Framework
Protecting FCI and CUI across the DIB
The CMMC framework is built from four elements: security domains, capabilities, practices and processes. Combined, they form best practice for protecting an organisation and the FCI and CUI it handles. These elements make up the five cybersecurity maturity levels (Levels 1, 2, 3, 4 and 5) of the CMMC framework, with Level 1 being the least mature and Level 5 the most mature.
Cyber domains
The CMMC framework consists of 17 cybersecurity domains. A domain is a distinct group of security practices that share similar attributes and are key to the protection of FCI and CUI, either individually or in combination. The following table lists the domains defined in the CMMC framework for the protection of FCI and CUI.
Domain | Abbreviation |
---|---|
Access Control | AC |
Asset Management | AM |
Audit and Accountability | AU |
Awareness and Training | AT |
Configuration Management | CM |
Identification and Authentication | IA |
Incident Response | IR |
Maintenance | MA |
Media Protection | MP |
Personnel Security | PS |
Physical Protection | PE |
Recovery | RE |
Risk Management | RM |
Security Assessment | CA |
Situational Awareness | SA |
System and Communications Protection | SC |
System and Information Integrity | SI |
Capabilities
Each domain comprises several capabilities that an organisation is expected to achieve so that its cybersecurity and the protection of FCI and CUI are sustainable. Capabilities are a combination of practices, processes, skills, knowledge, tools and behaviours which, working together, enable an organisation to protect FCI and CUI.
Capability | Description |
---|---|
C001 | Establish system access requirements |
C002 | Control internal system access |
C003 | Control remote system access |
C004 | Limit data access to authorized users and processes |
C005 | Identify and document assets |
C006 | Manage asset inventory |
C007 | Define audit requirements |
C008 | Perform auditing |
C009 | Identify and protect audit information |
C010 | Review and manage audit logs |
C011 | Conduct security awareness activities |
C012 | Conduct training |
C013 | Establish configuration baselines |
C014 | Perform configuration and change management |
C015 | Grant access to authenticated entities |
C016 | Plan incident response |
C017 | Detect and report events |
C018 | Develop and implement a response to a declared incident |
C019 | Perform post incident reviews |
C020 | Test incident response |
C021 | Manage maintenance |
C022 | Identify and mark media |
C023 | Protect and control media |
C024 | Sanitize media |
C025 | Protect media during transport |
C026 | Screen personnel |
C027 | Protect federal contract information during personnel actions |
C028 | Limit physical access |
C029 | Manage back-ups |
C030 | Manage information security continuity |
C031 | Identify and evaluate risk |
C032 | Manage risk |
C033 | Manage supply chain risk |
C034 | Develop and manage a system security plan |
C035 | Define and manage controls |
C036 | Perform code reviews |
C037 | Implement threat monitoring |
C038 | Define security requirements for systems and communications |
C039 | Control communications at system boundaries |
C040 | Identify and manage information system flaws |
C041 | Identify malicious content |
C042 | Perform network and system monitoring |
C043 | Implement advanced email protections |
Practices
In total (at Level 5) the CMMC framework identifies 171 practices, associated with the 17 security domains and mapped across the 5 maturity levels. Practices applied at maturity levels 1 and 2 are referenced from FAR 52.204-21, the basic safeguarding of covered contractor information systems, applied to the protection of Federal Contract Information (FCI). Practices applied at levels 3, 4 and 5 are referenced from DFARS 252.204-7012, the safeguarding of covered defence information and cyber incident reporting.
Cybersecurity practices applied to each maturity level

Maturity Processes
To ensure that security domains, capabilities and practices are implemented effectively and institutionalised, 5 maturity processes spanning levels 1, 2, 3, 4 and 5 are applied. The processes apply to all security domains and to each of the 5 levels of cybersecurity maturity (Levels 1, 2, 3, 4 and 5), and describe the expected state of the practices at each level: from the 17 practices simply being performed at level 1, through to the 171 practices being performed, documented, managed, reviewed and optimised at level 5.
Maturity Level | Level Description | Process |
---|---|---|
ML 1 | Performed | • There are no (Maturity) processes assessed at level 1. • An organisation performs level 1 practices but they are not institutionalised. |
ML 2 | Documented | • Policies are established for each ‘security domain’ identified as required under level 2. • CMMC practices are documented to implement the policy defined under level 2. |
ML 3 | Managed | • Practices are established, maintained, resourced and a plan of action is in place for their management. |
ML 4 | Reviewed | • The effectiveness of the practices is reviewed and measured. |
ML 5 | Optimising | • Practices are standardised and optimised across all organisational units. |
Levels
The DIB delivers a complex mix of products and services to the DoD through a supply chain of over 300,000 prime and subcontract suppliers. A single cybersecurity model will not appropriately support such an economically and technically diverse supply chain with varying degrees of cyber maturity. Given the depth, breadth and complexity of the products and services being delivered, from footwear through to complex air, land and sea-based systems, a cybersecurity maturity model is the most appropriate solution.
The CMMC comprises 5 levels of cyber maturity. Each level is designed to accommodate a different degree of cybersecurity and process maturity, with the number of security domains and the level of practice increasing at each step. The levels support DIB suppliers ranging from those who require basic cyber hygiene at level 1, through to complex DIB suppliers at level 5 who are actively targeted by threat actors, potentially including nation states. The level of compliance required will be defined by the DoD during the procurement process, mapped to the data the contract will manage (FCI or CUI) and the perceived threat to the DoD, with levels 1 and 2 being associated with FCI and levels 3, 4 and 5 with CUI.
