The Cybersecurity Maturity Model Certification (CMMC) is a new framework developed by the US Department of Defense (DoD) that requires formal third-party audits of defense industrial base (DIB) contractor cybersecurity practices. It represents an evolution of DoD efforts to safeguard federal contract information (FCI) and controlled unclassified information (CUI) processed by the DIB. The National Institute of Standards and Technology (NIST) SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides guidelines for the protection of CUI in nonfederal information systems and organizations. CMMC expands upon DFARS 252.204-7012 while adding a third-party audit and certification requirement. The audits are conducted by independent CMMC third-party assessor organizations (C3PAOs) accredited by the Cyber AB (formerly the CMMC Accreditation Body).

The CMMC framework is designed to protect sensitive unclassified information that is shared by DoD and to ensure accountability while minimizing barriers to compliance with DoD requirements. The rulemaking process and timelines can take 9-24 months starting from November 2021.

CMMC 2.0 builds upon the initial CMMC 1.0 framework to dynamically enhance DIB cybersecurity against evolving threats. In November 2021, DoD published an advance notice of proposed rulemaking, disclosing significant changes to the CMMC program designated as CMMC 2.0. Once CMMC 2.0 is codified through rulemaking, DoD will require DIB contractors to adhere to the revised CMMC framework according to requirements set forth in regulation. DoD does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. CMMC requires an evaluation of the contractor's technical security controls, documentation, policies, and processes to ensure security and resiliency. CMMC requirements are subject to change as the framework is being finalized.

CMMC is not applicable directly to cloud services, which is why there is no corresponding certification for a cloud services platform such as Azure. Instead, CMMC is intended to assess a DIB contractor's implementation of the processes and practices associated with achieving a target cybersecurity level. A DIB contractor who provides a cloud-based solution must ensure that the underlying cloud services platform maintains a minimum of FedRAMP Moderate authorization.

CMMC certification will become a prerequisite for DoD contract award. CMMC introduces stronger accountability for the prime contractor to ensure that appropriate security requirements are met across its supply chain. A prime contractor must validate appropriate levels of subcontractor compliance, prior to contract award, to reinforce security across the entire supply chain. CMMC requirements are evolving as the framework is still being finalized.