CCP Lesson 3 Flashcards
Maturity Model
A model that assesses how institutionalized critical practices and processes are in an organization and helps determine what capabilities they need in order to continue to improve their performance.
Domain
A grouping of like practices based on the 14 control families set forth in NIST SP 800-171
Practice
An activity or set of activities that are performed to meet the defined CMMC objectives
Assessment Objective (AO)
Identifies the specific set of objectives that must be met to receive MET for the practice as defined in NIST SP 800-171A
Self-assessment
Assessing your organization’s compliance to the practice requirements
Self-attestation
Making an official declaration that something complies with regulations without independent substantiating evidence
Maturity Model
Measures how well you perform a checklist practice consistently
Cybersecurity Maturity Model Certification (CMMC) Model 2.0
Identifies 3 levels of practices that lead to increasingly stronger cyber hygiene
Cybersecurity Maturity Model Certification (CMMC) Taxonomy
Cybersecurity Maturity Model Certification Model –> Domains –> Practices –> Assessment Objectives
Cybersecurity Maturity Model Certification (CMMC) Domains
14 Domains:
Access Control
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communication Protection
System and Information Integrity
Cybersecurity Maturity Model Certification (CMMC) Practice
One or more activities that an organization regularly performs, demonstrating a particular cybersecurity capability
Cybersecurity Maturity Model Certification (CMMC) Practice Numbering System
Practice numbers indicate:
Domain
Level
Requirement number
Example: AC.L1-3.1.1
Access Control (AC) Domain
Manage who accesses your network and systems
Level 1 - 4 practices
Level 2 - 22 practices
Audit and Accountability (AU) Domain
Create logs and review them frequently
Level 1 - 0 practices
Level 2 - 9 practices
Awareness and Training (AT) Domain
Ensure your people are trained appropriately
Level 1 - 0 practices
Level 2 - 3 practices
Configuration Management (CM) Domain
Ensure baselines and other configurations are kept up to date
Level 1 - 0 practices
Level 2 - 9 practices
Identification and Authentication (IA) Domain
Know who is requesting access and authenticate appropriately
Level 1 - 2 practices
Level 2 - 11 practices
Incident Response (IR) Domain
Be able to recover once an incident occurs
Level 1 - 0 practices
Level 2 - 3 practices
Maintenance (MA) Domain
Keep your systems up to date and patched
Level 1 - 0 practices
Level 2 - 6 practices
Media Protection (MP) Domain
Ensure mobile media is protected against theft or loss
Level 1 - 1 practice
Level 2 - 9 practices
Personnel Security (PP) Domain
Manage risks to your environment by insiders
Level 1 - 0 practices
Level 2 - 2 practices
Physical Protection (PE) Domain
Employ physical protection mechanisms to prevent access to physical devices
Level 1 - 4 practices
Level 2 - 6 practices
Risk Assessment (RA) Domain
Have a process for identifying and managing enterprise risk
Level 1 - 0 practices
Level 2 - 3 practices
Security Assessment (CA) Domain
Independently verify your security posture
Level 1 - 0 practices
Level 2 - 4 practices
System and Communications Protection (SC) Domain
Manage security tools and processes related to system security
Level 1 - 2 practices
Level 2 - 16 practices
System and Information Integrity (SI) Domain
Monitor and protect the information system against malicious content
Level 1 - 4 practices
Level 2 - 7 practices
Cybersecurity Maturity Model Certification (CMMC) Documentation
Cybersecurity Maturity Model Certification (CMMC) Model Overview
Cybersecurity Maturity Model Certification (CMMC) Model Overview
Model framework and background for the creation of the Cybersecurity Maturity Model Certification (CMMC) Model
Cybersecurity Maturity Model Certification (CMMC) Self-Assessment Guide Level 1
Assessment criteria and methodology used by an Organization Seeking Certification (OSC) to conduct a self-assessment
Cybersecurity Maturity Model Certification (CMMC) Assessment Guide Level 2
