Protecting FCI and CUI across the DIB
The CMMC framework is built from four elements: security domains, capabilities, practices and processes. Combined, they define best practice for the protection of an organisation and the FCI and CUI it handles. These elements are arranged into the five cybersecurity maturity levels (Level 1 to Level 5) that make up the CMMC framework, with Level 1 being the least mature and Level 5 the most mature.
The CMMC framework consists of 17 cybersecurity domains. A domain is a distinct group of security practices that share similar attributes and that, individually or in combination, are key to the protection of FCI and CUI. The following table lists the domains defined in the CMMC framework for the protection of FCI and CUI.
|Access Control|
|Asset Management|
|Audit and Accountability|
|Awareness and Training|
|Configuration Management|
|Identification and Authentication|
|Incident Response|
|Maintenance|
|Media Protection|
|Personnel Security|
|Physical Protection|
|Recovery|
|Risk Management|
|Security Assessment|
|Situational Awareness|
|System and Communications Protection|
|System and Information Integrity|
Each domain comprises several capabilities that an organisation is expected to achieve so that its cybersecurity, and the protection of FCI and CUI, is sustainable. Capabilities are combinations of practices, processes, skills, knowledge, tools and behaviours that, working together, enable an organisation to protect FCI and CUI.
Establish system access requirements
Control internal system access
Control remote system access
Limit data access to authorized users and processes
Identify and document assets
Manage asset inventory
Define audit requirements
Identify and protect audit information
Review and manage audit logs
Conduct security awareness activities
Establish configuration baselines
Perform configuration and change management
Grant access to authenticated entities
Plan incident response
Detect and report events
Develop and implement a response to a declared incident
Perform post incident reviews
Test incident response
Identify and mark media
Protect and control media
Protect media during transport
Protect federal contract information during personnel actions
Limit physical access
Manage information security continuity
Identify and evaluate risk
Manage supply chain
Develop and manage a system security plan
Define and manage controls
Perform code reviews
Implement threat monitoring
Define security requirements for systems and communications
Control communications at system boundaries
Identify and manage information system flaws
Identify malicious content
Perform network and system monitoring
Implement advanced email protections
In total (at Level 5) the CMMC framework identifies 171 practices across the 17 security domains, mapped to the five maturity levels. The practices at Levels 1 and 2 are drawn from FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, which applies to the protection of Federal Contract Information (FCI). The practices at Levels 3, 4 and 5 are drawn from DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and the NIST SP 800-171 security requirements it mandates for the protection of CUI.
Cybersecurity practices applied to each maturity level
To ensure that security domains, capabilities and practices are implemented effectively and institutionalised, five maturity processes spanning Levels 1 to 5 are applied. The processes apply to every security domain at each of the five maturity levels and describe the expected state of the practices at that level: from the 17 practices that are simply performed at Level 1, through to the 171 practices that are performed, documented, managed, reviewed and optimised at Level 5.
|Maturity Level|Level Description|Process|
|---|---|---|
|ML 1|Performed|No maturity processes are assessed at Level 1. An organisation performs the Level 1 practices, but they are not institutionalised.|
|ML 2|Documented|A policy is established for each security domain required at Level 2, and the CMMC practices that implement that policy are documented.|
|ML 3|Managed|Practices are established, maintained and resourced, and a plan of action is in place for their management.|
|ML 4|Reviewed|The effectiveness of the practices is reviewed and measured.|
|ML 5|Optimising|Practices are standardised and optimised across all organisational units.|
The DIB delivers a complex mix of products and services to the DoD through a supply chain of over 300,000 prime and subcontract suppliers. A single cybersecurity model would not appropriately support such an economically and technically diverse supply chain with varying degrees of cyber maturity. Given the depth, breadth and complexity of the products and services delivered, from footwear through to complex air, land and sea-based systems, a cybersecurity maturity model is the most appropriate approach.
The CMMC comprises five levels of cyber maturity. Each level accommodates a different degree of cybersecurity and process maturity, with the number of security domains and practices increasing at each level. The levels are designed to support DIB suppliers who require basic cybersecurity hygiene at Level 1, through to complex DIB suppliers at Level 5 who are actively targeted by threat actors, potentially nation states. The required level will be defined by the DoD during the procurement process, mapped to the data the contract will handle (FCI or CUI) and the perceived threat to the DoD, with Levels 1 and 2 associated with FCI and Levels 3, 4 and 5 with CUI.