Draft CMMC v0.7 Has Been Released
Draft CMMC v0.7 is now available. Highlights: the addition of Levels 4 and 5, discussions and clarifications for Level 2 and 3 practices, and clarification of the CMMC Maturity Process.
The Official Draft is available here.
Levels 4 and 5 Have Been Added to the Draft
Not much has changed for the sections that were included in Draft v0.6. The Domains, Capabilities and Practices for Levels 1, 2 and 3 remain the same. Draft v0.7 does, however, add the practices for Levels 4 and 5.
The number of practices has decreased significantly from those included in Draft v0.4, which listed a staggering 138 practices for Levels 4 and 5. The new draft has slimmed that number down to. This was to be expected, as we saw a similar reduction for Levels 1, 2 and 3 between v0.4 and v0.6.
There is no indication at this time that any of the versions will include discussions and clarifications for Levels 4 and 5, which is understandable given the complex nature of the practices found in those levels.
Discussions and Clarification on Levels 2 and 3 are Now Included
Similar to how discussions and clarifications were included for Level 1 in Draft v0.6, the newest iteration includes discussions and clarifications for Levels 2 and 3 as well. These can be found in Appendices B, C and D of Draft CMMC v0.7.
These appendices include references, discussions, clarifications and examples for the practices found in each of the three levels.
Each practice includes a reference. The reference identifies the standard or framework the practice can be mapped back to. For example, P1213 maps to 48 CFR 52.204-21 and NIST SP 800-171:
– 48 CFR 52.204-21 b.1.xv
– NIST SP 800-171 3.14.5
Draft v0.7 excludes all practices that map back to NIST SP 800-171 from the Level 3 discussions and clarifications.
The discussion section for each practice includes the reasoning behind the practice and a breakdown of what is being required of your organization. Here's an example of what that looks like for P1213:
Clarifications and Examples
Clarifications are provided to give guidance on how to apply the practice to your organization. The discussion tells you what to do, while the clarification tells you how to do it. The clarifications also include examples to give contractors a practical view of how to implement the practice. The examples are not meant as guidance but rather to help explain the practice. Here's another example from P1213 of what the clarification looks like:
Clarification on the CMMC Maturity Process
The new draft also includes an appendix clarifying what CMMC Process Maturity looks like.
There are 9 processes spread across Maturity Levels 2, 3, 4 and 5. Appendix E includes references, discussions and clarifications for all 9 of those processes. Examples are not included.
All 9 of the processes reference CERT-RMM v1.2, for example:
CERT RMM v1.2 GG3.GP2
Just like the discussions for practices, the discussion for each process gives insight into what exactly the process expects from you. Here's an example from MP001:
The clarification section describes what specifically should be included in the policy, plan or procedure, as well as what needs to be done to implement the process. Here's another example from MP001:
The clarification that Draft v0.7 gives for the processes in the Process Maturity Levels appears to be quite valuable. CMMC can, in a way, be viewed as two types of requirements: Practices and Processes. While the previous iterations of the draft provided clarity on what the practices look like, this version brings that same clarity to the processes side of CMMC.
CMMC Model Version 1.0 is still scheduled to be released in late January 2020.