Assessment criteria and methodology used by Certified Cybersecurity Maturity Model Certification (CMMC) Assessors (CCA)
Cybersecurity Maturity Model Certification (CMMC) Self-Assessment Scope Level 1
Used by contractors to specify which assets in the environment are in scope prior to self-assessment
Cybersecurity Maturity Model Certification (CMMC) Assessment Scope Level 2
Used by Certified Cybersecurity Maturity Model Certification (CMMC) Professionals (CCPs) and Certified CMMC Assessors (CCAs) to identify assets in the Assessment Scope
Cybersecurity Maturity Model Certification (CMMC) Glossary and Acronyms
Definitions and terms used in the Cybersecurity Maturity Model Certification (CMMC) Model
Cybersecurity Maturity Model Certification (CMMC) Artifact Hashing Tool User Guide
Guidance on creating a cryptographic reference or hash for assessment artifacts to ensure artifact integrity
Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP)
Definitive source for conducting Cybersecurity Maturity Model Certification (CMMC) Assessments. Details critical activities that need to be performed during an assessment
Key Aspects of the Cybersecurity Maturity Model Certification (CMMC) 2.0 Framework
Streamlined Model
Reliable Assessments
Flexible Implementation
Project Spectrum
A platform to help the Defense Industrial Base (DIB) assess and build its cybersecurity capabilities
Cybersecurity Maturity Model Certification (CMMC) Self-Assessments
Level 1 and a small subset of Level 2
For Organizations Seeking Certification (OSCs) who handle Federal Contract Information (FCI) only
Conducted annually
Senior company official required to sign off
Cybersecurity Maturity Model Certification (CMMC) Third-Party Assessments
Level 2
For Organizations Seeking Certification (OSCs) who handle Controlled Unclassified Information (CUI) critical to national security
The CMMC Third-Party Assessor Organization (C3PAO) assesses the OSC's compliance with cybersecurity practices and provides an assessment to the DoD
Conducted triennially (every 3 years)
Supplier Performance Risk System (SPRS)
Where self-assessment scores and affirmations are posted
Independent Third-Party Assessment Benefits
Consistency among assessors
Impartial
Experienced and trained
Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD A&S)
Owner of the Cybersecurity Maturity Model Certification (CMMC) Model and Assessment Guides
Cyber Accreditation Body (AB)
Non-profit organization that operationalizes Cybersecurity Maturity Model Certification (CMMC) assessments and training
CMMC Assessors and Instructors Certification Organization (CAICO)
Future organization designed to be authorized to certify Cybersecurity Maturity Model Certification (CMMC) assessors and instructors
Organizations Under the Authority of The Cyber Accreditation Body (AB)
CMMC Third-Party Assessment Organization (C3PAO)
Registered Practitioner Organization (RPO)
Organization Seeking Certification (OSC)
CMMC Third-Party Assessment Organization (C3PAO)
Authorized to manage the Assessment process for an Organization Seeking Certification (OSC)
Certified to provide consultative advice to an OSC
Registered Practitioner Organization (RPO)
Organization authorized to provide recommendations and consulting advice about Cybersecurity Maturity Model Certification (CMMC) Assessments
Do not conduct Certified CMMC Assessments
Organization Seeking Certification (OSC)
Organization going through Cybersecurity Maturity Model Certification (CMMC) Assessment process
Organizations Under the Authority of the CMMC Assessors and Instructors Certification Organization (CAICO)
Licensed Partner Publisher (LPP)
Licensed Training Provider (LTP)
Licensed Partner Publisher (LPP)
Purpose is to create accredited content for use by Licensed Training Providers (LTPs)
Licensed Training Provider (LTP)
Purpose is to conduct Certified Cybersecurity Maturity Model Certification (CMMC) classes using Licensed Partner Publisher (LPP) curricula
Organizations Seeking Certification (OSC) Roles and Responsibilities
Identify Cybersecurity Maturity Model Certification (CMMC) Level
