The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity framework from the Department of Defense (DoD). CMMC aims to better protect controlled unclassified information (CUI) and mitigate risks posed to the DoD’s supply chain. It comprises five levels and 17 domains (an updated grouping of NIST’s control families).
The maturity level required of an organization is based on the sensitivity of the data that is being processed. Many of the domains reflect control families seen in NIST SP 800-171, with three new ones added. The new domains include Asset Management (AM), Recovery (RE), and Situational Awareness (SA).
The 17 domains are as follows:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
But where does your organization start? Only 6 of the 17 domains are required for level 1, so even if you are eventually required to be level 2, 3, or greater, level 1 is a logical starting point.
The six foundational domains are:
Access Control (AC)
This domain requires that access to systems be defined for users. It also details the requirements for those systems to operate. This includes internal system access, remote system access, and limiting data access to authorized users and processes. This domain is important to overall security because it reduces the risk of unauthorized access to data or misuse of accounts.
Identification and Authentication (IA)
Identification and Authentication practices ensure access to systems and information is only possible by identified and approved personnel. This includes requirements such as password complexity and multi-factor authentication. This domain is important because it protects against remote attacks and adds an extra layer of security in general.
Media Protection (MP)
The first part of this domain requires identification and marking of media to assist in its protection and control. In addition, Media Protection requires the encryption of data during transport and a sanitization protocol for sensitive data on media that is to be reused or destroyed. This domain is important because it reduces risks associated with weak security and privacy practices.
Physical Protection (PE)
This domain’s primary function is to limit physical access. The practices limit physical access to data centers, equipment, and worksites. Logging physical access is also a requirement of this domain. Physical Protection is important to overall security because it mitigates the risk of physical incidents and protects personnel.
System and Communications Protection (SC)
This CMMC domain is used to implement requirements for communications systems on the network. It includes practices such as encryption and network traffic rules to further protect sensitive data. This domain is important to overall security because it adds an extra layer of security to protect data.
System and Information Integrity (SI)
The practices in this domain ensure that your organization can identify flaws and hazards in your systems or network and manage them. It also requires that there are protections against email spam and forgery. Lastly, it requires that your organization monitors the network for anomalies or suspicious behavior. This domain is important to overall security because it helps your organization identify and mitigate risks in a timely manner.
CMMC compliance is a fundamental shift in the industry and will likely continue to be a challenge for years to come. Starting with the basics outlined above will set you up to begin your CMMC journey. For more questions regarding CMMC, be sure to reach out to an expert at https://nuharborsecurity.com/cmmc-certification-compliance.