Cybersecurity Maturity Model Certification (CMMC)
CMMC Model v1.0
31 January 2020
DISTRIBUTION A. Approved for public release

[Figure: Cost, Schedule, and Performance resting on a Cybersecurity foundation]
• Cost, Schedule, and Performance are only effective in a SECURE ENVIRONMENT
• Without a Secure Foundation, All Functions are at Risk

CMMC Model v1.0 Overview
• CMMC is a unified cybersecurity standard for future DoD acquisitions
• CMMC Model v1.0 encompasses the following:
– 17 capability domains; 43 capabilities
– 5 processes across five levels to measure process maturity
– 171 practices across five levels to measure technical capabilities

CMMC Model v1.0: Number of Practices and Processes Introduced at each Level
CMMC Level   Practices   Processes
Level 1      17          -
Level 2      55          2
Level 3      58          1
Level 4      26          1
Level 5      15          1

CMMC Model Framework
• CMMC model framework organizes processes and cybersecurity best practices into a set of domains
– Process maturity or process institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that:
− An organization will continue to perform the activity – including under times of stress – and
− The outcomes will be consistent, repeatable and of high quality.
– Practices are activities performed at each level for the domain

[Figure: Model, Domains, Capabilities, Practices, and Processes]
– The model encompasses multiple domains
– For a given domain, there are one or more capabilities that span a subset of the 5 levels
– For a given capability, there are one or more practices that span a subset of the 5 levels
– For a given domain, there are processes that span a subset of the 5 levels

CMMC Model Structure
17 Capability Domains (v1.0):
– Access Control (AC)
– Asset Management (AM)
– Awareness and Training (AT)
– Audit and Accountability (AU)
– Configuration Management (CM)
– Identification and Authentication (IA)
– Incident Response (IR)
– Maintenance (MA)
– Media Protection (MP)
– Personnel Security (PS)
– System and Information Integrity (SI)
– System and Communications Protection (SC)
– Situational Awareness (SA)
– Security Assessment (CA)
– Physical Protection (PE)
– Risk Management (RM)
– Recovery (RE)
CMMC Model with 5 levels measures cybersecurity maturity

CMMC Maturity Process Progression
Level 1: PERFORMED (0 processes)
– Select practices are documented where required
Level 2: DOCUMENTED (2 processes)
– Each practice is documented, including Level 1 practices
– A policy exists that includes all activities
Level 3: MANAGED (3 processes)
– Each practice is documented, including lower levels
– A policy exists that covers all activities
– A plan exists, is maintained, and resourced that includes all activities*
Level 4: REVIEWED (4 processes)
– Each practice is documented, including lower levels
– A policy exists that covers all activities
– A plan exists that includes all activities*
– Activities are reviewed and measured for effectiveness (results of the review are shared with higher level management)
Level 5: OPTIMIZING (5 processes)
– Each practice is documented, including lower levels
– A policy exists that covers all activities
– A plan exists that includes all activities*
– Activities are reviewed and measured for effectiveness
– There is a standardized, documented approach across all applicable organizational units
* Planning activities may include mission, goals, project plan, resourcing, training needed, and involvement of relevant stakeholders

CMMC Practice Progression
Level 1: BASIC CYBER HYGIENE (17 practices)
– Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
Level 2: INTERMEDIATE CYBER HYGIENE (72 practices)
– Comply with the FAR
– Includes a select subset of 48 practices from the NIST SP 800-171 r1
– Includes an additional 7 practices to support intermediate cyber hygiene
Level 3: GOOD CYBER HYGIENE (130 practices)
– Comply with the FAR
– Encompasses all practices from NIST SP 800-171 r1
– Includes an additional 20 practices to support good cyber hygiene
Level 4: PROACTIVE (156 practices)
– Comply with the FAR
– Encompasses all practices from NIST SP 800-171 r1
– Includes a select subset of 11 practices from Draft NIST SP 800-171B
– Includes an additional 15 practices to demonstrate a proactive cybersecurity program
Level 5: ADVANCED / PROGRESSIVE (171 practices)
– Comply with the FAR
– Encompasses all practices from NIST SP 800-171 r1
– Includes a select subset of 4 practices from Draft NIST SP 800-171B
– Includes an additional 11 practices to demonstrate an advanced cybersecurity program

