cybersecurity maturity model certification cmmc
play

Cybersecurity Maturity Model Certification (CMMC) CMMC Model v1.0 - PowerPoint PPT Presentation

Nov 21, 2023 •322 likes •481 views

Cybersecurity Maturity Model Certification (CMMC) CMMC Model v1.0 31 January 2020 DISTRIBUTION A. Approved for public release Without a Secure Foundation All Functions are at Risk Cost, Schedule, and Performance are only effective in a SECURE

  1. Cybersecurity Maturity Model Certification (CMMC) CMMC Model v1.0 31 January 2020 DISTRIBUTION A. Approved for public release

  2. Without a Secure Foundation All Functions are at Risk Cost, Schedule, and Performance are only effective in a SECURE ENVIRONMENT Performance Schedule Cybersecurity Performance Schedule Cost Cost CYBERSECURITY DISTRIBUTION A. Approved for public release 2

  3. CMMC Model v1.0 Overview • CMMC is a unified cybersecurity standard for future DoD acquisitions • CMMC Model v1.0 encompasses the following: – 17 capability domains; 43 capabilities – 5 processes across five levels to measure process maturity – 171 practices across five levels to measure technical capabilities CMMC Model v1.0: Number of Practices and Processes Introduced at each Level CMMC Level Practices Processes Level 1 17 - Level 2 55 2 Level 3 58 1 Level 4 26 1 Level 5 15 1 DISTRIBUTION A. Approved for public release 3

  4. CMMC Model Framework Model Domains Model encompasses multiple domains For a given domain, there are processes Processes that span a subset of the 5 levels For a given domain, there are one or more capabilities Capabilities that span a subset of the 5 levels For a given capability, there are one or more practices Practices that span a subset of the 5 levels • CMMC model framework organizes processes and cybersecurity best practices into a set of domains – Process maturity or process institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that: − An organization will continue to perform the activity – including under times of stress – and − The outcomes will be consistent, repeatable and of high quality. – Practices are activities performed at each level for the domain DISTRIBUTION A. Approved for public release 4

  5. CMMC Model Structure CMMC Model with 5 levels 17 Capability Domains (v1.0) measures cybersecurity maturity Incident Risk Access Control Response Management (AC) (IR) (RM) Asset Security Maintenance Management Assessment (MA) (AM) (CA) Awareness and Situational Media Protection Training Awareness (MP) (AT) (SA) Audit and Personnel System and Accountability Security Communications (AU) (PS) Protection (SC) Configuration Physical System and Management Protection Information (CM) (PE) Integrity (SI) Identification and Recovery Authentication (RE) (IA) DISTRIBUTION A. Approved for public release 5

  6. CMMC Maturity Process Progression LEVEL 5 OPTIMIZING LEVEL 4 REVIEWED LEVEL 3 5 PROCESSES  Each practice is MANAGED LEVEL 2 documented, 4 PROCESSES DOCUMENTED  Each practice is including lower levels LEVEL 1 documented, 3 PROCESSES  A policy exists that  Each practice is including lower levels PERFORMED covers all activities 2 PROCESSES documented,  Each practice is  A policy exists that including lower levels  A plan exists that documented, covers all activities 0 PROCESSES includes all activities*  A policy exists that  Select practices are including Level 1  A plan exists that practices cover all activities documented where  Activities are includes all activities* required  A policy exists that  A plan exists, is reviewed and  Activities are measured for includes all activities maintained, and effectiveness resourced that reviewed and measured for includes all activities*  There is a effectiveness (results standardized, of the review is documented shared with higher approach across all level management) applicable *Planning activities may include mission, organizational units goals, project plan, resourcing, training needed, and involvement of relevant stakeholders DISTRIBUTION A. Approved for public release 6

  7. CMMC Practice Progression LEVEL 5 ADVANCED / PROGRESSIVE LEVEL 4 PROACTIVE LEVEL 3 171 PRACTICES LEVEL 2  Comply with the FAR GOOD CYBER HYGIENE INTERMEDIATE CYBER 156 PRACTICES  Encompasses all HYGIENE LEVEL 1 practices from NIST  Comply with the FAR 130 PRACTICES SP 800-171 r1 BASIC CYBER HYGIENE  Encompasses all 72 PRACTICES  Comply with the FAR  Includes a select practices from NIST SP subset of 4 practices 17 PRACTICES 800-171 r1  Comply with the FAR  Encompasses all from Draft NIST SP practices from NIST 800-171B  Equivalent to all SP 800-171 r1  Includes a select practices in Federal  Includes a select  Includes an Acquisition Regulation subset of 11 practices subset of 48 practices additional 11 (FAR) 48 CFR 52.204- from Draft NIST SP  Includes an additional from the NIST SP 800- practices to 21 800-171B 171 r1 20 practices to demonstrate an support good cyber advanced  Includes an additional  Includes an additional hygiene cybersecurity 15 practices to 7 practices to support program demonstrate a intermediate cyber proactive hygiene cybersecurity program DISTRIBUTION A. Approved for public release 7

