In November, the DoD released the newest draft of the Cybersecurity Maturity Model Certification (CMMC), version 0.6. CMMC Version 0.6 revised Levels 1-3. Levels 4-5 are expected to be addressed in the next version.
Key points on FCI and CUI
- Levels 1 and 2 are not intended for Controlled Unclassified Information (CUI). Instead, Levels 1 and 2 are intended for FCI (Federal Contract Information). Of note, the Federal Acquisition Regulation (FAR) clause 48 CFR 52.204-21, which has been in effect since 2016, requires the protection of FCI.
- CUI must be protected at Level 3.
- “CMMC is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI.”
Key Points on Levels 1-3 Security Controls
- Overall, the number of security controls associated with Levels 1-3 has been reduced.
- Explanations and examples of the Level 1 controls are provided in Appendix B. This is a new clarification.
Key Points on Level 3 vs NIST 800-171
- NIST SP 800-171 has 110 controls. CMMC Level 3 has 131 controls.
- 21 controls go above and beyond the NIST 800-171 requirements.
- Many of the additional CMMC controls are expansions of 800-171 controls. For instance, take “P1036: Define procedures for the handling of CUI data.” This control is not found in 800-171. However, it’s a good practice and we recommend it.
- There are several controls which are not addressed in 800-171, including:
| Control | Description |
|---|---|
| P113 | Regularly perform and test data back ups |
| P1139 | Regularly perform complete and comprehensive data back-ups and store them off-site and offline |
| P1162 | Employ code reviews of enterprise software developed for internal use to identify areas of concern that require additional improvements |
| P1192 | Implement Domain Name System (DNS) filtering services |
| P1219 | Implement DNS or asymmetric cryptography email protections |
We highly recommend that you read the entire document and provide feedback to the CMMC team as this will be critical to you and your business.
More in-depth analysis can be found in Sera-Brynn’s November 25, 2019 webinar.
The author, Colin Glover, is a principal and senior security analyst at Sera-Brynn, a Virginia-based cyber risk management firm.