Everything You Need to Know About CMMC Level 2 Requirements

As if working in the Defense Industrial Base (DIB) wasn’t stressful enough already, the entire ecosystem is in the midst of a massive shake-up. Of course, what I’m referring to is the Cybersecurity Maturity Model Certification (CMMC).


If this is the first time you’ve heard that phrase, I wouldn’t say you’re “in trouble”...you still have a little bit of time to prepare. That preparation window is starting to close, though.

Maybe you’re already familiar with the acronym and heard that the DoD recently pushed out the massive update, CMMC 2.0.

Or, you knew what level your organization needed to pursue in the first version, saw the changes proposed in the second and don’t know where you land anymore.

If the DoD hasn’t finalized CMMC yet, is it even worth putting energy towards figuring it out right now? That’s a great question and the answer is…yes.

Even though CMMC isn’t set in stone yet, it’s going to be a requirement listed on contracts with the DoD. In its first iteration, the DoD planned to place it on its contracts by October 1, 2025.

As it stands now after the introduction of 2.0, the original cutoff date no longer exists. All we know is that final rulemaking could happen between July 2022 and December 2023.

Even without a new date, if the DoD originally gave a 5-year window for its contractors to achieve the certification…it takes a long time to achieve it. Hence why you need to start now.

However, you can’t start your journey towards CMMC without understanding what level you need to achieve.

This is a great place for me to say that Level 3 is now Level 2. If you don’t know what that means, don’t worry…just know that the majority of DIB organizations are going to fall under Level 1 or Level 2.

Before anything else, we need to establish some common ground…which is why I’m going to start with an overview of CMMC 2.0.
The CMMC 2.0 model categorizes contractors and suppliers into levels. Levels change based on the types of information involved in performing the contracts. There are 3 Levels in CMMC 2.0.
Let’s look at the differences.
Under CMMC 2.0, companies will most likely need to hire a certified third-party assessor organization (C3PAO). C3PAOs certify implementation.
Level 1 is for any contractor or supplier who receives Federal Contract Information (FCI). The basic cybersecurity requirements for Level 1 are currently listed in FAR 52.204-21.

Level 2 requirements are for any contractor or supplier who receives or generates Controlled Unclassified Information (CUI). The advanced requirements come from the 110 practices in NIST SP 800-171.
Level 3 will add a subset of expert requirements from NIST SP 800-172. But, it will only be for large integrators who receive or generate CUI deemed most critical to national security. A team of assessors from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will certify the implementation of these expert controls. DoD estimated that as few as 160 companies will fall into this category.

Now that we’re on the same page, let’s talk about what you can expect with CMMC Level 2.

The Level 2 Scoping Guide released in December 2021 is a good starting point.

Identifying the people, facilities and technologies within the scope is a key part of your journey. Doing so ensures that you’re including documentation for all assets that are within scope as you document practices.
There are 110 controls for CMMC Level 2 that come directly from NIST SP 800-171.

However, assessors will evaluate the implementation of these controls using NIST SP 800-171A. That publication contains 320 assessment objectives derived from these 110 controls.

Some objectives refer to specific categories of assets within scope, including…People, Facilities, Equipment, and Processes.
Meanwhile, other objectives cover multiple categories.

Now…let’s talk about practice. CMMC Level 2 practices, that is.
The practices listed in CMMC Level 2 come from NIST SP 800-171 Rev 2, which grouped 110 security controls into 14 domains:
Access Control (AC): 22 practices
Awareness and Training (AT): 3 practices
Audit and Accountability (AU): 9 practices
Configuration Management (CM): 9 practices
Identification and Authentication (IA): 11 practices
Incident Response (IR): 3 practices
Maintenance (MA): 6 practices
Media Protection (MP): 9 practices
Personnel Security (PS): 2 practices
Physical Protection (PE): 6 practices
Risk Assessment (RA): 3 practices
Security Assessment (CA): 4 practices
System and Communications Protection (SC): 16 practices
System and Information Integrity (SI): 7 practices