CMMC Practices Per Level
Level 1: 17 practices (BASIC CYBER HYGIENE)
+ 55 practices
Level 2: 72 practices (INTERMEDIATE CYBER HYGIENE)
+ 58 practices
Level 3: 130 practices (GOOD CYBER HYGIENE)
+ 26 practices
Level 4: 156 practices (PROACTIVE)
+ 15 practices
Level 5: 171 practices (ADVANCED / PROGRESSIVE)

CMMC Model v1.0 Source Counts
Draft CMMC Model v1.0: Number of Practices per Source
CMMC Level   Total Practices Introduced   48 CFR 52.204-21   NIST SP 800-171r1   Draft NIST SP 800-171B**   Other
Level 1      17                           15*                17*                 -                          -
Level 2      55                           -                  48                  -                          7
Level 3      58                           -                  45                  -                          13
Level 4      26                           -                  -                   11                         15
Level 5      15                           -                  -                   4                          11
• Model leverages multiple sources and references
– CMMC Level 1 only addresses practices from FAR Clause 52.204-21
– CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others
– CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others
– Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model
* Note: 15 safeguarding requirements from FAR clause 52.204-21 correspond to 17 security requirements from NIST SP 800-171r1, and in turn, 17 practices in CMMC
** Note: 18 enhanced security requirements from Draft NIST SP 800-171B have been excluded from CMMC Model v1.0

Summary
• CMMC establishes cybersecurity as a foundation for future DoD acquisitions
• CMMC levels align with the following focus:
– Level 1: Basic safeguarding of FCI
– Level 2: Transition step to protect CUI
– Level 3: Protecting CUI
– Levels 4-5: Protecting CUI and reducing risk of APTs

Backups

Supporting Documentation Summary
• CMMC Model v1.0 document consists of the following:
– Introduction, CMMC Model, and Summary
– Appendix A: CMMC Model v1.0
– Appendix B: Process and Practice Descriptions
– Appendix C: Glossary
– Appendix D: Abbreviations and Acronyms
– Appendix E: Source Mapping
– Appendix F: References

Appendix A: CMMC Model v1.0
• Appendix A provides the model in tabular form with all practices organized by Domain (DO), Capability, and Level (L)
– Practices are numbered as DO.L.###, with a unique number ###
– Each practice includes up to nine sources
• Appendix A also includes maturity level processes
– Processes are generalized but apply to all domains
– Processes are numbered as ML.L.99#
[Figures: Appendix A Practices; Appendix A Processes]

Appendix B: Process and Practice Descriptions
• Appendix B Process and Practice Descriptions include:
– Discussion, derived from source material where available
– Clarification with examples
– A list of references
• Same framework as model
– Processes are generalized but apply to all domains
– Practices are ordered by domain and level
[Figure: Appendix B Practice & Process Descriptions]

Appendix E: Source Mapping
• Appendix E Source Mapping summarizes the list of sources for all five processes and 171 practices
• Sources include:
– FAR Clause 52.204-21
– NIST SP 800-171 Rev 1
– Draft NIST SP 800-171B
– CIS Controls v7.1
– NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
– CERT Resilience Management Model (CERT RMM) v1.2
– NIST SP 800-53 Rev 4
– Others such as CMMC, UK NCSC Cyber Essentials, or AU ACSC Essential Eight
[Figure: Appendix E Source Mapping]

More Related Content

What's hot

Software Engineering (Process Models)
Software Engineering (Process Models)Software Engineering (Process Models)
Software Engineering (Process Models)
ShudipPal
 
Agile lifecycle handbook by bhawani nandan prasad
Agile lifecycle handbook by bhawani nandan prasadAgile lifecycle handbook by bhawani nandan prasad
Agile lifecycle handbook by bhawani nandan prasad
Bhawani N Prasad
 
Software Engineering (Testing Overview)
Software Engineering (Testing Overview)Software Engineering (Testing Overview)
Software Engineering (Testing Overview)
ShudipPal
 
