Cooey Wiki - User contributions [en]

SPA Objectives - Password Manager

2025-09-10T14:47:01Z

Uncouth: /* Assessment Objectives to Assess */

== When is a Password Manager an SPA? ==
When a password manager is organizationally managed or provisioned for use within the scope of the CUI information system then the password manager should be scoped as an SPA.

When users choose to use a password manager (such as one built-in to their browser on their in-scope computers), then these are not considered an SPA, since the protection of the password is the responsibility of the user, not the organization.

== Assessment Objectives to Assess ==
IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS [a, b]

* Password manager will need to securely store the passwords [a] and securely transmit them [b].

PS.L2-3.9.2 – PERSONNEL ACTIONS [a,b]

* Ensuring that access to passwords that grant access to sensitive information are protected during and after personnel actions is likely to be a component of the evidence for [a] and [b] but will not be the only evidence for these AOs.

SC.L2-3.13.10 - KEY MANAGEMENT [b]

* May be used to manage cryptographic keys if password manager provides said functionality.

== Assessment Objectives that won't likely be Assessed ==
IA.L2-3.5.7 – PASSWORD COMPLEXITY [c, d]

* Password complexity is typically enforced on the system containing CUI or its identity provider, not the password manager.

IA.L2-3.5.8 – PASSWORD REUSE [b]

* Password reuse is typically enforced on the system containing CUI or its identity provider, not the password manager.

IA.L2-3.5.9 – TEMPORARY PASSWORDS [a]

* Temporary passwords are typically enforced on the system containing CUI or its identity provider, not the password manager.

48 CFR Parts 204, 212, 217, and 252 Proposed Rule

2025-03-21T12:52:45Z

Uncouth: drafty mcdraftface

DRAFT. Review! I think this should also include an assumed rollout schedule, phase 1 likely beginning around Jun 2025. What contracts are affected, what types of assessments are available vs. required, etc.

The 48 CFR Parts 204, 212, 217 and 252 are part of a '''proposed rule that will be added to the Defense Federal Acquisition Regulation Supplement (DFARS)'''. The DFARS contains the regulations for how the DoD purchases goods and services. This proposed rule outlines how CMMC requirements will be integrated into DoD contracts. This is often referred to as the '''48 CFR CMMC rule''' because the DFARS is part of Title 48 of the Code of Federal Regulations (CFR).

Key aspects of this proposed rule:

* '''Integrating CMMC into Contracts:''' This rule will enable the DoD to '''specify a required CMMC level in its contracts and solicitations (requests for bids)'''. Consequently, if a contract mandates a particular CMMC level, a company will likely need to achieve that level to be eligible for the contract award.
* '''Pre-Award Requirements:''' If a contract includes a CMMC requirement, the company bidding on the contract will generally need to have their '''CMMC status (either a formal certification or a self-assessment) confirmed in the Supplier Performance Risk System (SPRS)''' before the contract can be awarded. They will also be required to affirm their continuous compliance with these security requirements in SPRS. This is generally required '''at the time of award'''.
* '''Different CMMC Levels:''' The '''specific CMMC level required for a contract will be clearly stated in the contract and related solicitation documents'''.
* '''Handling Sensitive Information:''' The CMMC requirements apply to '''information systems that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) during the performance of the contract'''. '''CUI is government information that requires protection'''.
* '''Responsibilities Post-Contract Award:''' Companies that are awarded contracts with CMMC requirements will need to '''maintain their required CMMC level for the entire duration of the contract'''. They are also obligated to notify the DoD of any lapses in their information security or changes in their CMMC status. Furthermore, they must complete an affirmation of continuous compliance in SPRS on an annual basis or when their CMMC compliance status changes. They should only transmit data on information systems that have the required CMMC level.
* '''Subcontractor Compliance:''' If a prime contractor (the main company with the DoD contract) engages subcontractors who will handle FCI or CUI, those '''subcontractors will also be required to meet appropriate CMMC levels'''. The prime contractor is responsible for ensuring that their subcontractors comply with the necessary CMMC requirements before awarding a subcontract. The required CMMC level for subcontractors will depend on the sensitivity of the information being shared with them.
* '''Exemption for Basic Commercial Items:''' Generally, contracts that are '''solely for the acquisition of Commercially Available Off-the-Shelf (COTS) items are excluded from CMMC requirements'''. The term "exclusively COTS" refers to awards solely for items that fall within the definition provided in the Federal Acquisition Regulation (FAR) at 2.101.
* '''Implementation Timeline:''' CMMC requirements will be implemented through a '''phased rollout over a three-year period'''. Initially, CMMC requirements will be included in specific contracts as directed by the CMMC Program Office. After the three-year phase-in, CMMC will apply more broadly to all relevant DoD solicitations and contracts valued above the micro-purchase threshold.
* '''Verification System:''' The '''Supplier Performance Risk System (SPRS)''' will serve as the system used by the DoD to '''verify a contractor's CMMC status'''. Contractors will be required to post the results of their CMMC self-assessments and, for Level 2 and 3, their certificates into this system. Apparently successful offerors will also need to provide DoD Unique Identifiers (UIDs) issued by SPRS for their information systems that will handle FCI or CUI. Contracting officers will use SPRS to verify the contractor's CMMC level and affirmation of continuous compliance prior to award, option exercise, or extension of performance.
* '''Relationship with Other Cybersecurity Requirements:''' CMMC assessments are '''not intended to duplicate efforts from other comparable DoD assessments''', except in rare circumstances. The rule clarifies that '''DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and 252.204-7021 (CMMC Compliance) have distinct purposes and are not duplicative'''. Clause 252.204-7012 imposes cybersecurity requirements, while clause 252.204-7021 requires an assessment of how well a contractor is meeting those requirements.