  8. CMMC Practices Per Level LEVEL 5 ADVANCED / PROGRESSIVE LEVEL 4 171 PRACTICES PROACTIVE 156 PRACTICES + 15 Practices LEVEL 3 GOOD CYBER HYGIENE 130 PRACTICES + 26 Practices LEVEL 2 INTERMEDIATE CYBER HYGIENE + 58 Practices 72 PRACTICES LEVEL 1 BASIC CYBER HYGIENE 17 PRACTICES + 55 Practices DISTRIBUTION A. Approved for public release

  9. CMMC Model v1.0 Source Counts • Model leverages multiple sources and references – CMMC Level 1 only addresses practices from FAR Clause 52.204-21 – CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others – CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others – Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model Draft CMMC Model v1.0: Number of Practices per Source Total Number Source CMMC Practices Level Introduced per 48 CFR NIST Draft NIST Other CMMC Level 52.204-21 SP 800-171r1 SP 800-171B ** Level 1 17 15* 17* - - Level 2 55 - 48 - 7 Level 3 58 - 45 - 13 Level 4 26 - - 11 15 Level 5 15 - - 4 11 * Note: 15 safeguarding requirements from FAR clause 52.204-21 correspond to 17 security requirements from NIST SP 800-171r1, and in turn, 17 practices in CMMC ** Note: 18 enhanced security requirements from Draft NIST SP 800-171B have been excluded from CMMC Model v1.0 DISTRIBUTION A. Approved for public release 9

  10. Summary • CMMC establishes cybersecurity as a foundation for future DoD acquisitions • CMMC levels align with the following focus: – Level 1: Basic safeguarding of FCI – Level 2: Transition step to protect CUI – Level 3: Protecting CUI – Levels 4-5: Protecting CUI and reducing risk of APTs DISTRIBUTION A. Approved for public release 10

  11. Backups DISTRIBUTION A. Approved for public release 11

  12. Supporting Documentation Summary • CMMC Model v1.0 document consists of the following: – Introduction, CMMC Model, and Summary – Appendix A: CMMC Model v1.0 – Appendix B: Process and Practice Descriptions – Appendix C: Glossary – Appendix D: Abbreviations and Acronyms – Appendix E: Source Mapping – Appendix F: References DISTRIBUTION A. Approved for public release 12

  13. Appendix A: CMMC Model v1.0 • Appendix A provides the model in tabular form with all practices organized by Domain (DO), Capability, and Level (L) – Practices are numbered as DO.L.###, with a unique number ### – Each practice includes up to nine sources • Appendix A also includes maturity level processes – Processes are generalized but apply to all Appendix A Practices domains – Processes are numbered as ML.L.99# Appendix A Processes DISTRIBUTION A. Approved for public release 13

  14. Appendix B: Process and Practice Descriptions • Appendix B Process and Practice Descriptions include: – Discussion, derived from source material where available – Clarification with examples – A list of references • Same framework as model – Processes are generalized but apply to all domains – Practices are ordered by domain and level Appendix B Practice & Process Descriptions DISTRIBUTION A. Approved for public release 14

  15. Appendix E: Source Mapping • Appendix E Source Mapping summarizes the list of sources for all five processes and 171 practices • Sources include: – FAR Clause 52.204-21 – NIST SP 800-171 Rev 1 – Draft NIST SP 800-171B – CIS Controls v7.1 – NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1 – CERT Resilience Management Model (CERT RMM) v1.2 – NIST SP 800-53 Rev 4 – Others such as CMMC, UK NCSC Cyber Essentials, or Appendix E Source Mapping AU ACSC Essential Eight DISTRIBUTION A. Approved for public release 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION

HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION

HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION HOUR WEBINAR April 24, 2020 4/24/20 WEBINAR ETIQUETTE PLEASE Log into the GoToMeeting session with the name that you registered with online

1.16k views • 89 slides
HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION

HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION

HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION HOUR WEBINAR March 20, 2020 3/20/20 WEBINAR ETIQUETTE PLEASE Log into the GoToMeeting session with the name that you registered with online

1.1k views • 73 slides
HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION

HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION

HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS ACQUISITION HOUR WEBINAR May 29, 2020 5/29/20 WEBINAR ETIQUETTE PLEASE Log into the GoToMeeting session with the name that you registered with online

