CMMC 2.0: A consistent cybersecurity framework
Cybersecurity Maturity Model Certification 2.0 – Framework
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of its internal CMMC review:
- Safeguard sensitive information to enable and protect the war-fighter.
- Dynamically enhance DIB cybersecurity to meet evolving threats.
- Ensure accountability while minimizing barriers to compliance with DoD requirements.
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience.
- Maintain public trust through high professional and ethical standards.
CMMC 2.0 differs significantly from CMMC 1.0. The number of levels has been reduced from 5 in CMMC 1.0 to 3, and the CMMC maturity assessments have been removed completely. CMMC 2.0 relies upon NIST SP 800-171, as required by DFARS 252.204-7012, for CMMC Levels 1 and 2, adding controls from NIST SP 800-172 for CMMC Level 3. NIST SP 800-171 is built from security domains, practices and processes which, when combined with organisational capabilities, form best practice for the protection of CUI and FCI.
Figure 1: CMMC 2.0: Cyber security practices and NIST SP 800-171 and NIST SP 800-172 per CMMC level
CMMC 2.0 Cyber domains
The CMMC 2.0 framework consists of 14 cyber security domains, 3 fewer than CMMC 1.0. A domain is a distinct group of security practices which share similar attributes and are key to the protection of FCI and CUI, either individually or in combination. The following table outlines the domains defined in CMMC 2.0 for the protection of FCI and CUI.
Table 1: CMMC 2.0 (NIST SP 800-171) Domains
In total at Level 3, the CMMC 2.0 framework identifies 110 practices, associated with the 14 security domains. The 17 practices applied at Level 1 are referenced from FAR 52.204-21 (basic safeguarding of covered contractor information systems) and apply to the protection of Federal Contract Information (FCI). The 110 practices applied at Level 2 are referenced from DFARS 252.204-7012 (safeguarding of covered defence information and cyber incident reporting). The 110+ practices at Level 3 include all of those from NIST SP 800-171 plus additional practices drawn from NIST SP 800-172, which are yet to be agreed.
Capabilities were explicitly referenced in CMMC 1.0 and removed from CMMC 2.0. However, for organisations to embed cybersecurity effectively into their risk management practices, strategy and operations, capabilities should still be considered. We have therefore retained them.
Each NIST SP 800-171 domain comprises several capabilities which an organisation should aim to achieve, to ensure that cyber security and the protection of FCI and CUI are sustainable. Capabilities are a combination of practices, processes, skills, knowledge, tools and behaviours which, when working together, enable an organisation to protect FCI and CUI.
- Establish system access requirements
- Control internal system access
- Control remote system access
- Limit data access to authorized users and processes
- Identify and document assets
- Manage asset inventory
- Define audit requirements
- Identify and protect audit information
- Review and manage audit logs
- Conduct security awareness activities
- Establish configuration baselines
- Perform configuration and change management
- Grant access to authenticated entities
- Plan incident response
- Detect and report events
- Develop and implement a response to a declared incident
- Perform post-incident reviews
- Test incident response
- Identify and mark media
- Protect and control media
- Protect media during transport
- Protect federal contract information during personnel actions
- Limit physical access
- Manage information security continuity
- Identify and evaluate risk
- Manage supply chain (C033)
- Develop and manage a system security plan
- Define and manage controls
- Perform code reviews
- Implement threat monitoring
- Define security requirements for systems and communications
- Control communications at system boundaries
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protections
Table 2: CMMC Capabilities