The 17 Domain of Cybersecurity Maturity Model Certification CMMC

Posted on June 19, 2021 by Benjamin Bressington

The 17 Domain of Cybersecurity Maturity Model Certification CMMC

The 17 Domain of Cybersecurity Maturity Model Certification CMMC

The Department of Defense's Cybersecurity Maturity Model Certification is an evolving certification system that rates the cyber security maturity of a company based on their efforts to protect controlled unclassified information (CUI) and the defense industrial base. Building off NIST SP 800-171, CMMC provides 3 levels for companies: basic cybersecurity hygiene, dynamic programming with adaptive controls and finally Adaptive Dynamic Programming. The CMMC framework is composed of 17 domains, with each tier layering in more practices and processes for each domain. In this infographic we'll be taking a high-level view of what to expect when working towards meeting your CMMC requirements.

Why do you need Cybersecurity Maturity Model Certification CMMC

The Cybersecurity Maturity Model Certification (CMMC) model measures cybersecurity maturity with five levels and from basic cyber hygiene to intermediate cyber hygiene.

It is estimated that cybercrime drains over $600 billion annually from the global GDP. Relying on the vast network of contractors to execute its mission means that the Department of Defense is entrusting each one of them with critical data, which may increase risk for all parties involved in handling

Against a backdrop of uncertainty, the Department of Defense has developed CMMC certification to encourage more rigorous cybersecurity practices among its global contractors.

Controlled Unclassified Information (CUI)

Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526.

Federal Contract Information (FCI)

Information, not intended for public release and generated by a company in accordance with the government's requests to develop or deliver products is now classified as top secret.

Information that underlies company contracts will be protected from disclosure if it was created specifically for this purpose or if the contract requires such information to be kept confidential

What is the goal of CMMC?

CMMC provides a framework for organizations to improve their cybersecurity by establishing standards and practices, measuring progress against those standards through CMMI-LTM maturity levels, executing CMCC gap analysis exercises.

What is the cybersecurity maturity model certification (CMMC)?

The CMMC, or Cybersecurity Maturity Model Certification is a program initiated by the United States Department of Defense in order to measure their readiness and sophistication in cybersecurity. This model is designed on top of existing cybersecurity standards such as NIST, FAR, DFRARs.

As an organization moves up the Cybersecurity Maturity Model Certification (CMMC) model, they are better able to secure their systems and protect data from cyberattacks. The NIST SP 800-171 or NIST 800 171 certification is a perfect example of this process in action.

Cybersecurity is a complicated and expansive topic but how much do you know about them? We will explore the five levels of cybersecurity maturity as well as what it takes to achieve each level.

What is NIST SP 800 171?

NIST SP 800-171 is the federal standard that CMMC uses to measure cybersecurity maturity.

The CMMI for Lifecycle Product (CMLCP) has been developed by CMCC and CMAC in collaboration with NIST and other stakeholders to provide a detailed overview of how organizations can use CMARs as part of their overall enterprise risk.

The CMMC framework is composed of 17 domains, with each tier layering in more practices and processes for each domain.

The CMMC Domain

Access Control (AC) - This domain requires organizational skills for the people who have access to your company's systems and what their requirements are. It also helps determine who has remote access, internal access, and limitations of their role system.

Asset Management - This domain requests you to locate, identify, and log inventory of the assets in your organization.

Audit & Accountability - This domain requires that you have a process in place to track users who access your organization’s CUI, and perform audits of those logs to make sure they are held accountable for their behavior. In order to do this, you must define the requirements of each audit, have a method for performing the audit as well as protect and secure the results

Awareness Training - This domain requires that you have training programs in place for all personnel and conduct security awareness activities.

Configuration Management (CM) - This domain guarantees that your system will maintain a proper baseline and do all audits to ensure the accuracy of each assessment on the operational posture.

Identification & Authentication - This domain ensures the proper roles within organizations have the right level of access and can be authenticated for accountability purposes.

Incident Response (IR) - This domain, your organization needs to have an incident response plan. You'll need the ability to detect and report events, develop and implement a response to a declared incident, perform post-incident reviews and run tests in order for your entity to be prepared when faced with cyberattacks.

Maintenance - This domain requires you have a maintenance system in place to maintain and effectively operate your system.

Media Protection (MP) - This domain requires the organization to identify its media and demonstrate that they are appropriately labeled for ease of access. They also need to provide evidence of a protection protocol, sanitation protocol, and needs transportation in place.

Personnel Security - To ensure personnel security, your employees will be screened (including background checks) and should be provided with the means to protect CUI during staff activity or employee turnover.

Physical Protection - Your organization will need to provide evidence of the physical security surrounding your assets and prove that they are protected.

Recovery - This domain requires that you keep and log backups of media necessary to your organization, these need to be logged for the purpose of continuity among backups and mitigrate lost data.

Risk Management - This domain is the process of identifying and evaluating your vulnerability by conducting periodic risk assessments as well as ongoing vulnerability scans. This includes assessing not just your own organization's risks but also those of your vendors.

Security Assesment - For this domain, you will need a security plan in place. Additionally, you will need to define and manage control remote system access and perform code reviews for your organization.

Situational Awareness (SA) - You will need a threat monitoring system. This can help supplement other domains and keep you organization secure in the event of a cyber incident.

System & Communications Protection - To ensure security at each system and communication channel, you will need to define your organization's security requirements. Furthermore, you need to maintain evidence that your organization is able to control internal system access communications at the boundaries of every system as well as provide authorization mechanisms for these channels.

System & Information Integrity - In order to ensure system and information integrity, you must identify, manage flaws within your system; your network and system monitoring to identify hazardous and malicious content.

Are you worried that your company is vulnerable to ransomware?

The Business Cybersecurity System protects you against real-world threats while building your cybersecurity culture. Using the latest in breach and attack simulation our team can show you which ransomware and malware attacks would cripple your company regardless of the cybersecurity protections you already have in place!

Who is ChatFortress

ChatFortress is a leading cybersecurity company that helps small and medium-size companies protect themselves from hacking attempts. Using Cybersecurity AI, Gamified cybersecurity awareness programs and providing virtual security analysts. Our goal is to help you create a cybersecurity aware culture.

Cybersecurity Resources

Talk to Us

Reduce your cybersecurity risk and exposure. Schedule time with your ChatFortress Specialist now
or Call 307-999-7755

Cybersecurity Education Links

Common Cybersecurity Mistakes and how you can protect yourself and your business from liability and financial loss! Instant Webinar Access!

Schedule Your Free Cybersecurity Risk Assessment Click Here to Schedule Call

Discover current hacker trends to steal your data and how you can protect yourself in 7 day FREE Email Cybersecurity crash course

Here are the 8 common types of email phishing attacks that hackers use to steal your identity. Are you protected?

Protect your business from hackersCrash Coursesmall business cybersecurity protectionHackerssmall business cybersecurity protection8typesofemailphishingscamssmall business cybersecurity protectionCMMC Compliance Check ListCybersecurity For Business