
CMMC—Securing the DIB Supply Chain

Created March 2020

Malicious cyber activity—the theft of intellectual property and sensitive information—poses an increasing and serious threat to national and economic security. The Department of Defense (DoD) called on our experts in the CERT Division to help create the Cybersecurity Maturity Model Certification (CMMC) program to combat cybercrime in the Defense Industrial Base (DIB) sector, its trusted supply chain of more than 300,000 organizations globally that provide essential military operation products and services.

The DIB Sector Is at Risk

From the largest DIB sector company to its smallest subcontractor, every entity throughout the supply chain is vulnerable to attacks, which increased 78 percent in 2019. In its need to make the sector more secure, the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) turned to the SEI’s CERT Division to help focus efforts on protecting controlled unclassified information (CUI) that resides on DoD partner unclassified networks. The CMMC program is the result of this collaboration.

Our Collaborators

We built the initial versions of CMMC in collaboration with Johns Hopkins University Applied Physics Laboratory, a university affiliated research center, as well as with our industry and government partners.

CMMC Collaborators image

Security Is Foundational to DoD Acquisition

Like cost, schedule, and performance, security is foundational to DoD acquisition. CMMC is a certification program based on a framework designed to improve supply chain security. CMMC will enhance the protection of federal contract information (FCI) and CUI within the supply chain, which will enable the DoD to make risk-informed decisions when it shares information with its DIB contractors.

When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, each of which includes both technical security controls and maturity processes. Companies will receive an assessment of all CMMC practices and processes and be granted a certification by an independent CMMC Third Party Assessment Organization (C3PAO).

Our Expertise in Process Maturity, Resilience, and Cybersecurity

CMMC changes the way the DIB sector approaches security from a compliance-based checklist to a maturity model approach. At the heart of CMMC maturity progression are the CMMC processes, which measure an organization’s maturity, or its ability to institutionalize CMMC practices. The SEI has a long and accomplished history with process maturity and measurement. We developed Capability Maturity Model Integration (CMMI), which organizations have used for more than 25 years to help achieve repeatable and sustainable results. This seminal work measures the performance of a range of critical business capabilities.

We combined our CMMI work with the SEI’s deep expertise in resilience and cybersecurity to develop the CERT Resilience Management Model, or CERT-RMM. CERT-RMM defines the practices and metrics needed to manage operational resilience.

The CERT-RMM is the basis for planning, communicating, and evaluating improvements across an enterprise. It is foundational in the design and development of the CMMC architecture and process maturity.

CMMC is the product of these two long-validated SEI cybersecurity models. CMMC also takes into consideration the needs and resources of all companies that make up the DIB sector, so that even small businesses can achieve a necessary baseline of maturity and help strengthen the security of the entire supply chain.

Learn More

Optimizing Process Maturity in CMMC Level 5

October 13, 2020 Podcast
Katie C. Stewart, Andrew F. Hoover

Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss the Level 5 process maturity requirements: standardizing and optimizing a documented approach for CMMC.
Reviewing and Measuring Activities for Effectiveness in CMMC Level 4

October 08, 2020 Podcast
Andrew F. Hoover, Katie C. Stewart

Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss reviewing and communicating CMMC activities and measuring those activities for effectiveness, which are requirements of Level 4 of the model.
Cybersecurity Maturity Model Certification (CMMC)

September 16, 2020 Collection

These publications describe Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) program to protect Controlled Unclassified Information (CUI) by bolstering the cybersecurity of the Defense Industrial Base (DIB) sector.
Follow the CUI: Setting the Boundaries for Your CMMC Assessment

September 16, 2020 Webinar
Matthew Trevors, Gavin Jurecko

In this webcast, Model Architects Gavin Jurecko and Matt Trevors reviewed several steps for identifying CUI exposure in terms of an organization's critical services and the assets that support them.
Developing an Effective CMMC Policy

August 25, 2020 Podcast
Andrew F. Hoover, Katie C. Stewart

Andrew Hoover and Katie Stewart, architects of the Cybersecurity Maturity Model Certification (CMMC), present guidelines for developing an effective CMMC policy.
Follow the CUI: 4 Steps to Starting Your CMMC Assessment

August 24, 2020 Blog Post
Matthew Trevors

One of the primary drivers of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) is the congressional mandate to reduce the risk of accidental disclosure of controlled unclassified information (CUI). However, a full CMMC assessment can seem daunting...
Beyond NIST SP 800-171: 20 Additional Practices in CMMC

June 22, 2020 Blog Post
Andrew Hoover

Katie Stewart co-authored this blog post. In November, defense contractors will be required to meet new security practices outlined in the Cybersecurity Maturity Model Certification (CMMC). As this post details, while the primary source of security practices in the CMMC...
CMMC—Securing the DIB Supply Chain with the Cybersecurity Maturity Model Certification Process

June 03, 2020 Fact Sheet

This document explains the concept of process maturity, how it applies to cybersecurity, and the steps an organization can take to navigate the five CMMC levels of process maturity.
Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity's Role in Cybersecurity

June 01, 2020 Blog Post
Andrew Hoover

Katie Stewart co-authored this blog post. Process maturity represents an organization's ability to institutionalize its practices. Measuring process maturity determines how well practices are ingrained in the way work is defined, executed, and managed. Process maturity represents an organization's commitment...
An Introduction to the Cybersecurity Maturity Model Certification (CMMC)

March 30, 2020 Blog Post
Katie C. Stewart

Andrew Hoover co-authored this blog post. A recent study predicted that business losses due to cybercrime will exceed $5 trillion by 2024. The threat to the defense industrial base (DIB)--the network of more than 300,000 businesses, organizations, and universities that...