Software Engineering (Software Quality Assurance)
Software Engineering (Software Quality Assurance)Software Engineering (Software Quality Assurance)
Software Engineering (Software Quality Assurance)
ShudipPal
 
Software Engineering (Software Configuration Management)
Software Engineering (Software Configuration Management)Software Engineering (Software Configuration Management)
Software Engineering (Software Configuration Management)
ShudipPal
 
software maintenance
software maintenancesoftware maintenance
software maintenance
rajshreemuthiah
 
Scm
ScmScm
Softwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan SahadviSoftwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan Sahadvi
AbuulHassan2
 
Combat Systems Engineering Crash Course : Part 2
Combat Systems Engineering Crash Course : Part 2Combat Systems Engineering Crash Course : Part 2
Combat Systems Engineering Crash Course : Part 2
Bryan Len
 
Implementing Technical Performance Measures
Implementing Technical Performance MeasuresImplementing Technical Performance Measures
Implementing Technical Performance Measures
Glen Alleman
 
Aplication of on line data analytics to a continuous process polybetene unit
Aplication of on line data analytics to a continuous process polybetene unitAplication of on line data analytics to a continuous process polybetene unit
Aplication of on line data analytics to a continuous process polybetene unit
Emerson Exchange
 
Software maintenance
Software maintenanceSoftware maintenance
Software maintenance
NancyBeaulah_R
 
Quality Standard
Quality StandardQuality Standard
Quality Standard
Vidya-QA
 
Availability tactics
Availability tacticsAvailability tactics
Availability tactics
ahsan riaz
 

What's hot (16)

Software Engineering (Process Models)
Software Engineering (Process Models)Software Engineering (Process Models)
Software Engineering (Process Models)
 
Agile lifecycle handbook by bhawani nandan prasad
Agile lifecycle handbook by bhawani nandan prasadAgile lifecycle handbook by bhawani nandan prasad
Agile lifecycle handbook by bhawani nandan prasad
 
Software Engineering (Testing Overview)
Software Engineering (Testing Overview)Software Engineering (Testing Overview)
Software Engineering (Testing Overview)
 
Software Engineering (Software Quality Assurance)
Software Engineering (Software Quality Assurance)Software Engineering (Software Quality Assurance)
Software Engineering (Software Quality Assurance)
 
sairam_CV
sairam_CVsairam_CV
sairam_CV
 
Software Engineering (Software Configuration Management)
Software Engineering (Software Configuration Management)Software Engineering (Software Configuration Management)
Software Engineering (Software Configuration Management)
 
software maintenance
software maintenancesoftware maintenance
software maintenance
 
Scm
ScmScm
Scm
 
Softwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan SahadviSoftwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan Sahadvi
 
Combat Systems Engineering Crash Course : Part 2
Combat Systems Engineering Crash Course : Part 2Combat Systems Engineering Crash Course : Part 2
Combat Systems Engineering Crash Course : Part 2
 
Asgkit prog2
Asgkit prog2Asgkit prog2
Asgkit prog2
 
Implementing Technical Performance Measures
Implementing Technical Performance MeasuresImplementing Technical Performance Measures
Implementing Technical Performance Measures
 
Aplication of on line data analytics to a continuous process polybetene unit
Aplication of on line data analytics to a continuous process polybetene unitAplication of on line data analytics to a continuous process polybetene unit
Aplication of on line data analytics to a continuous process polybetene unit
 
Software maintenance
Software maintenanceSoftware maintenance
Software maintenance
 
Quality Standard
Quality StandardQuality Standard
Quality Standard
 
Availability tactics
Availability tacticsAvailability tactics
Availability tactics
 

Similar to CMMC briefing

Cmmc overview arrington_20200903
Cmmc overview arrington_20200903Cmmc overview arrington_20200903
Cmmc overview arrington_20200903
aegamemnon
 
CMMC Overview Arrington_20200903
CMMC Overview Arrington_20200903CMMC Overview Arrington_20200903
CMMC Overview Arrington_20200903
aegamemnon
 
Topic 5 capability maturity model
Topic 5 capability maturity modelTopic 5 capability maturity model
Topic 5 capability maturity model
Jenny Coloma
 
