With the release of Draft CMMC Model v0.6, the industry is one step closer to seeing how the upcoming CMMC requirements are going to affect business with the Department of Defense in the future. One interesting thing to note from this publication is the absence of levels 4 and 5 from the model. The updates for these missing levels are expected to be included with the next public release, which is expected sometime in mid-December, between the 11th and 13th.
The Death of a Domain
A particularly interesting change to note is the complete removal of the Cybersecurity Governance Domain. The exclusion of this domain raises some potential concern, as its primary focus was on identifying cyber goals and ensuring that cybersecurity is established and prioritized within the organization. Understanding the model’s purpose, however, the removal is not entirely surprising. CMMC at its core requires commitment and support companywide; any organization that intends to disregard the performance activities necessary to meet the requirements of CMMC in its IT department is doomed to fail. Additionally, the Domain was overwhelmingly policy heavy and may have ended up redundant with the requirements of other CMMC maturity processes. For context, the structure of CMMC includes several “capabilities” with various “practices” that form the actual requirements of the model. These practices are supported by a “maturity capability” with supporting “processes” that apply to each domain. These processes will largely take the form of documentation that formalizes the approaches used to meet the requirements. Because of this structure, there likely would have been a lot of redundancy between the Maturity requirements and the Cybersecurity Governance Domain. With v0.6’s focus being on reducing the redundancy present in v0.4, it makes sense that the domain was axed.
A Little Clarification…
One of the most interesting things included with v0.6 is the set of clarifications for the level 1 requirements. The section goes through each of the requirements, providing a discussion and clarification of the purpose of the requirement, including examples of how a company might meet it. This section is extremely helpful for determining how each of the requirements is to be interpreted, which removes a lot of the ambiguity present in other frameworks like NIST SP 800-171. The more definitive guidance that can be included in the model, the more effective implementations with defense contractors will be. We at Kreative hope that the DoD will provide additional clarification for all the requirements at each Maturity level in future publications so that as little as possible will be left up to interpretation, minimizing confusion for anyone seeking to meet the requirements. Ambiguity in what a requirement expects is where gaps in security form, so eliminating it is key to enforcing a strong security environment.
FCI, The New Kid in Town
Another observation regarding v0.6 is the identification of Federal Contract Information (FCI) as a classification of protected information in addition to the already established Controlled Unclassified Information (CUI). FCI is the intended classification for any contract-related information provided by the government. The anticipated protections required for FCI are expected to be similar to those required for CUI, but it’s worth noting the choice to identify them differently. It’s also worth noting that an organization’s CMMC level is expected to be protected information, with companies that publish their awarded level being at risk of losing the certification altogether.
A Look Ahead
A lot more information is still being discussed as CMMC develops, but this publication gives us a better idea of what we can expect it to look like. Currently, the formation of the Accreditation Body (AB) is taking place, with members of the industry working together to form the AB and determine how auditors will be trained and how CMMC will be maintained years down the road. A lot is still up in the air on how everything will come together, but Katie Arrington (Special Assistant to the Assistant Secretary of Defense for Acquisition (ASD(A)) for Cyber) and her team have made it very clear that there will be no delays to their timeline. Be sure to stay tuned in to Kreative for all updates and information regarding CMMC as it comes out. We’ll make sure you stay informed on all the latest CMMC news!
#CMMC #cybersecurity #maturity