Self-Assessment and Certification

2025-03-05T01:04:26Z

Uncouth: re-worded a bunch in sections 1-3, section 4 and beyond should still be looked at

In the Cybersecurity Maturity Model Certification (CMMC) framework, self-assessments and third-party certifications are two key mechanisms that organizations use to demonstrate compliance with cybersecurity requirements set by the Department of Defense (DoD). These mechanisms are designed to ensure that contractors handling Controlled Unclassified Information ([[CUI]]) and Federal Contract Information ([[FCI]]) have adequate cybersecurity measures in place.

=== 1. CMMC Overview: ===

The CMMC framework is a tiered certification model intended to assess the cybersecurity maturity of contractors and suppliers within the Defense Industrial Base ([[DIB]]). It is divided into three levels of increasing cybersecurity rigor, from basic cyber hygiene at Level 1 to advanced protection measures at Level 3. The CMMC ensures that contractors meet specific security standards, particularly those outlined in [[NIST 800-171]] and enhanced security practices beyond that.

=== 2. Self-Assessments in CMMC:===

At lower CMMC levels, specifically for Level 1 and in some cases Level 2, companies are allowed to conduct self-assessments of their cybersecurity practices and controls. Here’s how it works:

'''Level 1 Self-Assessments:'''

* Level 1 focuses on basic cyber hygiene, covering 17 controls designed to protect Federal Contract Information (FCI), such as using antivirus software, implementing access controls, and protecting communications.

* Self-assessment is allowed for Level 1 contractors. These companies are not required to undergo a third-party audit but must:
** Complete a self-assessment based on the specified practices.
** Submit their score (from the self-assessment) to the Supplier Performance Risk System ([[SPRS]]), a DoD-managed system.
** Reassess and resubmit their status annually.

=== 3. Third-Party Certification in CMMC: ===

For Level 2 and above, third-party assessments are required to validate compliance. Certification levels vary depending on the sensitivity of the information being protected:

'''CMMC Level 2:'''

* Level 2 represents a transition between basic and more advanced cybersecurity practices, containing 110 requirements from NIST SP 800-171 rev2.

* For contractors handling CUI, third-party certification from a C3PAO (Certified Third-Party Assessor Organization) is required, although during the phased rollout some self-assessments will be allowed.
* When third-party certification is mandatory, the [[CMMC-AB]] / The Cyber AB (CMMC Accreditation Body) oversees this process.
* Certification at this levels is valid for up to three years before re-certification is needed (unless a significant change happens in the environment, in which case, re-certification would be required).

'''CMMC Level 3:'''

* Level 3 involves increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs). 24 additional requirements from NIST SP 800-172 are included in Level 3.