1.26k views • 100 slides
CYBERSECURITY MATURITY MODEL CERTIFICATION V1.0 PRESENTED TO: DEFENSE ALLIANCE OF NC S&T

CYBERSECURITY MATURITY MODEL CERTIFICATION V1.0 PRESENTED TO: DEFENSE ALLIANCE OF NC S&T

NORTH CAROLINA MILITARY BUSINESS CENTER CYBERSECURITY MATURITY MODEL CERTIFICATION V1.0 PRESENTED TO: DEFENSE ALLIANCE OF NC S&T FORUM 13 FEB 2020 WWW.NCMBC.US What is CMMC? Unified cybersecurity standard for DoD acquisition

390 views • 22 slides
DOD Clarifies Contractor Cybersecurity Certification Process By Amy Conant Hoang and Sarah Burgart

DOD Clarifies Contractor Cybersecurity Certification Process By Amy Conant Hoang and Sarah Burgart

DOD Clarifies Contractor Cybersecurity Certification Process By Amy Conant Hoang and Sarah Burgart On Nov. 8, the U.S. Department of Defense publicly released an updated draft of the Cybersecurity Maturity Model Certification, or CMMC,

249 views • 7 slides
DOD Clarifies Contractor Cybersecurity Certification Again By Amy Conant Hoang, Erica Bakies

DOD Clarifies Contractor Cybersecurity Certification Again By Amy Conant Hoang, Erica Bakies

DOD Clarifies Contractor Cybersecurity Certification Again By Amy Conant Hoang, Erica Bakies and Sarah Burgart On Dec. 12, the U.S. Department of Defense publicly released an updated draft of the Cybersecurity Maturity Model Certification, or

253 views • 4 slides
KLU Building a Maturity Model A Maturity Model WHAT ARE MATURITY MODELS? Maturity means

KLU Building a Maturity Model A Maturity Model WHAT ARE MATURITY MODELS? Maturity means

KLU Building a Maturity Model A Maturity Model WHAT ARE MATURITY MODELS? Maturity means ripeness and describes the transition from an initial to a more advanced state of a process, project, etc. Maturity Models reflect the degree to

399 views • 26 slides
CYBERSECURITY CERTIFICATION PROGRAMS Workforce Training Need 30% more computer and network

CYBERSECURITY CERTIFICATION PROGRAMS Workforce Training Need 30% more computer and network

CYBERSECURITY CERTIFICATION PROGRAMS Workforce Training Need 30% more computer and network workers needed from 2008 to 2018 1 ; 433 New Mexico IT job postings in 2012 for security- specific positions 2 ; 110,000 information assurance

144 views • 11 slides
Organizing for Innovation Excellence Introduction to an International Innovation Maturity Model

Organizing for Innovation Excellence Introduction to an International Innovation Maturity Model

Organizing for Innovation Excellence Introduction to an International Innovation Maturity Model Product Development and Management Association 1 Why should organizations implement an Innovation Maturity Model? Commoditization is

428 views • 25 slides
Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans

Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans

Framework for Improving Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans Education & Training Publishing April 5, 2016 Conferences & Exhibits 1 A Brief Commercial Interruption

507 views • 31 slides
MEMBERSHIP OPPORTUNITIES & ENGAGEMENTS Working Groups Certification Policy

MEMBERSHIP OPPORTUNITIES & ENGAGEMENTS Working Groups Certification Policy

MEMBERSHIP OPPORTUNITIES & ENGAGEMENTS Working Groups Certification Policy Automotive Cybersecurity Connected Vehicle Certification Tolling Certification Emerging Technologies Events Plugfests

681 views • 17 slides
Cybersecurity Capacity Assessment of the Republic of Kosovo

Cybersecurity Capacity Assessment of the Republic of Kosovo

Cybersecurity Capacity Assessment of the Republic of Kosovo Lara Pace Kosovo June 2015 CMM - Five Dimensions Levels of Maturity

898 views • 23 slides
https://www.nasa.gov/aamnationalcampaign UAM Maturity Levels (UML) UAM Framework and Barriers NC

https://www.nasa.gov/aamnationalcampaign UAM Maturity Levels (UML) UAM Framework and Barriers NC

https://www.nasa.gov/aamnationalcampaign UAM Maturity Levels (UML) UAM Framework and Barriers NC Series Focus Vehicles Airspace Community Late-Stage Certification Testing and Operational Demonstrations in Limited Environments Aircraft

683 views • 15 slides
INFORMS Analytics Maturity Model Rocky Mountain INFORMS Chapter Meeting Denver CO| May 28, 2014

