On November 8th, the Department of Defense (DoD) released version 0.6 (v0.6) of the Cybersecurity Maturity Model Certification (CMMC) to the public. CMMC v0.6 represents a significant milestone: DoD's guidance to date has been that the Defense Industrial Base (DIB) should assume minimal changes prior to the official launch of CMMC v1.0, which remains on schedule for January. Members of the DoD supply chain can therefore reference v0.6 with confidence as they begin, or continue, preparing for CMMC audit and certification.
CMMC v0.6 accounts for the more than 2,000 responses the DoD received from its contractor community to v0.4. It also reflects a pragmatic recognition that small-to-medium sized business (SMB) suppliers need additional insight into and understanding of their responsibilities, and that more than 90% of the roughly 300,000 affected companies will require a CMMC certification at Level 3 or below.
As a result, v0.6 focuses on CMMC Levels 1, 2, and 3. It acknowledges that while some DoD suppliers may not handle Controlled Unclassified Information (CUI), all receive and must protect Federal Contract Information (FCI) – information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Federal Acquisition Regulation (FAR) clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” defines how FCI must be protected. A Level 1 or 2 certification may be sufficient for those organizations that only receive FCI, while those that handle CUI will need to be certified at Level 3. Remember, qualifying for a Level 3 certification means meeting all of the practices and processes at that level, as well as CMMC Levels 1 and 2.
CMMC v0.6 includes discussion and clarification for the practices that comprise Level 1 and maps them to the safeguarding requirements identified in FAR 52.204-21, which will help SMBs with limited cybersecurity expertise or resources proceed more efficiently and effectively. As compared to CMMC v0.4, the latest release reduces the number of practices across Levels 1-3 by approximately 40%, and eliminates the Cybersecurity Governance domain. v0.6 comprises 131 practices spanning 17 domains for these 3 levels.
Members of the DIB that handle CUI who currently comply with National Institute of Standards and Technology Special Publication 800-171 Revision 1 (NIST SP 800-171 R1) are well-positioned to receive their CMMC Level 3 certification from an approved third-party assessor. NIST SP 800-171 R1’s 110 security controls (practices) and 14 control families (domains) form the foundation for Level 3. Organizations must account for an additional 21 practices and 3 domains (asset management, recovery, and situational awareness). They also must be able to demonstrate an appropriate level of process maturity to maintain good cyber hygiene (review activities for adherence to policies and practices, and provide adequate resources to conduct the reviews and respond accordingly). The additional practices – derived from sources including ISO 27001, the Center for Internet Security Controls, and the Software Engineering Institute’s CERT Resilience Management Model – support capabilities such as CUI labeling and handling, risk assessment and mitigation, network and system monitoring, software code reviews, and email protection.
The following graphic illustrates how CMMC v0.6 compares to its predecessors and NIST SP 800-171 R1 for Levels 1-3, along with notable practices required at each level.
The release of CMMC v0.6 makes it crystal clear that the DoD intends to adhere to its aggressive implementation timeline, and that it will not compromise on the core cybersecurity practices and processes that protect FCI and CUI from the exfiltration that costs taxpayers hundreds of billions of dollars and places national security at risk. At the same time, v0.6 reduces the burden on, and offers significant assistance to, DoD suppliers who were not subject to NIST SP 800-171 R1 requirements and only need CMMC Level 1 or 2 certification. It also streamlines the path to CMMC Level 3 certification for those companies that should already be NIST SP 800-171 R1-compliant. With the exception of the small percentage of companies that work on the most sensitive DoD programs and will need certification above Level 3, every company that directly or indirectly does business with the DoD now has the clarity it needs to embark immediately on its CMMC certification journey.