Over the last decade the US defense industry has suffered a steady run of damaging cyber-attacks, with losses from breaches running into the billions. To improve the cybersecurity posture of the Defense Industrial Base (DIB), the Department of Defense created the Cybersecurity Maturity Model Certification (CMMC). This framework sets out the requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the defense supply chain, and because it was developed with input from federally funded research centers and stakeholders in both the public and private sectors, it is widely regarded as a sound cybersecurity model.
The CMMC Accreditation Body (CMMC-AB) is in the process of authorizing Certified Third-Party Assessor Organizations (C3PAOs) to assess DIB organizations and certify them at the CMMC level that each future contract award requires. Each C3PAO will have the authority to assess any organization seeking certification. The only way to earn a given level is to implement the processes and practices that level requires. There are five levels, each building on the one below it, with a total of 17 domains, 43 capabilities and 171 practices. Most of the domains map directly to the 14 security requirement families in the well-established NIST SP 800-171, which DIB contractors handling CUI already work from.
To break it down further, the domains are the top-level structure you work through to become CMMC certified. The framework has 17 of them. A domain is a distinct group of security practices (controls) that share a common theme, and together the domains form the foundation for protecting FCI and CUI.
Some of the domains, and the capabilities that go with them, are listed below.
- Access Control (AC) 4 capabilities: I. Establish system access requirements II. Control internal system access III. Control remote system access IV. Limit data access to authorized users and processes. Access Control spans every CMMC level and contains a total of 26 practices. It matters because it determines which users, processes and devices may reach a system and what they may do there, and it governs how CUI flows within and out of an organization, including over remote connections.
- Asset Management (AM) 2 capabilities: I. Identify and document assets II. Manage asset inventory.
Asset management underpins CUI protection, so it is a required part of CMMC levels 3 and 4. Assets are anything of value to the business: data, hardware, software, and so on. An accurate, maintained inventory tells you which systems store, process or transmit CUI, so that vulnerability management and data backups (whether on premises or in the cloud) actually cover every system that matters.
- Awareness & Training (AT) 2 capabilities: I. Conduct security awareness activities II. Conduct training.
The Awareness and Training domain starts at CMMC level 2, and the training requirements grow more demanding with each higher level of certification. Training is a foundation for the other domains, since the people who operate the controls need to understand them, and the domain requires that contractors have an established training program.
- Audit & Accountability (AU) 4 capabilities: I. Define audit requirements II. Perform auditing III. Identify and protect audit information IV. Review and manage audit logs.
This domain holds 14 practices across levels 2 through 5 and requires organizations to log and review events on the systems that handle their information and CUI. With audit and accountability in place you can trace actions on those systems back to the individual users who performed them, and confirm that the activity matches your policies.
- Configuration Management (CM) 2 capabilities: I. Establish configuration baselines II. Perform configuration and change management.
Configuration Management holds 11 practices across levels 2 through 5. This domain requires that software, hardware, databases, and firmware be securely configured. In practice that means establishing a documented, hardened baseline configuration (operating system version, security settings, approved anti-virus and anti-malware software) that every device is built from, and then controlling and tracking any change to that baseline.
- Identification & Authentication (IA) 1 capability: I. Grant access to authenticated entities.
Within that single capability, Identification and Authentication packs in 11 practices, all concerned with establishing that whoever requests access to government information is an approved user on an approved device, and with how that identity is verified. Because the practices in NIST SP 800-171 describe what must be achieved rather than a step-by-step process for achieving it, this domain is one of the many reasons working with a Registered Provider Organization (RPO) can help you meet your CMMC requirements.
- Incident Response (IR) 5 capabilities: I. Plan incident response II. Detect and report events III. Develop and implement a response to a declared incident IV. Perform post incident reviews V. Test incident response.
The Incident Response domain protects your organization from attacks by holding you accountable for planning for incidents, detecting and reporting them, responding to declared incidents, reviewing them afterward, and testing the whole process. The plan should name the individuals within the organization who receive incident reports, whether those come from device alerts or from staff, and who are responsible for declaring and handling an incident.
- Maintenance (MA) 1 capability: I. Manage maintenance. As noted above, your organization has many assets.
When applying the Maintenance domain you control how those assets are maintained so that the maintenance itself does not weaken your protections. The practices cover who may perform maintenance, the tools and media they bring in, supervising and authenticating remote (nonlocal) maintenance sessions, and sanitizing equipment before it leaves for off-site repair. Keeping devices patched and their anti-virus and anti-malware software current is part of routine upkeep as well, although the requirement to identify and correct system flaws sits in the System and Information Integrity domain rather than here.
- Media Protection (MP) 4 capabilities: I. Identify and mark media II. Protect and control media III. Sanitize media IV. Protect media during transport.
With Media Protection you adhere to 8 practices that mark, control, protect, limit, sanitize and, when necessary, destroy the digital and physical media that hold FCI or CUI. This covers paper and punch cards, analog and digital tapes, CDs, removable drives, and any other medium.
Each CMMC level specifies which domains, capabilities and practices apply. Level 1 is the only level with no process maturity requirement, yet it still has strict requirements for certification. All levels draw on the same 17 domains; what changes from one level to the next is which capabilities and practices within those domains are required, and each higher level adds practices to the domains it covers.
CMMC is rolling out now, with the phase-in planned to continue through September 2025. Get ahead of your certification process by educating yourself with resources like this one on our website. We also want to hear from you: reach out to the team at SoundWay to tell us where you are in your process and what questions you have about your cyber compliance.