20080115 03 - Qualimétrie et CMMi dans les applications temps réel embarquées
20080115 03 - Qualimétrie et CMMi dans les applications temps réel embarquées20080115 03 - Qualimétrie et CMMi dans les applications temps réel embarquées
20080115 03 - Qualimétrie et CMMi dans les applications temps réel embarquées
LeClubQualiteLogicielle
 
Measurement News Webinar
Measurement News WebinarMeasurement News Webinar
Measurement News Webinar
Glen Alleman
 
Cmmi bp-aids
Cmmi bp-aidsCmmi bp-aids
Cmmi bp-aids
jmaal49
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
Javier Tallón
 
CP7301 Software Process and Project Management notes
CP7301 Software Process and Project Management   notesCP7301 Software Process and Project Management   notes
CP7301 Software Process and Project Management notes
AAKASH S
 
Manual testing by reddy
Manual testing by reddyManual testing by reddy
Manual testing by reddy
Krishna Gurjar
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202  adm m3 ssmNcerc rlmca202  adm m3 ssm
Ncerc rlmca202 adm m3 ssm
ssmarar
 
DTS-1778 Understanding DevOps - IBM InterConnect Session
DTS-1778 Understanding DevOps - IBM InterConnect SessionDTS-1778 Understanding DevOps - IBM InterConnect Session
DTS-1778 Understanding DevOps - IBM InterConnect Session
Sanjeev Sharma
 
Quality Management and Quality Standard
Quality Management and Quality StandardQuality Management and Quality Standard
Quality Management and Quality Standard
Murageppa-QA
 
Cmmi Dev 2
Cmmi Dev 2Cmmi Dev 2
Cmmi Dev 2
kmpeter
 
chapter2-softwareprocessmodels-190805164811.pdf
chapter2-softwareprocessmodels-190805164811.pdfchapter2-softwareprocessmodels-190805164811.pdf
chapter2-softwareprocessmodels-190805164811.pdf
somnathmule3
 
Chapter 2 software process models
Chapter 2   software process modelsChapter 2   software process models
Chapter 2 software process models
Golda Margret Sheeba J
 
2. Software process
2. Software process2. Software process
2. Software process
Ashis Kumar Chanda
 
Pwc systems-implementation-lessons-learned
Pwc systems-implementation-lessons-learnedPwc systems-implementation-lessons-learned
Pwc systems-implementation-lessons-learned
Avi Kumar
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
Qualitest
 

Similar to CMMC briefing (20)

Cmmc overview arrington_20200903
Cmmc overview arrington_20200903Cmmc overview arrington_20200903
Cmmc overview arrington_20200903
 
CMMC Overview Arrington_20200903
CMMC Overview Arrington_20200903CMMC Overview Arrington_20200903
CMMC Overview Arrington_20200903
 
Topic 5 capability maturity model
Topic 5 capability maturity modelTopic 5 capability maturity model
Topic 5 capability maturity model
 
20080115 03 - Qualimétrie et CMMi dans les applications temps réel embarquées
20080115 03 - Qualimétrie et CMMi dans les applications temps réel embarquées20080115 03 - Qualimétrie et CMMi dans les applications temps réel embarquées
20080115 03 - Qualimétrie et CMMi dans les applications temps réel embarquées
 
Measurement News Webinar
Measurement News WebinarMeasurement News Webinar
Measurement News Webinar
 
Cmmi bp-aids
Cmmi bp-aidsCmmi bp-aids
Cmmi bp-aids
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
2
22
2
 
2
22
2
 
CP7301 Software Process and Project Management notes
CP7301 Software Process and Project Management   notesCP7301 Software Process and Project Management   notes
CP7301 Software Process and Project Management notes
 
Manual testing by reddy
Manual testing by reddyManual testing by reddy
Manual testing by reddy
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202  adm m3 ssmNcerc rlmca202  adm m3 ssm
Ncerc rlmca202 adm m3 ssm
 
DTS-1778 Understanding DevOps - IBM InterConnect Session
DTS-1778 Understanding DevOps - IBM InterConnect SessionDTS-1778 Understanding DevOps - IBM InterConnect Session
DTS-1778 Understanding DevOps - IBM InterConnect Session
 
Quality Management and Quality Standard
Quality Management and Quality StandardQuality Management and Quality Standard
Quality Management and Quality Standard
 
Cmmi Dev 2
Cmmi Dev 2Cmmi Dev 2
Cmmi Dev 2
 
chapter2-softwareprocessmodels-190805164811.pdf
chapter2-softwareprocessmodels-190805164811.pdfchapter2-softwareprocessmodels-190805164811.pdf
chapter2-softwareprocessmodels-190805164811.pdf
 
Chapter 2 software process models
Chapter 2   software process modelsChapter 2   software process models
Chapter 2 software process models
 
2. Software process
2. Software process2. Software process
2. Software process
 
Pwc systems-implementation-lessons-learned
Pwc systems-implementation-lessons-learnedPwc systems-implementation-lessons-learned
Pwc systems-implementation-lessons-learned
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
 

Recently uploaded

7 Benefits of Using Tradeasia’s Premium Paint Chemicals
7 Benefits of Using Tradeasia’s Premium Paint Chemicals7 Benefits of Using Tradeasia’s Premium Paint Chemicals
7 Benefits of Using Tradeasia’s Premium Paint Chemicals
jeffmilton96
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
dylandmeas
 
Digital Transformation in PLM - WHAT and HOW - for distribution.pdf
Digital Transformation in PLM - WHAT and HOW - for distribution.pdfDigital Transformation in PLM - WHAT and HOW - for distribution.pdf
Digital Transformation in PLM - WHAT and HOW - for distribution.pdf
Jos Voskuil
 
The-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic managementThe-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic management
Bojamma2
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
taqyed
 
Skye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto AirportSkye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto Airport
marketingjdass
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
awaisafdar
 
Pitch Deck Teardown: RAW Dating App's $3M Angel deck
Pitch Deck Teardown: RAW Dating App's $3M Angel deckPitch Deck Teardown: RAW Dating App's $3M Angel deck
Pitch Deck Teardown: RAW Dating App's $3M Angel deck
HajeJanKamps
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
sarahvanessa51503
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
Ben Wann
 
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBdCree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
creerey
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
seri bangash
 
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).pptENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
zechu97
 
Presentation: PLM loves Innovation PI 2013 Berlin
Presentation: PLM loves Innovation PI 2013 BerlinPresentation: PLM loves Innovation PI 2013 Berlin
Presentation: PLM loves Innovation PI 2013 Berlin
Jos Voskuil
 
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Navpack & Print
 
BIS Hallmark Certificate for jewellery business in India.pdf
BIS Hallmark Certificate for jewellery business in India.pdfBIS Hallmark Certificate for jewellery business in India.pdf
BIS Hallmark Certificate for jewellery business in India.pdf
Agile Regulatory
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Lviv Startup Club
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
dylandmeas
 
Using Generative AI for Content Marketing
Using Generative AI for Content MarketingUsing Generative AI for Content Marketing
Using Generative AI for Content Marketing
Chuck Aikens
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
Falcon Invoice Discounting
 

Recently uploaded (20)

7 Benefits of Using Tradeasia’s Premium Paint Chemicals
7 Benefits of Using Tradeasia’s Premium Paint Chemicals7 Benefits of Using Tradeasia’s Premium Paint Chemicals
7 Benefits of Using Tradeasia’s Premium Paint Chemicals
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
Digital Transformation in PLM - WHAT and HOW - for distribution.pdf
Digital Transformation in PLM - WHAT and HOW - for distribution.pdfDigital Transformation in PLM - WHAT and HOW - for distribution.pdf
Digital Transformation in PLM - WHAT and HOW - for distribution.pdf
 
The-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic managementThe-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic management
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
 
Skye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto AirportSkye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto Airport
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
 
Pitch Deck Teardown: RAW Dating App's $3M Angel deck
Pitch Deck Teardown: RAW Dating App's $3M Angel deckPitch Deck Teardown: RAW Dating App's $3M Angel deck
Pitch Deck Teardown: RAW Dating App's $3M Angel deck
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBdCree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
 
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).pptENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
 
Presentation: PLM loves Innovation PI 2013 Berlin
Presentation: PLM loves Innovation PI 2013 BerlinPresentation: PLM loves Innovation PI 2013 Berlin
Presentation: PLM loves Innovation PI 2013 Berlin
 
