For the past several months the defense contracting industry has been waiting with bated breath to see what would happen with CMMC and what it would require of them. As of September 4th, Draft Version 0.4 of CMMC has finally been released to the public, and the DoD is looking for industry feedback. With this first reveal of the controls there is a lot to unpack, and many of them are expected to be consolidated after the feedback period.
So, What’s New?
In its current state, CMMC contains 370 controls split across 18 domains, each further split between the 5 maturity levels. As was already known, the framework is based on the NIST SP 800-171 controls, and all the familiar control families return.
The four new domains are:
- Asset Management – This domain talks about asset discovery tools and maintaining a consistent, up-to-date list of assets and their associations, as well as the identification and labeling of CUI data.
- Cybersecurity Governance – This domain is all about the cybersecurity specific policy, processes, and objectives as well as its enforcement within the company. It’s time to take security seriously!
- Recovery – Backups, backups, backups! The recovery domain covers information backups and information security continuity plans.
- Situational Awareness – This domain details the requirement to stay aware of threat intelligence via online sources as well as through threat hunting and monitoring operations.
All the domains of CMMC are split between 5 levels of intensity; the level you target determines which controls you will be required to meet.
Yes, you read that right: across all levels of CMMC in its current state there is a whopping total of 370 separate controls. No need to panic though, as many of them build off each other and are expected to be consolidated following industry feedback. Version 0.6 of CMMC is planned for release in November, with Version 1.0 coming in January 2020. By the time 1.0 releases we can expect the number to drop significantly. Information on how to give your feedback can be found at the following link: https://www.acq.osd.mil/cmmc/draft.html
DFARS and NIST SP 800-171
It’s important to note that CMMC will NOT be replacing the current DFARS requirements. Currently DFARS compliance is required by law, whereas CMMC is only planned to be a requirement of each individual contract. This means that in addition to achieving the desired CMMC maturity level for their company, defense contractors will still be required to meet the DFARS requirements for the foreseeable future.
For more information on CMMC, DFARS, and other security frameworks, head to kreativecorp.com and begin your compliance journey today!