INFORMS Analytics Maturity Model Rocky Mountain INFORMS Chapter Meeting Denver CO| May 28, 2014

INFORMS Analytics Maturity Model Rocky Mountain INFORMS Chapter Meeting Denver CO| May 28, 2014 Norm Reitter, Director of Analytics CANA Advisors, nreitter@canallc.com INFORMS AMM Committee Chair 1 INFORMS Analytics Maturity Agenda

419 views • 14 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
Towards development of a toplevel TC/268 maturity model TC268 Working Group 4: Page 1

Towards development of a toplevel TC/268 maturity model TC268 Working Group 4: Page 1

08/03/2018 Towards development of a toplevel TC/268 maturity model TC268 Working Group 4: Page 1 Strategies for smart and sustainable communities Introduction At the Paris meeting of TC/268, the UK suggested that it would be helpful

472 views • 7 slides
EXAMPLE FROM THE NEIGHBOURHOOD Delivery of permissioned serviced building plots in South

EXAMPLE FROM THE NEIGHBOURHOOD Delivery of permissioned serviced building plots in South

EXAMPLE FROM THE NEIGHBOURHOOD Delivery of permissioned serviced building plots in South Cambridgeshire the Vanguard experience Laurence Castle Self / Custom Build Regional Manager WAVE PICTURE w/surfer or nautical Year One Progress

325 views • 16 slides
Pepper cultivation on a substrate consisting of soil, natural zeolite and olive mill waste

Pepper cultivation on a substrate consisting of soil, natural zeolite and olive mill waste

Pepper cultivation on a substrate consisting of soil, natural zeolite and olive mill waste sludge-Changes in soil properties S. Kosmidis 1 , M. K. Doula 2 , A. Assimakopoulou 1 , Ch. Kolovos 2 , Y. Troyanos 2 , A. Papadopoulos 2 , P. Kostopoulos

367 views • 17 slides
Introduction Introduction CBM WATERS CBM WATERS CBM WATERS: CBM WATERS Characterization and

Introduction Introduction CBM WATERS CBM WATERS CBM WATERS: CBM WATERS Characterization and

10/27/2008 Introduction Introduction CBM WATERS CBM WATERS CBM WATERS: CBM WATERS Characterization and Affects on Water Quality Ecosystem Properties pH, EC, SAR, Alkalinity, Trace Elements pH determines acid-base nature of the

255 views • 8 slides
Interim Results Presentation Half Year ended 31 st October 2012 7 th December 2012 Format of

Interim Results Presentation Half Year ended 31 st October 2012 7 th December 2012 Format of

Interim Results Presentation Half Year ended 31 st October 2012 7 th December 2012 Format of presentation Chairman Tony Pidgley Finance Director Nick Simpkin Managing Director Rob Perrins Questions TONY PIDGLEY CHAIRMAN Dividend

758 views • 53 slides
A Failed Rift: A Comprehensive Seismic Investigation of the

A Failed Rift: A Comprehensive Seismic Investigation of the

A Failed Rift: A Comprehensive Seismic Investigation of the Mid-Continent Rift from USArry and SPREE Weisen Shen, Douglas Wiens, Ghassan Aleqabi, Michael Wysession Suzan

618 views • 38 slides
Introduction to The Open Source E-commerce Platform for Rails Monday 23 May 2011 Sean Schofield

Introduction to The Open Source E-commerce Platform for Rails Monday 23 May 2011 Sean Schofield

Introduction to The Open Source E-commerce Platform for Rails Monday 23 May 2011 Sean Schofield CEO of Rails Dog Creator of Spree @uberzealot github.com/schof Monday 23 May 2011 Brian Quinn Senior Developer w/Rails Dog Longtime

944 views • 45 slides
March 3, 2020 2018 Budget O&M and Community Management Increases Facility management

March 3, 2020 2018 Budget O&M and Community Management Increases Facility management

Presented by: Brighton Crossings Operations Board Quarterly Board Meeting March 3, 2020 2018 Budget O&M and Community Management Increases Facility management team began weekly onsite visits & increased YMCA scope in Summer of

243 views • 9 slides
10:40- Using the Regional Volunteer Center as a resource Jason Carroll, Foodlink Volunteer Program

10:40- Using the Regional Volunteer Center as a resource Jason Carroll, Foodlink Volunteer Program

10:40- Using the Regional Volunteer Center as a resource Jason Carroll, Foodlink Volunteer Program Manager 10:45- Non-Emergency Agencies are free to depart 10:55- Group discussion, General Q&A 12:00- Closing Remarks & Complete Surveys

1.12k views • 74 slides

More recommend