Cybersecurity Maturity
Model Certification

What is Cybersecurity Maturity Model Certification?

加强对供应链内联邦合同信息(FCI)和受控非机密信息(CUI)的保护, the U.S. Department of Defense (DoD) is working with DoD stakeholders, university-affiliated research centers, 联邦资助的中心和整个行业来开发网络安全成熟度模型认证(CMMC), 一个衡量国防工业基地(DIB)部门内公司保护FCI和CUI能力的过程. CMMC还增加了认证元素，以验证网络安全要求的实施，认证将需要由认可的第三方(如施耐德唐斯)执行.

CMMC旨在为国防部提供保证，确保DIB承包商能够在与风险相称的水平上充分保护CUI，并考虑在多层供应链中流向分包商的问题. 2020年，CMMC将被纳入RFIs和rfp，并最终成为所有人的强制性.

要了解更多关于潜在成本和您的组织如何准备CMMC的信息，请下载我们的 Cybersecurity Maturity Model Certification (CMMC) Guide. 

The CMMC Model Framework

CMMC模型框架按域在最高级别上将网络安全最佳实践分类.

每个领域都被一组能力和成就进一步细分，以确保每个领域内的网络安全目标得到满足. 公司将进一步验证所需能力的遵从性，通过演示对已映射到五个成熟度级别的实践和过程的遵从性(如下所述). Within this context, 实践将度量实现给定能力需求所需的技术活动, while processes will measure the maturity of a companyâs processes.

CMMC Levels

The CMMC model has five defined levels, each with a set of supporting practices and processes, 从处理基本网络卫生的1级到主动和高级的4级和5级. In parallel, processes range from being performed at Level 1, documented at Level 2 and optimized across the organization at Level 5. To meet a specific CMMC level, 组织必须满足该级别及以下的实践和过程. Levels are described as follows:

• Level 1 Requires an organization to demonstrate basic cyber hygiene. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1, and therefore, 一个CMMC级别1的组织可能具有有限的或不一致的网络安全成熟度. At this level, organizations may be provided with FCI, 哪些信息不打算公开发布，但在开发或交付产品或bwin手机客户端给政府的合同下由政府提供或生成.
• Level 2 Requires an organization to demonstrate intermediate cyber hygiene. At this level, 组织应建立并记录标准操作程序, 指导其网络安全项目实施的政策和战略计划. At Level 2, organizations may be provided with FCI.
• Level 3 要求组织证明良好的网络卫生和有效的NIST SP 800-171 Rev 1安全要求. For process maturity, a 3级组织应充分提供资源并审查与遵守政策和程序有关的活动, and demonstrate management of practice implementation. 需要访问CUI和/或生成CUI的组织应该达到级别3.
• Level 4 and 5 At Levels 4 and 5, an organization has a substantial and proactive cybersecurity program, 有能力调整其保护和维持活动，以应付不断变化的战术, techniques and procedures (TTPs) in use by APTs. For process maturity, 组织应审查和记录活动的有效性，并将任何问题通知高层管理, 以及确保流程实现在整个组织中得到了总体优化.

CMMC Domains

The CMMC model consists of 17 domains, 其中大部分来自FIPS 200安全相关地区和NIST SP 800-171控制家庭. The domains are as follows:

• Access Control (AC)
• Asset Management (AM)
• Audit and Accountability (AA)
• Awareness and Training (AT)
• Configuration Management (CM)
• Identification and Authentication (IDA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Personnel Security (PS)
• Physical Protection (PP)
• Recovery (RE)
• Risk Management (RM)
• Security Assessment (SAS)
• Situational Awareness (SA)
• System and Communications Protections (SCP)
• System and Information Integrity (SII)

CMMC Timeline and Cost

While draft versions of the CMMC are currently available for review, CMMC的最终版本预计要到2020年1月才会发布. CMMC is set to start appearing in RFIs in June 2020, 预计2020年9月它将开始出现在rfp中.

As it relates to price, the FAQ section of the CMMC webpage notes that, the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, 如果你的组织没有获得认证，你可能会被取消参加资格. Given that, 我们期望未来的rfi和rfp将允许主承包商、分包商将合规成本纳入他们的投标.

CMMC Assessments

施耐德唐斯成功完成了认证第三方评估机构(C3PAO)的认证过程，并申请了由国防合同管理机构(DCMA)国防工业基地网络安全评估中心(DIBCAC)执行的CMMC ML-3评估。. 施耐德唐斯是C3PAO候选人，并等待成功的CMMC ML-3评估, 施耐德唐斯将被授权为国防部(DoD)网络安全成熟度模型认证(CMMC)计划提供认证评估.