Cybersecurity Maturity Model Certification (CMMC)

What is Cybersecurity Maturity Model Certification?

To enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain, the U.S. Department of Defense (DoD) is working with DoD stakeholders, university-affiliated research centers, federally funded centers and industry at large to develop the Cybersecurity Maturity Model Certification (CMMC), a process that measures the ability of a company within the defense industrial base (DIB) sector to protect FCI and CUI. CMMC also adds a certification element to verify implementation of cybersecurity requirements. Certifications will need to be performed by accredited third parties such as Schneider Downs, who will independently validate the proper implementation and satisfaction of the security requirements.

CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk and account for flow down to subcontractors in a multitier supply chain. The CMMC will be included in RFIs and RFPs in 2020 and will eventually be mandatory for all prime contractors and subcontractors.

The CMMC Model Framework

The CMMC model framework categorizes cybersecurity best practices at the highest level by domains. Each domain is further segmented by a set of capabilities – achievements to ensure that cybersecurity objectives are met within each domain. Companies will further validate compliance with the required capabilities by demonstrating adherence to practices and processes that have been mapped across five maturity levels (explained below). Within this context, practices will measure the technical activities required to achieve compliance with a given capability requirement, while processes will measure the maturity of a company’s processes.

CMMC Levels

The CMMC model has five defined levels, each with a set of supporting practices and processes, from Level 1 that addresses basic cyber hygiene to proactive and advanced Levels 4 and 5. In parallel, processes range from being performed at Level 1, documented at Level 2 and optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below. Levels are described as follows:

  • Level 1 – Requires an organization to demonstrate basic cyber hygiene. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1, and therefore, a CMMC Level 1 organization may have limited or inconsistent cybersecurity maturity. At this level, organizations may be provided with FCI, which is information not intended for public release but provided by or generated for the government under a contract to develop or deliver a product or service to the government.
  • Level 2 – Requires an organization to demonstrate intermediate cyber hygiene. At this level, an organization is expected to establish and document standard operating procedures, policies and strategic plans to guide the implementation of their cybersecurity program. At Level 2, organizations may be provided with FCI.
  • Level 3 – Requires an organization to demonstrate good cyber hygiene and effective implementation of the NIST SP 800-171 Rev 1 security requirements. For process maturity, a Level 3 organization is expected to adequately resource and review activities related to adherence to policy and procedures, and demonstrate management of practice implementation. Organizations that require access to CUI and/or generate CUI should achieve Level 3.
  • Levels 4 and 5 – At Levels 4 and 5, an organization has a substantial and proactive cybersecurity program, with the capability to adapt its protection and sustainment activities to address the changing tactics, techniques and procedures (TTPs) in use by APTs. For process maturity, the organization is expected to review and document activities for effectiveness and inform high-level management of any issues, as well as ensure that process implementation has been generally optimized across the organization.

CMMC Domains

The CMMC model consists of 17 domains, the majority of which originated from the FIPS 200 security-related areas and the NIST SP 800-171 control families. The domains are as follows:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AA)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IDA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PP)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (SAS)
  • Situational Awareness (SA)
  • System and Communications Protections (SCP)
  • System and Information Integrity (SII)

CMMC Timeline and Cost

While draft versions of the CMMC are currently available for review, the final version of CMMC is not expected to be released until January 2020. CMMC is set to start appearing in RFIs in June 2020, and the expectation is that it will start appearing in RFPs in September 2020.

As it relates to price, the FAQ section of the CMMC webpage notes that, “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.” Given that, we expect future RFIs and RFPs will allow prime contractors and subcontractors to work the cost of compliance into their bids.

CMMC Assessments

CMMC assessments will need to be performed by CMMC third-party assessment organizations (C3PAO), training for which is expected to take place between January and June of 2020.

How Schneider Downs Can Help

Schneider Downs intends to become a C3PAO. In the meantime, until such requirements are made public, we can help your organization prepare for CMMC by performing an assessment against the NIST SP 800-171 framework. For more information, please contact Daniel J. Desko or Troy Fine.