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
 
BIS Hallmark Certificate for jewellery business in India.pdf
BIS Hallmark Certificate for jewellery business in India.pdfBIS Hallmark Certificate for jewellery business in India.pdf
BIS Hallmark Certificate for jewellery business in India.pdf
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
 
Using Generative AI for Content Marketing
Using Generative AI for Content MarketingUsing Generative AI for Content Marketing
Using Generative AI for Content Marketing
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
 

CMMC briefing

  • 1. Cybersecurity Maturity Model Certification (CMMC) CMMC Model v1.0 31 January 2020 DISTRIBUTION A. Approved for public release
  • 2. 2 Cost Schedule Performance Cost, Schedule, and Performance CYBERSECURITY Cost Schedule Performance are only effective in a SECURE ENVIRONMENT Without a Secure Foundation All Functions are at Risk Cybersecurity DISTRIBUTION A. Approved for public release
  • 3. CMMC Level Practices Processes Level 1 17 - Level 2 55 2 Level 3 58 1 Level 4 26 1 Level 5 15 1 CMMC Model v1.0 Overview 3 • CMMC is a unified cybersecurity standard for future DoD acquisitions • CMMC Model v1.0 encompasses the following: – 17 capability domains; 43 capabilities – 5 processes across five levels to measure process maturity – 171 practices across five levels to measure technical capabilities CMMC Model v1.0: Number of Practices and Processes Introduced at each Level DISTRIBUTION A. Approved for public release
  • 4. CMMC Model Framework 4 • CMMC model framework organizes processes and cybersecurity best practices into a set of domains – Process maturity or process institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that: − An organization will continue to perform the activity – including under times of stress – and − The outcomes will be consistent, repeatable and of high quality. – Practices are activities performed at each level for the domain Model Practices Model encompasses multiple domains For a given capability,there are one or more practices that span a subset of the 5 levels For a given domain,there are processes that span a subset of the 5 levels Capabilities Processes For a given domain,there are one or more capabilities that span a subset of the 5 levels Domains DISTRIBUTION A. Approved for public release
  • 5. CMMC Model Structure 5 Access Control (AC) Asset Management (AM) Awareness and Training (AT) Audit and Accountability (AU) Configuration Management (CM) Identification and Authentication (IA) Incident Response (IR) Maintenance (MA) Media Protection (MP) Personnel Security (PS) System and Information Integrity (SI) System and Communications Protection (SC) Situational Awareness (SA) Security Assessment (CA) Physical Protection (PE) Risk Management (RM) 17 Capability Domains (v1.0) Recovery (RE) CMMC Model with 5 levels measures cybersecurity maturity DISTRIBUTION A. Approved for public release
  • 6. 6 LEVEL 1 PERFORMED LEVEL 2 DOCUMENTED LEVEL 3 MANAGED LEVEL 4 REVIEWED LEVEL 5 OPTIMIZING 0 PROCESSES  Select practices are documented where required 2 PROCESSES  Each practice is documented, including Level 1 practices  A policy exists that includes all activities 3 PROCESSES  Each practice is documented, including lower levels  A policy exists that cover all activities  A plan exists, is maintained, and resourced that includes all activities* 4 PROCESSES  Each practice is documented, including lower levels  A policy exists that covers all activities  A plan exists that includes all activities*  Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management) 5 PROCESSES  Each practice is documented, including lower levels  A policy exists that covers all activities  A plan exists that includes all activities*  Activities are reviewed and measured for effectiveness  There is a standardized, documented approach across all applicable organizational units CMMC Maturity Process Progression *Planning activities may include mission, goals, project plan, resourcing, training needed, and involvement of relevant stakeholders DISTRIBUTION A. Approved for public release
  • 7. 7 LEVEL 1 BASIC CYBER HYGIENE LEVEL 2 INTERMEDIATE CYBER HYGIENE LEVEL 3 GOOD CYBER HYGIENE LEVEL 4 PROACTIVE LEVEL 5 ADVANCED / PROGRESSIVE 17 PRACTICES 72 PRACTICES 130 PRACTICES 156 PRACTICES 171 PRACTICES  Comply with the FAR  Encompasses all practices from NIST SP 800-171 r1  Includes a select subset of 4 practices from Draft NIST SP 800-171B  Includes an additional 11 practices to demonstrate an advanced cybersecurity program CMMC Practice Progression DISTRIBUTION A. Approved for public release  Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204- 21  Comply with the FAR  Includes a select subset of 48 practices from the NIST SP 800- 171 r1  Includes an additional 7 practices to support intermediate cyber hygiene  Comply with the FAR  Encompasses all practices from NIST SP 800-171 r1  Includes an additional 20 practices to support good cyber hygiene  Comply with the FAR  Encompasses all practices from NIST SP 800-171 r1  Includes a select subset of 11 practices from Draft NIST SP 800-171B  Includes an additional 15 practices to demonstrate a proactive cybersecurity program
CMMC Practices Per Level

