The U.S. Department of Defense released the highly anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. This model serves as a unified standard for implementing cybersecurity controls across the defense industrial base which applies to over 300,000 entities across the country. With the increasing amount of supply chain attacks disrupting and compromising sensitive information concerning national security, the CMMC seeks to rectify major malpractice via this uniformed model.
From the official CMMC Government Portal: “The Cybersecurity Maturity Model Certification framework includes a comprehensive and scalable certification element to verify the processes and practices associated with the achievement of a cybersecurity maturity level. CMMC can adequately protect sensitive unclassified information, accounting for flow down to subcontractors in a multi-tier supply chain.”
The current CMMC framework is based on a variety of pre-existing standards including the highly influential ISO 27001 and NIST SP 800-171, which both pertain to the protection of controlled unclassified information in non-federal organizations as well as general best practices when handling sensitive information of any kind that does not belong to you or the organization you may represent. The idea of a maturity model stems from the tier-based approach to compliance in which 5 total levels of maturity can be reached, each broken up into a variety of best practices and controls:
These best practices make up a total of 17 Capability Domains including Access Control, Risk Management, Media Protection, Incident Response, and more. The CMMC Accreditation Board breaks down these domains into the 171 best practices depicted in the graph I’ve created above.
With the topic of supply chain risk becoming increasingly relevant, and with the new Biden Administration revisiting and amplifying current Cybersecurity controls and measures, such as the CMMC, we will continue to explore the topic of federal compliance over the coming weeks, breaking down these aforementioned controls even further and helping you to understand where you may fall into this complex framework.
STAY UP TO DATE WITH TWITTER, INSTAGRAM, FACEBOOK, AND LINKEDIN SO YOU KNOW WHAT WE’RE UP TO!
Written By: Austin Grupposo'23 // Digital Forensics & CybersecurityThe post AMSec Project Introduction appeared first on The Leahy Center for Digital Forensics & Cybersecurity.