Cybersecurity Maturity Model Certification

What is Cybersecurity Maturity Model Certification?

To strengthen the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain, the U.S. Department of Defense (DoD) is working with DoD stakeholders, university-affiliated research centers, federally funded research and development centers and industry as a whole to develop the Cybersecurity Maturity Model Certification (CMMC), a process that measures a company's ability to protect FCI and CUI within the Defense Industrial Base (DIB) sector. CMMC also adds a certification element to verify the implementation of cybersecurity requirements; that certification will need to be performed by an accredited third party such as Schneider Downs.

CMMC is intended to give the DoD assurance that DIB contractors can adequately protect CUI at a level commensurate with risk, and that this protection flows down to subcontractors in a multi-tier supply chain. CMMC will be incorporated into RFIs and RFPs in 2020 and will ultimately become a mandatory standard.

To learn more about the potential costs and how your organization can prepare for CMMC, download our Cybersecurity Maturity Model Certification (CMMC) Guide.

The CMMC Model Framework

The CMMC Model Framework categorizes cybersecurity best practices at the highest level by domain.

Each domain is further subdivided into a set of capabilities and achievements that ensure the cybersecurity objectives within that domain are met. Companies will further demonstrate compliance with the required capabilities by showing adherence to practices and processes, which have been mapped to five maturity levels (described below). Within this context, practices measure the technical activities required to satisfy the requirements of a given capability, while processes measure the maturity of a company's processes.

CMMC Levels

The CMMC model has five defined levels, each with a set of supporting practices and processes, ranging from Level 1, which addresses basic cyber hygiene, to Levels 4 and 5, which are proactive and advanced. In parallel, processes range from being performed at Level 1, documented at Level 2 and optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and all levels below it. The levels are described as follows:

  • Level 1 requires an organization to demonstrate basic cyber hygiene. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1, and therefore the cybersecurity maturity of a CMMC Level 1 organization may be limited or inconsistent. At this level, organizations may be provided with FCI, which is information not intended for public release and provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
  • Level 2 requires an organization to demonstrate intermediate cyber hygiene. At this level, organizations are expected to establish and document standard operating procedures, policies and strategic plans that guide the implementation of their cybersecurity program. At Level 2, organizations may be provided with FCI.
  • Level 3 requires an organization to demonstrate good cyber hygiene and effective implementation of the NIST SP 800-171 Rev 1 security requirements. For process maturity, a Level 3 organization is expected to adequately resource and review activities related to adherence to its policies and procedures, and to demonstrate management of practice implementation. Organizations that need to access and/or generate CUI should achieve Level 3.
  • Levels 4 and 5: At Levels 4 and 5, an organization has a substantial and proactive cybersecurity program, with the capability to adapt its protection and sustainment activities to address the changing tactics, techniques and procedures (TTPs) in use by APTs. For process maturity, the organization is expected to review and document the effectiveness of its activities, inform upper management of any issues, and ensure that process implementation is standardized and optimized across the entire organization.

CMMC Domains

The CMMC model consists of 17 domains, most of which originate from the FIPS 200 security-related areas and the NIST SP 800-171 control families. The domains are as follows:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AA)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IDA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PP)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (SAS)
  • Situational Awareness (SA)
  • System and Communications Protections (SCP)
  • System and Information Integrity (SII)

CMMC Timeline and Cost

While draft versions of the CMMC are currently available for review, the final version of CMMC is not expected to be released until January 2020. CMMC is set to start appearing in RFIs in June 2020, and the expectation is that it will start appearing in RFPs in September 2020.

As it relates to price, the FAQ section of the CMMC webpage notes that the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified. Given that, we expect future RFIs and RFPs will allow prime contractors and subcontractors to include the cost of compliance in their bids.

CMMC Assessments

Schneider Downs recently completed the CMMC Third Party Assessment Organization (C3PAO) application process and has applied for a CMMC ML-3 assessment to be performed by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Schneider Downs is a Candidate C3PAO and, pending a successful CMMC ML-3 assessment, will be authorized to provide certification assessments under the DoD's Cybersecurity Maturity Model Certification (CMMC) program.

How Can Schneider Downs Help?

Schneider Downs is a Candidate C3PAO. Our team currently provides CMMC readiness and consulting services as a Registered Provider Organization (RPO). Several members of our team are currently applying for CMMC Certified Assessor status. OSCs should note that, under CMMC-AB standards, a single firm cannot provide both consulting and audit services to the same client. In the meantime, until such requirements are made public, we can help your organization prepare for CMMC by performing an assessment against the NIST 800-171 framework. To learn more about our CMMC services, download our CMMC Service Overview.

For more information, please email Eric Wright.

View our additional IT Risk Advisory services and capabilities

Breached?

Every moment counts. For urgent requests, please call 1-800-993-8937 to reach the Schneider Downs Digital Forensics and Incident Response Team. For all other requests, please complete the form below.
