Cybersecurity Maturity Model Certification (CMMC)

In 2019, the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-reporting of cyber hygiene used to govern the DIB.  CMMC ends self-assessment and requires a third-party assessor to verify the cybersecurity maturation level.

The CMMC builds from NIST 800-171 but includes controls from other cybersecurity frameworks. CMMC differs in both the maturation model and the role of third-party assessors.

The CMMC defines 17 domains of cyber hygiene that are comprised of hundreds of objectives. In fact, you need to meet 705 objectives at CMMC Level Three. Many of these objectives, up to 70%, do not rely on or require a technical solution.

In this module, we will learn and explore the aspects and elements of CMMC and explain its overall importance to different stakeholders by asking:

• What kind of sensitive data does CMMC seek to protect?

• How did CMMC become federal policies?

• What foundational documents and regulations spell out the requirements for CMMC?

On February 24^th, 2021, President Biden signed an Executive Order to protect our supply chains. CMMC seeks to protect the global Defense supply chain by creating a baseline of cybersecurity.

This baseline began to unfold in the Federal Information Management Security Act passed in 2002. In this module we will trace the history of CMMC, from the regulations to the players in the ecosystem from FISMA to today.

Compliance with CMMC requires protecting two types of data: federal contract information and controlled unclassified information. Understanding how these data work helps ensure CMMC compliance.

This module will teach you the differences between data types and authorized holders' legal responsibilities. You will write sample policies and examine procedures to protect CUI.

View Reading Chapter Sample

Cybersecurity Maturity Model Certification will have massive impacts on businesses. Millions of dollars in contracting can vanish if a company fails an assessment. This makes ethics an utmost concern of the CMMC-AB.

In this module we will trace the roots of cybersecurity ethics. We will then review specific policies of the CMMC-AB and consider malicious and accidental internal threats around Conflict of Interest.

A Certified CMMC Professional will need to provide scoping guidance to Organizations Seeking Certification. Understanding data flow diagrams and how sensitive data transverse your people, processes, and technologies will impact the bottom line.

In this module we will define three levels of scoping, we will then discuss elements of network diagramming, and scoping using a segmented zone approach.

As a CCP, you will want to coach an Organization Seeking Certification on the CMMC Assessment Process. This involves four phases designed to assess an OSC over a period of six to eight weeks.

In this module, we will go through the four phases, identify key levers at each phase, and then build a fictional assessment team.

The Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC) is the latest step in the DoD’s program to protect controlled unclassified information (CUI), the defense industrial base (DIB), and the DoD’s supply chain.

Controlling access to your network is an essential foundation for security. The domains in this chapter are all intended to help you control access to your networked environment. Controlling access is fundamental to ensuring CUI and other information is appropriately protected.
In this module we’ll examine:

• Who has access to your network?

• What systems can be accessed?

• How is access to information controlled?

• Where can you confirm your control measures are being effective?

Technology changes and evolves constantly; the specific security measures taken to protect any given technology must also evolve with it. However, one element in the security equation remains constant: the human element. As humans, we have the ability to make mistakes or do something unexpected.

A number of studies have shown that between 50% and 80% of all cybersecurity breaches are caused by human error. This number includes cases where a human was tricked into engaging with a malicious actor without realizing it. Training, awareness, and proper understanding of the risks associated with an activity are all important parts of protecting sensitive information.
In this module we’ll examine:

• What is the difference between awareness and training?

• What elements make up a good personnel security plan?

• How can you apply the findings of security and risk assessments to building a solid security program?

Protecting data isn’t just preventing unauthorized access; it also requires making it available to the people and processes that need it. Indeed, two of the three elements of the CIA triad, Integrity, and Availability, are both descriptive of the timely usefulness of that data.

The domains discussed in this module are all focused on ensuring that the data you have is accessible and useful when it is needed.

In this module we’ll examine:

• How do you plan for the unexpected, such as a natural disaster?

• What are the best practices to ensure you can bring backup data online within your own time requirements?

• What are your options for backing up and recovering stored data?

Into every life, a little rain must fall. In the cybersecurity world, it is a matter of when a breach will occur rather than if it will occur. Indeed, three of the five functions of the NIST Cybersecurity Framework deal with a breach already occurring: Detect, Respond, and Recover.

The domains discussed in this module prepare you to respond to an incident and quickly detect and quantify any events indicating an incident is in progress.

In this module we’ll examine:

• What are the key elements of an incident response plan?

• What systems and processes need to be in place before an incident occurs?

• How do you maintain situational awareness to catch an incident as early as possible?