The Department of Defense has issued a draft version of the Cybersecurity Maturity Model Certification, which sets cyber standards and practices meant to help the defense industrial base reduce exfiltration of controlled unclassified information.
A notice from DoD’s office of the defense undersecretary for acquisition and sustainment says the draft CMMC version 0.4 has five levels ranging from basic cyber hygiene to highly advanced practices. Each level has specific practices and activities that need to be carried out by stakeholders to achieve a capability.
The CMMC model consists of 18 domains, including access control, asset management, configuration management, cybersecurity governance, incident response, personnel security, recovery, risk assessment and situational awareness.
“CMMC levels 4 and 5 are targeted toward a small subset of the DIB sector that supports DoD critical programs and technologies,” according to an overview of the draft CMMC model.
The Pentagon will accept feedback on the CMMC framework through Sept. 25 with plans to release the model's draft version 0.6 for public review in November.
The department plans to release the final framework in January. It also expects the model to be included in requests for information starting in June 2020 and requests for proposals beginning in the fall of next year.
DoD began work on CMMC in March in partnership with several organizations, including the Johns Hopkins University Applied Physics Laboratory, Defense Industrial Base Sector Coordinating Council, Carnegie Mellon University Software Engineering Institute and the Office of Small Business Programs. Industry associations such as the Professional Services Council, Aerospace Industries Association and the National Defense Industrial Association also supported the effort.