Cybersecurity Maturity Model Certification (CMMC) Program – Part 3
Cybersecurity Maturity Model Certification (CMMC) 2.0 is a certification framework implemented by the US Department of Defense (DoD) to protect information and intellectual property pertinent to US national security that independent contractors handle in the course of, and for the purpose of, defense procurement.
Depending on the type of information accessed and processed, contractors are required to obtain the relevant certification level, from the three available tiers, as prescribed by the requirements and assessment model for that tier.
Tier 1 (level 1 – foundational) is an annual self-assessment encompassing 17 practices.
Tier 2 (level 2 – advanced) is a triennial third-party assessment for critical national security information, with an annual self-assessment for selected programs.
The scope of assessment at level 2 covers the resources and systems that process, store, or transmit Controlled Unclassified Information (CUI). In addition to the resources covered by level 1, areas such as automation and IoT devices are audited.
Aligned with NIST SP 800-171, compliance with 110 security practices is verified. This encompasses the areas covered in level 1, extended with areas such as backup management, vulnerability scanning, cryptographic key management, and incident management.
Prior to conducting a CMMC assessment, the contractor must specify the CMMC Assessment Scope. The CMMC Assessment Scope informs which assets within the contractor’s environment will be assessed and the details of the assessment. To determine the CMMC Assessment Scope, contractors will map their assets into the following five categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets.
The table below provides an overview of these asset categories, contractor requirements, and assessment implications.