
CMMC—Securing the DIB Supply Chain

Created March 2020

Malicious cyber activity—the theft of intellectual property and sensitive information—poses an increasing and serious threat to national and economic security. The Department of Defense (DoD) called on our experts in the CERT Division to help create the Cybersecurity Maturity Model Certification (CMMC) program to combat cybercrime in the Defense Industrial Base (DIB) sector, its trusted supply chain of more than 300,000 organizations globally that provide essential military operation products and services.

The DIB Sector Is at Risk

From the largest DIB sector company to its smallest subcontractor, every entity throughout the supply chain is vulnerable to attacks, which increased 78 percent in 2019. To make the sector more secure, the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) turned to the SEI’s CERT Division to help focus efforts on protecting controlled unclassified information (CUI) that resides on DoD partner unclassified networks. The CMMC program is the result of this collaboration.

Our Collaborators

We built the initial versions of CMMC in collaboration with Johns Hopkins University Applied Physics Laboratory, a university-affiliated research center, as well as with our industry and government partners.


Security Is Foundational to DoD Acquisition

Like cost, schedule, and performance, security is foundational to DoD acquisition. CMMC is a certification program based on a framework designed to improve supply chain security. CMMC will enhance the protection of federal contract information (FCI) and CUI within the supply chain, which will enable the DoD to make risk-informed decisions when it shares information with its DIB contractors.

When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which include both technical security controls and maturity processes. Companies will receive an assessment of all CMMC practices and processes, and be granted a certification by an independent CMMC Third Party Assessment Organization (C3PAO).

Our Expertise in Process Maturity, Resilience, and Cybersecurity

CMMC changes the way the DIB sector approaches security from a compliance-based checklist to a maturity model approach. At the heart of CMMC maturity progression are the CMMC processes, which measure an organization’s maturity, or its ability to institutionalize CMMC practices. The SEI has a long and accomplished history with process maturity and measurement. We developed Capability Maturity Model Integration (CMMI), which organizations have used for more than 25 years to help achieve repeatable and sustainable results. This seminal work measures the performance of a range of critical business capabilities.

We combined our CMMI work with the SEI’s deep expertise in resilience and cybersecurity to develop the CERT Resilience Management Model, or CERT-RMM. CERT-RMM defines the practices and metrics needed to manage operational resilience.

The CERT-RMM is the basis for planning, communicating, and evaluating improvements across an enterprise. It is foundational in the design and development of the CMMC architecture and process maturity.

CMMC is the product of these two long-validated SEI cybersecurity models. CMMC also takes into consideration the needs and resources of all companies that make up the DIB sector, so that even small businesses can achieve a necessary baseline of maturity and help strengthen the security of the entire supply chain.

Learn More

Overview of Practices and Processes of the CMMC Assessment Guides

March 03, 2021 White Paper
Douglas Daniel Gardner

This document is intended to help anyone unfamiliar with cybersecurity standards get started with the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC).

An Introduction to CMMC Assessment Guides

December 08, 2020 Podcast
Katie C. Stewart, Andrew F. Hoover

In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss the CMMC assessment guides, how they were developed, and how they can be used.

The CMMC Level 3 Assessment Guide: A Closer Look

December 08, 2020 Podcast
Andrew F. Hoover, Katie C. Stewart

Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss the Level 3 Assessment Guide for the CMMC and how it differs from the Level 1 Assessment Guide.

The CMMC Level 1 Assessment Guide: A Closer Look

December 08, 2020 Podcast
Katie C. Stewart, Andrew F. Hoover

Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss the Level 1 Assessment Guide for the CMMC.

Reviewing and Measuring Activities for Effectiveness in CMMC Level 4

October 08, 2020 Podcast
Andrew F. Hoover, Katie C. Stewart

Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss reviewing and communicating CMMC activities and measuring those activities for effectiveness, which are requirements of Level 4 of the model.

Cybersecurity Maturity Model Certification (CMMC)

September 16, 2020 Collection

These publications describe Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) program to protect Controlled Unclassified Information (CUI) by bolstering the cybersecurity of the Defense Industrial Base (DIB) sector.

CMMC—Securing the DIB Supply Chain with the Cybersecurity Maturity Model Certification Process

June 03, 2020 Fact Sheet

This document explains the concept of process maturity, how it applies to cybersecurity, and the steps an organization can take to navigate the five CMMC levels of process maturity.

Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity's Role in Cybersecurity

June 01, 2020 Blog Post
Andrew Hoover, Katie C. Stewart

Process maturity represents an organization's ability to institutionalize their practices. Measuring process maturity determines how well practices are ingrained in the way work is defined, executed,...

An Introduction to the Cybersecurity Maturity Model Certification (CMMC)

March 30, 2020 Blog Post
Katie C. Stewart, Andrew Hoover

A recent study predicted that business losses due to cybercrime will exceed $5 trillion by 2024. The threat to the Defense Industrial Base (DIB)--the network of more than 300,000 businesses, organizations, and universities...
