Answers to The MOST COMMON CMMC Level 2 Questions
In a previous video I walked you through all of the CMMC Level 2 requirements as they stand today. Yes…I know that final rulemaking hasn’t occurred yet (I also acknowledged that). However, CMMC is going to cause such a massive shakeup to the defense industrial base that it behooves every DoD contractor to start getting a grasp on everything now so that they aren’t blindsided once it has finally arrived.

Anyway, if you haven’t watched the other video I’m talking about, where I break down the CMMC Level 2 requirements…you should…but only after you watch this one. Beyond the requirements themselves, defense industrial base contractors still have a ton of questions about CMMC Level 2. It would be great if the CMMC-AB could answer all of those questions, but it’s busy finalizing rulemaking. But that’s why I’m here…

LINKS:
https://etactics.com/blog/cmmc-level-...

The first and most common question that contractors ask regarding CMMC Level 2 is, “How much is it going to cost?” Based on the figures the government provided with the guidance, we came up with the following estimates: for Level 2 it’s $18,058, and for Level 3 it’s $371,786 - $482,874. We also referenced some unverified, self-reported assessment quotes discussed on Reddit. These ranged from $30k to $381k for a single (now Level 2) assessment. We believe the government figures for Level 2 may be in line with the smallest possible scopes. But as scopes increase in size and complexity, so will the cost of an assessment.

The next most common question we see asked is, “Who conducts a Level 2 assessment?” CMMC introduced the concept of using C3PAOs to conduct assessments for organizations seeking certification (OSC) at Level 2. The CMMC-AB marketplace lists all authorized C3PAOs who’ve passed a Level 2 certification assessment. C3PAOs employ or contract with certified assessors and certified professionals, who are the individuals authorized to conduct the actual assessments. Only certified assessors can lead an assessment team.

CMMC 2.0 also allows self-assessment, but only depending on how the DoD views the nature of the CUI involved in a contract: more specifically, when that CUI is less critical to national security than the CUI in other, prioritized contracts. The best guidance available may be the statements made by Buddy Dees, the Director of the CMMC Program Management Office at the DoD. During the impromptu November 2021 Town Hall, he discussed the department’s thoughts on bifurcating Level 2 assessments based on risk and criticality of CUI.

The third common question I have for you is, “How is the assessment conducted?” Below is an outline of the CMMC assessment process at a high level.

1. The OSC submits documentation to the assessment team.
2. A kick-off meeting occurs to review scope, schedule and process.
3. Drafting of the Security Assessment Plan, which defines the actual steps to conduct an assessment.
4. This includes proposed tools and review techniques.
5. Drafting of the Rules of Engagement, which define the proposed steps for the assessment.
6. This includes outside testing, interview conduct and inspection requirements.
7. Approval of the Security Assessment Plan and Rules of Engagement.
8. The actual assessment is conducted.
9. An interview with key personnel.
10. Observation of the processes and security controls in action.
11. A security walk-through.
12. Testing systems with the tools defined in the Security Assessment Plan.
13. A review of tool findings with the OSC for interpretation and evaluation, to remove any “false positives” that are externally mitigated.
14. Drafting of the Security Assessment Report.
15. Reviewing the Security Assessment Report with the OSC for final remediation.
16. Finally, the delivery of the certification recommendation with the Security Assessment Report.

The fourth common question we see a lot of is, “Is CMMC ready for me?” CMMC is still in the process of becoming a rule. To reiterate, the DoD estimates rulemaking to happen sometime between July 2022 and December 2023. The rulemaking will make CMMC a requirement within Titles 32 and 48 of the Code of Federal Regulations (CFR).

► Reach out to Etactics @ https://www.etactics.com
► Subscribe: https://rb.gy/pso1fq to learn more tips and tricks in healthcare, health IT, and cybersecurity.
► Find us on LinkedIn: etactics-inc

#CMMC #CMMC2