CMMC—Securing the DIB Supply Chain
Created March 2020
Malicious cyber activity—the theft of intellectual property and sensitive information—poses an increasing and serious threat to national and economic security. The Department of Defense (DoD) called on our experts in the CERT Division to help create the Cybersecurity Maturity Model Certification (CMMC) program to combat cybercrime in the Defense Industrial Base (DIB) sector, its trusted supply chain of more than 300,000 organizations globally that provide essential military operation products and services.
The DIB Sector Is at Risk
From the largest DIB sector company to its smallest subcontractor, every entity throughout the supply chain is vulnerable to attacks, which increased 78 percent in 2019. In its need to make the sector more secure, the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) turned to the SEI’s CERT Division to help focus efforts on protecting controlled unclassified information (CUI) that resides on DoD partner unclassified networks. The CMMC program is the result of this collaboration.
We built the initial versions of CMMC in collaboration with Johns Hopkins University Applied Physics Laboratory, a university affiliated research center, as well as with our industry and government partners.
Security Is Foundational to DoD Acquisition
Like cost, schedule, and performance, security is foundational to DoD acquisition. CMMC is a certification program based on a framework designed to improve supply chain security. CMMC will enhance the protection of FCI and CUI within the supply chain, which will enable the DoD to make risk-informed decisions when it shares information with its DIB contractors.
When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security controls and maturity processes. Companies will receive an assessment of all CMMC practices and processes, and be granted a certification by an independent CMMC Third Party Assessment Organization (C3PAO).
Our Expertise in Process Maturity, Resilience, and Cybersecurity
CMMC changes the way the DIB sector approaches security from a compliance-based checklist to a maturity model approach. At the heart of CMMC maturity progression are the CMMC processes, which measure an organization’s maturity, or its ability to institutionalize CMMC practices. The SEI has a long and accomplished history with process maturity and measurement. We developed Capability Maturity Model Integration (CMMI), which organizations have used for more than 25 years to help achieve repeatable and sustainable results. This seminal work measures the performance of a range of critical business capabilities.
We combined our CMMI work with the SEI’s deep expertise in resilience and cybersecurity to develop the CERT Resilience Management Model, or CERT-RMM. CERT-RMM defines the practices and metrics needed to manage operational resilience.
The CERT-RMM is the basis for planning, communicating, and evaluating improvements across an enterprise. It is foundational in the design and development of the CMMC architecture and process maturity.
CMMC is the product of these two long-validated SEI cybersecurity models. And, CMMC takes into consideration the needs and resources of all companies that make up the DIB sector, so that even small businesses can achieve a necessary baseline of maturity, and help strengthen the security of the entire supply chain.