* DIBCAC performs assessments of the 24 requirements in Level 3 after completion of a C3PAO Level 2 assessment.

* Certification at this levels is valid for up to three years before re-certification is needed (unless a significant change happens in the environment, in which case, re-certification would be required).

=== 4. Steps in the Certification Process:===

For companies required to undergo third-party certification, the following steps are typically involved:

'''1. Preparation:'''

* Companies conduct a gap analysis to determine where their current cybersecurity posture aligns with the CMMC level they are aiming to achieve.

* Many contractors hire consultants or use tools to help them prepare for the formal assessment by ensuring that their processes and systems meet the necessary standards.

'''2. Assessment by C3PAO:'''

* Certified Third-Party Assessor Organizations (C3PAOs) are accredited by the The Cyber AB to conduct assessments.
* Assessors are guided by the CAP, [https://www.cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf?ver=fEk1pUK1Fg26fVtopxv_DA%3D%3D found on the Cyber AB's website here], and [[CAP|discussed on this Wiki here]].

* The C3PAO reviews the organization's policies, procedures, security controls, and their implementation to ensure compliance with the required CMMC level.

* The assessment may include interviews with personnel, documentation review, and technical testing of the organization's systems.

'''3. Certification:'''

* If the organization passes the assessment, the C3PAO submits its findings to The Cyber AB, which then issues the certification.

* Certification is valid for three years at Levels 2-3, after which the organization must undergo re-certification.

'''4. Post-Certification Monitoring:'''

* Certified companies must continue to maintain and update their cybersecurity controls throughout the certification period.

* If significant changes occur, such as new systems or processes, companies may be subject to interim audits or additional assessments.

==CMMC Levels Summary==

'''CMMC Level 1 (Basic Cyber Hygiene):''' Self-assessment allowed, focused on FCI protection.

'''CMMC Level 2 (Intermediate Cyber Hygiene):''' Transition level, self-assessment may be allowed for FCI; third-party certification required for CUI.

'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.

==Challenges and Considerations==

'''Cost:''' Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.

'''Choosing the right support''': Some organizations might choose to work with consultants, or engage in pre-assessments to gauge their readiness prior to assessment. Choosing knowledgeable and capable organizations to support you is very important. Some guidance on picking this support is below:

* [[Identifying a Managed Service Provider]]
* [[Identifying a Consultant]]
* [[Identifying a Certified Third Party Assessing Organization (C3PAO)]]

'''Continuous Compliance:''' Certification is not a one-time event. Organizations must continuously maintain their cybersecurity posture, as lapses in compliance can lead to a loss of certification or future contract eligibility.

'''Supply Chain Impact:''' Prime contractors are responsible for ensuring that their entire supply chain, including subcontractors, meet the required CMMC levels, which can make compliance across the supply chain complex.

==CMMC 2.0 Update==

The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.

== Conclusion==

In the CMMC framework, self-assessments allow lower-tier contractors to meet basic security standards at a lower cost, while third-party certification is required for companies handling more sensitive data, such as CUI. This dual approach balances the need for strong cybersecurity controls with the practical realities of cost and resource constraints across the defense industrial base. Organizations aiming to do business with the DoD must understand their specific CMMC requirements and implement the necessary controls to achieve certification or self-assessment compliance.

CMMC Overview

2025-03-05T00:52:51Z

Uncouth: re-wording, adding more future pages, etc.

The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance cybersecurity practices across the Defense Industrial Base ([[DIB]]). It applies to any organization within the supply chain (receiving specific [[DFARS]] flow-down) that works on contracts with the Department of Defense ([[DoD]]), ensuring these companies can safeguard Controlled Unclassified Information ([[CUI]]) and Federal Contract Information ([[FCI]]).

In November 2021, in response to industry feedback, CMMC 2.0 was introduced to simplify the original model, making compliance more achievable while maintaining strong security standards. This updated framework reduces the original five certification levels down to three:

Level 1: Basic cyber hygiene practices, for the protection of [[Federal Contract Information (FCI)]]. Organizations must implement 15 practices aligned with Federal Acquisition Regulation ([[FAR]]) [https://www.acquisition.gov/far/52.204-21 52.204-21].

