Inside Out Security Blog   /  

Cybersecurity Maturity Model Certification (CMMC) Guide

Cybersecurity Maturity Model Certification (CMMC) Guide

The United States Department of Defense is implementing the Cybersecurity Maturity Model Certification (CMMC) to normalize and standardize cybersecurity preparedness across the federal government’s defense industrial base (DIB). This piece will cover the concept of a maturity model in the context of cybersecurity, key depictions of the DIB, the anatomy of CMMC levels, and how Varonis can fast-track certification.

What is a Maturity Model?

Maturity models are a collection of best practices, the degree of adherence to which progresses organizations along a scale from lower levels of adoption or “maturity” to higher levels of aptitude and certification. Certifying to a maturity model means that a company or organization has committed itself to improving its processes and practices within a model’s domains to a sustainable, measured level of high performance.

Fast Track CMMC with this Free Guide

What is the Cybersecurity Maturity Model Certification?

Cybersecurity Maturity Model Certification is a program initiated by the United States Department of Defense (DoD) in order to measure their defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity. At a high level, the framework is a collection of processes, other frameworks, and inputs from existing cybersecurity standards such as NIST, FAR, and DFARS.

At a tactical level, the primary goal of the certification is to improve the surety and security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that is in the possession and use of their federal contractors. The CMMC program was announced on January 31, 2020.

When Does It Take Effect?

As of September 2020, DoD began issuing a limited number of requests for information that contain CMMC specifications, and it is expected that CMMC will be a requirement of all new DoD requests for proposals beginning in 2026.

To Whom Does CMMC Apply?

The certification is applicable to both “prime” contractors who engage directly with DoD, and to subcontractors who contract with primes to provide fulfilment and execution of those contracts. Although some level of certification will be a requirement of every contract beginning in 2026, DoD has indicated that they intend to issue contract opportunities at all levels of the maturity model, meaning that there will be some number of requests issued that will require only a low level of certification, and some that will require higher levels of certification.

Why Does CMMC Matter?

Depiction of important stats: $600B Annual cybercrime impact, $402B Annual DoD contract value, 300,000 Companies in DIB, 54% Budget allocation to small business

It is estimated that cybercrime drains over $600 billion annually from the global GDP. Relying on the vast network of contractors to execute its mission means that the Department of Defense is entrusting each one of them with critical data that systematically increases the overall risk profile of the DIB. Accordingly, DoD understands the burden and outsize proportion of risk that cybercrime puts upon their base of subcontractors, many of whom are small businesses and lack the resources of their larger, prime counterparts.
It is against this backdrop that DoD has released CMMC, to facilitate the adoption of best practices in cybersecurity with a “defense in depth” strategy across its entire global contractor base.

Know Before: Key CMMC Takeaways

  • Applies to DoD prime contractors and subcontractors
  • Applies to some new contracts starting in 2020 and applies to all contracts beginning in 2026
  • The progressive model covers advancing levels of cybersecurity processes and practices resulting in a certification level
  • Contractors must start at level 1 and certify at each level all the way to the top level 5
  • Varonis is a powerful tool for facilitating all levels of CMMC compliance

The CMMC Framework and 5 Levels

CMMC illustration of a table showing the level requirements

The Cybersecurity Maturity Model Certification is based on an ascending level of preparedness from level 1 (lowest) to level 5 (advanced).

The ultimate goal of CMMC is to ensure the protection of two types of information from disclosure or unauthorized use:

  • Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
  • Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public.

CMMC Certification Levels (Summary)

Each level has a set of Processes and Practices and a qualifier or “goal” for each of those as they relate to the applicable Domains in that level. For example, as seen in the image below, achieving CMMC level 2 means an organization’s goal is to have Processes that are documented and Practices which are consistent with intermediate cyber hygiene.

CMMC illustration of the framework

Framework Components

The CMMC components at play are:

  • Domains
  • Processes
  • Capabilities
  • Practices

As contractors advance in their assessments in each of these components, overall certification to a level is achieved.

Federal prime contractors and subcontractors are assessed for their adherence to the Processes and Practices as they relate to each of the applicable Domains at each level of the model.

NOTE: Not all Domains span all five levels. Domains pertain to a minimum of 1 and a maximum of 5 levels or any contiguous number of levels in between.

Understanding CMMC Levels & Domains

In the chart below, looking top to bottom we see a list of the 17 Domains. Looking left to right we see the number of Practices for each Domain and the number of Practices in that Domain by Level (the bar graph segments by color).

Moving down the chart, we can see that, for example, not all Domains have a presence in level 1 (L1).

A prime or subprime government contractor that delivers the 17 L1 Practices contained in the 6 Domains applicable to L1 should receive Cybersecurity Maturity Model Certification level 1.

Referring back to the levels summary above, contractors with CMMC level 1 practice basic cyber hygiene and their processes are merely performed. Recall that there is no Process assessment at level 1, therefore ML 1 is not required for the level 1 certification.

