One Article Review

Source AlienVault Blog
Identifier 1979161
Publication date 2020-10-15 17:08:00 (viewed: 2020-10-15 19:13:24)
Title CMMC compliance explained: what is the Cybersecurity Maturity Model Certification?
Text
With an escalating cybersecurity threat that shows no sign of slowing down, the Department of Defense (DoD) has taken proactive measures in creating the Cybersecurity Maturity Model Certification (CMMC). CMMC will soon be a requirement for any defense contractor or other vendor that is, or wishes to be, working with the DoD.

What is CMMC compliance?

The primary goal of the Cybersecurity Maturity Model Certification is to safeguard what is referred to as Controlled Unclassified Information (CUI) across the DoD supply chain. CUI is information that the government creates or possesses, or that another entity creates or possesses on the government's behalf, and that a law, regulation or government-wide policy requires to be handled with safeguarding or dissemination controls. The interpretation of "information" here is broad: it can include financial, legal, intelligence, infrastructure, export-control and other data. The CMMC framework incorporates processes, practices and approaches for the purpose of standardizing the assessment of a DoD vendor's capabilities.

The requirements for CMMC certification, broken into practices and processes, depend on the level of certification. Each level builds on the requirements of the levels beneath it; for example, a level 3 certification includes the requirements for levels 1 and 2.

Here is a brief description of each certification level:

Level 1 demonstrates "Basic Cyber Hygiene". DoD contractors who wish to pass an audit at this level must implement 17 controls of NIST SP 800-171 Rev 1.

Level 2 demonstrates "Intermediate Cyber Hygiene". Contractors must implement another 48 controls of NIST SP 800-171 Rev 1 plus seven new "Other" controls (72 in total).

Level 3 demonstrates "Good Cyber Hygiene". The final 45 controls of NIST SP 800-171 Rev 1 (all 110 are now covered) plus 13 new "Other" controls must be implemented (130 in total).

Level 4 demonstrates "Proactive" cybersecurity. In addition to the controls in levels 1 through 3, 11 more controls drawn from Draft NIST SP 800-171B plus 15 new "Other" controls must be implemented (156 in total).

Level 5 demonstrates "Advanced / Progressive" cybersecurity. To achieve this highest level, contractors must implement the final four controls from Draft NIST SP 800-171B plus 11 new "Other" controls (171 in total).

To achieve each certification level, contractors and vendors must meet the requirements for the practices and processes associated with that level across 43 capabilities spanning 17 capability domains. The capability domains are as follows:

Access Control (AC)
Asset Management (AM)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Recovery (RE)
Risk Management (RM)
Security Assessment (CA)
Situational Awareness (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)

Who does CMMC directly affect?

Any contractor or vendor doing business with the DoD is affected and will eventually be required to obtain a CMMC certification. The definition of contractor or vendor includes all suppliers across every tier of the supply chain: small businesses, foreign suppliers and commercial item contractors. The certification process is handled by the CMMC Accreditation Body (CMMC-AB), which coordinates directly with the DoD
Tags Threat


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.