Level 2: Aligned with NIST SP 800-171 Rev 2, this level applies to [[Covered contractor information system|covered contractor information systems]] that handle CUI. It includes 110 security controls and 320 assessment objectives required by [[NIST 800-171]].

Level 3: Intended for companies with more sensitive CUI, Level 3 includes all NIST SP 800-171 requirements and enhances those requirements with 24 additional practices from [[NIST SP 800-172]], focusing on defending against advanced persistent threats ([[APT]]s).

=== [[Self-Assessment and Certification]]: ===

Under CMMC 2.0, organizations handling only FCI at Level 1 will be required to conduct annual self-assessments. For Level 2, companies handling critical CUI must undergo third-party assessments or self-attest depending on the criticality of the contract. Level 3 requires a CMMC Level 2 C3PAO assessment followed by a Level 3 assessment performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

=== Why CMMC is Important ===

The DoD created CMMC to ensure that companies in the DIB have adequate protections in place to secure sensitive information and defend against cyber threats. Compliance with CMMC 2.0 helps protect national security, secure supply chains, and build trust between the DoD and its contractors.

For organizations in the defense supply chain, preparing for CMMC 2.0 requires:

* Implementing controls based on NIST 800-171 Rev 2 (for Level 2),

* Engaging in [[continuous monitoring]] and [[security improvements]],

* And obtaining certification through third-party or self-assessments, depending on the level of compliance required.

Self-Assessment and Certification

2025-02-28T16:21:53Z

Uncouth: /* 4. Steps in the Certification Process: */

In the Cybersecurity Maturity Model Certification (CMMC) framework, self-assessments and third-party certifications are two key mechanisms that organizations (especially defense contractors) use to demonstrate compliance with cybersecurity requirements set by the Department of Defense (DoD). These mechanisms are designed to ensure that contractors handling Controlled Unclassified Information ([[CUI]]) and Federal Contract Information ([[FCI]]) have adequate cybersecurity measures in place.

=== 1. CMMC Overview: ===

The CMMC framework is a tiered certification model intended to assess the cybersecurity maturity of contractors and suppliers within the Defense Industrial Base ([[DIB]]). It is divided into five levels of increasing cybersecurity rigor, from basic cyber hygiene at Level 1 to advanced protection measures at Level 5. The CMMC ensures that contractors meet specific security standards, particularly those outlined in [[NIST 800-171]] and enhanced security practices beyond that.

=== 2. Self-Assessments in CMMC:===

At lower CMMC levels, specifically for Level 1 and in some cases Level 2, companies are allowed to conduct self-assessments of their cybersecurity practices and controls. Here’s how it works:

'''Level 1 Self-Assessments:'''

* Level 1 focuses on basic cyber hygiene, covering 17 controls designed to protect Federal Contract Information (FCI), such as using antivirus software, regular password changes, and access controls.

* Self-assessment is allowed for Level 1 contractors. These companies are not required to undergo a third-party audit but must:
** Complete a self-assessment based on the specified practices.
** Submit their score (from the self-assessment) to the Supplier Performance Risk System ([[SPRS]]), a DoD-managed system.
** Self-assessments are valid for up to one year, meaning organizations need to reassess and resubmit their status annually.

'''Benefits of Self-Assessments:'''

*Cost-Effective: Self-assessments eliminate the need to hire a third-party assessor, reducing costs for smaller companies with basic cybersecurity needs.

*Simpler Compliance Process: The self-assessment process is less formal and less time-consuming compared to full certification audits.

*Focus on Basic Practices: Since Level 1 focuses on basic cybersecurity practices, the controls are less complex, making it feasible for companies to evaluate themselves.

'''Risks of Self-Assessments:'''

* Accuracy and Accountability: Without third-party validation, there is a risk that companies may not fully or accurately assess their compliance, leading to potential vulnerabilities.

*Audit Potential: The DoD can audit self-assessment results at any time, and companies found to be non-compliant may face penalties, including loss of contract eligibility.

=== 3. Third-Party Certification in CMMC: ===

For Level 2 and above, especially for companies handling CUI, third-party assessments are required to validate compliance. Certification levels vary depending on the type of information being protected:

'''CMMC Level 2:'''

* Level 2 represents a transition between basic and more advanced cybersecurity practices, containing 110 controls (mapped to NIST SP 800-171).

