Major cuts were made to CMMC Levels 4 and 5, but slight adjustments were made across the board. As promised previously by the CMMC team, a "Discussion and Clarification" was provided for Levels 2 and 3 in the Appendix similar to Level 1 provided in 0.6. Below is a key excerpt on timeline from latest release of CMMC (0.7).
"CMMC Versions 0.4 and 0.6 were released for public review in September and November 2019, respectively. CMMC Version 0.7 includes Level 4-5 practices and modifies some maturity processes and Level 1-3 practices.
The DoD is releasing this draft version to support the public’s continued review of the draft model in preparation for the release of the CMMC Model Version 1.0 at the end of January 2020."
Specific "Capabilities" were added within the 17 domains listed in Table 2: List of Capabilities for Each Domain.
Manage asset inventory (Added)
Manage information security continuity (Added)
|Risk Management||Manage supply chain risk (Added)|
Detailed changes are broken out by CMMC level.
CMMC Levels 1-3
Starting with the descriptions, there is one major change of note. The following sentence was added to CMMC Level 3: "Note that organizations subject to DFARS clause 252.204-7012 will have to meet additional requirements such as incident reporting." This has been a point of confusion and discrepancy over the previous months, and is in large part a leading reason for many businesses transitioning to Office 365 GCC High. The specific mention of DFARS 7012 seems to address the union of CMMC and DFARS rather than replacement of one over the other. The DoD/Defense Industrial Base (DIB) must take a true Stockton (CMMC) and Malone (DFARS) approach for cybersecurity and compliance coverage. Don't forget Malone (DFARS).
.Another distinction was made for CMMC Level 3 pertaining to CUI. A company's policies and practices associated with Level 2 and 3 requirements will need to apply for CUI as they do FCI.
Practice numbers were also slightly effected. Level 1 remained the same, Level 2 dropped from 58 to 55, and Level 3 increased from 56 to 59. The three practices promoted to Level 3 were P1012, P1014, and P1177 of the Access Control (AC) domain..
P1012 “Protect Wireless access using authentication and encryption”
P1014 “Employ cryptographic Mechanisms to protect the confidentiality of remote access sessions”
P1177 “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI”
CMMC Levels 4-5
In CMMC 0.6 the writing team promised updates for 0.7, and they delivered. Level 4 practices were slashed from 62 to 26, and Level 5 dropped from 26 to 16. Despite large reductions, some of the additional capabilities include practices added to Levels 4 and 5. For example, Asset Management (AM) added P1226 to Level 4 "Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory."
Also, P1140 was added to Level 5 Recovery (RE) "Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements." P1148 was added to Level 4 of Risk Management (RM) "Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain."
What will getting CMMC Certified Require?
- Level 1: 17 NIST 800-171 Requirements
- Level 2: 65 NIST 800-171 Requirements PLUS 7 Other Practices
- Level 3: 110 NIST 800-171 Requirements PLUS 21 Other Practices
- Level 4: 110 NIST 800-171 Requirements PLUS 47 Additional Practices
- Level 5: 110 NIST 800-171 Requirements PLUS 63 Additional Practices
Follow us on LinkedIn for future content and videos like these: