The IV&V Group® is preparing to meet the requirements imposed by CMMC (the Cybersecurity Maturity Model Certification).  We are a subcontractor on a number of federal government contracts.  As we make our own way through the CMMC requirements, we hope that our understanding, as illustrated below, will help others with theirs.

As mentioned in the first blog, each level of maturity contains its own set of practices.  The levels are cumulative: as an organization moves to a higher level of cybersecurity maturity, the number of practices for which it is responsible grows, because the practices required at a given level include those of that level plus the practices of all lower levels.

It is anticipated that some federal contracts, both DoD and non-DoD, will require a contractor to have a Level 4 or even a Level 5 certification.  It is also expected that many will require lower levels and that some will require only a Level 1 certification.

The character of the practices required at each of the maturity levels is summarized below.

Level 1 Practices:

  • Basic cybersecurity
  • Achievable for small companies
  • Subset of universally accepted common practices
  • Limited resistance against data exfiltration
  • Limited resilience against malicious actions

Level 2 Practices:

  • Inclusive of universally accepted cybersecurity best practices
  • Resilient against unskilled threat actors
  • Limited resistance against data exfiltration
  • Limited resilience against malicious actions

Level 3 Practices:

  • Coverage of all NIST SP 800-171 rev 1 controls
  • Additional practices beyond the scope of Controlled Unclassified Information (CUI) protection
  • Resilient against moderately skilled threat actors
  • Moderate resistance against data exfiltration
  • Moderate resilience against malicious actions
  • Comprehensive knowledge of cyber assets

Level 4 Practices:

  • Advanced and sophisticated cybersecurity practices
  • Resilient against advanced threat actors
  • Defensive responses approach machine speed
  • Increased resistance against, and detection of, data exfiltration
  • Complete and continuous knowledge of cyber assets

Level 5 Practices:

  • Highly advanced cybersecurity practices
  • Reserved for most critical systems
  • Resilient against the most advanced threat actors
  • Defensive responses performed at machine speed
  • Machine performed analytics and defensive actions
  • Resistance against, and detection of, data exfiltration
  • Autonomous knowledge of cyber assets

Each practice is aligned to a Capability (e.g., Establish System Access Requirements, Identify and Document Assets), and each Capability is in turn aligned to a Domain (e.g., Access Control, Configuration Management).

The next blog (Part Three) will describe the CMMC Processes.



Eva Freund