* For contractors handling CUI, third-party certification from a C3PAO (Certified Third-Party Assessor Organization) is required.

* In cases where only Federal Contract Information (FCI) is handled, a self-assessment may suffice, but for CUI, external validation is necessary.

'''CMMC Level 3 and Above:'''

* Level 3 through Level 5 involve increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs).

* Third-party certification is mandatory, and the [[CMMC-AB]] / The Cyber AB (CMMC Accreditation Body) oversees this process.

* These higher levels of certification require a formal audit by a [[C3PAO]], where the assessor evaluates the organization's implementation of required cybersecurity controls.

* Certification at these levels is valid for up to three years before re-certification is needed.

=== 4. Steps in the Certification Process:===

For companies required to undergo third-party certification, the following steps are typically involved:

'''1. Preparation:'''

* Companies conduct a gap analysis to determine where their current cybersecurity posture aligns with the CMMC level they are aiming to achieve.

* Many contractors hire consultants or use tools to help them prepare for the formal assessment by ensuring that their processes and systems meet the necessary standards.

'''2. Assessment by C3PAO:'''

* Certified Third-Party Assessor Organizations (C3PAOs) are accredited by the The Cyber AB to conduct assessments.
* Assessors are guided by the CAP, [https://www.cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf?ver=fEk1pUK1Fg26fVtopxv_DA%3D%3D found on the Cyber AB's website here], and [[CAP|discussed on this Wiki here]].

* The C3PAO reviews the organization's policies, procedures, security controls, and their implementation to ensure compliance with the required CMMC level.

* The assessment may include interviews with personnel, documentation review, and technical testing of the organization's systems.

'''3. Certification:'''

* If the organization passes the assessment, the C3PAO submits its findings to The Cyber AB, which then issues the certification.

* Certification is valid for three years at Levels 2-5, after which the organization must undergo re-certification.

'''4. Post-Certification Monitoring:'''

* Certified companies must continue to maintain and update their cybersecurity controls throughout the certification period.

* If significant changes occur, such as new systems or processes, companies may be subject to interim audits or additional assessments.

==CMMC Levels Summary==

'''CMMC Level 1 (Basic Cyber Hygiene):''' Self-assessment allowed, focused on FCI protection.

'''CMMC Level 2 (Intermediate Cyber Hygiene):''' Transition level, self-assessment may be allowed for FCI; third-party certification required for CUI.

'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.

==Challenges and Considerations==

'''Cost:''' Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.

'''Choosing the right support''': Some organizations might choose to work with consultants, or engage in pre-assessments to gauge their readiness prior to assessment. Choosing knowledgeable and capable organizations to support you is very important. Some guidance on picking this support is below:

* [[Identifying a Managed Service Provider]]
* [[Identifying a Consultant]]
* [[Identifying a Certified Third Party Assessing Organization (C3PAO)]]

'''Continuous Compliance:''' Certification is not a one-time event. Organizations must continuously maintain their cybersecurity posture, as lapses in compliance can lead to a loss of certification or future contract eligibility.

'''Supply Chain Impact:''' Prime contractors are responsible for ensuring that their entire supply chain, including subcontractors, meet the required CMMC levels, which can make compliance across the supply chain complex.

==CMMC 2.0 Update==

The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.

== Conclusion==

In the CMMC framework, self-assessments allow lower-tier contractors to meet basic security standards at a lower cost, while third-party certification is required for companies handling more sensitive data, such as CUI. This dual approach balances the need for strong cybersecurity controls with the practical realities of cost and resource constraints across the defense industrial base. Organizations aiming to do business with the DoD must understand their specific CMMC requirements and implement the necessary controls to achieve certification or self-assessment compliance.

32 CFR Part 170 Key Takeaways

2025-02-26T00:51:19Z

Uncouth:

== Introduction ==
On October 15, 2024 32 CFR Part 170 also known as the "CMMC Final Rule" was published to the Federal Register. Effective 60 days later, the CMMC program became in effect.

Below are some key considerations, changes, and details to know with this rule's publication. This page's intent is to capture key differences, address changes between the draft rule and final published version.