Self-assess Level 1 compliance
Seek CMMC Third-Party Assessment Organizations (C3PAO) to conduct level 2 assessments
CMMC Third-Party Assessment Organizations (C3PAO) Roles and Responsibilities
Conduct Cybersecurity Maturity Model Certification (CMMC) assessments
Have a CMMC Certified Assessor on staff
Registered Practitioner Organizations (RPO) Roles and Responsibilities
Provide non-certified consultative services to help the Organization Seeking Certification (OSC)
Licensed Partner Publishers (LPP) Roles and Responsibilities
Create Cybersecurity Maturity Model Certification (CMMC) training curricula based on exam objectives
Licensed Training Providers (LTP) Roles and Responsibilities
Provide infrastructure to deliver Cybersecurity Maturity Model Certification (CMMC) training to students
Use approved curricula from Licensed Partner Publishers (LPP)
CMMC Assessors and Instructors Certification Organization (CAICO) Individuals - Assessment
Certified CMMC Professionals (CCP)
Certified CMMC Assessor (CCA)
Assessment Team Members
Lead Assessors
Certified CMMC Professionals (CCP)
Individuals credentialed as understanding the requirements of Cybersecurity Maturity Model Certification (CMMC) for a DoD supplier
Certified CMMC Assessor (CCA)
Individuals certified to assess all practices on Cybersecurity Maturity Model Certification (CMMC) Level 2 Assessments
Assessment Team Members
Individuals working under the leadership of a Lead Assessor
Lead Assessors
Individual who oversees and manages a discrete Cybersecurity Maturity Model Certification (CMMC) Assessment Team
Certified CMMC Instructors (CCI)
Authorized to train Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA)
Registered Practitioners (RP)
Deliver a non-advisory service informed by basic training on the Cybersecurity Maturity Model Certification (CMMC) standard
Provisional Assessors (PA)
Provisionally trained to conduct Assessments at Level 2, during the interim period
Provisional Instructors (PI)
Purpose is to establish a cadre of assessors for the Cybersecurity Maturity Model Certification (CMMC) ecosystem during the interim period
Cybersecurity Maturity Model Certification (CMMC) Marketplace
Centralized access point for Organizations Seeking Certification (OSCs)
Phases of a Third-Party Assessment
Plan for coordination and exchange of artifacts
Conduct on-site assessment
Report assessment findings
Level 2 assessment roles and responsibilities - CMMC Third-Party Assessment Organizations (C3PAO)
Contract with members of the Defense Industrial Base (DIB)
Perform initial quality checks on assessment reports
Level 2 assessment roles and responsibilities - Lead Assessor
Lead Cybersecurity Maturity Model Certification (CMMC) Assessment
Task CMMC Certified Professionals (CCPs) and CMMC Certified Assessors (CCAs)
Communicate with the Organization Seeking Certification (OSC) and the CMMC Third-Party Assessment Organization (C3PAO)
Cybersecurity Compliance Requirements Under the Cybersecurity Maturity Model Certification (CMMC) 2.0 Foundational Level 1
Self-assessment
Cybersecurity Compliance Requirements Under the Cybersecurity Maturity Model Certification (CMMC) 2.0 Advanced Level 2
Third-party assessment for contractors with critical national security information
Self-assessment for contractors that do not have information critical to national security
Cybersecurity Compliance Requirements Under the Cybersecurity Maturity Model Certification (CMMC) 2.0 Expert Level 3
Government-led assessment
Self-Assessment Under Cybersecurity Maturity Model Certification (CMMC) 2.0
Required for Level 1 practices
Conducted annually
Reported to the Supplier Performance Risk System (SPRS)
Consequences of Non-Compliance with Self-Assessment
Failure to receive award
Contractual Liability
Prosecution under the False Claims Act
Christian Doctrine
States that mandatory procurement clauses are inherent in all federal contracts
False Claims Act
Used to penalize contractors who are not in compliance with cybersecurity regulations
Civil Cyber-Fraud Initiative
Utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors