CMMC 2.0 Level 3 Requirements скачать в хорошем качестве

CMMC 2.0 Level 3 Requirements

A couple of months ago, we published a video on CMMC level 3 requirements. Naturally, that video was awesome. The problem, though, is that CMMC level 3 requirements have since changed quite a bit since that video was published. LINKS: ____________________________________________ https://etactics.com/blog/cmmc-level-... ____________________________________________ You see, way back when our first video was published, CMMC was at version 1 point 2. A couple of months after we published that video, the CMMC Accreditation Body or AB announced a massive shift in the upcoming certification’s requirements with the introduction of version 2 point 0 in November of 2021. Obviously, we waited a few months after 2.0’s release because we didn’t want to have to quickly remake ANOTHER version of this video. Although final rulemaking hasn’t happened yet, it’s been several months since 2.0 came out and we think that now is the appropriate time to redefine CMMC 2.0 level 3 requirements. Before going through the requirements, I need to explain the biggest systematic change that CMMC 2.0 brought forth. CMMC 2.0 condensed 5 levels of certification into 3. In the older versions, CMMC level 3 was where most of the defense industrial base was going to land. Any level beyond level 3 was for the big boys of the DIB…maybe 5 or so contractors would have to achieve level 5. Well, the old level 3 is now level 2…AND level 4 and 5 are now Level 3. I know that sounds confusing so let me break it down so that it’s a little bit easier to understand. Level 3 of CMMC 2.0 is built on the requirements of level 1 and 2. You can’t just skip right to level 3 without first providing that you’ve met every requirement laid out in levels 1 and 2. Level 1 is the foundational level…17 practices…annual self-assessment. Level 2 is the advanced level…110 practices aligned with NIST SP 800-171…triennial third-party assessments for critical national security information and annual self-assessments for select programs. Level 3 is now the Expert level…110+ practices BASED on NIST SP 800-172 and triennial government-led assessments. Under CMMC 2.0 you must pass an assessment conducted by a certified third-party audit organization (C3PAO) at level 2 before you try to pursue CMMC level 3’s requirements. OK, so what are the requirements for CMMC level 3? The most challenging level to achieve will be Level 3, the “Expert” level. This level is for contractors dealing with the CUI in the highest priority programs. Level 3 builds on the preparatory work of the prior two Levels. In short, its main focus is achieving expert CUI confidentiality and integrity by incorporating NIST SP 800-171 Rev 2 plus other protections. We don’t yet know what additional practices will add, but DoD has said that they will come from the Enhanced Security Requirements for Protecting CUI called NIST SP 800-172. Not super helpful…but what about required CMMC level 3 controls? Alright, perhaps there is a better chance that your organization might fall under CMMC Level 3 than you may have originally thought. If you’re in this camp, your team probably has experience with NIST SP 800-171 and hopefully you’re already feeling confident about the implementation and documentation of these controls. As we take a look at the anticipated controls for Level 3, there are two statements that will guide our analysis. The Office of the Under Secretary of Defense for Acquisition & Sustainment said, “Level 3 will incorporate a subset of NIST SP 800-172 requirements”. And Ron Ross from NIST said, “SP 800-172 is in good shape right now and [NIST] has no plan to update it in 2022” From these statements, we can conclude that all Level 3 requirements will come from NIST SP 800-172 and NIST doesn’t plan on adding any new controls to that framework this year. That gives us a potential for 35 additional practices and 98 assessment objectives from NIST SP 800-172. The original CMMC model sourced 15 practices from NIST SP 800-171B, which was still a draft NIST publication at the time. NIST has since finalized SP 800-171B and published it as SP 800-172 with the assessment guide (NIST SP 800-172A) still in draft status. We looked back at the Level 4 and Level 5 practices from 171B in CMMC v1.02 and found those same 15 practices still match the NIST SP 800-172 publication from February 2021. ► Reach out to Etactics @ https://www.etactics.com​ ►Subscribe: https://rb.gy/pso1fq​ to learn more tips and tricks in healthcare, health IT, and cybersecurity. ►Find us on LinkedIn:   / etactics-inc   ►Find us on Facebook:   / ​   #CMMC #CMMC2