CMMC is an assessment standard designed to ensure that defense contractors comply with current cybersecurity requirements. This way, the DoD can ensure its contractors are protecting sensitive defense information. CMMC 2.0 compliance has three main objectives at its core: protect sensitive defense information from cyber-attacks and nation-state actors; create a unifying cybersecurity standard for defense contractors; and ensure accountability for defense companies that are responsible for protecting government data. So what are the certification levels, and who needs to become certified?
CMMC 2.0 has three levels of compliance. This is much simpler than the 5 levels of CMMC 1.2. Version 2.0 does this by cutting the old levels 2 and 4. These were originally developed as transition levels. The new CMMC 2.0 levels distinguish themselves from one another based on the type of information DIB companies handle.
Level 1 applies to companies that focus on the protection of Federal Contract Information, or FCI. It is based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information. The six FAR 52.204-21 families are: Access Control; Identification and Authentication; Media Protection; Physical Protection; System and Communications Protection; and System and Information Integrity. These controls aim to protect covered contractor information systems and limit access to authorized users.
Companies should be compliant with CMMC’s level 2 if they deal with CUI. This level is comparable to CMMC 1.0’s level 3. Level 2 mirrors NIST SP 800-171. All practices and maturity processes that used to be unique to CMMC 1.0 are now gone. Instead, level 2 aligns with the 14 control families and 110 security controls developed by the National Institute of Standards and Technology (NIST) to protect CUI. The 14 NIST SP 800-171 families are: Access Control; Media Protection; Awareness and Training; Personnel Security; Audit and Accountability; Physical Protection; Configuration Management; Risk Assessment; Identification and Authentication; Security Assessment; Incident Response; System and Communications Protection; Maintenance; and System and Information Integrity.
Level 3 focuses on reducing the risk from Advanced Persistent Threats, or APTs. This level is for companies working with CUI on the DoD’s highest-priority programs. The DoD is still determining the specific security requirements for level 3. That said, it has indicated that the requirements will consist of NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls, for a total of 130 controls. These 130 controls will align with the same 14 control families as NIST SP 800-171, with the 20 additional controls coming from NIST SP 800-172.
Reach out to Etactics @ [ Link ]