CYBERSECURITY MATURITY MODEL CERTIFICATION Hype or Help? Alan Frost, CISSP


Page 1 (source: isc2chapter-middlega.org/wp-content/uploads/2020/...)

CYBERSECURITY MATURITY MODEL CERTIFICATION: Hype or Help?

Alan Frost, CISSP

Page 2

Agenda

◦ Overview
◦ Intended Use
◦ Latest Status
◦ Auditor Certification
◦ Conclusion

Page 3

MODEL OVERVIEW


Page 4

Objectives

◦ Johns Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) reviewed and combined various cybersecurity standards into one unified standard for cybersecurity.
◦ The CMMC levels range from basic hygiene to “State-of-the-Art”.
◦ Must be semi-automated and, more importantly, cost effective enough so that Small Businesses can achieve the minimum CMMC level of 1.
◦ The CMMC model will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector.
◦ A neutral 3rd party will maintain the standard for the Department.

Page 5

CMMC Model Overview

◦ Comprised of:
  ◦ 17 capability domains; 43 capabilities
  ◦ 5 processes across five levels to measure process maturity
  ◦ 171 practices across five levels to measure technical capabilities

CMMC Level   Practices   Processes
Level 1      17          -
Level 2      55          2
Level 3      58          1
Level 4      26          1
Level 5      15          1

Page 6

Model Structure

Domains (17)
◦ Processes: spanning 5 levels per domain
◦ Capabilities: one or more, spanning 5 levels per domain
◦ Practices: one or more, spanning 5 levels per domain

Page 7

CMMC Domains & Comparison to RMF

◦ Access Control
◦ Asset Mgt
◦ Audit & Accountability
◦ Awareness & Training
◦ Configuration Mgt
◦ Identification & Authentication
◦ Incident Response
◦ Maintenance
◦ Media Protection
◦ Personnel Security
◦ Physical Protection
◦ Planning
◦ Program Mgt
◦ Recovery (similar to CP)
◦ Risk Mgt
◦ Security Assessment
◦ Situational Awareness
◦ System & Comm Protection
◦ System & Info Integrity
◦ System & Services Acq

Page 8

Processes

Maturity Level   Level Description   Processes
ML 1             Performed           None
ML 2             Documented          Establish a policy for each domain; document practices for each domain
ML 3             Managed             Establish, maintain & resource a plan for each domain
ML 4             Reviewed            Review & measure domain activities for effectiveness
ML 5             Optimizing          Standardize & optimize a documented approach for all domains across the enterprise

Page 9

Levels of Maturity

Lvl   Processes    Practices                   Compliance                                                                                         Level Objective
1     Performed    Basic cyber hygiene         FAR 38 CFR 52.204-21                                                                               Safeguarding FCI
2     Documented   Intermediate cyber hygiene  FAR 38; (48) NIST 800-171 r1 practices; (7) CMMC practices                                         Transitioning to CUI
3     Managed      Good cyber hygiene          FAR 38; All NIST 800-171 r1 practices; (20) CMMC practices                                         Protecting CUI
4     Reviewed     Proactive                   FAR 38; All NIST 800-171 practices; (11) NIST 800-171B practices; (15) CMMC practices              Increased CUI protection
5     Optimizing   Advanced/Progressive        FAR 38; All NIST 800-171 practices; (4) NIST 800-171B practices; (11) CMMC practices               Reduced APT risk

Page 10

Practices per Level

[Stacked bar chart: practices added at each level, with the cumulative total a level must meet]
Level 1: 17 new practices (17 Practices)
Level 2: 55 new practices (72 Practices)
Level 3: 58 new practices (130 Practices)
Level 4: 26 new practices (156 Practices)
Level 5: 15 new practices (171 Practices)

Page 11

Example: Audit & Accountability

Capability C010: Review and manage audit logs. Practices are shown by the level (L1 to L5) at which they are required, each with the source frameworks it maps to.

Level 2 (L2)
◦ AU.2.044 Review audit logs.
  Sources: CMMC; CIS Controls v7.1 6.7; NIST CSF v1.1 PR.PT-1; CERT RMM v1.2 COMP:SG3.SP1; NIST SP 800-53 Rev 4 AU-6

Level 3 (L3)
◦ AU.3.051 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
  Sources: NIST SP 800-171 Rev 1 3.3.5; CIS Controls v7.1 6.6, 6.7; NIST CSF v1.1 DE.AE-3; CERT RMM v1.2 COMP:SG3.SP1; NIST SP 800-53 Rev 4 AU-6(3)
◦ AU.3.052 Provide audit record reduction and report generation to support on-demand analysis and reporting.
  Sources: NIST SP 800-171 Rev 1 3.3.6; NIST CSF v1.1 RS.AN-3; CERT RMM v1.2 COMP:SG3.SP2; NIST SP 800-53 Rev 4 AU-7

Level 4 (L4)
◦ AU.4.053 Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
  Sources: CMMC; CIS Controls v7.1 6.6; NIST CSF v1.1 DE.AE-3; NIST SP 800-53 Rev 4 SI-4(2)
◦ AU.4.054 Review audit information for broad activity in addition to per-machine activity.
  Sources: CMMC; NIST CSF v1.1 PR.PT-1; NIST SP 800-53 Rev 4 RA-5(6), RA-5(8), RA-5(10)
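To make the jump from L3 to L4 in this capability concrete, the following added example (not from the deck or the CMMC program) runs three of the C010 practices over a constructed audit trail: record reduction for a report (AU.3.052), automated analysis against an assumed "organizationally defined" rule (AU.4.053), and review of broad activity across machines rather than per machine (AU.4.054). The thresholds, host names and addresses are all assumed sample values.

```python
# Added illustration, not from the deck: C010 practices over constructed records
# of the form (ISO timestamp, host, user, event, source_ip); thresholds assumed.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RECORDS = [  # constructed sample audit records
    ("2020-05-01T09:00:01", "ws01", "alice", "logon_failure", "10.0.0.5"),
    ("2020-05-01T09:01:10", "ws02", "alice", "logon_failure", "10.0.0.5"),
    ("2020-05-01T09:02:30", "ws03", "alice", "logon_failure", "10.0.0.5"),
    ("2020-05-01T09:03:05", "ws01", "bob", "logon_failure", "10.0.0.5"),
    ("2020-05-01T09:04:00", "ws02", "bob", "logon_failure", "10.0.0.5"),
    ("2020-05-01T09:05:20", "ws03", "bob", "logon_failure", "10.0.0.5"),
    ("2020-05-01T09:20:00", "ws02", "carol", "logon_success", "10.0.0.7"),
] + [  # six failures from one source against ws01, 30 s apart (09:10:00..09:12:30)
    (f"2020-05-01T09:1{i // 2}:{i % 2 * 30:02d}", "ws01", "svc", "logon_failure", "10.0.0.9")
    for i in range(6)]

FAIL_THRESHOLD, WINDOW, MIN_HOSTS = 5, timedelta(minutes=10), 3  # assumed org-defined values

def failures(records):
    """Yield (timestamp, host, source_ip) for every logon_failure record."""
    for ts, host, _user, event, ip in records:
        if event == "logon_failure":
            yield datetime.fromisoformat(ts), host, ip

def reduce_records(records):
    """AU.3.052: collapse raw records into (host, event) counts for a report."""
    return dict(Counter((host, event) for _ts, host, _u, event, _ip in records))

def flag_bursts(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """AU.4.053: (host, source_ip) pairs with >= threshold failures in any `window`."""
    times = defaultdict(list)
    for ts, host, ip in failures(records):
        times[(host, ip)].append(ts)
    flagged = set()
    for key, ts in times.items():
        ts.sort()
        # >= threshold failures fit in `window` iff some run of `threshold`
        # consecutive sorted timestamps spans no more than `window`
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            flagged.add(key)
    return flagged

def cross_host_review(records, min_hosts=MIN_HOSTS):
    """AU.4.054: sources whose failures touch min_hosts+ distinct machines."""
    hosts = defaultdict(set)
    for _ts, host, ip in failures(records):
        hosts[ip].add(host)
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}
```

On this sample the per-machine rule flags only 10.0.0.9 against ws01, while the low-and-slow source 10.0.0.5 (two failures per host) is caught only by the cross-host review, which is the point of AU.4.054.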

Page 12

INTENDED USE


Page 13

Intended Use

◦ The required CMMC level (between 1 and 5) for a specific contract will be contained in the RFP sections L & M, and will be a “go/no-go decision”.
◦ The CMMC will include a center for cybersecurity education and training.
◦ The CMMC will include the development and deployment of a tool that 3rd party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.
◦ Compliance
  ◦ DFARS 252.204-7012, Protecting Controlled Unclassified Information (CUI)
  ◦ NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  ◦ NIST 800-171B (Draft), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets

Page 14

LATEST STATUS


Page 15

Cybersecurity Maturity Model Certification (CMMC)

◦ Current version is 1.0, released 31 JAN 20
◦ Next version will be v1.02, release date TBD
  ◦ Updating documentation for CMMC Model v1.0 to correct administrative errors
  ◦ More accessible version of the model (i.e. tabular format in Excel)
  ◦ No substantive nor critical changes to the model relative to v1.0.

Page 16

CMMC Enforcement Timelines

◦ The current timelines (as of May 2020) are:
  ◦ Mid 2020: 3rd party auditors begin applying for accreditation
  ◦ Late 2020: DoD contractors start getting audited
  ◦ Early 2021: New Requests for Proposals (RFPs) begin requiring CMMC certification

Page 17

CMMC Updates from OSD A&S

CMMC Third Party Assessment Organizations (C3PAOs) and CMMC Training

◦ Requirements for becoming a CMMC Third Party Assessment Organization (C3PAO) are not yet established.
◦ No third-party entities at this time have been credentialed to conduct a CMMC assessment.
◦ Only training materials or presentations provided by the Department will reflect the Department’s official position with respect to the CMMC program.

Page 18

FAQs

◦ How will my organization become certified?
  ◦ The CMMC Accreditation Body (AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.
  ◦ The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs.
  ◦ DIB companies will be able to select an approved C3PAO and schedule a CMMC assessment for a specific level.
◦ Will there be a self-certification?
  ◦ No. DIB companies are encouraged to complete a self-assessment prior to scheduling a CMMC assessment.
◦ Who will perform CMMC assessments?
  ◦ Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.
◦ How often does my organization need to be reassessed?
  ◦ In general, a CMMC certificate will be valid for 3 years.
◦ What if my organization cannot afford to be certified?
  ◦ The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.

Page 19

AUDITOR CERTIFICATION


Page 20

CMMC-AB Credentialled Professionals Hierarchy

[Hierarchy diagram; the credentials it shows are listed on the next page]

Page 21

CMMC-AB Credentials

◦ CMMC-AB Certified Professional (CP)
  ◦ Baseline course that all CMMC professionals will take.
  ◦ Pre-requisite for other CMMC-AB certifications.
  ◦ Cannot certify a contractor’s network for CMMC, but can advise and help remediate prior to an audit.
◦ CMMC-AB Certified Assessor Maturity Level 1 (CA1)
  ◦ Requires a test.
  ◦ Allows assessment of systems up to Level 1.
◦ CMMC-AB Certified Assessor Maturity Level 3 (CA3)
  ◦ Requires more experience and will be more difficult to obtain.
  ◦ Can certify organizations for CMMC Level 1, 2, or 3.
◦ CMMC-AB Certified Assessor Maturity Level 5 (CA5)
  ◦ Must have achieved all lower levels.
  ◦ Intent is to have many professionals at lower levels and fewer at higher levels.
  ◦ Training/certification cost will increase as the levels increase.
  ◦ Can certify organizations for CMMC Level 1, 2, 3, 4, or 5.

Page 22

Resources

◦ Official presentation to introduce CMMC: https://www.ndia.org/-/media/sites/policy-issues/cmmc-brief.pdf
◦ Official homepage for CMMC: https://www.acq.osd.mil/cmmc/index.html
◦ Official homepage of the CMMC Accreditation Body: https://www.cmmcab.org/
◦ CMMC Audit Preparation: https://www.cmmcaudit.org/

Page 23

HYPE OR HELP?