30th November, 2019
What is CMMC?
CMMC (Cyber Maturity Model Certification) is a certification process developed by the DOD (Department of Defense, USA) for its contractors to ensure that they have systems in place to protect sensitive data, including Federal Contract Information and Controlled Unclassified Information. The CMMC model is based on the best practices of different cyber security standards, i.e. NIST 800 standards, Federal Regulations, the Defense Federal Acquisition Regulations Supplement (DFARS), the UK’s Cyber Essentials and Australia’s Essential Eight. The previous version of CMMC, 0.4, was released on 30 August 2019. The new draft version 0.6 was released on 7 Nov 2019 with significant changes to the model. This model only goes up to Level 3. CMMC Model Ver. 0.6 contains the following 4 appendixes: Appendix A – CMMC Model 0.6, Appendix B – Level 1 description/clarification, Appendix C – Glossary and Appendix D – Acronym List. The final version 1.0 is expected to be released in January 2020.
CMMC Model Framework:
The CMMC model framework has 17 domains at the top, each supported by a number of capabilities under it. Each capability has a number of processes/practices that must be satisfied to achieve compliance (See Picture 1).
The 17 domains mentioned in the model are as under:
The CMMC model is defined with 5 levels for both practices and processes, with Level 1 as the lowest (Basic) and Level 5 as the highest (Optimized). The details of each level are as under:
* Levels 4 and 5 will be included in future versions of the CMMC Model.
The CMMC Model Version 1.0 will be released in January 2020 with clarifications. Regarding certification under this model, the DOD is currently developing the accreditation process. An RFI was issued on this in previous months. Once the accreditation process is finalized, an RFP for selection of the Accreditation Board will be issued, after which the Accreditation Board will be selected. The Accreditation Board will then select the process for Third Party Accreditation Organization [TPAO]. This is expected to be complete by June 2020. Further details can be obtained from the FAQs on the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification.
Published by CMMI Consultant
Rajendra Khare (MD)
DQS Certification India Private Limited