CMMC 1.0: A consistent framework

Cybersecurity Maturity Model Certification (CMMC) – Framework

The CMMC 1.0 framework was built of 4 elements; security domains, capabilities, practices and processes and when combined they build best practice for the protection of an organisation and associated FCI and CUI.  These elements form the five cybersecurity maturity levels (Level 1, 2, 3, 4 and 5) which comprise the CMMC framework.  With Level 1 being the least mature and level 5 the most mature.

Cyber domains

The CMMC 1.0 framework consisted of 17 cyber security domains.  A domain is a distinct group of security practices which have similar attributes to each other and are key to the protection of FCI and CUI, either individually or in combination.  The following table outlines the domains defined in the CMMC for the protection of FCI and CUI within the CMMC framework.

Access Control
(AC)		Asset Management
(AM)		Audit and Accountability
(AU)		Awareness and Training
(AT)		Configuration Management
(CM)
Identification and Authentication
(IA)		Incident response
(IR)		Maintenance
(MA)		Media Protection
(MP)		Personnel Security
(PS)
Physical Protection
(PE)		Recovery
(RE)		Risk Management
(RM)		Security Assessment
(CA)		Situational Awareness
(SA)
System Communications Protection
(SC)		Systems Information Integrity
(SI)

Table 1: CMMC 1.0 Domains

Capabilities

Each domain comprises several capabilities which an organisation is expected to achieve, to ensure that cyber security and the protection of FCI and CUI is sustainable.  Capabilities are a combination of practices, processes, skills, knowledge, tools and behaviours, when working together enable an organisation to protect FCI and CUI.

C001
Establish system access requirements		C002
Control internal system access		C003
Control remote system access		C004
Limit data access to authorized users and processes		C005
Identify and document assets
C006
Manage asset inventory		C007
Define audit requirements		C008
Perform auditing		C009
Identify and protect audit information		C010
Review and manage audit logs
C011
Conduct security awareness activities		C012
Conduct training		C013
Establish configuration baselines		C014
Perform configuration and change management		C015
Grant access to authenticated entities
C016
Plan incident response		C017
Detect and report events		C018
Develop and implement a response to a declared incident		C019
Perform post incident reviews		C020
Test incident response
C021
Manage maintenance		C022
Identify and mark media		C023
Protect and control media		C024
Sanitize media		C025
Protect media during transport
C026
Screen personnel		C027
Protect federal contract information during personnel actions		C028
Limit physical access		C029
Manage back-ups		C030
Manage information security continuity
C031
Identify and evaluate risk		C032
Manage risk		C033 Manage supply chain
risk		C034
Develop and manage a system security plan		C035
Define and manage controls
C036
Perform code reviews		C037
Implement threat monitoring		C038
Define security requirements for systems and communications		C039
Control communications at system boundaries		C040
Identify and manage information system flaws
C041
Identify malicious content		C042
Perform network and system monitoring		C043
Implement advanced email protections

Table 2: CMMC Capabilities

Practices

In total (at Level 5) the CMMC framework identifies 171 practices, associated with the 17 security domains, mapped across the 5 maturity levels.  Practices applied at maturity level 1 and level 2 have been referenced from FAR 52.204-21 for the basic safeguarding of covered contractor information systems applied to the protection of Federal Control Information (FCI).  Practices applied at level 3, 4 and 5 are referenced from DFARS 252.204-7012 for the safeguarding of covered defence information and cyber Incident reporting.

Cybersecurity practices applied to each maturity level
CMMC Levels

Table 1: Cyber security practices and (D)FARS regulation per CMMC level

Maturity Processes

To ensure that security domains, capabilities and practices are implemented effectively and institutionalised.  5 maturity processes spanning levels 1, 2, 3, 4 and 5 are applied.  The processes are implemented to all security domains and to each of the 5 levels of cybersecurity maturity (Level 1, 2, 3, 4 and 5).  The processes describe the expected state of the practices applied at each level.  From the 17 practices being applied at level 1, through to the 171 practices being applied, documented, established, effective and optimised at level 5.

Maturity levelLevel descriptionProcess
ML 1Performed• There are no (Maturity) processes assessed at level 1.
• An organisation performs level 1 practices but they are not institutionalised.
ML 2Documented• Policies are established for each ‘security domain’ identified as required under level 2.
• CMMC practices are documented to implement the policy defined under level 2.
ML 3Managed• Practices are established, maintained, resourced and a plan of action is in place for their management.
ML 4Reviewed• The effectiveness of the practices are reviewed and measured.
ML 5Optimising• Practices are standardised and optimised across all organisational units.

Table 3: CMMC 1.0 maturity processes

Levels

The DIB delivers a complex mix of products and services to the DoD through a supply chain of over 300,000 primary and subcontract suppliers.  A single cyber security model will not appropriately support such an economically and technically diverse supply chain with varying degrees of cyber maturity.  Given the depth, breadth and complexity of the products and services being delivered, from footwear through to complex air, land, and sea-based systems.   A cybersecurity maturity model is the most appropriate solution to achieve this. 

The CMMC comprises of 5 levels of cyber maturity.  Each level of the CMMC is designed to accommodate different levels of cybersecurity maturity, accommodating different levels of process maturity, increasing the number of security domains and levels of practice.  They are designed to support DIB suppliers who require basic cyber security hygiene at level 1, through to complex DIB suppliers who are actively targeted by threat actors, potentially from a nation state at level 5.  The level of compliance will be defined by the DoD during the procurement process, mapped to the data which the contract will managed, FCI or CUI and the perceived threat to the DoD.  With levels 1 and 2 being associated with FCI data and levels 3, 4 and 5 with CUI.

CMMC maturity and progression

Note:  CMMC process maturity associated at each level accumulates as maturity levels increase.  i.e. the 171 practices at level 5 must be performed, documented, managed, reviewed and optimised to protect CUI.

For Further information on CMMC levels 1, 2, 3, 4 and 5, the associated domains, practices and maturity processes the links below will help clarify.

Level 1Level 2Level 3Level 4Level 5

Table 4: CMMC levels 1, 2, 3, 4 and 5