Pentagon publishes level two assessment guide for revamped CMMC program

By Sara Friedman / December 20, 2021

The Defense Department has released the assessment guide for level two of its Cybersecurity Maturity Model Certification program. The revised model drops the maturity processes of the original CMMC and the 20 practices that went beyond the underlying NIST standard, leaving level two aligned with NIST Special Publication 800-171.

The level two guide is an update to the initial assessment publication for CMMC level three released in 2020. DOD announced significant changes to the CMMC program on Nov. 4, including the consolidation of the maturity levels from five to three and eliminating third-party assessments at level one.

“This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. The CMMC levels and the associated set of practices are cumulative,” the Pentagon said in the level two assessment guide published on Friday.

The guide says, “More specifically, in order for a Defense Industrial Base (DIB) contractor to achieve CMMC Level 2 certification, it must demonstrate achievement of all Level 1 and Level 2 practices.”

Level two is focused on protecting controlled unclassified information. The assessment guide is closely aligned with the security requirements of NIST Special Publication 800-171 and with the assessment procedures outlined in NIST Special Publication 800-171A.

The guide says, “A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC Level 2 standard. Contractors requiring a CMMC Level 2 certification must have a CMMC Level 2 assessment conducted by CMMC Third-Party Assessment Organization (C3PAO) and Certified Assessor. DIB contractors using this guide to perform CMMC Level 2 self-assessment, will not result in a CMMC Level 2 certification.”

DOD is establishing a bifurcated process for level two where “triennial third-party assessments” are needed for contracts involving “critical national security information” and an “annual self-assessment for select programs,” according to the Pentagon’s maturity model overview publication.

The level two publication says, “This guide is intended for Certified Assessors, contractors, as well as information technology (IT) and cybersecurity professionals who secure data and systems with responsibilities for information risk management and governance, system development, security assessment and monitoring, and security implementation and operations. Contractors can use this document to prepare for a CMMC assessment to include but not limited to a self-assessment.”

The guide has four sections:

* Assessment and Certification: provides an overview of the CMMC assessment and certification process, guidance around contractor size, and the assessment scope.

* Assessment Criteria and Methodology: provides guidance on the criteria and methodology (i.e., interview, examine, and test) Certified Assessors will employ during a CMMC assessment, as well as practice findings.

* CMMC-Specific Terms: provides clarification of the intent and scope of specific terms as used in the context of CMMC.

* Practice Descriptions: provides the assessment requirements and specifics for each CMMC practice.

Under the practice descriptions, DOD lists for each practice its assessment objectives, the potential assessment methods (interview, examine, test) and the objects they apply to, illustrative examples, and potential assessment considerations.