Draft CMMC v0.6 Has Been Released
Draft CMMC v0.6 is now available, and as expected there are several changes to the standard. OUSD released the draft on Friday, November 8th to give industry a better look at what it can expect when the final CMMC revision is published.
The Official Draft is available here.
Reduction, Modification and Clarification.
Based on the feedback received from Draft V0.4, this version significantly reduces the model size, modifies the practices and processes, and provides clarifications and examples for CMMC Level 1 (the examples and recommendations for implementing the practices found in Level 1 are collected in Appendix B).
The Model’s framework has not changed and is still comprised of Domains, Capabilities, and practices and processes. Capabilities are now assigned a unique number (C###), and practices are likewise designated with an identifier (P1###).
Adherence to CMMC processes and practices is cumulative. Once a practice is introduced in a level, it is a required practice for all levels above. For example, in order to achieve a Level 3 certification, contractors must implement all practices and processes found in Levels 1, 2 and 3. An organization that scores a Level 3 on practice implementation and a Level 2 on process institutionalization will be assigned a CMMC Level of 2. CMMC is still a go/no-go decision: you have either implemented and demonstrated all the practices and processes found in a Level to achieve that certification, or you will not receive that certification.
One specific practice in v0.6 introduces a bit of confusion. P1159 requires development and implementation of plans of action and milestones (POA&Ms). This requirement doesn’t seem to fit with the go/no-go model.
The new draft includes 17 domains (one has been removed since Draft V0.4). The v0.6 domains contain 40 Capabilities: C001 – C044 (C006, C030, C033 and C038 are missing from the draft).
V0.6 also includes some clarification on what CMMC Process Maturity looks like. For example, a CMMC Level 3 organization must meet both the Level 3 defined practices, as well as the defined processes of Maturity Level (ML) 3. CMMC Version 1.0 will include tailored maturity processes for each domain. Additional assessment guidance and clarification will be provided in future iterations. Note that the nine processes are applied to each domain individually.
Processes for each CMMC Maturity Level (ML)
v0.6 Provides More Detailed Clarification on the Certification Levels.
Level 1 –
Level 1 is considered the foundation for the higher levels of the model. Every contractor and subcontractor must hold at least a Level 1 certification. At Levels 1 and 2, organizations may be provided with FCI (Federal Contract Information). FCI is sensitive information that is not intended for public release; it is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
Level 1 is primarily comprised of access control and physical protection requirements. Level 1 does not include process maturity, so organizations are not required to demonstrate process institutionalization at this level.
Level 2 –
At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program. Levels 2 – 5 require organizations to produce and maintain a System Security Plan, similar to NIST 800-171.
Level 2 has more demanding practices and processes, including employing FIPS-validated cryptography when it is used to protect the confidentiality of FCI. The process maturity dimension of the model is introduced at Level 2.
Level 3 –
Level 3 will include all 110 controls found in NIST 800-171 Rev1 and will require full implementation of those controls. This level will be required of ALL organizations that receive and/or generate any CUI (Controlled Unclassified Information).
Level 4 and 5 –
Levels 4 and 5 were not included in draft v0.6 as they are still undergoing modification based on feedback received on draft V0.4. The updates to CMMC Levels 4 and 5 will be included in the next release.
CMMC Model Version 1.0, to be released in late January 2020, will be in document form with clarifications for Levels 1-2. CMMC Model Version 1.0 will also include a mapping to the key references that informed model development.