CMMC – Security Domains, Capabilities & Practices
The Cybersecurity Maturity Model Certification (CMMC) aims to properly secure the Defense Industrial Base (DIB) by addressing the oversight and assurance gaps within DFARS 252.204-7012 for CUI data. It extends the scope of oversight to encompass both CUI and Federal Contract Information (FCI), as specified in Federal Acquisition Regulation (FAR) Clause 48 CFR § 52.204-21, and is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) to become a requirement for contract award.
The CMMC framework consists of 17 cybersecurity domains. A domain is a distinct set or group of security practices (controls) which have similar attributes to each other. These domains are core to the successful protection of FCI and CUI. Cybersecurity capabilities are another important component of the protection of FCI and CUI data. Capabilities are not single outcomes but a combination of processes, skills, knowledge, tools and behaviors which work together to enable an organization to deliver a specific security outcome.
The CMMC framework defines 43 cybersecurity capabilities associated with the 17 security domains. An organization achieves the capabilities required for its maturity level (Level 1, 2, 3, 4 or 5) when the associated cybersecurity practices are deployed and managed appropriately. These 17 security domains and the associated 43 security capabilities are detailed below:
Access Control (AC) – is a fundamental security domain and set of security principles. The principles of access control are applied both to physical assets, such as buildings, fences, gates and doors, and to logical (IT) assets such as servers, laptops, PCs, network communication devices, logic controllers, operating systems, applications and databases. Core principles of access control are ‘least privilege’ and ‘zero trust’: access to an asset is granted only on the basis of appropriate authorization and regular review, typically through role-based access control (RBAC) constructs. Identity and access management (IAM) systems are often used for access control of technology-related assets, and privileged access management (PAM) solutions are used for privileged accounts.
Example: When a new employee joins a company, they should have a job description which defines their roles and responsibilities, the department in which they work, the activities they are expected to undertake as part of their job and their main location of employment. They should be given access to physical locations and IT systems based upon their job role and profile, e.g. if an employee works within the engineering department, they would not require access to finance systems used for invoicing, purchase orders, payments or payroll. They will require physical access to the engineering department and may require access to areas of production. They would not require access to server rooms or data centers. It is important to confirm that all staff (including permanent staff, contractors and third-party users) have access only to those systems they need for their jobs. Administrator accounts should only be provisioned in exceptional circumstances.
Associated security capabilities include • C001 – Establish system access requirements; • C002 – Control internal system access; • C003 – Control remote system access; • C004 – Limit data access to authorized users and processes.
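The RBAC and least-privilege reasoning in the example above can be made mechanical: job roles map to the systems they legitimately need, an access decision is a lookup against the roles a user holds, and an access review flags roles that fall outside a department's expected profile as well as any privileged role. The following is an added illustration and not code from the original page; the role catalogue, department profiles and users are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: each job role maps to the systems it legitimately needs.
ROLE_PERMISSIONS = {
    "engineer": {"cad", "pdm", "engineering_share"},
    "finance_clerk": {"erp_invoicing", "payroll"},
    "sysadmin": {"server_room", "domain_admin"},
}

# Constructed department profiles: the roles a member of each department is expected to hold.
EXPECTED_ROLES = {
    "engineering": {"engineer"},
    "finance": {"finance_clerk"},
    "it": {"sysadmin"},
}


@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)


def allowed_systems(user: User) -> set:
    """Union of the systems granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_access(user: User, system: str) -> bool:
    """Access decision: the user may reach a system only through a role that grants it."""
    return system in allowed_systems(user)


def review_access(users) -> list:
    """Periodic access review.

    Returns one finding per problem: a role outside the department's expected profile,
    or a privileged role whose justification should be confirmed.
    """
    findings = []
    for u in users:
        unexpected = u.roles - EXPECTED_ROLES.get(u.department, set())
        if unexpected:
            findings.append((u.name, "role outside department profile", sorted(unexpected)))
        if "sysadmin" in u.roles:
            findings.append((u.name, "privileged role - confirm justification", ["sysadmin"]))
    return findings


if __name__ == "__main__":
    staff = [
        User("alice", "engineering", {"engineer"}),
        User("bob", "finance", {"finance_clerk", "engineer"}),   # accumulated an extra role
        User("carol", "it", {"sysadmin"}),
    ]
    print(can_access(staff[0], "cad"), can_access(staff[0], "erp_invoicing"))
    for finding in review_access(staff):
        print(finding)
```

The review deliberately treats the department profile as the source of truth and reports anything beyond it, which is how role creep (a finance clerk who kept an engineering role from a previous post) surfaces during a regular access review.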
Asset Management (AM) – is a building block of cybersecurity, as organizations are built from many types of tangible and intangible assets. Assets include buildings, people, PCs, laptops, patents and data. Assets can be spread across regions and countries, offices and departments. The more assets a company has, the more points of entry exist, the broader the ‘attack surface’ and the more opportunities there are to cause damage should assets be compromised, destroyed, ransomed or stolen in a cyber-attack. For any organization to successfully manage cybersecurity it must have a clear view of all of its assets, their location, use and owner. This requires an asset management process which includes an up-to-date asset register reflecting each asset class and the risk and impact to the security of the organization if the asset is compromised, so that the most appropriate security practices can be applied to it. Without an up-to-date asset register an organization cannot identify all the points of entry and secure them.
Example: The organization has acquired 50 new PCs as part of a refresh programme. The new assets are added to the asset register, including the specific asset identification number, configuration and build details, applications installed and security configuration. Changes to the assets are added to the register throughout the life of the assets. The old assets are collected and identified on the asset register. Certificates of asset destruction are provided by the appropriate certified asset destruction firm and added to the asset register as proof of asset destruction, and the assets are marked on the asset register as end of life.
Associated security capabilities include • C005 – Identify and document assets; • C006 – Manage asset inventory.
Audit and Accountability (AU) – IT systems are a complex interconnected architecture of physical assets, operating systems, databases and applications, where users, people and systems are granted access through logical access permissions. Audit logs are required to oversee users and transactions and to trace and track their activities. They are an important requirement for system governance and provide the evidence of what users do, on what system and when, for all system transactions including system access, file transfers and communication records, and they are retained over a period of time. Automated logging is the only realistic method to track and trace user activity, which has proven to be important during digital forensic investigations, including those during and following a cyber-attack.
Example: The organization has employed a Security Operations Centre (SOC) provider to monitor IT system logs across its critical systems, including its communications gateways (routers and switches), servers and shop floor machine tools. Data is sent on a regular basis to the SOC, which interrogates it against its database of known threats and threat actors. It identifies a query from a PC on the shop floor to an IP address which originates in a country known to target companies in the organization’s market sector. The SOC correlates this back to firewall logs, which confirm that a large amount of data was sent out of the company to the same IP address. This allowed the company to shut down the relevant IT and run system scans to check its networks, preventing further data loss and, in the worst case, a potential ransomware attack.
Associated security capabilities include • C007 – Define audit requirements; • C008 – Perform auditing; • C009 – Identify and protect audit information; • C010 – Review and manage audit logs.
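The SOC workflow in the example above (match an endpoint's query against a threat list, then correlate the same host and destination with firewall byte counts) can be expressed as a small piece of detection logic. This is an added example, not the page's or any SOC provider's code; the log format, the threat-list addresses (TEST-NET ranges) and the exfiltration threshold are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed threat-intelligence list. These are TEST-NET documentation addresses, not real indicators.
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed endpoint log: which internal host queried which external IP.
ENDPOINT_LOG = """\
2024-03-04T02:11:05Z host=SHOPFLOOR-PC07 event=dns_query dst=203.0.113.7
2024-03-04T02:11:09Z host=SHOPFLOOR-PC07 event=dns_query dst=192.0.2.10
2024-03-04T02:12:40Z host=ENG-LAPTOP12 event=dns_query dst=198.51.100.23
"""

# Constructed firewall log: outbound sessions with bytes sent per session.
FIREWALL_LOG = """\
2024-03-04T02:11:07Z src=10.20.5.17 host=SHOPFLOOR-PC07 dst=203.0.113.7 dport=443 bytes_out=734003200
2024-03-04T02:11:30Z src=10.20.5.17 host=SHOPFLOOR-PC07 dst=192.0.2.10 dport=443 bytes_out=8192
2024-03-04T02:12:45Z src=10.20.7.3 host=ENG-LAPTOP12 dst=198.51.100.23 dport=443 bytes_out=4096
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str) -> list:
    """Turn 'timestamp key=value key=value ...' lines into dicts (timestamp kept under 'ts')."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = dict(KV.findall(rest))
        rec["ts"] = ts
        records.append(rec)
    return records


def correlate(endpoint_log: str, firewall_log: str, bad_ips: set,
              exfil_threshold_bytes: int = 100 * 1024 * 1024) -> list:
    """Match endpoint hits on threat-list IPs with firewall byte counts for the same host and IP.

    Returns (host, ip, bytes_out, severity) tuples; severity is 'high' when the volume sent
    to the suspicious address exceeds the threshold, which is the data-loss signal in the text.
    """
    bytes_out = defaultdict(int)
    for rec in parse(firewall_log):
        bytes_out[(rec["host"], rec["dst"])] += int(rec.get("bytes_out", 0))

    alerts, seen = [], set()
    for rec in parse(endpoint_log):
        key = (rec["host"], rec["dst"])
        if rec["dst"] in bad_ips and key not in seen:
            seen.add(key)
            sent = bytes_out.get(key, 0)
            severity = "high" if sent >= exfil_threshold_bytes else "medium"
            alerts.append((rec["host"], rec["dst"], sent, severity))
    return alerts


if __name__ == "__main__":
    for alert in correlate(ENDPOINT_LOG, FIREWALL_LOG, KNOWN_BAD_IPS):
        print(alert)
```

The second endpoint hit is reported at medium severity because only a few kilobytes left the network; the first is the case from the text, where the threat-list match and the large outbound volume together justify isolating the host.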
Awareness and Training (AT) – Forewarned is forearmed, or to put it simply, if an organization is going to manage cyber-related risks it should be aware of what they are and trained to identify them. Cyber risk is a business risk, not merely a technology risk, and everyone in an organization has a part to play in protecting its assets and securing the finances of the company. Everyone from the board room to the shop floor needs to be made aware of what cyber risk management is and what part they play daily in protecting the organization. Basic cyber hygiene can protect an organization from approximately 60% of cyber-related threats, and some of it is simple to implement. This requires an organization to build a cyber-aware culture, which in turn requires regular cybersecurity awareness and training.
Example: You are a member of staff in the finance department. You receive an email but you don’t recognize the sender. It contains a link with an attachment and asks you to change the bank details of a payment instruction. What do you do?
Associated security capabilities include • C011 – Conduct security awareness activities; • C012 – Conduct training.
Configuration Management (CM) – When an organization deploys systems such as hardware, software and databases they are configured to operate in a certain way. This configuration can differ depending upon who implemented the system, when and how, and this creates many security challenges. If devices are configured with different operating systems, antivirus, patch management and administrator settings, the security profile across the enterprise varies, resulting in some systems being more vulnerable than others. It also makes systems management more complex. It is important to standardize the configuration of technology across the organization: it reduces operating costs, simplifies maintenance and improves security. The purpose of configuration management is to establish a consistent, controlled and audited process to manage system changes and, consequently, system security, performance and functionality. In the case of cybersecurity, it is applied to systems to ensure that they are built and hardened consistently and that system changes are managed under change control.
Example: A company has no configuration management policy to set the baseline configuration for laptops. As a result, when IT engineers deploy a new installation of Anti-Virus (AV) software it does not work effectively due to differences in operating system and device configurations. Engineers also do not configure consistent timings for AV signature updates. As a result, AV is not effective on 40% of the company laptops and where it is effective the signatures are not updated daily, exposing the company to unnecessary risks associated with new malware.
Associated security capabilities include • C013 – Establish configuration baselines; • C014 – Perform configuration and change management.
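The laptop scenario above is what a baseline check is meant to catch before it becomes a 40% AV failure rate: declare the expected build once, compare every device report against it, and report the drift. The code below is an added example rather than anything from the original page; the baseline settings and the three device reports are constructed, and the "endpoint agent" that would supply them in practice is assumed.

```python
# Constructed baseline for the standard laptop build (C013).
BASELINE = {
    "os_version": "10.0.19045",
    "av_installed": True,
    "av_signature_update": "daily",
    "local_admin_enabled": False,
    "disk_encryption": True,
}

# Constructed inventory as an endpoint agent (assumed) might report it.
FLEET = {
    "LT-0001": {"os_version": "10.0.19045", "av_installed": True, "av_signature_update": "daily",
                "local_admin_enabled": False, "disk_encryption": True},
    "LT-0002": {"os_version": "10.0.18363", "av_installed": True, "av_signature_update": "weekly",
                "local_admin_enabled": False, "disk_encryption": True},
    # AV never installed, so the update setting is absent entirely.
    "LT-0003": {"os_version": "10.0.19045", "av_installed": False,
                "local_admin_enabled": True, "disk_encryption": True},
}


def drift(actual: dict, baseline: dict = BASELINE) -> dict:
    """Return {setting: (expected, actual)} for every baseline setting the device violates.

    A setting missing from the device report counts as a violation (actual is None):
    an unreported control is not evidence that the control is in place.
    """
    return {k: (v, actual.get(k)) for k, v in baseline.items() if actual.get(k) != v}


def fleet_report(fleet: dict, baseline: dict = BASELINE) -> dict:
    """Per-device drift plus the two numbers management asks for: how many devices
    deviate from the baseline, and on which the antivirus cannot be considered effective."""
    per_device = {name: drift(cfg, baseline) for name, cfg in fleet.items()}
    noncompliant = [name for name, d in per_device.items() if d]
    av_ineffective = [
        name for name, cfg in fleet.items()
        if not cfg.get("av_installed") or cfg.get("av_signature_update") != "daily"
    ]
    return {
        "per_device": per_device,
        "noncompliant_pct": round(100 * len(noncompliant) / len(fleet), 1),
        "av_ineffective": av_ineffective,
    }


if __name__ == "__main__":
    report = fleet_report(FLEET)
    print(f"{report['noncompliant_pct']}% of devices drift from baseline")
    print("AV ineffective on:", report["av_ineffective"])
    for name, d in report["per_device"].items():
        if d:
            print(name, d)
```

Treating a missing setting as drift is the important design choice: LT-0003 reports no signature-update setting at all, and a check that only compared keys present on both sides would silently pass it.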
Identification and Authentication (IA) – It is important that all users are identified and authenticated before they are allowed to access organization systems. This enables organizations to keep their systems secure by allowing only those users they have identified and authenticated to access systems appropriately. This can include systems such as PCs, servers, routers, switches, firewalls, operating systems, applications, databases and websites. Identification is the ability to uniquely identify a user of a system or an application. Authentication is then the ability to prove that the user or application is genuinely who that user, or what that application, claims to be.
Example: Following a process which confirms that a new user works for the company, they are given a user ID and password to log into their PC on the company’s network. When the user logs into their computer they are identified using their user ID, which is checked to confirm that it is valid. The user enters their password and is also asked to use two-factor authentication (2FA). This is used to authenticate the user and confirm that they are the person associated with the user ID. The user is granted access to their PC and to systems on the company network, agreed as part of the Access Control process, only if the user ID, password and 2FA all match.
Associated security capabilities include • C015 – Grant access to authenticated entities.
Incident Response (IR) – In the event that an organization suffers a cyber-attack, it is critical that it is prepared to deal with it. An Incident Response (IR) plan establishes a clear set of actions to detect, respond to and recover from an attack. The IR plan can be used to address issues like cyber-crime, data loss and service outages that threaten operations. It is important that incident response plans are owned by the executive leadership team and test the measures that an organization could and should take to reduce the impact of a breach from external and internal threats. The IR plan should be tested frequently to confirm that it is effective and successfully addresses the range of possible threats an organization faces.
Example: The CEO receives a call from the head of marketing; their computer screen is displaying a strange message ‘This is hacker group espionage, we have been inside your network for the past 6 months and have identified all your critical systems and data. We have now encrypted all your critical systems. Pay 100 bitcoins within 24 hours to receive the encryption keys. If you do not pay within 24 hours our demands will double and then double every 24 hours until you meet our demands.’ What do you do now?
Associated security capabilities include • C016 – Plan incident response; • C017 – Detect and report events; • C018 – Develop and implement a response to a declared incident; • C019 – Perform post incident reviews; • C020 – Test incident response.
Maintenance (MA) – Regular system maintenance ensures the smooth running of operations and reduces the risk of breakdown. Maintenance procedures that address system speed and performance can help identify inappropriate processes running on devices, unpatched software and programs that could make devices unstable and more likely to fail, causing disruption to operations. System maintenance identifies vulnerabilities in operating systems, hardware and software which, if left unresolved, can result in systems being compromised by attackers through known vulnerabilities.
Example: You have been given a copy of your company’s most recent maintenance report, which identified that your VPN software required patching to close a ‘break-out vulnerability’. Coincidentally you have been given an up-to-date ‘threat assessment report’ which identifies that a well-known group of hackers are using a ‘VPN exploit’ to target remote access, affecting the same software your company uses to securely access remote services.
Associated security capabilities include • C021 – Manage maintenance.
Media Protection (MP) – Organizations would not be able to operate without data and information. Examples of data include contracts, personnel records, designs, logistics (ERP and PDM), manufacturing instructions, applications and code, sales, invoices, procurement and finance records and postings. Data is important intellectual property (IP) for the company. If the data is Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) then it must be identified, marked appropriately and secured throughout the life-cycle of its use in whatever form it takes – logical or physical.
Example: The company has won a contract to design, deliver and maintain a mission critical product for a land-based fighting vehicle. The contract has been signed and must be DFARS 252.204-7012 compliant, requiring the protection of CUI. All CUI related media must be identified, marked appropriately and secured following NIST 800-171 principles. Therefore, the company must apply media protection principles – identifying, marking and securing CUI data across all aspects of the creation, storage and transmission of CUI data related to the design, manufacture, third party supply chain management, delivery and on-going maintenance programs for the product concerned.
Associated security capabilities include • C022 – Identify and mark media; • C023 – Protect and control media; • C024 – Sanitize media; • C025 – Protect media during transport.
Personnel Security (PS) – People are an organization’s most important assets; they create the IP upon which companies depend. They also pose one of the largest risks to the security of data and information: 60% of data breaches originate from insiders. Employee screening is an important activity; it can be used to validate a person’s skills and experience, to check for the presence of a criminal record, to evaluate reputation and to confirm legal compliance (some regulators and suppliers expect employee screening). It is important therefore that organizations ensure that their staff have been screened appropriately if they are to come into contact with sensitive data such as FCI or CUI.
Example: Your organization was conducting research into new technology which has the potential to significantly reduce the weight of an air frame, allowing for an increased payload and improved aerodynamic stability. Twelve months after the completion of the project you receive reports that an international competitor has developed technology which, to all intents and purposes, looks very similar to that which your company created.
Associated security capabilities include • C026 – Screen personnel; • C027 – Protect CUI during personnel actions.
Physical Protection (PE) – Physical and logical protection are inextricably linked; without physical protection it is not possible to protect assets such as the computers, laptops and servers which hold the company’s IP. If an unauthorized person damages, destroys or steals assets, all of the firewalls, intrusion detection systems, cryptography and other security measures cannot stop them from getting access to the organization’s IP. It is therefore important that physical security measures are applied to prevent unauthorized users from gaining access to areas of an organization for which they are not authorized.
Example: The organization’s servers are located in a dedicated temperature-controlled and fire-resistant room. Access to the room is through a single door which has a lock, yet anyone can gain access to the room at any time of day or night. Whilst on the night shift you are walking past the room and notice the door has been left open. You open the door and the cleaner is inside the room, sitting at a desk looking at the screen. You challenge the cleaner; their response is that they had a key to clean the room, unaccompanied.
Associated security capabilities include • C028 – Limit physical access.
Recovery (RE) – IT and system failures are an inevitable part of the operations of an organization, whether from a hardware failure, a natural disaster or a cyber-attack. It is important that an organization has a disaster recovery plan in place: a plan which identifies and tests various organization-specific disaster scenarios and enables the organization to resume as quickly and seamlessly as possible while protecting its assets, IP, FCI and CUI. The recovery plan identifies all the organization’s critical assets, including data, the necessary contingencies for backup and restore of data, relocation of critical work to alternate sites, and the requirement to hold additional inventory to act as a buffer in the event of an operational outage. The recovery plan also defines the necessary security requirements to ensure that information security is maintained during recovery.
Example: The organization relies on a network-enabled CNC machine tool to complete 80% of its complex tasks. The tool is connected to the organization’s network using a dedicated secured router supplied by the machine tool manufacturer, as the only means of securely transferring code to the tool. At the end of the afternoon shift the router fails, with the result that the required NC code cannot be sent to the tool to produce a new batch of product required by the morning shift to complete an order for shipment the following day. The organization does not have a spare router or a copy of the routing rules embedded in the router, impacting production downstream until a replacement can be found.
Associated security capabilities include • C029 – Manage backups; • C030 – Manage information security continuity.
Risk Management (RM) – Managing cyber-attacks and their consequences is an enterprise-wide risk management issue. Cyber-attacks can impact any part of an organization from the board room to the shop floor and extend through the organization’s supply chain. Their impact ranges from minor disruption with no data theft to ransomware attacks which can bankrupt an organization and lead to the theft of its most critical IP. With such a range of possible threats and outcomes, it is important that an organization identifies and manages those risks which it believes are the most significant. Defining its ‘risk appetite’, and identifying those risks it is willing to accept and those which it is not, helps develop the necessary mitigating actions to manage those risks appropriately.
Example: The organization has completed an assessment of its cybersecurity using NIST 800-171r2. It has estimated that to comply fully with all of the identified practices it must spend an additional $10Mn, a significant investment in technology, people and processes. So that the company can identify the most effective way to move forward, it has agreed to identify all of the FCI and CUI data it manages on behalf of its customers and suppliers. By identifying the risks should this data be stolen, damaged or destroyed, the company can put in place a risk register and an associated plan of action and milestones (POAM). The POAM defines the necessary controls and mitigating actions and the appropriate investment to secure the FCI and CUI, based upon the risk to the organization and the return on investment (ROI).
Associated security capabilities include • C031 – Identify and evaluate risk; • C032 – Manage risk; • C033 – Manage supply chain risk.
Security Assessment (CA) – Security assessment is an evaluation of the security posture of the organization, based upon its ability to manage its cyber risk profile: identifying its inherent risks, assessing the effectiveness of its control environment and evaluating its residual risk profile. This exercise continually evolves and improves with the changing business environment and can be managed through the creation, adoption and maintenance of a system security plan (SSP). This document describes the security controls in use across the organization’s information systems, their effectiveness and the method of oversight and assurance. A completed SSP provides a detailed narrative of the roles and responsibilities for security management and reporting within the organization, the security control implementation, detailed system descriptions, a component and services inventory and detailed depictions of the system’s data flows within the organization.
Example: The organization is expanding its manufacturing to include a new product on behalf of its customer, adding capacity for new design, manufacturing and sales and requiring additional investment in CAD, PDM and ERP systems and shop floor machine tools. These new systems will need to be assessed and secured appropriately in alignment with the organization’s current security practices. The organization’s SSP must be updated to reflect these additions to its assets and the security requirements to protect the CUI they will manage.
Associated security capabilities include • C034 – Develop and manage a system security plan; • C035 – Define and manage controls; • C036 – Perform code reviews.
Situational Awareness (SA) – Organizations are under constant threat from cyber-attacks that can originate from nation states, criminals, insiders or script kiddies, using tools created by nation states and used by state-sponsored actors, or cyber tools bought as a service such as DDoS or ransomware. It is critical that organizations identify the threats to their business, either directly or indirectly through dedicated or commercial threat reports, keeping up to date with what is happening in the market. It is equally important that companies track the vulnerabilities in software and hardware published by vendors, which can cause damage if they are not fixed and patched appropriately.
Example: The cyber threat assessment organization has identified that companies within the defense sector are being targeted by a ransomware called SNAKE, a piece of malicious software which can cause damage to shop floor equipment and ransom applications and data. The organization has deployed anti-virus software across its networks, which is updated daily with new signatures to identify different strains of malicious code, including SNAKE. Unfortunately, the update feature has been inadvertently switched off by an IT engineer, preventing the antivirus software from maintaining an up-to-date list of malicious code signatures and from identifying and quarantining known malicious code, leading to an increased risk that if the SNAKE malware were to get inside the company it may not be detected.
Associated security capabilities include • C037 – Implement threat monitoring.
System and Communications Protection (SC) – Organizations use a wide variety of technology devices to conduct their business operations. Devices are connected together to form an ecosystem for the creation, transmission, consumption and servicing of data, unique to their business operations. All of these devices, networks, communications and data need to be secured appropriately. An organization must have a clear view of its perimeter, including technology, processes, people and data, and of the maturity of the security solutions across these domains, and must have appropriate designs in place to leverage all the available security solutions to provide an adequate level of security, such as network security, access management, data loss prevention, code security, encryption and sand-boxing amongst other practices.
Example: The organization is subcontracting the manufacture of a component required as part of a contract with the DoD to a third-party supplier. This requires the regular transmission of CUI between both parties. The organization will need to identify the data flows between both parties and the systems which will create, transmit and secure the relevant CUI throughout the life cycle of the product’s procurement, design, manufacture, delivery and maintenance. The organization will also need to ensure that the appropriate controls have been applied to secure the data throughout its lifecycle between itself and the third-party supplier.
Associated security capabilities include • C038 – Define security requirements for systems and communications; • C039 – Control communications at system boundaries.
System and Information Integrity (SI) – Information integrity is a critical requirement for maintaining the confidentiality, integrity and availability of FCI and CUI, the primary goal of information security and cyber risk management. It requires the adoption of a broad range of security practices, including the remediation of known software flaws (security by design, vulnerability scanning and patch management), the identification and management of malicious software (anti-virus), SPAM protection (the identification and removal of known sources of SPAM at all entry points), system monitoring (the identification of, and alerting on, changes in system security), the oversight of security alerts, advisories and directives (the assessment of security threats), and information output handling and retention (information is handled in line with federal laws).
Example: A member of staff receives a SPAM email which contains a link to a malicious website. They click on the link, which subsequently downloads malicious code to their laptop. The antivirus software on their laptop had not been updated for several weeks and therefore did not detect the payload, which was installed on the employee’s laptop and enabled the Remote Desktop Protocol (RDP) on the device, giving the attacker direct access to the laptop, enabling them to control the device remotely and gain a foothold on the network.
Associated security capabilities include • C040 – Identify and manage information system flaws; • C041 – Identify malicious content; • C042 – Perform network and system monitoring; • C043 – Implement advanced email protections.