Department of Defense (DoD) contractors must pass a third-party assessment to be certified under the Cybersecurity Maturity Model Certification (CMMC) 1.0 program. The DoD has published two CMMC assessment guides, which are essential resources for both assessors and contractors when evaluating compliance with the CMMC framework. This blog article is aimed at DoD contractors who need more information as they prepare for a CMMC assessment. It walks through the assessment guides, explains core CMMC concepts and definitions, and offers additional explanation of specific practices. The goal is to help people who are new to cybersecurity requirements understand the CMMC process.
The CMMC program is a certification program designed to improve supply chain security across the defense industrial base (DIB). The DoD intends to eventually require every DIB company to be certified at one of the five CMMC levels, which cover both the technical security practices and the maturity processes defined in the CMMC model.
The DoD's CMMC Assessment Guide – Level 1 and CMMC Assessment Guide – Level 3 are the defining documents for understanding the specifics of CMMC certification. Assessors will use the guides during certification assessments, and contractors can use them to prepare.
What about Level 2? It is treated as a transitional stage. Although it is recognized as a step in progressing from Level 1 to Level 3, it is not expected to be a requirement in DoD contracts. CMMC also defines practices for Levels 4 and 5, but assessment guides for those levels have not yet been published.
Controlled Unclassified Information (CUI), Public Information, and Federal Contract Information (FCI)
What This Means for You: Your CMMC Level Is Determined by Data Type; Public Information Requires No CMMC Certification
Public information does not require any special handling or restrictions, and CMMC does not address it. If your DoD contract involves only public information, you do not need CMMC certification. Public information is data marked "Approved for Public Release" or an equivalent marking, or unmarked information obtained from an uncontrolled, publicly accessible government source.
Assessment and Certification
The Assessment and Certification section is brief, but it covers two important concepts. The first is that the CMMC requirements are meant to apply to all DoD contractors, regardless of their "size, constraints, or complexity." The second is assessment scope. The assessment guide acknowledges the concept but provides no specifics, deferring them to a future revision of the guide. Watch for the scope definition when it is developed and published in later versions of the assessment guides, because determining the scope of the assessment is critical to effective assessment planning.
What This Means for You: Consider the Scope of Your Assessment.
Even though the official definition of CMMC scope is still being developed, you can start with the following activity. Create a network diagram showing where FCI or CUI is processed, transmitted, or stored. This diagram will help determine the scope and boundaries of your network for purposes of the assessment. Document those boundaries, then use them in your discussions with your CMMC assessor. Throughout assessment preparation and execution, refer back to this documentation to determine what is and is not in scope. This process helps ensure that only the necessary locations, systems, and assets are included in the assessment.
Assessment Criteria and Methodology
The Assessment Criteria and Methodology section of the guides describes the assessment criteria that CMMC assessors must follow. It defines the assessment objects (specifications, mechanisms, activities, and individuals) and the assessment methods (examine, interview, and test) that an assessor may use to verify that a practice is implemented.…