Cybersecurity, Privacy, & AI


DoD Updated its New Contractor Cybersecurity Certification Program


The U.S. Department of Defense (DoD) updated its new contractor cybersecurity certification program, including version 0.7 of its expected model and a progress report on the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body. The primary purpose of this interim release was to detail the data security controls required to achieve the two highest levels of CMMC: Levels 4 and 5. As expected, a number of these practices are derived from draft NIST SP 800-171B, though many controls are based on other information security standards or are unique to CMMC.

As contractors who have implemented NIST SP 800-171 know, many of the controls are ambiguous and open-ended, leaving uncertainty as to whether a specific security practice meets the control. CMMC v0.7 has taken steps to address this for Levels 1-3 by including appendices that provide additional guidance in the form of “Clarifications” and “Examples.”

Read the full post at Wiley Rein