Advancing further through the model, a contractor would achieve CMMC level 3 when they deliver the 130 L3 Practices contained in the 16 Domains applicable to L3 and earn a Process assessment of ML3 in each of those Domains.

NOTE: Practices are cumulative at each Level. Contractors must certify at each level to move to the subsequent level.

CMMC illustration of the most at-risk industries

Recap of the Framework

The CMMC has a lot of interconnected and moving parts to it, so it can help to summarize the key measures and visualize their relationships as seen in image above.

  • Domains: 17
  • Capabilities: 43 (These are collections of Practices)
  • Practices: 171
  • Processes: Maturity Levels 1 – 5
  • Certification Levels: 5

Processes are assessed for maturity levels corresponding to the certification level. Domains are made up of and Practices (organized by Capabilities) and they encompass the Processes undertaken therein. Certification to a level requires mastery of the Domains in that level which includes their Practices and Processes.

How to Get CMMC Certified

DoD has created the CMMC Accreditation Body (AB) which is a non-profit, independent organization to accredit Third Party Assessment Organizations (3PAOs) in addition to individual assessors. Details are forthcoming about the mechanics of certification, but DoD plans to establish a marketplace for 3PAOs to be evaluated and hired by contractors seeking certification.

Fast-Track CMMC with Varonis

Getting started with CMMC might seem like a daunting task, and the reality is that certification is simply too large of a program to be handled by one person or perhaps even one team within an organization. Nevertheless, certification will be a non-negotiable requirement of DoD contractors going forward, and Varonis can help federal contractors get started right away.

The best place to start when starting to operationalize CMMC is in Domains. Recall that these are “centers of excellence” with tasks and management that must be performed and continuously optimized for organizations to achieve and advance their levels of certification. Recall also that the primary goal of CMMC is the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

The Varonis Data Security Platform can facilitate, execute and automate a large number of the 171 Practices and their related Processes within the CMMC body of requirements.

DatAdvantage

Get real-time visibility and audit trails of files, sensitive data and servers across the Microsoft and UNIX/Linux ecosystems. Get to least privilege quickly with a full suite of reporting to speed up – and keep up – certification.

Data Classification Engine + Policy Pack, Data Classification Labels, Data Transport Engine & Automation Engine

Put the power of machine learning behind your CUI and FCI processes to quickly find and completely clean up data stores on-prem and in the cloud. Varonis has a powerful set of products with built-in classification models for over 60 file types that help federal contractors level up and maintain their CMMC while ensuring business continuity and access to important data.

DatAlert + Edge

Stop threats to CUI and FCI in their tracks with high-fidelity alerting on files, folders, accounts and domains. Use built-in rules or create custom actions to automatically shut down access and remediate exposure at any point in the kill chain.

Varonis Product Mapping to CMMC Domains

Product map key:

  • DatAdvantage
  • DatAlert + Edge
  • DataPrivilege
  • DatAnswers
  • Data Classification Engine + Policy Pack
  • Data Classification Labels
  • Data Transport Engine
  • Automation Engine
  • Professional Services
  • Incident Response Team
Domain Capabilities Varonis Product(s)
AC – Access Control
  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes
DatAdvantage

 

DataPrivilege

AM – Asset Management
  • Identify and document assets
  • Manage asset inventory
Data Classification Engine + Policy Pack
AU – Audit & Accountability
  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs
DatAdvantage

 

Data Transport Engine

AT – Awareness & Training
  • Conduct security awareness activities
  • Conduct training
Professional Services
CM – Configuration Management
  • Establish configuration baselines
  • Perform configuration and change management
DatAdvantage

 

DatAlert + Edge

DataPrivilege

Automation Engine

IA – Identification & Authentication
  • Grant access to authenticated entities
DatAdvantage

 

DataPrivilege

IR – Incident Response
  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post incident reviews
  • Test incident response
DatAdvantage

 

DatAlert + Edge

Incident Response Team

MA – Maintenance
  • Manage maintenance
DatAlert + Edge
MP – Media Protection
  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport
DatAdvantage

 

DataPrivilege

Data Classification Labels

PS – Personnel Security
  • Screen personnel
  • Protect CUI during personnel actions
DatAdvantage

 

DataPrivilege

PE – Physical Protection
  • Limit physical access
 
RE – Recovery
  • Manage backups
  • Manage information security continuity
DatAlert + Edge

 

Data Transport Engine

RM – Risk Management
  • Identify and evaluate risk
  • Manage risk
  • Manage supply chain risk
DatAdvantage

 

DatAlert + Edge

Automation Engine

CA – Security Assessment
  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews
DatAdvantage

 

DatAlert + Edge

Professional Services

SA – Situational Awareness
  • Implement threat monitoring
DatAlert + Edge
SC – System & Communications Protection
  • Define security requirements for systems and communications
  • Control communication at system boundaries
DatAdvantage

 

DatAlert + Edge

SI – System & Information Integrity
  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections
DatAdvantage

 

DatAlert + Edge

We're Varonis.

We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

How it works