Скачать или смотреть What "CMMC Compliant" REALLY Means

CMMC is the abbreviation for the Cybersecurity Maturity Model Certification.

“CMMC compliant” means the Accreditation Body (AB) has certified that your organization meets the cybersecurity practice requirements outlined in Level 1, 2, or 3 of the Cybersecurity Maturity Model Certification 2.0 release.

LINKS:
____________________________________________

https://etactics.com/blog/what-is-cmm...
____________________________________________

At the time of this video, there are no CMMC compliant contractors.
The Department of Defense (DoD) has not yet finalized CMMC 2.0. But, DoD has forecasted rulemaking to occur between July 2022 and December 2023.

In the meantime, it’s not a bad idea to get an introductory understanding of what it means to be “CMMC compliant”. If you plan on doing any business with the DoD, it’s a phrase you’re going to have to get familiar with.

But what does “CMMC compliant” actually mean?

To understand what being CMMC compliant means, you need to first understand the ecosystem.

There are a handful of certified third-party assessor organizations (C3PAOs).

These organizations have completed an evaluation proctored by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Over 190 C3PAOs are waiting for the same DIBCAC evaluation.

As it stands, there aren’t any certified assessors (CAs) or certified CMMC professionals (CCPs). Training for CCP started in October 2021, with 20+ Licensed Training Partners now offering CCP training courses in the CMMC Marketplace. Exams for CCP, which will be a prerequisite for CAs, have been delayed with the release of CMMC 2.0. Not everything in the CMMC landscape is still under development, though. There are over 100 provisional assessors (PAs).

PAs completed training provided by the CMMC-AB so those pilot assessments can launch prior to CMMC rulemaking. The release of CMMC 2.0 has put any new pilot assessments on hold for now.
There are now over 500 registered provider organizations (RPOs).
RPOs paid an application fee and went through a basic business background check. In a nutshell, RPOs are consulting companies that help organizations seeking certification (OSCs) prepare.

There are also over 2,000 registered practitioners (RPs). RPs are the consultants who’ve passed a series of CMMC modules and a basic background check. RPs work for RPOs as well as C3PAOs.

The ecosystem is set up to enable RPs to help with preparation efforts. C3PAOs are the only organizations that can contract with an organization seeking certification to conduct a third-party assessment. C3PAOs can provide consulting services, but not to any OSC they’re also assessing.

Now that we have an idea as to the landscape that exists, let’s talk about the pre-assessment readiness review.

Many contractors will likely complete a pre-assessment readiness review before engaging a C3PAO. The readiness review ensures that the client has identified the required evidence.

This process will also help streamline everything, so it’s a necessary step in the entire process. The contractor can perform the pre-assessment readiness review themselves.

When evaluating compliance with the NIST SP 800-171A controls…which is the underlying framework for Level 2 under CMMC 2.0…compliance must be achieved at the assessment objective level for all scoped items. If all items within scope demonstrate compliance with each assessment objective, then the practice is performed.

The CMMC-AB marketplace lists these service provider organizations. They can also use someone not registered or certified in the CMMC ecosystem.

There’s a lot of value in using someone who has completed the certified programs but it’s not required.

The readiness review involves collecting two forms of evidence for each control. These include documentation, interviews, or testing. You should also have a written description of how the evidence shows adoption.

► Reach out to Etactics @ https://www.etactics.com​
►Subscribe: https://rb.gy/pso1fq​ to learn more tips and tricks in healthcare, health IT, and cybersecurity.
►Find us on LinkedIn:   / etactics-inc  
►Find us on Facebook:   / ​  

#CMMC #CMMC2.0