After giving CMMC v0.4 a bit of a butchering in September of last year, I thought it only fair to revisit the Cybersecurity Maturity Model Certification being proposed by the US DoD, that all third party contractors will have to adhere to from June 2020.
I have to say I am pleasantly surprised with the outcome. This is not so much an incremental improvement as a fundamental rewrite. The two versions have no similar features whatsoever. Version 0.4 has been consigned to the trash and a proper piece of work has taken its place.
There are arguments to be made about the scoring of some items, but fundamentally it is a good model and one that should add significant value to the US DoD when their contractors meet these requirements.
V1.0 provides a detailed explanation of the logic used to determine the maturity of various controls and the framework that underpins them. Once again, a few tweaks here and there would make it a better overall document from a user point of view. But considering v0.4 needed a fundamental rewrite, I am glad that the feedback given has been accepted with good grace, and a really good piece of work has resulted.
The best bits
The CMMC v1.0 allows the organisation to define a scope for the certification. Much like the ISO 27001 and ISO 27701 certifications, you are allowed to compartmentalise your network in order to zone off the area within which DoD work will be undertaken.
For an organisation that does both military and non-military work, this allows for some savings to be made if applying all the controls across your entire organisation is prohibitive. You can argue whether this makes sense from a cybersecurity perspective, but the flexibility is appreciated.
There is also a clear mapping of the data classification levels that each maturity level is designed to protect. In theory, this allows for multiple zones to be created in the DoD side of the organisation’s network, to provide a controlled environment for FCI (Federal Contract Information) and another more secure zone for CUI (Controlled Unclassified Information).
Possible improvements – Controls Distribution
Figure 6 in the CMMC v1.0 document shows the distribution of the controls by maturity level, against each category of control. It starkly highlights the disproportionate balance of controls across the categories.
Access Control (AC) has 26 controls identified. Along with the 27 controls in Systems and Communications Protection (SC) this represents 30% of the total controls (out of a total of 171).
In contrast, Risk Management (RM) gets 12 and Incident Response (IR) gets 13, whilst Recovery (RE) gets 4 controls and Asset Management (AM) only gets 2.
I would suggest this points to a heavy technical controls bias to the detriment of process controls. Hopefully, this will be more effectively balanced in the years to come as more value is placed on knowing what you need to do, rather than simply buying a tool.
CMMC v1.0 is certainly good enough now to leave the building and I can see that the framework logic will allow this certification to have a decent lifespan in the industry.