What is Cybersecurity Maturity Model Certification?
The Office of the Under Secretary of Defense for Acquisition & Sustainment has released the Cybersecurity Maturity Model Certification (CMMC) program. The program will be phased into new Department of Defense (DoD) contracts and will become a requirement for the product and service providers that bid on them. It was created to improve the protection of unclassified information across the defense supply chain. That information falls into two categories:
- Federal Contract Information (FCI) – Information provided by or generated for the Government under a contract that is not intended for public release.
- Controlled Unclassified Information (CUI) – Information that requires safeguarding or dissemination controls as defined by government policies, regulations and laws.
The CMMC is a cooperative effort between the DoD and industry. It defines a set of processes and practices, drawn from multiple existing cybersecurity standards and frameworks, for protecting FCI and CUI.
The Importance of CMMC
Cybersecurity threats are increasing at a staggering rate. Many of them are conducted by hostile nation states such as the People’s Republic of China, North Korea, and Iran. These attacks have resulted in the theft of classified information and in massive economic losses. The Center for Strategic and International Studies estimated that the global cost of cybercrime was as high as $600 billion in 2017. Because no exact dollar figure can be placed on the loss or compromise of data, the true cost far exceeds that estimate.
The Structure of Certification
The CMMC model is organized into multiple domains. Each domain has a set of processes, which are assessed at five maturity levels, and a set of capabilities, which are also assessed at five levels. Each capability consists of one or more practices. As shown in the figure below, the levels are cumulative: an organization must demonstrate that it meets every lower level before it can be certified at a higher one.