What are the Three Levels of CMMC?

88 views

Etactics

1 day ago

The Cybersecurity Maturity Model Certification (CMMC) helps to provide structure to protect sensitive government information. In my last video, I spoke more on its practices, standards, and processes that help keep contractors’ information safe, especially those in the public sector. For more information on the history of CMMC and the differences between its past framework and the structure we have today, check out that video. I’ll link it below. But for today, let’s further break down the framework of today’s CMMC 2.0.
This program contains three levels, with the sensitivity of the data handled determining which level of compliance your organization must meet:
* Level 1 (Foundational).
* Level 2 (Advanced).
* Level 3 (Expert).
Level 1 is what you might expect it to be: the basic elements of cybersecurity. This includes annual self-assessments and annual affirmations. By completing these, businesses in the level 1 CMMC 2.0 category can reach certification.
Contractors perform these self-assessments against distinct and clearly stated cybersecurity standards. Note that it is not uncommon for organizations to practice this level in an “as needed” manner as opposed to relying on keeping strict documentation. Businesses and contractors at this level focus on the protection of federal contract information (FCI).
While assessment processes usually revolve around the CMMC-AB’s Certified Third-Party Assessor Organizations (C3PAOs), this isn’t necessary for maturity level 1 organizations. Instead, the basic safeguarding at level 1 must align with the requirements listed in 48 CFR 52.204-21. Anyone who handles “information not intended for public release” must adhere to CMMC level 1 standards. Information provided by the Government under a contract, either to develop or deliver a product or service, falls under this certification.
Having organizations document their processes, so that those documents guide security efforts, is the key to achieving CMMC level 2 maturity. At this level, documentation must exist so that employees can repeat the same processes; doing so leads to CMMC level 2 certification. This progression from level 1 toward level 3 involves advanced cyber hygiene practices.
CMMC 2.0 level 2 is essentially equivalent to CMMC 1.02 level 3. NIST SP 800-171 sets the standard for level 2, which includes all 14 domains as well as 110 security controls of the previous process. However, 20 of the previous level 3 practices and procedures which are unique to CMMC 1.02 are not included.
Level 2 assessment requirements depend on whether the controlled unclassified information (CUI) handled is critical or non-critical to national security. Any organization that handles critical data must meet the level 2 assessment requirements to be compliant, and must pass a higher-level assessment performed by a C3PAO. These organizations must conduct the assessment every 3 years, unlike non-prioritized acquisitions involving non-critical data.
Using the level 3 CMMC model helps to reinforce your organization’s security structure. This level qualifies as good cyber hygiene practice, as it focuses on protecting CUI and reduces a system's exposure to advanced persistent threats (APTs). It does this by having contractors establish, maintain, and resource plans to manage important cybersecurity processes.
These plans might cover topics such as:
* Goals.
* Missions.
* Projects.
* Resourcing.
* Training.
* The involvement of stakeholders.
These plans also cover all of the security requirements listed in NIST SP 800-171, as well as the 20 other processes added for CMMC level 2. Requirements beyond NIST SP 800-171 include DFARS clause 252.204-7012, which helps organizations better report any security incidents. CMMC level 3 applies to contractors and companies that handle CUI, specifically those working on U.S. Department of Defense programs with the highest priority and security clearance. Note that the requirements of level 3 are overall based on SP 800-171’s 110 controls, as well as a subset of NIST SP 800-172.
If you’d like to learn more about CMMC 2.0, reach out to Etactics. And since you already made it this far into the video, you might as well like it, share it, and comment below.
►Reach out to Etactics @ www.etactics.com
►Subscribe: rb.gy/pso1fq to learn more tips and tricks in healthcare, health IT, and cybersecurity.
►Find us on LinkedIn: / etactics-inc
#CUI #ControlledUnclassifiedInformation
