What happens when a group of cybersecurity practitioners has a dark sense of humor and too much time on their hands? Well... this is it! This is not affiliated with the DoD, CMMC-AB or CMMC-COE. This is an independent project to help those dealing with Cybersecurity Maturity Model Certification (CMMC) compliance issues. We support any effort to fix CMMC and transform it into a viable, scalable Supply Chain Risk Management (SCRM) solution for the US Defense Industrial Base (DIB).
On a serious note, we've seen a "money grab" as CMMC has become its own cottage industry and we wanted to do something to help those in the DIB by providing a starting point to understand what possible technology options exist.
This information is "use at your own risk" so you are fully-expected to do your own due diligence and due care when selecting any product or service, otherwise you are an idiot and you seriously should not be supporting the DIB in the first place! Seriously.
CMMC Center of Awesomeness (CMMC-COA)
The CMMC Center of Awesomeness (CMMC-COA) project is a volunteer effort. We received a lot of input and recommendations from cybersecurity practitioners who are very experienced in NIST SP 800-171 and CMMC. These valuable insights are what made this project useful, since what might work for PCI DSS, HIPAA, SOC 2, etc. does not necessarily mean it will work for CMMC, based on the data-centric nature of protecting regulated data, which is Federal Contract Information (FCI) for CMMC Level 1 and Controlled Unclassified Information (CUI) & FCI for CMMC Levels 2-3.
The CMMC-COA is an attempt to help the DIB attain CMMC awesomeness! This is a free resource to help those in the DIB get pointed in the right direction. The idea behind the way information is presented is that the size of an Organization Seeking Certification (OSC) best determines the budget/staffing/complexity more than any other single aspect. That is why the technology solutions are proposed according to the following organization size guidelines:
Micro-small (<20 employees/staff)
Enterprise (2,000+ - think Fortune 500 expectations)
CMMC 2.0 Level 2 Scoping Guide
DoD released the CMMC 2.0 Level 2 scoping guide - https://www.acq.osd.mil/cmmc/docs/Scope_Level2_V2.0_FINAL_20211203.pdf
We developed a scoping tree to help walk you through that content. Click on the image for a PDF version. Enjoy!
In some ways, it is going to be a waiting game to see how the DoD and CMMC-AB roll out "CMMC 2.0" but it is imperative that you take this time to educate yourself. First, start with the DoD's website about CMMC 2.0. The following graphics are meant to help break down some of the basic concepts about the remaining 3 levels of CMMC 2.0 that will exist, which essentially are made up of pre-existing standards:
Level 1 has 17 controls that are sourced directly from the 15 basic cybersecurity controls in FAR 52.204-21.
Level 2 has 110 controls that are sourced directly from NIST SP 800-171. However, do not forget the expected 61 Non-Federal Organization (NFO) controls in Appendix E of NIST SP 800-171 (those essentially function the same as CMMC 1.0 processes).
Level 3 has all the tantalizing goodness of Level 2, but adds some form of requirements from NIST SP 800-172. This could be all or a subset of the 35 controls found in NIST SP 800-172.
Preparing For Your CMMC Assessment? In Need Of Sage Advice?
Your goal is to pass a CMMC assessment and it is imperative that you do not make unforced errors. In audits/assessments, unforced errors are primarily due to the assessee lacking the ability to answer a question in a concise and straightforward manner. That is sometimes easier said than done.
The good news for you is we made something awesome to help with our "CMMC Assessment Preparation Guide" (or How I Learned To Shut The Fuck Up When Dealing With DIBCAC / C3PAO Assessors & Embrace Awkward Silences).
This guide will help you prepare for a DIBCAC or C3PAO assessment by getting in the right mindset!
Neutral Explanation of What CMMC Is
If you are new to CMMC and want to get a neutral explanation of what it is without any Fear, Uncertainty & Doubt (FUD) marketing, you can click on the image to the left to read the "Defense Acquisitions: DOD’s Cybersecurity Maturity Model Certification Framework" from the Congressional Research Services (CRS). This document is meant to help educate members of Congress on CMMC, so it is about as neutral as anyone could expect an overview to be.
It is full of references that you can go read on your own to gain mastery of this subject. The better educated you are, the better the DIB is in general. We want you to educate yourself, so that when you start looking at solutions to become compliant or speak with consultants, you are fully educated on the subject and will not be taken advantage by some douchebag claiming to solve all your CMMC issues with their magical solution or services. They are out there, so education is your best defense!
To wrap your head around CMMC, it is worth your time to watch the video below. This is "A Banquet of Consequences: The Story of CUI, DFARS & CMMC" by Jacob Horne. This is an excellent, in-depth look into the origins of CMMC that proves the point that CMMC was not "sprung upon the DIB" without warning... a nearly two decades-long glacier that "suddenly appeared" out of nowhere.
"Good Security" Follows The CIAS Quadrant Model
Just to make it painfully clear, we feel it is important to point out that NIST SP 800-171 and CMMC only focus on the CONFIDENTIALITY and INTEGRITY of regulated data (specifically CUI and FCI). This does not equate to "good security" for the overall organization, just minimal requirements for an OSC to contractually fulfill its obligation to protect its client's data (e.g., DoD's FCI and CUI data).
The four pillars of a modern cybersecurity program are Confidentiality, Integrity, Availability and Safety and that should be the guiding concept that you use when evaluating and selecting any technology solutions for your organization:
Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.
Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
Availability addresses ensuring timely and reliable access to and use of information.
Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.
CMMC Focuses On "Good IT Hygiene" Practices
NIST SP 800-171 and CMMC are more focused on good IT practices more than hardcore cybersecurity practices. This is quite evident when you breakdown the various processes and practices to People, Processes & Technology (PPT) :
Tasks Assigned To Application/Asset/Process Owner
Tasks Assigned To Cybersecurity Personnel
Tasks Assigned To IT Personnel
Configuration or Software or Hardware or Outsourced Solution
Configuration or Software Solution
Software or Hardware Solution
Technical Configurations (e.g., security settings)