CMMC—Securing the DIB Supply Chain
Created March 2020
Malicious cyber activity—the theft of intellectual property and sensitive information—poses an increasing and serious threat to national and economic security. The Department of Defense (DoD) called on our experts in the CERT Division to help create the Cybersecurity Maturity Model Certification (CMMC) program to combat cybercrime in the Defense Industrial Base (DIB) sector, its trusted supply chain of more than 300,000 organizations globally that provide essential military operation products and services.
The DIB Sector Is at Risk
From the largest DIB sector company to its smallest subcontractor, every entity throughout the supply chain is vulnerable to attacks, which increased 78 percent in 2019. In its need to make the sector more secure, the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) turned to the SEI’s CERT Division to help focus efforts on protecting controlled unclassified information (CUI) that resides on DoD partner unclassified networks. The CMMC program is the result of this collaboration.
We built the initial versions of CMMC in collaboration with Johns Hopkins University Applied Physics Laboratory, a university affiliated research center, as well as with our industry and government partners.
Security Is Foundational to DoD Acquisition
Like cost, schedule, and performance, security is foundational to DoD acquisition. CMMC is a certification program based on a framework designed to improve supply chain security. CMMC will enhance the protection of federal contract information (FCI) and CUI within the supply chain, which will enable the DoD to make risk-informed decisions when it shares information with its DIB contractors.
When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, each of which includes both technical security controls and maturity processes. Companies will receive an assessment of all CMMC practices and processes and be granted a certification by an independent CMMC Third Party Assessment Organization (C3PAO).
Our Expertise in Process Maturity, Resilience, and Cybersecurity
CMMC changes the way the DIB sector approaches security from a compliance-based checklist to a maturity model approach. At the heart of CMMC maturity progression are the CMMC processes, which measure an organization’s maturity, or its ability to institutionalize CMMC practices. The SEI has a long and accomplished history with process maturity and measurement. We developed Capability Maturity Model Integration (CMMI), which organizations have used for more than 25 years to help achieve repeatable and sustainable results. This seminal work measures the performance of a range of critical business capabilities.
We combined our CMMI work with the SEI’s deep expertise in resilience and cybersecurity to develop the CERT Resilience Management Model, or CERT-RMM. CERT-RMM defines the practices and metrics needed to manage operational resilience.
The CERT-RMM is the basis for planning, communicating, and evaluating improvements across an enterprise. It is foundational in the design and development of the CMMC architecture and process maturity.
CMMC is the product of these two long-validated SEI cybersecurity models. CMMC also takes into consideration the needs and resources of all companies that make up the DIB sector, so that even small businesses can achieve a necessary baseline of maturity and help strengthen the security of the entire supply chain.
October 08, 2020 Podcast
Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss reviewing and communicating CMMC activities and measuring those activities for effectiveness, which are requirements of Level 4 of the model.
September 16, 2020 Collection
These publications describe Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) program to protect Controlled Unclassified Information (CUI) by bolstering the cybersecurity of the Defense Industrial Base (DIB) sector.
June 22, 2020 Blog Post
Katie Stewart co-authored this blog post. In November, defense contractors will be required to meet new security practices outlined in the Cybersecurity Maturity Model Certification (CMMC). As this post details, while the primary source of security practices in the CMMC...
June 03, 2020 Fact Sheet
This document explains the concept of process maturity, how it applies to cybersecurity, and the steps an organization can take to navigate the five CMMC levels of process maturity.
June 01, 2020 Blog Post
Katie Stewart co-authored this blog post. Process maturity represents an organization's ability to institutionalize its practices. Measuring process maturity determines how well practices are ingrained in the way work is defined, executed, and managed. Process maturity represents an organization's commitment...
March 30, 2020 Blog Post
Andrew Hoover co-authored this blog post. A recent study predicted that business losses due to cybercrime will exceed $5 trillion by 2024. The threat to the defense industrial base (DIB)--the network of more than 300,000 businesses, organizations, and universities that...