Cybersecurity Maturity Model Certification (CMMC)

Questions and Answers

Which entity within the CMMC ecosystem is primarily responsible for conducting official CMMC assessments?

  • Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)
  • CMMC Third-Party Assessment Organizations (C3PAOs) (correct)
  • Registered Provider Organizations (RPOs)
  • Organizations Seeking Certification (OSCs)

What is the primary role of Registered Practitioners (RPs) within the CMMC ecosystem?

  • Providing advice, consulting, and recommendations to clients on CMMC implementation (correct)
  • Conducting certified CMMC assessments
  • Developing CMMC training materials
  • Certifying CMMC Assessors

Which of the following is a key responsibility of the Office of the Under Secretary of Defense (OUSD) in the context of CMMC?

  • Providing CMMC training to assessors
  • Developing and maintaining cybersecurity standards and best practices for the Defense Industrial Base (correct)
  • Conducting CMMC assessments of defense contractors
  • Overseeing the accreditation of C3PAOs

What is the main purpose of Licensed Training Providers (LTPs) within the CMMC ecosystem?

Answer: To provide training and educational resources to individuals seeking CMMC certifications

Which role within a CMMC assessment team is typically responsible for drafting the final assessment findings?

Answer: The CMMC Lead Assessor

A CMMC Third-Party Assessment Organization (C3PAO) discovers a conflict of interest during an assessment. According to the CMMC-AB Code of Professional Conduct, what is the appropriate course of action?

Answer: Disclose the conflict to all relevant parties and recuse from the assessment if necessary

According to the CMMC-AB Code of Professional Conduct, what is the primary responsibility of a CMMC assessor regarding information obtained during an assessment?

Answer: To maintain strict confidentiality of all sensitive information

In the CMMC-AB Code of Professional Conduct, what does 'respect for intellectual property' primarily entail for a Certified CMMC Professional?

Answer: Properly attributing, and not misusing, copyrighted materials or methods

A CMMC assessor is offered a significant financial incentive by an organization seeking certification to ensure a favorable assessment outcome. What ethical principle is most directly challenged by this scenario?

Answer: Objectivity

Which of the following is a key component of 'professionalism' as defined in the CMMC-AB Code of Professional Conduct?

Answer: Maintaining competence, integrity, and respect in all professional activities

According to DFARS Clause 252.204-7012, what standard must contractors implement to protect Controlled Unclassified Information (CUI)?

Answer: NIST SP 800-171

Which document lists the 15 basic safeguarding requirements that CMMC Level 1 expresses as its 17 practices?

Answer: FAR Clause 52.204-21

What is the primary purpose of the US Department of Justice's Civil Cyber-Fraud Initiative?

Answer: To pursue civil actions (under the False Claims Act) against those who knowingly violate cybersecurity requirements

Which regulation defines Federal Contract Information (FCI)?

Answer: Section 4.1901 of the Federal Acquisition Regulation (FAR)

Which document gives the government authority for identifying and marking Controlled Unclassified Information (CUI)?

Answer: Executive Order 13556

In the context of CMMC, what does the practice numbering scheme indicate?

Answer: The domain, the CMMC level, and the specific practice (for example, PE.L1-3.10.1 is the Physical Protection domain, Level 1, NIST SP 800-171 requirement 3.10.1)

Which CMMC domain covers establishing baseline configurations of systems and managing changes to them?

Answer: Configuration Management (CM)

Which CMMC practice relates to limiting physical access to systems, equipment, and the facility where information systems are housed?

Answer: PE.L1-3.10.1

In CMMC, what does the System and Information Integrity (SI) domain primarily address?

Answer: Protecting against malicious code and remediating system flaws

What are the three assessment methods used for CMMC practices?

Answer: Examine, Interview, and Test

What should an assessor consider when determining if evidence is 'adequate' for a CMMC practice?

Answer: Whether the evidence supports the practice's assessment objectives

During the 'Plan and Prepare Assessment' phase, what is a key responsibility of the CCP in the CMMC Assessment Process?

Answer: Analyzing CMMC practice requirements

Which activity best describes how a CCP supports the Assessment Team during the 'Conduct Assessment' phase?

Answer: Collecting and examining evidence

During which phase of the CMMC Assessment Process does the Lead Assessor submit the assessment report?

Answer: Report Assessment Results

What is the primary purpose of a Plan of Action and Milestones (POA&M) in the CMMC assessment process?

Answer: To provide a roadmap for addressing identified gaps in CMMC compliance

In the context of organizational scoping for CMMC, what is a 'Host Unit'?

Answer: The organizational unit (often a department or division that handles FCI or CUI) that is the subject of the assessment and to which the certification applies

Which of the following is considered an 'out-of-scope' asset in a CMMC assessment?

Answer: A printer used exclusively for printing publicly available documents

What is the definition of Federal Contract Information (FCI) in the context of CMMC scoping?

Answer: Information provided by or generated for the government under a contract, not intended for public release

Which of the following assets would be categorized as a 'Specialized Asset' under CMMC scoping guidelines?

Answer: Internet of Things (IoT) devices used in manufacturing processes

During a CMMC scoping activity, what aspect does the 'People' component primarily refer to?

Answer: The personnel who access or handle FCI/CUI and therefore fall within the assessment scope (including their training and awareness)

According to the lecture, what is a primary task for CMMC professionals during scoping?

Answer: Analyzing the organization environment to generate an appropriate scope for FCI assets

During a CMMC scoping exercise, an organization identifies systems that process, store, or transmit CUI. How should these systems be categorized?

Answer: CUI Assets

When dealing with multiple business units within a large enterprise, what should a CMMC professional consider while scoping to meet CMMC requirements, as emphasized in the lecture?

Answer: Scoping carefully to avoid including unnecessary systems, which would increase cost and complexity

As highlighted in the lecture, what should organizations prioritize during the implementation of CMMC controls when facing resource constraints?

Answer: Controls that have the most significant impact on security and compliance

If a DoD Assessment Methodology "High" assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) finds non-compliance, what consequences might a contractor face, according to the lecture?

Answer: Revocation of contracts, financial penalties, or other corrective actions

What did the lecture recommend as a key action for CMMC implementation based on feedback from assessments?

Answer: Implementing changes and improvements based on collected feedback

According to the instructor, what guidance can trainees take from the CMMC blueprint?

Answer: It is the primary guide to what specifics will be on the exam

Flashcards

OSC

Organization Seeking Certification: the entity that needs to be CMMC certified.

C3PAO

CMMC Third-Party Assessment Organization: accredited by the Cyber AB to conduct certified CMMC assessments.

RPO

Registered Provider Organization: offers CMMC advice, consulting, and recommendations.

RP

Registered Practitioner: provides advice, consulting, and recommendations to clients; does not participate in certified assessments.

Licensed Partner Publisher (LPP)

Organization that develops and distributes CMMC training materials.

Licensed Training Provider (LTP)

Organization offering CMMC training courses.

Provisional Assessor (PA)

Individual authorized to conduct CMMC assessments during the provisional period; the role is being sunset in favor of Certified CMMC Assessors.

Provisional Instructor (PI)

Individual authorized to teach CMMC courses during the provisional period; the role is being sunset in favor of Certified CMMC Instructors.

Certified CMMC Professional (CCP)

Entry-level CMMC certification for ecosystem participants; a passing CCP exam score is a prerequisite for the assessor (CCA) and instructor (CCI) certifications.

Certified CMMC Assessor (CCA)

Individual certified to conduct CMMC assessments.

Certified CMMC Instructor (CCI)

Individual certified to instruct CMMC courses.

Federal Contract Information (FCI)

Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service (FAR 4.1901).

Controlled Unclassified Information (CUI)

Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies (32 CFR 2002.4(h)).

FAR 52.204-21

Basic Safeguarding of Covered Contractor Information Systems: 15 requirements for systems that handle FCI.

DFARS 252.204-7012

Safeguarding Covered Defense Information and Cyber Incident Reporting: requires NIST SP 800-171 and reporting of cyber incidents to DoD within 72 hours of discovery.

CMMC Level 1

Basic safeguarding requirements (17 practices) for contractor information systems that process, store, or transmit FCI.

CMMC

Program designed to enhance the protection of FCI and CUI within the Defense Industrial Base (DIB) by verifying that contractors have implemented the required safeguards.

Scoping

The process of identifying and defining the boundaries of the information systems and assets that process, store, or transmit FCI or CUI.

CUI Assets

Assets that process, store, or transmit CUI.

Security Protection Assets

Assets that provide security functions or capabilities for the assessment scope (for example, firewalls, log collectors, identity providers), whether or not they themselves handle CUI.

Contractor Risk Managed Assets (CRMA)

Assets that can, but are not intended to, process, store, or transmit CUI because of the security policies, procedures, and practices in place; they are documented in the SSP and asset inventory but are not assessed against the practices unless the SSP documentation is found deficient.

Out of Scope Assets

Assets that cannot process, store, or transmit FCI or CUI and do not provide security protection for in-scope assets; they are not documented in the SSP and are not assessed.

Assessment Process

Evaluates whether the scoped systems meet the required CMMC practices.

CMMC Assessment Guide

Provides the assessment objectives, methods, and objects used to evaluate each practice.

C3PAO (CMMC Third-Party Assessment Organization)

Conducts the certification assessment.

Preparation

Ensures the necessary documentation, policies, and procedures are in place before the assessment.

Conducting the assessment

Review documentation (Examine), conduct interviews (Interview), and perform testing (Test).

Scoring and certification

Based on the findings, the assessment team scores each practice as MET, NOT MET, or NOT APPLICABLE, and the certification outcome follows from those results.

Gap Analysis

Analyzes where the organization's practices fall short of the CMMC requirements.

Action plans

Plan to address the gaps identified in the gap analysis.

System Security Plan (SSP)

Formal document that describes the system boundary, the security requirements that apply to it, and the controls in place (or planned) to meet them.

Supplier Performance Risk System (SPRS)

DoD database where contractors submit their NIST SP 800-171 self-assessment (DoD Assessment Methodology) scores.

Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

DCMA organization that conducts DoD Assessment Methodology "High" assessments of contractors, particularly those handling more sensitive CUI.

Variability in DIBCAC Assessments

According to the lecture, one of the major challenges in the CMMC assessment process is variability in how DIBCAC teams conduct assessments: different teams may apply the standards slightly differently, leading to inconsistent outcomes.

Study Notes

  • The exam verifies a candidate’s knowledge of the Cybersecurity Maturity Model Certification (CMMC) and related legal/regulatory requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
  • A passing CCP exam score is a prerequisite for the Certified CMMC Assessor (CCA) and Certified CMMC Instructor (CCI) certifications.
  • The Department of Defense (DOD) is the authoritative source for CMMC documentation.

Intended Audience

  • Employees of Organizations Seeking CMMC Certification (OSC)
  • Information Technology (IT) and Cybersecurity Professionals
  • Regulatory Compliance Officers
  • Legal and Contract Compliance Professionals
  • Management Professionals
  • Cybersecurity and Technology Consultants
  • Federal Employees
  • Candidate CMMC Assessment Team Members

Exam Prerequisites

  • A college degree in a cyber or information technology field, OR
  • 2+ years of related experience or education, OR
  • 2+ years of equivalent experience (including military experience) in a cyber, information technology, or assessment field
  • CompTIA A+ or equivalent knowledge/experience is suggested
  • Completion of a Certified CMMC Professional class offered by a Licensed Training Provider (LTP)
  • Completion of DoD CUI Awareness Training within the three months before the exam

Exam Specifications

  • There will be 170 multiple choice questions
  • The exam will take 3.5 hours
  • A passing score is 500 points
  • This is not an open book exam

Domains

  • CMMC Ecosystem - 5%
  • CMMC-AB Code of Professional Conduct (Ethics) - 5%
  • CMMC Governance and Source Documents - 15%
  • CMMC Model Construct and Implementation Evaluation - 35%
  • CMMC Assessment Process (CAP) - 25%
  • Scoping - 15%

CMMC Ecosystem

  • It is important to identify and compare roles/responsibilities/requirements of authorities across the CMMC Ecosystem.

Authorities

  • Office of the Under Secretary of Defense (OUSD)
  • Sets cybersecurity standards and best practices for the Defense Industrial Base
  • DFARS 252.204-7012 imposes the NIST SP 800-171 requirements; CMMC adds a verification component to them (DFARS 252.204-7021)

CMMC Ecosystem

  • Includes different types of entities
  • Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)

Organizations

  • Organizations Seeking Certification (OSC)
  • An OSC is an entity that needs to be CMMC certified
  • Know the requirements for, and benefits of, OSC involvement in the ecosystem
  • CMMC Third-Party Assessment Organizations (C3PAO)
  • Registered Provider Organizations (RPO)
  • Requirements and Benefits of RPO
  • RPs provide advice, consulting, and recommendations to their clients
  • RPs are implementers and consultants, but do not participate in Certified CMMC Assessments
  • CMMC Assessors and Instructors Certification Organization (CAICO)

Licensed Partner Publishers(LPP)

  • Purpose, requirements, and benefits of LPPs

Licensed Training Providers(LTP)

  • Purpose, requirements, and benefits of LTPs

Provisional Assessors (PA)

  • Purpose, requirements, and benefits of PAs
  • There is a timeline for sunsetting

Provisional Instructors (PI)

  • Purpose, requirements, and benefits of PIs
  • There is a timeline for sunsetting

Certified CMMC Professional (CCP)

  • Purpose, requirements, and benefits of CCPs’ active involvement in the ecosystem
  • There is a Timeline for CCP certification and assessments

Certified CMMC Assessor (CCA)

  • Purpose, requirements, and benefits of CCAs’ active involvement in the ecosystem
  • There is a Timeline for CCA certification and assessments

Certified CMMC Instructor (CCI)

  • Purpose, requirements, and benefits of CCIs’ active involvement in the ecosystem
  • There is a Timeline for CCI certification and assessments

Assessment Team Member

  • CCP and CCA roles on the Assessment Team

CMMC Lead Assessor

  • Lead Assessor role on the Assessment Team
  • There is a timeline for Lead Assessor certification

CMMC-AB Code of Professional Conduct (Ethics)

  • It is important to identify and apply knowledge of the Guiding Principles and Practices of the CMMC-AB Code of Professional Conduct (CoPC)/ISO/IEC/DOD requirements.

Ethical Topics

  • General ethics topics
  • CMMC-AB Code of Professional Conduct (CoPC)
  • ISO/IEC
  • Department of Defense (DoD) requirements
  • Professionalism
  • Objectivity
  • Confidentiality
  • Proper use of methods
  • Information integrity
  • Conflicts of interest
  • Respect for intellectual property
  • Lawful and ethical practices
  • Contracts and non-disclosure agreements

CMMC Governance and Source Documents

  • It is important to demonstrate understanding of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-federal unclassified networks.

DoD Cybersecurity Efforts, Regulations, and Executive Orders

  • Title 32 of the Code of Federal Regulations (CFR), Part 2002 (CUI)
  • Defense Federal Acquisition Regulation Supplement (DFARS), Title 48 of the CFR, Chapter 2
  • DFARS Clause 252.204-7012
  • National Institute of Standards and Technology (NIST) SP 800-171
  • Technical Data (DFARS 252.227-7013)
  • FedRAMP

CMMC Framework Tenets

  • Critical requirements
  • Alignment with widely accepted standards
  • Reliable Assessments
  • Reduced assessment costs
  • Higher accountability
  • Flexible Implementation
  • Collaboration
  • Flexibility and speed

Rulemaking and timeline

  • Incentives, Assessments, and 9–24-month rule making

Levels of CMMC assessments and requirements

  • Foundational/Level 1 (same as CMMC v1.0 Level 1)
  • FAR Clause 52.204-21
  • Provides an overview of the 15 basic safeguarding requirements (expressed as 17 practices at CMMC Level 1) and how they are applied within the Level 1 practices/assessment framework; Level 2 inherits them as part of NIST SP 800-171
  • Advanced/Level 2 (previous level 3)
  • NIST SP 800-171 (Requirements)
  • Provides overview of the 110 NIST SP 800-171 requirements and how they are applied within the CMMC Level 2 practices/assessment framework
  • Self-Assessments vs. Third-Party Assessments
  • Defines different criteria for various assessment type under CMMC v2.0 framework

Consequences of non-compliance

  • Failure to receive an award of contract
  • Contractual liability
  • False Claims Act
  • US Department of Justice
  • Civil Cyber-Fraud Initiative

FCI and CUI

  • It is important to determine the appropriate roles/responsibilities/authority for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
  • Important to have data classification, collection, and analysis
  • Include CUI Basic versus Specified

Sensitive data categories

  • Federal Contract Information (FCI)
  • According to Section 4.1901 of the Federal Acquisition Regulation (FAR)
  • Controlled Unclassified Information (CUI)
  • According to Part 2002 of Title 32 CFR, 2002.4(h)

Government authority for identifying and marking CUI

  • Executive Order 13556
  • 32 Code of Federal Regulations, Part 2002 (Implementing Directive)
  • DoD Instruction 5200.48, Controlled Unclassified Information (CUI)

Contractor responsibilities in handling CUI

  • According to DoDI 5200.48
  • According to Part 2002 of Title 32 CFR

CMMC Source and Supplementary documents

  • Critical to demonstrate understanding

CMMC Source Documents

  • CMMC Model Overview
  • CMMC Level 1 Assessment Guide
  • CMMC Level 2 Assessment Guide
  • CMMC Level 1 Scoping Guidance
  • CMMC Level 2 Scoping Guidance
  • CMMC Assessment Process (CAP)
  • CMMC Glossary
  • CMMC Artifact Hashing Tool User Guide

ISOO CUI Registry

  • NARA administers the CUI Registry and the types of labeled information on documents, such as:
  • Export Controlled (SP-EXPT)
  • Specified marking/labeling using NARA CUI Marking Handbook

DoD CUI Registry

  • Types of labeled information on documents
  • Naval Nuclear Propulsion Information (NNPI)
  • NNPI marking/labeling using DoD CUI Marking Aid

CMMC Model Construct and Implementation Evaluation

  • It is important to apply the appropriate CMMC Source Documents as an aid to evaluate the implementation/review of CMMC practices.
  • At a minimum, CCP candidates are evaluated on the CMMC Level 1 practices during the CCP exam

Model Architecture

  • Model Levels:
  • Cumulative Nature
  • Characteristics
  • Levels required for specific contracts
  • Level 1
  • Level 2

Practices

  • Practices Descriptions
  • Practice Numbering Scheme
  • Objectives
  • Assessment Methods and Objects

Domains

  • Access Control (AC)
  • AC.L1-3.1.1 – Authorized Access Control
  • AC.L1-3.1.2 – Transaction & Function Control
  • AC.L1-3.1.20 – External Connections
  • AC.L1-3.1.22 – Control Public Information
  • Audit & Accountability (AU)
  • Awareness & Training (AT)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • IA.L1-3.5.1 – Identification
  • IA.L1-3.5.2 – Authentication
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • MP.L1-3.8.3 – Media Disposal
  • Personnel Security (PS)
  • Physical Protection (PE)
  • PE.L1-3.10.1 – Limit Physical Access
  • PE.L1-3.10.3 – Escort Visitors
  • PE.L1-3.10.4 – Physical Access Logs
  • PE.L1-3.10.5 – Manage Physical Access
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System & Communications Protection (SC)
  • SC.L1-3.13.1 – Boundary Protection
  • SC.L1-3.13.5 – Public-Access System Separation
  • System & Information Integrity (SI)
  • SI.L1-3.14.1 – Flaw Remediation
  • SI.L1-3.14.2 – Malicious Code Protection
  • SI.L1-3.14.4 – Update Malicious Code Protection
  • SI.L1-3.14.5 – System & File Scanning

CMMC Assessment Criteria and Methodology

  • It is important to apply knowledge to the appropriate CMMC practices.
  • Know the definition of each practice
  • Know the Assessment Objectives
  • Know the Assessment Methods (Examine, Interview, and Test) to use for the practices
  • Know what information to look for in practice discussion
  • Key References and their applicability to the practices:
  • Navigating and using the CMMC Assessment Guide(s) content
  • Determining the assessment method(s) that would be best for gathering sufficient and accurate evidence

Evidence

  • It is important to analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence.
  • Appraise whether the evidence is adequate (it supports the practice's assessment objectives)
  • Measure whether the evidence is sufficient (there is enough of it to conclude the practice is implemented)

CMMC Assessment Process

  • It is important to choose the appropriate roles of the CCP in the CMMC Assessment Process when developing the assessment plan (Phase 1– Plan and Prepare Assessment).
  • Validation criteria of OSC’s assessment evidence
  • Analyzing the CMMC practice requirements
  • What needs to be included in a CMMC Assessment Plan
  • The CMMC Readiness Review Process

CCP and CMMC Assessment Process Requirements

  • It is important to apply the requirements pertaining to the role of the CCP as an assessment team member while conducting a CMMC assessment (Phase 2 – Conduct Assessment).
  • How to assist/support the Assessment Team during an assessment
  • The three possible assessment methods (Examine, Interview, and Test) and scoring evidence successfully for each practice
  • Know communication skills to interview or observe tests/demonstrations for assessment practices
  • How Assessment Team Members rate practices and validate preliminary results
  • How Assessment Team Members assist in the preparation of final findings
  • How to score practices that are on a Plan of Action and Milestone (POA&M)

Assessment Report

  • It is important to demonstrate comprehension of the CCP role in the preparation of this report (Phase 3 – Report Assessment Results).
  • The evidence presented for each practice
  • How Assessment Team Members score practices, validate, and deliver assessment preliminary results
  • How the Assessment Lead drafts and scores the final findings
  • How the final findings and associated information are incorporated into the Assessment Report
  • How the Lead Assessor submits the assessment report, including the review process, submitting to the C3PAO and the OSC
  • How to package and archive the assessment results as a record to support any questions that may be asked later
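The CMMC source documents include an Artifact Hashing Tool User Guide, and the archiving step above depends on being able to prove later that the evidence record was not altered. The following is an added illustration of that idea (hash every artifact, write the hashes to a list, then hash the list so one value attests to the whole archive); it is not the CMMC Artifact Hashing Tool itself, and the manifest format, directory layout and sample artifact files are constructed assumptions for this example.

```python
"""Added illustration of hashing assessment artifacts for an archive record.
Not the CMMC Artifact Hashing Tool; manifest format and layout are assumptions."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(artifact_dir: Path, manifest: Path) -> str:
    """Write one 'sha256  relative/path' line per artifact (sorted so the manifest
    is reproducible) and return the SHA-256 of the manifest itself. The manifest
    must live outside artifact_dir, otherwise it would have to list itself."""
    lines = []
    for path in sorted(artifact_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(artifact_dir).as_posix()
            lines.append(f"{sha256_file(path)}  {rel}")
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return sha256_file(manifest)


def verify_archive(artifact_dir: Path, manifest: Path, manifest_hash: str) -> list[str]:
    """Return a list of problems; an empty list means the archive matches what was
    recorded. The manifest hash is checked first, then every listed file, then
    the directory is swept for files that were added after the record was made."""
    if sha256_file(manifest) != manifest_hash:
        return ["manifest hash mismatch"]
    problems: list[str] = []
    listed: dict[str, str] = {}
    for line in manifest.read_text(encoding="utf-8").splitlines():
        digest, rel = line.split("  ", 1)
        listed[rel] = digest
    for rel, digest in listed.items():
        path = artifact_dir / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {rel}")
    for path in sorted(artifact_dir.rglob("*")):
        rel = path.relative_to(artifact_dir).as_posix()
        if path.is_file() and rel not in listed:
            problems.append(f"unlisted: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: two artifacts verified clean, then one is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        artifacts = root / "artifacts"
        (artifacts / "policies").mkdir(parents=True)
        (artifacts / "policies" / "access-control-policy.txt").write_text(
            "AC.L1-3.1.1: only authorized users may access the system\n")
        (artifacts / "firewall-ruleset.txt").write_text("deny any any\n")
        manifest = root / "artifact-hashes.txt"          # kept outside artifacts/
        manifest_hash = write_manifest(artifacts, manifest)
        before = verify_archive(artifacts, manifest, manifest_hash)
        # Tamper with one artifact after the hashes were recorded.
        (artifacts / "firewall-ruleset.txt").write_text("permit any any\n")
        after = verify_archive(artifacts, manifest, manifest_hash)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The single manifest hash is the value worth recording in the assessment report; anyone holding the artifacts and the manifest can later re-run the verification, and a changed, missing or added file shows up by name.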

POA&M

  • It is important to demonstrate comprehension of the CCP role in the process of evaluating outstanding assessment issues on Plan of Action and Milestones (POA&M) (Phase 4 – Evaluation of Outstanding Assessment POA&M Items).
  • The evaluation of assessment POA&M items
  • DoD Assessment Methodology, POA&M scoring criteria
  • Minimum assessment score
  • Qualifying POA&M items
  • CMMC AG CA.L2-3.12.2, Plan of Action objectives and requirements
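The scoring criteria, minimum score and qualifying-item rules listed above are easier to reason about as code. The block below is an added worked example, not an official DoD or Cyber AB tool: it computes a DoD Assessment Methodology score (start at 110, subtract each NOT MET requirement's point value, with the two partial-credit cases) and applies the Level 2 POA&M eligibility test as given in 32 CFR 170.21 (score at least 80 percent, only 1-point items on the POA&M except SC.L2-3.13.11 with partial credit, and five Level 1 counterparts never on a POA&M). The point values are a constructed subset recalled from the methodology's Annex A; verify them and the rules against the current published text before relying on the output.

```python
"""Added worked example of DoD Assessment Methodology scoring and CMMC Level 2
POA&M eligibility. Not an official tool; point values are a constructed subset."""
from __future__ import annotations

from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 Rev 2 requirements; perfect score is 110
MINIMUM_RATIO = 0.8        # Conditional status needs score/110 >= 0.8, i.e. score >= 88

# Points deducted when a requirement is NOT MET (subset, verify against Annex A).
POINT_VALUES = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.5": 3,
    "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AU.L2-3.3.1": 5, "IA.L2-3.5.3": 5, "SC.L2-3.13.11": 5,
    "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1,
    "SI.L2-3.14.1": 5,
}
# Partial credit: MFA deployed for remote/privileged but not general users, and
# encryption in use but not FIPS-validated, each cost 3 points instead of 5.
PARTIAL_DEDUCTION = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}
# 1-point Level 1 counterparts that still may never be placed on a POA&M.
NEVER_ON_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22",
                 "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}


@dataclass(frozen=True)
class Finding:
    req_id: str
    partial: bool = False   # True when the partial-credit condition applies


def deduction(finding: Finding) -> int:
    """Points lost for one NOT MET requirement."""
    if finding.partial:
        if finding.req_id not in PARTIAL_DEDUCTION:
            raise ValueError(f"{finding.req_id} has no partial-credit rule")
        return PARTIAL_DEDUCTION[finding.req_id]
    return POINT_VALUES[finding.req_id]


def assessment_score(findings: list[Finding]) -> int:
    """Start at 110 and subtract each NOT MET requirement's point value."""
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def poam_problems(findings: list[Finding]) -> list[str]:
    """Reasons the open findings cannot all go on a POA&M; empty means a
    Conditional Level 2 status is possible."""
    problems: list[str] = []
    score = assessment_score(findings)
    if score / TOTAL_REQUIREMENTS < MINIMUM_RATIO:
        problems.append(f"score {score} is below the minimum of 88")
    for f in findings:
        points = deduction(f)
        if f.req_id in NEVER_ON_POAM:
            problems.append(f"{f.req_id} may never be placed on a POA&M")
        elif f.req_id == "SC.L2-3.13.11":
            if points > 3:   # qualifies only at the partial-credit value
                problems.append("SC.L2-3.13.11 qualifies for a POA&M only with partial credit")
        elif points > 1:
            problems.append(f"{f.req_id} is worth {points} points; only 1-point items qualify")
    return problems


def outcome(findings: list[Finding]) -> str:
    """Final: all MET. Conditional: every open item is POA&M-eligible (and must be
    closed out within 180 days). Otherwise no Level 2 status is achieved."""
    if not findings:
        return "Final"
    return "Conditional" if not poam_problems(findings) else "Not achieved"


if __name__ == "__main__":
    open_items = [Finding("SC.L2-3.13.11", partial=True), Finding("AC.L2-3.1.5")]
    print(assessment_score(open_items), outcome(open_items), poam_problems(open_items))
```

The example deliberately makes the two questions a CCP is asked about separate functions: the score is pure arithmetic over point values, while POA&M eligibility is a set of gates on top of it, so a score of 107 can still end in "Not achieved" if the single open item is one that may never sit on a POA&M.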

CMMC Level 2 Assessment

  • Given a scenario, it is important to determine the appropriate phases/steps to assist in preparing, conducting, and reporting on a CMMC Level 2 Assessment.
  • Plan and Prepare Assessments:
  • CMMC CCP must be able to assist in analyzing requirements.
  • CMMC CCP must be able to assist in developing assessment plan.
  • CMMC CCP must be able to assist in verifying readiness to conduct assessment.
  • Conduct Assessment:
  • CMMC CCP must be able to assist in collecting and examining Evidence.
  • CMMC CCP must be able to assist in scoring practices and validating preliminary results.
  • CMMC CCP must be able to assist in generating final assessment results.
  • Report Recommended Assessment Results:
  • CMMC CCP must be able to assist in delivering recommended assessment results.
  • Remediate Outstanding Assessment Issues:
  • Awareness of the CCP’s Role in the POA&M Process

Scoping

  • It is important to understand CMMC High-Level Scoping as described in the CMMC Assessment Process.
  • Define organizational scoping
  • Organization
  • Host Unit
  • Supporting Units

FCI Assets

  • Given a Scenario, analyze the organization environment to generate an appropriate scope for FCI Assets.
  • Define FCI data in the form of Assets that:
  • Process
  • Store
  • Transmit
  • Out-of-Scope Assets
  • Specialized Assets
  • Government Property
  • Internet of Things (IoT)/ Industrial Internet of Things (IIoT)
  • Operational Technology (OT)
  • Restricted Information Systems
  • Test Equipment
  • Scoping Activities
  • People
  • Technology
  • Facilities
  • External Service Providers (ESP)

Introduction

  • Overview of the CMMC ecosystem domain
  • Exam weighting and scoring details
  • Importance of understanding the ecosystem roles and responsibilities

CMMC Ecosystem Overview

  • The CMMC ecosystem refers to all the entities involved in the CMMC marketplace
  • This includes organizations, authorities, and roles that interact to support the implementation and certification of cybersecurity practices in the Defense Industrial Base (DIB)
  • Key authorities within the ecosystem include the Office of the Under Secretary of Defense (OUSD) and the Cyber AB (formerly the CMMC-AB)
  • Key participants in the CMMC ecosystem include Organizations Seeking Certification (OSC), C3PAOs (CMMC Third-Party Assessment Organizations), RPOs (Registered Provider Organizations), assessors, and instructors

Key Authorities in CMMC Ecosystem

  • OUSD oversees the implementation of CMMC policies
  • Cyber AB manages the certification and training of assessors, and the accreditation of C3PAOs

CMMC Certification and Examination Process

  • Exam structure consists of 170 multiple-choice questions with a 3.5-hour time limit to achieve a minimum score of 500 out of 800 to pass the exam
  • The ecosystem domain has a weighting of 5% which is a lower portion on the exam but is still important
  • It is important to memorize the roles and responsibilities within the CMMC ecosystem

Roles Within The CMMC Ecosystems

  • It is important to discuss roles like CMMC Professionals (CCP and CCA), Licensed Partner Publishers (LPP), Licensed Training Providers (LTP), and Provisional Instructors and Assessors
  • Know the certification and training pathways, the requirements for becoming a CCP or CCA, and the process for provisional instructors and assessors

Assessment Processes

  • Lead assessors and team members and the requirements for participating in assessments
  • Differences between assessments for level one and level two practices
  • The role of the CQA (CMMC Quality Assurance Professional) in assessments

Regulations and Compliance

  • Overview of relevant regulations like DFARS clauses and NIST SP 800-171
  • The importance of System Security Plans (SSPs)
  • Overview of the Supplier Performance Risk System (SPRS) and its role in assessments

Challenges and Considerations

  • Discuss common challenges in the CMMC assessment process, focusing on variability in DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessments
  • Evolving nature of requirements and guidelines, and tips for navigating the CMMC ecosystem like the importance of defensible positions and reasonable assessment practices

CMMC and Federal Regulations

  • Federal Contract Information (FCI) does not have a mandatory marking requirement
  • Controlled Unclassified Information (CUI) requires safeguarding or dissemination controls and must be marked according to the CUI marking rules
  • Within the Department of Defense (DoD), DFARS 252.204-7012 uses the term "Covered Defense Information" (CDI) for CUI provided under, or developed in performance of, a DoD contract

Regulating contract information

  • FAR 52.204-21 mandates basic safeguarding requirements for contractor information systems
  • Its 15 requirements align with CMMC Level 1, which expresses them as 17 practices
  • DFARS 252.204-7012 requires the implementation of National Institute of Standards and Technology (NIST) Special Publication 800-171 (Rev 2) to protect CUI
  • DFARS 7012 also requires cyber incident reporting to DoD within 72 hours of discovery
  • For contractor systems not operated on behalf of the government, the security requirements are NIST SP 800-171, and any external cloud service used to store, process, or transmit CUI must meet the FedRAMP Moderate baseline or equivalent; systems operated on behalf of the government must meet the requirements specified in the contract, with cloud services subject to FedRAMP Moderate
  • CMMC consists of multiple levels, with Level 1 focusing on basic cyber hygiene practices (aligned with FAR 52.204-21)
  • The level of CMMC certification required will be specified in the contract
  • Both FAR 52.204-21 and DFARS 252.204-7012 include flow-down clauses, requiring contractors to ensure that their subcontractors also implement the necessary safeguarding requirements

Scoping for CMMC

  • Scoping refers to the process of identifying and defining the boundaries of an information system that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
  • Scoping Considerations
  • Avoid including unnecessary systems in the assessment scope
  • Focus on implementing and maintaining the necessary security controls effectively within that scope

CMMC Assessment Process

  • Once the scope is defined, the assessment process evaluates whether the scoped systems meet the required CMMC security controls
  • The assessment is conducted by a C3PAO (CMMC Third-Party Assessment Organization)
  • The CMMC assessment follows the CMMC Assessment Guide
  • If the organization meets the required standards, they receive a certification for the appropriate CMMC level
  • Necessity of in-person assessments may depend on the nature of the controls being assessed

Subcontractors and Flow-Down Requirements

  • Prime contractors pass down safeguarding requirements to their subcontractors
  • Prime contractors must ensure that subcontractors adhere to the same security standards

Handling Scoping and Assessment

  • Properly scoping environments requires careful planning and a clear understanding of where CUI resides and how it flows across the organization
  • A recurring theme was the need to balance robust security controls with the operational needs of the business
  • Even after receiving CMMC certification, organizations are expected to maintain compliance through continuous monitoring and periodic reassessments
  • Compliance is not a one-time activity but an ongoing process

CMMC Implementation

  • CMMC v1.0 ranged from basic cyber hygiene (Level 1) to advanced and progressive practices (Level 5); CMMC 2.0 consolidates this to three levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert)
  • Practices are aligned with existing cybersecurity standards, principally NIST SP 800-171
  • CMMC 2.0 Level 2 practices map one-to-one to the 110 NIST SP 800-171 requirements; Level 3 adds selected requirements from NIST SP 800-172

Implementing Steps

  • Conduct a gap analysis of organization's cybersecurity practices
  • Develop action plan to address the organization's gap analysis
  • Implement necessary cybersecurity controls across the organization
  • Develop policies, procedures, and evidence of control implementation
  • All staff members need to understand their roles in protecting FCI and CUI
  • Organizations must continuously monitor their systems and processes to ensure that they remain compliant with CMMC standards

Resource Implementation

  • Need to prioritize critical controls that have the most significant impact on security and compliance
  • Manage compliance across the supply chain

Assessments

  • Cloud services can be leveraged to meet CMMC requirements, provided any cloud service that handles CUI meets the FedRAMP Moderate baseline (or equivalent) required by DFARS 252.204-7012
  • C3PAOs are responsible for conducting the assessments that determine whether a contractor meets the necessary CMMC level
  • Thoroughly prepare for the CMMC assessment by conducting internal audits and mock assessments

Supplementary Information

  • Familiarize yourself with the CMMC framework, federal regulations, scoping and assessment processes, and ethical considerations for the exam
  • FAR 52.204-21 and DFARS 252.204-7012 clauses are foundational to understanding the safeguarding requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)
  • Understand how to properly scope a CMMC assessment
  • Understanding how to conduct a gap analysis and develop an action plan to address gaps
