To receive certification under the Cybersecurity Maturity Model Certification (CMMC) program, Department of Defense (DoD) contractors must successfully complete a third-party assessment. The DoD has released two CMMC assessment guides, the fundamental tools for both assessors and contractors to evaluate adherence to the CMMC framework. This blog post is intended for DoD contractors looking for additional clarification as they prepare for a CMMC assessment. It will walk you through the assessment guides, provide basic CMMC concepts and definitions, and introduce alternate descriptions of some practices. The goal is to help those unfamiliar with cybersecurity standards to better understand the CMMC practices and processes.
CMMC is a certification program to improve supply-chain security in the defense industrial base (DIB). Eventually, the DoD will require that all DIB companies be certified at one of the five CMMC levels, which include both technical security controls and maturity processes laid out in the Cybersecurity Maturity Model framework.
CMMC Assessment Guide – Level 1 and CMMC Assessment Guide – Level 3, released by the DoD in November 2020, are the defining documents for learning the details of CMMC certification. Assessors will use the guides during the certification process, and contractors can use them to prepare for it.
What happened to Level 2? It’s considered a transitional level. Though it’s recognized as a milestone for progress from Level 1 to Level 3, it’s not expected to be a requirement in DoD contracts. CMMC also defines requirements for Levels 4 and 5, but those assessment guides haven’t been published yet.
So, what level are you required to achieve? It all depends on what type of data your DoD contract requires you to use.
[Figure: Public Information, Federal Contract Information, Controlled Unclassified Information]
What This Means for You: Data Types Determine CMMC Level
Public Information – No CMMC Certification Required
Public information requires no special handling or controls, and CMMC doesn’t address it. If you work with
The post How to Use the CMMC Assessment Guides appeared first on Carnegie Mellon University's Software Engineering Institute Blog.