Framework

Protecting FCI and CUI across the DIB

The CMMC framework is built from four elements: security domains, capabilities, practices and processes. Combined, these elements define best practice for the protection of an organisation and the FCI and CUI it handles, and they make up the five cybersecurity maturity levels (Level 1, 2, 3, 4 and 5) that form the CMMC framework, with Level 1 being the least mature and Level 5 the most mature.

Cyber domains

The CMMC framework consists of 17 cyber security domains.  A domain is a distinct group of security practices which share similar attributes and which, individually or in combination, are key to the protection of FCI and CUI.  The following table outlines the domains the CMMC defines for the protection of FCI and CUI.

Access Control (AC)
Asset Management (AM)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Recovery (RE)
Risk Management (RM)
Security Assessment (CA)
Situational Awareness (SA)
System Communications Protection (SC)
Systems Information Integrity (SI)

Capabilities

Each domain comprises several capabilities which an organisation is expected to achieve so that cyber security, and the protection of FCI and CUI, are sustainable.  Capabilities are a combination of practices, processes, skills, knowledge, tools and behaviours which, working together, enable an organisation to protect FCI and CUI.

C001  Establish system access requirements
C002  Control internal system access
C003  Control remote system access
C004  Limit data access to authorized users and processes
C005  Identify and document assets
C006  Manage asset inventory
C007  Define audit requirements
C008  Perform auditing
C009  Identify and protect audit information
C010  Review and manage audit logs
C011  Conduct security awareness activities
C012  Conduct training
C013  Establish configuration baselines
C014  Perform configuration and change management
C015  Grant access to authenticated entities
C016  Plan incident response
C017  Detect and report events
C018  Develop and implement a response to a declared incident
C019  Perform post incident reviews
C020  Test incident response
C021  Manage maintenance
C022  Identify and mark media
C023  Protect and control media
C024  Sanitize media
C025  Protect media during transport
C026  Screen personnel
C027  Protect federal contract information during personnel actions
C028  Limit physical access
C029  Manage back-ups
C030  Manage information security continuity
C031  Identify and evaluate risk
C032  Manage risk
C033  Manage supply chain risk
C034  Develop and manage a system security plan
C035  Define and manage controls
C036  Perform code reviews
C037  Implement threat monitoring
C038  Define security requirements for systems and communications
C039  Control communications at system boundaries
C040  Identify and manage information system flaws
C041  Identify malicious content
C042  Perform network and system monitoring
C043  Implement advanced email protections

Practices

In total (at Level 5) the CMMC framework identifies 171 practices, associated with the 17 security domains and mapped across the 5 maturity levels.  Practices applied at maturity levels 1 and 2 are referenced from FAR 52.204-21, the basic safeguarding of covered contractor information systems, applied to the protection of Federal Contract Information (FCI).  Practices applied at levels 3, 4 and 5 are referenced from DFARS 252.204-7012, the safeguarding of covered defence information and cyber incident reporting.

Cybersecurity practices applied to each maturity level

Maturity Processes

To ensure that security domains, capabilities and practices are implemented effectively and institutionalised, five maturity processes spanning levels 1, 2, 3, 4 and 5 are applied.  The processes apply to all security domains and to each of the 5 levels of cybersecurity maturity (Level 1, 2, 3, 4 and 5).  They describe the expected state of the practices applied at each level, from the 17 practices being applied at level 1 through to the 171 practices being applied, documented, established, effective and optimised at level 5.

Maturity Level / Level Description / Process

ML 1 (Performed)
• There are no (maturity) processes assessed at level 1.
• An organisation performs level 1 practices but they are not institutionalised.

ML 2 (Documented)
• Policies are established for each ‘security domain’ identified as required under level 2.
• CMMC practices are documented to implement the policy defined under level 2.

ML 3 (Managed)
• Practices are established, maintained, resourced and a plan of action is in place for their management.

ML 4 (Reviewed)
• The effectiveness of the practices is reviewed and measured.

ML 5 (Optimising)
• Practices are standardised and optimised across all organisational units.

Levels

The DIB delivers a complex mix of products and services to the DoD through a supply chain of over 300,000 primary and subcontract suppliers.  A single cyber security model will not appropriately support such an economically and technically diverse supply chain with varying degrees of cyber maturity.  Given the depth, breadth and complexity of the products and services being delivered, from footwear through to complex air, land and sea-based systems, a cybersecurity maturity model is the most appropriate solution.

The CMMC comprises 5 levels of cyber maturity.  Each level is designed to accommodate a different degree of cybersecurity and process maturity, increasing the number of security domains and the level of practice as it rises.  The levels are designed to support DIB suppliers who require basic cyber security hygiene at level 1, through to complex DIB suppliers who are actively targeted by threat actors, potentially from a nation state, at level 5.  The required level of compliance will be defined by the DoD during the procurement process, mapped to the data the contract will manage (FCI or CUI) and to the perceived threat to the DoD, with levels 1 and 2 associated with FCI data and levels 3, 4 and 5 with CUI.