DoD Publishes CMMC Draft Version 0.7
The Department of Defense ("DoD") recently published its Draft Cybersecurity Maturity Model Certification ("CMMC") Version 0.7 (dated December 6, 2019). DoD posted the following note with the release:
DoD is releasing this latest version (v0.7) so that the public can review the draft model and begin to prepare for the eventual CMMC roll out. This document includes CMMC Levels 1-5 as well as the associated discussion and clarification for a subset of practices and processes in Appendices B - E.
CMMC Version 0.7 modifies some of the maturity processes and the Level 1-3 practices, and it introduces new practices for Levels 4 and 5. As many are aware, Draft CMMC Version 0.6 did not contain practices for Levels 4 and 5.
As for the number of practices, Level 1 stayed the same and has 17 practices. Level 2 dropped three practices and now has 55 practices. Level 3 added three practices and now has 59 practices. Level 4 has 26 practices and Level 5 has 16 practices.
As defined in the CMMC, a practice is "[a] specific technical activity or activities that are required and performed to achieve a specific level of cybersecurity maturity for a given capability within a domain." Notably, practices are cumulative. In other words, once a practice is introduced within a CMMC level, the practice is required for all higher CMMC levels as well.
As a reminder, contractors that are assessed at CMMC Level 3 are those that meet the requirements of NIST SP 800-171 Rev 1 and demonstrate "good cyber hygiene" and "effective implementation of controls."
Notably, DoD is still targeting a late January 2020 release of CMMC Version 1.0, and it appears that DoD will introduce the CMMC into RFIs sometime in June 2020. Given that there are roughly 300,000+ contractors within the defense industrial base, it will be interesting to see whether DoD has any rhyme or reason governing that process.
. . .