In November 2021, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v2.0 of the Cybersecurity Maturity Model Certification (CMMC), a comprehensive framework designed to protect the defense industrial base from increasingly frequent and complex cyberattacks. Version 2.0 simplifies the model by streamlining certification levels from five (5) to three (3), eliminating proprietary maturity layers, and adjusting assessment responsibilities. This post summarizes what’s new in v2.0, including how Prevalent can help simplify the CMMC assessment process.
CMMC is a U.S. federal government certification against cybersecurity and controlled unclassified information (CUI) handling best practices; that certification will eventually determine whether a company can be awarded a contract by the DoD. CMMC aims to ensure that the entire national defense supply chain (the defense industrial base suppliers, or DIBS) is secure and resilient.
All DoD suppliers will eventually be required to be certified at one of three levels, from Level 1 (Foundational) to Level 3 (Expert). This is a change from version 1.0, which featured five certification levels. Version 2.0 certification levels are derived from three sources: the basic safeguarding requirements for Federal Contract Information (FCI) specified in Federal Acquisition Regulation (FAR) Clause 52.204-21; the security requirements for controlled unclassified information (CUI) specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, as required by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012; and additional controls from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.
The table below summarizes CMMC requirements by level, organized by the relevant NIST SP 800-171r2 security control families, as included in the built-in questionnaires in the Prevalent Platform. Information on Level 3 will be released by the US DoD at a later date and will contain a subset of the security requirements specified in NIST SP 800-172.
Control Family | Level 1 | Level 2
---|---|---
Access Control | 3.1.1 Authorized Access Control | 3.1.3 Control CUI Flow
Awareness & Training | N/A | 3.2.1 Role-Based Risk Awareness
Audit & Accountability | N/A | 3.3.1 System Auditing
Configuration Management | N/A | 3.4.1 System Baselining
Identification and Authentication | 3.5.1 Identification | 3.5.3 Multi-factor Authentication
Incident Response | N/A | 3.6.1 Incident Handling
Maintenance | N/A | 3.7.1 Perform Maintenance
Media Protection | 3.8.3 Media Disposal | 3.8.1 Media Protection
Personnel Security | N/A | 3.9.1 Screen Individuals
Physical Protection | 3.10.1 Limit Physical Access | 3.10.2 Monitor Facility
Risk Assessment | N/A | 3.11.1 Risk Assessments
Security Assessment | N/A | 3.12.1 Security Control Assessment
System and Communications Protection | 3.13.1 Boundary Protection | 3.13.2 Security Engineering
System and Information Integrity | 3.14.1 Flaw Remediation | 3.14.3 Security Alerts & Advisories
The Prevalent Third-Party Risk Management Platform has built-in questionnaires for Level 1 and Level 2, enabling suppliers to assess themselves and auditors to assess their clients against each level. When Level 3 certification requirements have been published, Prevalent will add the appropriate questionnaire to the Platform.
C3PAOs can:
Any DoD supplier can conduct a Level 1 or Level 2 self-assessment to:
For more information on how Prevalent helps to secure the DoD supply chain, visit our CMMC compliance page, download our compliance white paper, or request a demo of the Prevalent Platform today.