Link to the PDF: https://public-inspection.federalregister.gov/2024-22905.pdf

Link to the FAR: https://www.federalregister.gov/public-inspection/2024-22905/cybersecurity-maturity-model-certification-program

== Timelines ==
The Final Rule codifies that [[Joint Surveillance Voluntary Assessment (JSVA)|Joint Surveillance Voluntary Assessments (JSVAs)]] will equate to a CMMC Level 2 certification, assuming the organization received a perfect 110 score.

DoD projects a 7-year timeline with a 4-year phased roll-out, initially.

In FY2025, DoD will primarily be requiring self-assessments. There will be approximately 500 expected third-party certifications required on contracts the first year.

CMMC self-assessments must have a score of 88 or more to "pass" and be compliant. The [[Affirming Official]] (formerly a "Senior Official" will need to affirm that the reporting is accurate. Affirming this score carries personal criminal fraud risk, and affirmations may be verified in a third party assessment later.

In FY2026, that 500 grows to about 2500 and by FY2027, about 9000. By FY2028, DoD anticipates 16,000 third-party certifications needed a year.

By the end of the rollout, the numbers projected by DoD are 4,000 self-assessed and 76,000 assessed by a [[Certified Third Party Assessment Organization (C3PAO)]].

Many DIB contractors (and sub-contractors) can expect to be required to self-assessment, per contract and purchase order flow-down requirements.

It's important to note that DoD has the discretion to delay the certification requirement to an option period instead of the condition of "upon contract award." While it's not expected this will be taken advantage of often, this does give DoD flexibility on specific programs that may have unique challenges to supply chain partners becoming certified.

Additionally:

''"The CMMC Program’s assessment phase-in plan, as described in § 170.3, does not preclude entities from immediately seeking a CMMC certification assessment prior to the 48 CFR part 204 CMMC Acquisition rule being finalized and the clause being added to new or existing DoD contracts."''

== Security Protection Data ==
When Cloud Service Providers (CSPs) only handle security protection data (SPD), and not CUI, the application or service would be treated like a security protection asset (SPA).

== Security Protection Assets ==
The Final Rule now suggests that Security Protection Assets (SPAs) will be assessed against security requirements that are "relevant to the capabilities provided."

''"If an OSA utilizes an ESP, including a Cloud Service Provider (CSP), that does not process, store, or transmit CUI, the ESP does not require its own CMMC assessment. The services provided by the ESP are assessed as part of the OSC’s assessment as Security Protection Assets."''

== External Service Providers ==
The Final Rule clarifies the difference between [[Cloud Service Provider (CSP)|Cloud Service Providers (CSPs)]], [[External Service Provider (ESP)|External Service Providers (ESPs)]], and [[Managed Service Provider (MSP)|Managed Service Providers (MSPs)]].

The requirement for ESPs (regardless of the services it provides) to be CMMC-Certified is no longer a requirement. However, an MSP, acting as an ESP, may choose to become CMMC-Certified.

The Final Rule suggests that Organizations Seeking Certification (OSC) may inherit controls for External Service Providers (ESPs) in scope when the ESP is CMMC-Certified.

== Managed Service Providers ==
The Final Rule clarifies that Managed Service Providers (MSPs) do not need FedRAMP Moderate to support an Organization Seeking Certification (OSC).

The Rule also allows MSPs to get CMMC certified to avoid being re-assessed for every client.

== FedRAMP & Equivalency ==
[[FedRAMP Moderate]] authorization is required when CUI is stored, processed, or transmitted in a cloud service offering.

There is still some question on the commentary and verbiage, but there is clarity in that a CSP only handles security protection data (SPD), and not CUI, therefore, the application or service would be treated like a security protection asset (SPA).

== Virtual Desktop Infrastructure ==
[[Virtual Desktop Infrastructure (VDI)]] language was added to remove the endpoint from scope if the endpoint is not processing, storing, or transmitting CUI.

Assuming appropriate technical controls prevent data transfer, the "dumb client" (or the computer you open the virtual desktop from) can be kept out of scope. It was previously assumed that they would need to be at least a [[Contractor Risk Managed Asset (CRMA)]].

