C2M2-CMMC Supplemental Guidance published for users pursuing CMMC certification to meet DoD requirements

The C2M2-CMMC Supplemental Guidance was recently published to help Cybersecurity Capability Maturity Model (C2M2) users prepare to meet the Department of Defense’s (DoD) recently published Cybersecurity Maturity Model Certification (CMMC) Proposed Rule. Developed with asset owner partners, the C2M2-CMMC Supplemental guidance can help C2M2 users leverage their previous C2M2 experience and identify additional activities to pursue in preparation for meeting CMMC requirements.

While the CMMC is in the process of FAR and DFARS rulemaking, which must be completed before CMMC requirements are included in DoD contracts, the DoD is encouraging companies to implement CMMC in advance of mandatory requirements. The Department of Energy (DOE) created C2M2 to provide organizations with a method to evaluate and plan cybersecurity program improvements. Although created by the energy sector, C2M2 applies across various sectors. 

The three levels of CMMC are designed to protect different levels of unclassified material and systems. Level 1 focuses on protecting Federal Contract Information (FCI); Level 2 includes all requirements outlined in NIST SP 800-171 and will apply when adequate safeguarding of CUI is necessary based on the applicability of DFARS 252.204-7021; and Level 3 adds additional controls from NIST SP 800-172 and is designed for the protection of CUI with national security implications.  

Although CMMC is not yet in effect, DIB (Defense Industrial Base) contractors must meet other, related DoD contractual requirements: DFARS 252.204-7012, DFARS 252.204-7019, and DFARS 252.204-7020. Because of the alignment of CMMC and the current NIST SP 800-171 DoD requirements, any effort expended for a CMMC certification will directly translate to helping meet the current DFARS requirements. Conversely, addressing a gap with NIST SP 800-171 will help achieve future CMMC compliance requirements. 

The 168-page C2M2-CMMC Supplemental Guidance is published for C2M2 users who are pursuing a CMMC certification to meet DoD contractual requirements. The guidance is intended to help C2M2 users both leverage previous C2M2 experience and identify additional activities that may be necessary to meet CMMC certification requirements. Additionally, the document is written from the perspective of CMMC Level 2, but could also apply to organizations seeking CMMC Level 1.  

The document outlines that C2M2 and CMMC have structural similarities, such as the logical arrangement of practices into domains. “Although both models have scaled levels, there is no direct correlation between the maturity indicator levels (MILs) in C2M2 and the CMMC levels. In C2M2, organizations use MILs to measure the maturity of their cybersecurity capabilities, as well as the level of institutionalization (i.e., how ingrained the capabilities are in an organization’s operations). The levels in CMMC are sets of cybersecurity requirements that align with the basic safeguarding requirements for FCI and security requirements for CUI,” it added. 

Organizations use the C2M2 primarily to measure the current state of their cybersecurity capabilities; identify gaps between their current state and a defined target state; and plan improvements that will enable them to reach their target state. Organizations may choose to implement the practices in CMMC as a means of implementing best practices for protecting information. However, they would likely be seeking CMMC certification as part of meeting requirements when contracting with the DoD.  

The C2M2 was designed to be a self-evaluation, during which an organization selects a facilitator who can help guide a workshop of assembled subject matter experts (SMEs). For each practice, SMEs provide a consensus response regarding the level of implementation of cybersecurity activities. Organizations that choose to use C2M2 to evaluate their cybersecurity capabilities may use the results to plan improvements.

In contrast, DIB contractors will be required to meet CMMC requirements as a condition of contract or option year award. The CMMC certification level that an organization is required to achieve is based on the sensitivity of the information to be safeguarded or the program with which it is associated.

Another key difference between C2M2 and CMMC is the assessment methodology. C2M2 self-evaluation tools capture workshop participant responses for the implementation level of each practice through a facilitated one-day workshop. Preparation for a C2M2 self-evaluation typically includes determining the scope, selecting workshop participants, and handling workshop logistics.

The C2M2-CMMC Supplemental Guidance identified that before conducting a C2M2 self-evaluation workshop, an organization should determine the scope, known as the function, of the self-evaluation. “The function is used as an input into selection of self-evaluation participants and assets to be considered when selecting implementation-level responses for each practice. Organizations have flexibility when choosing the function, and may choose a very focused scope, such as electric generation, or scope the function at a higher organizational or enterprise level.”

It added that the selection of the function for a C2M2 self-evaluation, or the assessment scope for CMMC, determines the assets that an organization must consider. 

“The C2M2 model covers all information technology (IT), operational technology (OT), and information assets used for the delivery of the function or that could impact the function if compromised by an attacker. CMMC takes a similar approach, but an organization should carefully consider the requirements for the defined asset categories detailed in CMMC Scoping Guidance,” according to the C2M2-CMMC Supplemental Guidance. “In-scope CMMC assessment assets include those that process, store, or transmit CUI, security protection assets, contractor risk-managed assets and specialized assets. All assets must be documented in three locations: in an asset inventory, in the contractor’s SSP, and in a network diagram.” 

Additionally, the C2M2-CMMC Supplemental Guidance identifies that contractor risk-managed assets and specialized assets are reviewed during an assessment to ensure that the contractor has sufficient risk-based policies, procedures, and practices. “However, these assets are not assessed against the CMMC requirements. Contractor risk-managed assets include assets that can, but are not intended to, process, store, or transmit CUI. Specialized assets include assets that may or may not process, store, or transmit CUI. These include internet-of-things (IoT) devices, OT assets, restricted information systems, and test equipment.”

It also added that for an asset to be considered outside the scope of a CMMC assessment, it must be physically or logically separated from CUI assets. 

CMMC documentation requirements differ from those necessary to complete a C2M2 self-evaluation. Some C2M2 practices describe the implementation of policies or procedures but, because a C2M2 self-evaluation is not evidence-based, an organization is not required to substantiate its practice responses as an artifact. 

Furthermore, when preparing for a CMMC assessment, organizations may find they have similar documentation in place already but should review the CMMC Assessment Guide to determine additional documentation that may be necessary in preparation for a CMMC assessment.
