Cybersecurity Maturity Model Certification

Cybersecurity Maturity Model Certification Standard:

A bar graph showing how each successive CMMC level builds on the cybersecurity practices of the previous level.

Table 1 — CMMC Practices Per Level

The Cybersecurity Maturity Model Certification (CMMC) was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The CMMC standard:

Will be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) and become a requirement for contract award. An implementation date has yet to be released by the Federal Government (as of April 8, 2020).
Is a unified cybersecurity standard for future Department of Defense (DoD) acquisitions.
Measures cybersecurity maturity with five levels. Each level has a set of practices:

Level 1 – 17 Practices
Level 2 – 72 Practices (17 Level 1 Practices + 55 Level 2 Practices)
Level 3 – 130 Practices (17 Level 1 Practices + 55 Level 2 Practices + 58 Level 3 Practices)
Level 4 – 156 Practices (17 Level 1 Practices + 55 Level 2 Practices + 58 Level 3 Practices + 26 Level 4 Practices)
Level 5 – 171 Practices (17 Level 1 Practices + 55 Level 2 Practices + 58 Level 3 Practices + 26 Level 4 Practices + 15 Level 5 Practices)
Table 1 is from the CMMC version 1.02, dated March 18, 2020. This table summarizes how the CMMC practices build upon each maturity level:

The following links provide a detailed breakdown of the practices required based on CMMC Levels 1 -3:

Cybersecurity Maturity Model Certification and its relation to Controlled Unclassified Information:

A table listing the number of practices introduced at each CMMC level and how many of those standards come from various sources

Table 2 — Source for CMMC Practices Per Level

Controlled Unclassified Information (CUI) is defined as: Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the AtomicEnergy Act of 1954, as amended.

At the University of Hawaii, if you work with CUI, this data is considered Regulated Data.

The CMMC incorporates NIST SP 800-171 Rev 2’s 110 controls for organizations working with CUI for maturity levels 1 to 3 along with 20 additional practices:

Level 1 – 17 Practices (17 NIST SP 800-171 Rev 2 Controls)
Level 2 – 55 Practices (48 NIST SP 800-171 Rev 2 Controls; 7 Additional CMMC Practices)
Level 3 – 58 Practices (45 NIST SP 800-171 Rev 2 Controls; 13 Additional CMMC Practices)

Table 2 is from the CMMC version 1.02, dated March 18. 2020. This table summarizes how the NIST SP 800-171 Rev 2’s 110 controls are broken out by CMMC Levels. Please note the table references NIST SP 800-171 Rev 1. The control numbers and descriptions have not changed in NIST SP 800-171 Rev 2.

References:

CMMC Main Page: https://www.acq.osd.mil/cmmc/index.html
CMMC Model v1.02 [PDF]: https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
CMMC Model overview briefing [PDF]: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf
CMMC Model v1.02 Appendices [PDF]: https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf
CMMC FAQs: https://www.acq.osd.mil/cmmc/faq.html
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
NIST Special Publication 800-171 Revision 2 [PDF]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf