Understanding the CMMC model

Introduction

The threat of cybercrime has always been a concern for businesses of every size and across all industries, especially with losses linked to cybercrime are expected to exceed $5 trillion by 2024. And perhaps nowhere is the threat the largest and most complex than across the United States’ Defense Industrial Base, a network that includes more than 300,000 organizations that range from universities to specialized weapon systems engineers producing cutting-edge technology for the United States military.

To better protect every phase of the procurement cycle and each link of the supply chain from low-level cybercriminals to advanced nation-state threats, the US Department of Defense (DoD) began, in 2018, requiring organizations with controlled unclassified information (CUI) to follow the 110 security controls outlined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

Unfortunately, data leaks and systems breaches still occurred at a rate and scale that the DoD decided that more needed to be done to mitigate the security risk to the country. Therefore, in March 2019, the DoD launched the Cybersecurity Maturity Model Certification (CMMC), which outlined the required cybersecurity standards needed to better protect CUI. 

CMMC overview

The CMMC model was developed in coordination with Johns Hopkins University’s Applied Physics Lab, the Carnegie Mellon University’s Software Engineering Institute, the DIB Sector Coordinating Council, the Office of Small Business Programs and many other stakeholders. At a high level, the CMMC model spans 18 domains that range from access control, configuration management, authentication and identity management, incident response and more. 

Within each domain, the CMMC model lays out capabilities, which then break out into processes and practices that are needed to manage the technology environment that contains CUI. Additionally, the CMMC attempts to classify information further into different levels of sensitivity, understanding that not (Read more…)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Patrick Mallory. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/sxSAyk3d-68/