resilience Management Model (CERT RMM) v1.2
  • NIST SP 800-53 Rev 4
  • Others such as CMMC, UK NCSC Cyber Essentials, or AU ACSC Essential Eight

Download the Appendices of CMMC Model v1.0

More info: https://www.acq.osd.mil/cmmc/draft.html