Cybersecurity Maturity Model Certification (CMMC)
What is the Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification (CMMC) program was developed by the United States Department of Defense to enforce protection of sensitive unclassified information that the Department shares with its contractors and subcontractors. Contractors are required to implement progressively advanced levels of controls depending on the type and sensitivity of the information that is shared. In November 2021, the Department of Defense announced CMMC 2.0 with an updated structure and requirements. CMMC 2.0 has 3 tiers of certification, outlined in the following table.
Tier | Model | Assessment |
---|---|---|
Level 3 | 110+ practices aligned with NIST SP 800-171 and 800-172 | Triennial government-led assessments |
Level 2 | 110 practices aligned with NIST SP 800-171 | Triennial third-party assessments for critical national security information; triennial self-assessment for select programs |
Level 1 | 15 practices | Annual self-assessment & annual affirmation |
While many organizations are working towards compliance with CMMC 2.0 requirements, the rulemaking process that will formally implement this program is still in progress.
Who is the intended audience?
The CMMC program applies to contractors and subcontractors of the United States Department of Defense, also commonly referred to as the Defense Industrial Base (DIB).
Where can I find more information?
The following resources can be found on the United States Department of Defense and National Institute of Standards and Technology websites:
- Strategic Direction for Cybersecurity Maturity Model Certification Program
- NIST SP 800-171 rev2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information
How can runZero help me with these controls?
The CMMC 2.0 program aligns with NIST Special Publications 800-171 and 800-172. Both standards organize their controls into the same 14 control families. NIST SP 800-171 defines 110 controls across the 14 control families, and NIST SP 800-172 defines additional enhanced security requirements for each control family. The following table illustrates how runZero aligns with each control family. Where Strong alignment is noted, runZero can play a significant role in helping an organization implement safeguards. Where Partial alignment is noted, runZero can play a complementary role in helping an organization implement safeguards.
Control Family | Strong alignment | Partial alignment |
---|---|---|
Access Control | ✔ | |
Awareness and Training | | |
Audit and Accountability | | |
Configuration Management | ✔ | |
Identification and Authentication | ✔ | |
Incident Response | | |
Maintenance | | |
Media Protection | | |
Personnel Security | | |
Physical Protection | | |
Risk Assessment | ✔ | |
Security Assessment | ✔ | |
System and Communications Protection | | |
System and Information Integrity | ✔ | |