Overview of CMMC 2.0 Cybersecurity Maturity Model Certification

Slide Note
Embed
Share

The CMMC 2.0 introduces a streamlined model with three levels, focusing on protecting controlled unclassified information (CUI) with requirements aligned with NIST standards. Assessments vary for each level, including self-assessments for Level 1 and third-party assessments for Level 2. Government officials will assess Level 3, easing requirements for companies not handling prioritized acquisitions.

shiv
shiv Follow

Uploaded on Jul 14, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Cybersecurity Maturity Model Certification Version 2.0 Overview Briefing March 2022 DISTRIBUTION A. Approved for public release

  2. CMMC 2.0 Overview Briefing Note: The information in this presentation reflects the Department s strategic intent with respect to the CMMC program. The Department will be engaging in rulemaking and internal resourcing as part of implementation, and program details are subject to change during these processes. DISTRIBUTION A. Approved for public release

  3. CMMC 2.0 Model CMMC 2.0 model is streamlined to three versus five levels Eliminates CMMC 1.0 Levels 2 and 4: Developed as transition levels and never intended to be assessed requirements Establishes three progressively sophisticated levels, depending on the type of information: Level 1 (Foundational) for companies with FCI only; information requires protection but is not critical to national security Level 2 (Advanced) for companies with CUI Level 3 (Expert) for the highest priority programs with CUI Requirements will mirror NIST SP 800-171 and NIST SP 800-172 Eliminates all CMMC unique practices and maturity processes: Work with NIST to address identified gaps in the NIST SP 800-171 Aligns Level 2 with NIST SP 800-171 Level 3 will use a subset of NIST SP 800-172 requirements Simplifies the CMMC standard for companies, while safeguarding critical Department information DISTRIBUTION A. Approved for public release

  4. CMMC 2.0 Assessments CMMC Level 1 (Foundational) will require DIB company self-assessments CMMC Level 2 (Advanced) may require third-party or self-assessments, depending on the type of information Requires third-party assessments for prioritized acquisitions: Companies will be responsible for obtaining an assessment and certification prior to contract award Requires self-assessments for other non-prioritized acquisitions: Companies will complete and report a CMMC Level 2 self-assessment and submit senior official affirmations to SPRS CMMC Level 3 (Expert) will be assessed by government officials Eases assessment requirements for companies not handling information related to prioritized acquisitions DISTRIBUTION A. Approved for public release

  5. Allowance of POA&Ms and Waivers CMMC 2.0 will allow limited use of POA&Ms Strictly time-bound: Potentially 180 days; Contracting Officers can use normal contractual remedies to address a DIB contractor s failure to meet their cybersecurity requirements after the defined timeline Limited use: Will not allow POA&Ms for highest-weighted requirements; will establish a minimum score requirement to support certification with POA&Ms Waivers will be allowed on a very limited basis, accompanied by strategies to mitigate CUI risk Only allowed in select mission critical instances: Government program office will submit the waiver request package including justification and risk mitigation strategies Strictly time bound: Timing to be determined on a case-by-case basis; Contracting Officers can use normal contractual remedies to address a DIB contractor s failure to meet their cybersecurity requirements after the defined timeline Will require senior DoD approval to minimize potential misuse of the waiver process Limited use of POA&Ms and waivers could allow the Department and DIB companies flexibility to meet evolving threats and make risk-based decisions DISTRIBUTION A. Approved for public release

  6. Rulemaking Codifying CMMC 2.0 Changes will be released through a interim rule. A 60-day public comment period and concurrent congressional review will be included prior to the rule becoming effective DoD has mandatoryrulemaking obligations for CMMC that must be addressed as part of the CMMC 2.0 implementation Rulemaking under 32 CFR is required to establish the CMMC program Rulemaking under 48 CFR is required to update the contractual requirements in the DFARS to implement the CMMC 2.0 program The DoD is suspending the CMMC Piloting effort and mandatory CMMC certification Timeline to complete all rulemaking requirements will be 9 to 24 months; includes a mandatory 60-day public comment period and concurrent congressional review The DoD will continue to encourage the DIB sector to enhance their cybersecurity posture during the interim period The Department is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC 2.0 Level 2 certification in the interim period Until rulemaking formally implements CMMC 2.0, the DIB s participation in CMMC will be voluntary DISTRIBUTION A. Approved for public release

  7. CMMC 2.0 tailors model and assessment requirements to the type of information being handled Model Assessments 110+ Triennial Gov t-led LEVEL 3 Expert CUI, highest priority programs practices based on NIST SP 800-172 CUI, prioritized acquisitions 110 Triennial Third-Party LEVEL 2 Advanced practices aligned with NIST SP 800-171 CUI, non-prioritized acquisitions Annual LEVEL 1 Foundational 17 Self-Assessment practices FCI, not critical to national security Note: The information in this presentation reflects the Department s strategic intent with respect to the CMMC program. The Department will be engaging in rulemaking and internal resourcing as part of implementation, and program details are subject to change during these processes. DISTRIBUTION A. Approved for public release

  8. Questions? DISTRIBUTION A. Approved for public release

Related


Comprehensive Airport Cybersecurity Quick Guide and Assessment Tool

Comprehensive Airport Cybersecurity Quick Guide and Assessment Tool

emmitt
C2M2 Version 2.1 Cybersecurity Model Overview

C2M2 Version 2.1 Cybersecurity Model Overview

giana
Digital Competency Maturity Model 2.0 for Accounting Firms - Overview and Implementation

Digital Competency Maturity Model 2.0 for Accounting Firms - Overview and Implementation

aman
Leveraging Maturity Models in Accessibility Community Meetings

Leveraging Maturity Models in Accessibility Community Meetings

hollie
Cybersecurity Career Path Overview

Cybersecurity Career Path Overview

rusty
Audit Quality Maturity Model (AQMM) - Overview and Implementation Guidelines

Audit Quality Maturity Model (AQMM) - Overview and Implementation Guidelines

aleia
Ensuring Business Security: Cybersecurity Webinar Insights

Ensuring Business Security: Cybersecurity Webinar Insights

amelia
Stop, Think, and Be Mature: Understanding and Demonstrating Maturity in Personal Skills and Professionalism

Stop, Think, and Be Mature: Understanding and Demonstrating Maturity in Personal Skills and Professionalism

alastair
Understanding SEICMM - Software Engineering Institute Capability Maturity Model

Understanding SEICMM - Software Engineering Institute Capability Maturity Model

sol
Understanding the Capability Maturity Model Integration (CMMI) for Process Improvement

Understanding the Capability Maturity Model Integration (CMMI) for Process Improvement

kahlani
Pursuing Spiritual Maturity: A Journey of Growth in Christ

Pursuing Spiritual Maturity: A Journey of Growth in Christ

evanthe
SUD Life Century Gold - Individual Saving Life Insurance Plan

SUD Life Century Gold - Individual Saving Life Insurance Plan

mariah
Understanding Maturity Indices of Fruits and Vegetables

Understanding Maturity Indices of Fruits and Vegetables

zachariah
Which and How of Cybersecurity Frameworks

Which and How of Cybersecurity Frameworks

castor
Initial Teacher Certification Webinar Overview

Initial Teacher Certification Webinar Overview

minerva
Capability Maturity Model Cascade and Viral Load Testing Stages

Capability Maturity Model Cascade and Viral Load Testing Stages

olympia
Cybersecurity Tabletop Exercise Overview

Cybersecurity Tabletop Exercise Overview

rudi
CYBERSECURITY AWARENESS MONTH 2023

CYBERSECURITY AWARENESS MONTH 2023

ben
Instrument human capital cybersecurity mkb bedrijven

Instrument human capital cybersecurity mkb bedrijven

myron
Cybersecurity Industry Call for Innovation (CyberCall)

Cybersecurity Industry Call for Innovation (CyberCall)

nomi
REWIRE Cybersecurity Skills Alliance

REWIRE Cybersecurity Skills Alliance

eabha
Cybersecurity and Supply Chain Risk Management: Best Practices for Procurement

Cybersecurity and Supply Chain Risk Management: Best Practices for Procurement

yousef
Empowering NNSA Cyber Professionals Through Enterprise Tools and Data Analytics

Empowering NNSA Cyber Professionals Through Enterprise Tools and Data Analytics

bloom
Adversarial Machine Learning in Cybersecurity: Challenges and Defenses

Adversarial Machine Learning in Cybersecurity: Challenges and Defenses

thirza

More Related Content

Challenges in Cybersecurity Implementation: A Philippine Perspective
Challenges in Cybersecurity Implementation: A Philippine Perspective
Cybersecurity Risk Management in K-12 Education: Challenges and Strategies
Cybersecurity Risk Management in K-12 Education: Challenges and Strategies
Empowering Women in Cyber: CyberFirst Girls Competition
Empowering Women in Cyber: CyberFirst Girls Competition
Cybersecurity Expert Shiva V. Parasram - Profile and Advice
Cybersecurity Expert Shiva V. Parasram - Profile and Advice
Cybersecurity Risks for Remote CISTAR Facilities Study
Cybersecurity Risks for Remote CISTAR Facilities Study
Exploring Adversarial Machine Learning in Cybersecurity
Exploring Adversarial Machine Learning in Cybersecurity
Enhancing California's Election Cybersecurity Readiness
Enhancing California's Election Cybersecurity Readiness
Cybersecurity Entrepreneurship Workshop Highlights
Cybersecurity Entrepreneurship Workshop Highlights
Understanding Manufacturing Readiness Levels (MRLs) in Defense Technology
Understanding Manufacturing Readiness Levels (MRLs) in Defense Technology
Accelerating Additive Manufacturing Certification with Model-Based Tools
Accelerating Additive Manufacturing Certification with Model-Based Tools
MTM Certification Process
MTM Certification Process
Transforming Buildings with EDGE Certification
Transforming Buildings with EDGE Certification
New York Peer Specialist Certification Board Updates and Certification Levels
New York Peer Specialist Certification Board Updates and Certification Levels
GovTech Maturity Index Trends in Digital Governance
GovTech Maturity Index Trends in Digital Governance
Managing Product Life Cycle: Growth, Maturity, Decline Stages
Managing Product Life Cycle: Growth, Maturity, Decline Stages
Understanding Puberty and Religious Obligations After Maturity
Understanding Puberty and Religious Obligations After Maturity
Understanding Manufacturing Readiness Levels (MRLs) in Defense Acquisition
Understanding Manufacturing Readiness Levels (MRLs) in Defense Acquisition
Enhance Software Security with SAMM 2.0 Dashboard
Enhance Software Security with SAMM 2.0 Dashboard
Understanding Zero-Coupon Bonds
Understanding Zero-Coupon Bonds
Understanding Data Governance and Data Analytics in Information Management
Understanding Data Governance and Data Analytics in Information Management
Product Life Cycle Stages and Examples
Product Life Cycle Stages and Examples
WISEstaff Data Collection and Certification Process Overview
WISEstaff Data Collection and Certification Process Overview
Teacher Certification and Evaluation Program Phases Overview
Teacher Certification and Evaluation Program Phases Overview
New Jersey Educator Certification System Training Overview
New Jersey Educator Certification System Training Overview