• Level 1 (Basic Cyber Hygiene): 17 practices
• Level 2 (Intermediate Cyber Hygiene): 72 practices (+55 practices)
• Level 3 (Good Cyber Hygiene): 130 practices (+58 practices)
• Level 4 (Proactive): 156 practices (+26 practices)
• Level 5 (Advanced / Progressive): 171 practices (+15 practices)
CMMC Model v1.0 Source Counts

Draft CMMC Model v1.0: Number of Practices per Source

CMMC Level   Practices Introduced   48 CFR 52.204-21   NIST SP 800-171r1   Draft NIST SP 800-171B**   Other
Level 1      17                     15*                17*                 -                          -
Level 2      55                     -                  48                  -                          7
Level 3      58                     -                  45                  -                          13
Level 4      26                     -                  -                   11                         15
Level 5      15                     -                  -                   4                          11

• Model leverages multiple sources and references
– CMMC Level 1 only addresses practices from FAR Clause 52.204-21
– CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others
– CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others
– Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model

* Note: 15 safeguarding requirements from FAR clause 52.204-21 correspond to 17 security requirements from NIST SP 800-171r1, and in turn, 17 practices in CMMC
** Note: 18 enhanced security requirements from Draft NIST SP 800-171B have been excluded from CMMC Model v1.0
Summary

• CMMC establishes cybersecurity as a foundation for future DoD acquisitions
• CMMC levels align with the following focus:
– Level 1: Basic safeguarding of FCI
– Level 2: Transition step to protect CUI
– Level 3: Protecting CUI
– Levels 4-5: Protecting CUI and reducing risk of APTs
Supporting Documentation Summary

• CMMC Model v1.0 document consists of the following:
– Introduction, CMMC Model, and Summary
– Appendix A: CMMC Model v1.0
– Appendix B: Process and Practice Descriptions
– Appendix C: Glossary
– Appendix D: Abbreviations and Acronyms
– Appendix E: Source Mapping
– Appendix F: References
Appendix A: CMMC Model v1.0

• Appendix A provides the model in tabular form with all practices organized by Domain (DO), Capability, and Level (L)
– Practices are numbered as DO.L.###, with a unique number ###
– Each practice includes up to nine sources
• Appendix A also includes maturity level processes
– Processes are generalized but apply to all domains
– Processes are numbered as ML.L.99#

(Figures: Appendix A Practices; Appendix A Processes)
Appendix B: Process and Practice Descriptions

• Appendix B Process and Practice Descriptions include:
– Discussion, derived from source material where available
– Clarification with examples
– A list of references
• Same framework as the model
– Processes are generalized but apply to all domains
– Practices are ordered by domain and level

(Figure: Appendix B Practice & Process Descriptions)
Appendix E: Source Mapping

• Appendix E Source Mapping summarizes the list of sources for all five processes and 171 practices
• Sources include:
– FAR Clause 52.204-21
– NIST SP 800-171 Rev 1
– Draft NIST SP 800-171B
– CIS Controls v7.1
– NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
– CERT Resilience Management Model (CERT RMM) v1.2
– NIST SP 800-53 Rev 4
– Others such as CMMC, UK NCSC Cyber Essentials, or AU ACSC Essential Eight

(Figure: Appendix E Source Mapping)