DIB Frameworks

Compliance Frameworks

Federal Acquisition Regulation (FAR) clause 52.204-21

  • 15 practices (the "basic safeguarding" requirements for Federal Contract Information)
  • Self-attestation

Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012

  • NIST SP 800-171
  • Self-attestation
  • System Security Plan (SSP) & Plan of Action and Milestones (POA&M)

The Federal Information Security Management Act (FISMA)

  • NIST SP 800-53

CMMC

  • Cybersecurity framework and maturity model that combines the above, plus additional practices identified by the DoD and industry
  • CMMC-AB (accreditation body); compliance is verified by a third-party assessment rather than self-attestation

CMMC Levels

5 CMMC Levels (cumulative: each level includes all practices of the level below it)

Level 1 – Basic Cyber Hygiene

  • Federal Contract Information (FCI)
    • 17 practices

Level 2 – Intermediate Cyber Hygiene

  • Transition step from protecting FCI (L1) toward protecting CUI (L3)
    • 72 practices (L1 + 55 practices)

Level 3 – Good Cyber Hygiene

  • Controlled Unclassified Information (CUI)
    • 130 practices (L2 + 58 practices)

Level 4 – Proactive

  • CUI, including Controlled Technical Information (CTI); reduce risk from Advanced Persistent Threats (APTs)
    • 156 practices (L3 + 26 practices)

Level 5 – Advanced/Progressive

  • CUI, including Controlled Technical Information (CTI); reduce risk from APTs
    • 171 practices (L4 + 15 practices)

CMMC

Cybersecurity Maturity Model Certification

CMMC is a cybersecurity framework and maturity model

  • Combination of maturity processes + cybersecurity best practices
  • Co-developed by the DoD and industry
  • Primarily combines FAR 52.204-21 & DFARS 252.204-7012 (NIST SP 800-171)
  • Additional practices defined by the DoD and industry
  • CMMC is broken into 5 maturity levels, spanning 17 domains (derived from the FIPS 200 / NIST SP 800-171 requirement families) and 171 practices
  • CMMC-AB is the governing body; unlike FAR and DFARS self-attestation, formal third-party assessments are required