This post results from the project “AMsec” within the Munich Cyber Security Program (MCSP) The MCSP is a cooperation project between Champlain College and ComCode (Germany). The project AMsec focusses on CMMC topics in the context of Additive Manufacturing”.
The U.S. Department of Defense released the highly anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. This model serves as a unified standard for implementing cybersecurity controls across the defense industrial base which applies to over 300,000 entities across the country. With the increasing amount of supply chain attacks disrupting and compromising sensitive information concerning national security, the CMMC seeks to rectify major malpractice via this uniformed model.
From the official CMMC Government Portal: “The Cybersecurity Maturity Model Certification framework includes a comprehensive and scalable certification element to verify the processes and practices associated with the achievement of a cybersecurity maturity level. CMMC can adequately protect sensitive unclassified information, accounting for flow down to subcontractors in a multi-tier supply chain.”
The current CMMC framework is based on a variety of pre-existing standards including the highly influential ISO 27001 and NIST SP 800-171, which both pertain to the protection of controlled unclassified information in non-federal organizations as well as general best practices when handling sensitive information of any kind that does not belong to you or the organization you may represent. The idea of a maturity model stems from the tier-based approach to compliance in which 5 total levels of maturity can be reached, each broken up into a variety of best practices and controls:
These best practices make up a total of 17 Capability Domains including Access Control, Risk Management, Media Protection, Incident Response, and more. The CMMC Accreditation Board breaks down these domains into the 171 best practices depicted in the graph I’ve created above.
With the topic of supply chain risk becoming increasingly relevant, and with the new Biden Administration revisiting and amplifying current Cybersecurity controls and measures, such as the CMMC, we will continue to explore the topic of federal compliance over the coming weeks, breaking down these aforementioned controls even further and helping you to understand where you may fall into this complex framework.
Follow us for more updates on this project!
For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de
Written By: Austin Grupposo’23 // Digital Forensics & Cybersecurity