PilieroMazza recently wrote about the Department of Defense’s (DoD) release of revision (rev.) 0.6 of its Cybersecurity Maturity Model Certification (CMMC), which only addressed certification Levels 1–3. DoD has now released rev. 0.7. All DoD contractors will be required to obtain CMMC certification in the coming months to show their IT systems’ capabilities with respect to protecting DoD sensitive information. Rev. 0.7 gives updates at all Levels. Additionally, rev. 0.7 contains new discussion and clarifications for Levels 1–3 and for the application of maturity levels to different capability domains. Below, we decipher primary concerns for DoD contractors.
Rev. 0.7’s biggest change to Levels 1–3 lies not in changes made directly to the Levels, but in the materials surrounding the Levels. Specifically, rev. 0.7 now contains discussions and clarifications for Levels 1–3. These discussions and clarifications contain helpful models of how the practices in those Levels might look when applied to real-life situations; for example, a Level 2 access control practice states that contractors should “employ the principle of least privilege.” The clarification notes that this may look like assigning everyone a basic IT user role which does not allow them to modify system configurations, and only assigning privileged access to users who truly need it, such as IT staff. However, rev. 0.7 points out that the clarifications are not “guidance” and are merely examples of how contractors in the DoD supply chain might apply CMMC requirements to their own systems. Additionally, the clarifications for Level 3 only discuss those Level 3 practices that do not already appear in NIST 800-171 Rev. 1; CMMC Level 3 incorporates all the NIST 800-171 Rev. 1 standards, so contractors can look to the NIST discussions for additional information on the CMMC Level 3 requirements.
Rev. 0.7 has fleshed out the requirements for Levels 4 and 5 specifically, providing new summaries of the practices and processes required for those Levels. Like rev. 0.6, rev. 0.7 also significantly streamlines these practices and processes. In particular, rev. 0.7 has removed 36 practices from Level 4 and removed 10 practices from Level 5.
The introduction to rev. 0.7 also clarifies that a contractor may meet a CMMC level across its entire enterprise network, or only in “particular segment(s) or enclave(s).” Previous releases of the CMMC did not explicitly indicate that the CMMC would be implemented in this manner. This means that contractors will be able to “cordon off” the segments of their IT systems that handle DoD sensitive material and apply certification only to those segments, thereby saving the time and expense associated with bringing their entire enterprise’s IT infrastructure up to the CMMC Level required.
The discussion and clarifications for the maturity levels also contain helpful examples of real-life application; however, because the maturity levels will be assessed with respect to each domain individually, the discussions and clarifications are broadly applicable to many domains instead of detailing a specific practice. In other words, they provide examples of types of documentation contractors can use to fulfill process maturity requirements, such as crafting standard operating procedures to help apply the CMMC’s required security practices enterprise-wide.