We explain the terminology and acronyms throughout the CMMC to help you better understand the new framework and how it will impact your business.
FIRST THINGS FIRST
Before we dive into the details, it’s important to start with the term that serves as the jumping off point for the rest.
Cybersecurity Maturity Model Certification (CMMC)
Designed to help businesses protect sensitive information from malicious cyber activity such as intellectual property theft, this certification framework is the latest requirement for businesses fulfilling, or seeking to fulfill, any type of Department of Defense contract.
WHO IS INVOLVED
There are several parties involved in the creation, governance, and execution of the CMMC from start to finish. Here are a few of the most notable characters.
Defense Industrial Base (DIB)
A term to describe the industry sector and supply chain related to products and services for the nation’s armed forces. The CMMC is designed to protect the DIB.
Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))
This is the body that developed the CMMC, alongside DoD stakeholders, University Affiliated Research Centers, Federally Funded Research and Development Centers, and the DIB.
CMMC Accreditation Body (CMMC-AB)
The governing body of CMMC and the entity that issues licenses to qualified assessors and third-party organizations.
CMMC Third-Party Assessment Organizations (C3PAOs)
A third-party organization licensed to evaluate how contractors measure up to the framework's requirements; defense contractors can only obtain certification through a C3PAO.
WHAT CMMC AIMS TO PROTECT
The CMMC was developed to improve defense contractors’ ability to protect against the latest malicious cyber threats. There are two main areas of information specified in CMMC that the DoD aims to protect.
Federal Contract Information (FCI)
Information provided by or generated for the government under contract not intended for public release.
Controlled Unclassified Information (CUI)
Information that requires intentional safeguarding pursuant to and consistent with the law, regulations, and government-wide policies.
HOW CMMC IS STRUCTURED
Now we’ll dive into the nuts and bolts of CMMC – understanding these terms will get you one step closer to tackling the requirements outlined in the framework.
Maturity Model
The core of CMMC (and of most information security frameworks), this is the set of characteristics, attributes, indicators, or patterns that represent capability and progress in a particular area.
Domains
The CMMC includes 17 different domains, or broad categories of cybersecurity that every organization should have a strategy for.
Capabilities
A narrower grouping of practices that ensures cybersecurity objectives are met within each domain. For any given domain, there are one or more capabilities that span the different levels.
Practices
The individual cybersecurity best practices that certified organizations are required to implement. Each practice is related to a capability. There are 171 practices required for Level 5 but only 17 for Level 1.
Processes
Additional assurances that practices are implemented effectively. Processes evaluate how ingrained the practices are within the certified organization. For example, Level 2 requires written policies and documentation that cover all applicable domains and practices.
The levels build upon each other, meaning if you are required to reach Level 3, you will also need to meet the requirements of Levels 1 and 2.
Each level has the following primary focus:
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: Serve as a transition step in cybersecurity maturity progression to protect Controlled Unclassified Information (CUI)
- Level 3: Protect Controlled Unclassified Information (CUI)
- Levels 4-5: Protect CUI and reduce the risk from Advanced Persistent Threats (APTs)
For more information about CMMC and how you should tackle it, contact our Cyber Risk Management team today. We’re happy to talk through any questions you have about how it works and how it will impact your business.