== Assessors and the Training Community ==
The minimum number of assessors per third-party assessment has been expanded from 2 to 3. Additionally, at Lead [[CMMC Certified Assessor (CCA)]] is required and at least one other CCA. This will likely increase the projected costs of assessments.

CMMC instructors are now prohibited to also consult. Additional clarification is expected on this.

Contact

2025-02-25T20:38:30Z

Uncouth: unbreaking markdown

=== Contact Us ===
This wiki is created and maintained by a team of volunteers who are dedicated to providing accurate and helpful insights for the Defense Industrial Base (DIB) on their CMMC journey. While we strive for accuracy, this resource is provided '''as-is''', with '''no guarantees or warranty'''.

=== Need Help? ===
This wiki does '''not''' offer technical support. However, if you're looking for guidance or have general CMMC-related questions, we recommend checking out these community resources:

* [https://cooey.life Cooey CoE] – A valuable resource for collaboration and expert insights. -
* [https://www.reddit.com/r/cmmc r/cmmc] – A community-driven space for discussions and Q&A. -
* [https://www.cmmc-coa.com CMMC Center of Awesomeness]

=== Questions About This Wiki? ===
If you have questions specifically about this wiki, the best way to get in touch is through the [https://cooey.life Cooey CoE]. Someone there will be able to direct your inquiry to the right person.

''Please note:'' This wiki is not directly associated with r/CMMC or the Cooey CoE. These resources are listed solely as potential avenues for community support.

We appreciate your engagement and contributions to improving CMMC awareness and compliance across the DIB!

Contact

2025-02-25T20:34:39Z

Uncouth: Created page with "# Contact Us This wiki is created and maintained by a team of volunteers who are dedicated to providing accurate and helpful insights for the Defense Industrial Base (DIB) on their CMMC journey. While we strive for accuracy, this resource is provided **as-is**, with **no guarantees or warranty**. ### Need Help? This wiki does **not** offer technical support. However, if you're looking for guidance or have general CMMC-related questions, we recommend checking out these..."

# Contact Us

This wiki is created and maintained by a team of volunteers who are dedicated to providing accurate and helpful insights for the Defense Industrial Base (DIB) on their CMMC journey. While we strive for accuracy, this resource is provided **as-is**, with **no guarantees or warranty**.

### Need Help?
This wiki does **not** offer technical support. However, if you're looking for guidance or have general CMMC-related questions, we recommend checking out these community resources:

- [Cooey Center of Excellence (CoE)](https://cooey.life) – A valuable resource for collaboration and expert insights.
- [r/CMMC Subreddit](https://www.reddit.com/r/cmmc/) – A community-driven space for discussions and Q&A.
- [CMMC Center of Awesomeness](https://www.cmmc-coa.com)

### Questions About This Wiki?
If you have questions specifically about this wiki, the best way to get in touch is through the [Cooey CoE](https://cooey.life). Someone there will be able to direct your inquiry to the right person.

**Please note:** This wiki is **not directly associated** with **r/CMMC** or the **Cooey CoE**. These resources are listed solely as potential avenues for community support.

We appreciate your engagement and contributions to improving CMMC awareness and compliance across the DIB!

MediaWiki:Sidebar

2025-02-25T20:29:43Z

Uncouth:

MediaWiki:Sidebar

2025-02-25T20:29:20Z

Uncouth:

CMMC Overview

2025-02-25T20:04:42Z

Uncouth: Removed the 800-171 families, to be re-done at a later date

The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance cybersecurity practices across the Defense Industrial Base ([[DIB]]). It applies to any organization within the supply chain (receiving specific [[DFARS]] flow-down) that works on contracts with the Department of Defense ([[DoD]]), ensuring these companies can safeguard Controlled Unclassified Information ([[CUI]]) and Federal Contract Information ([[FCI]]).

In November 2021, in response to industry feedback, CMMC 2.0 was introduced to simplify the original model, making compliance more achievable while maintaining strong security standards. This updated framework reduces the original five certification levels down to three:

Level 1: Basic cyber hygiene practices, primarily protecting FCI. Organizations must implement 17 practices aligned with Federal Acquisition Regulation ([[FAR]]) 52.204-21.

Level 2: Aligned with NIST SP 800-171 Rev 2, this level applies to companies that handle CUI. It includes 110 security controls required by [[NIST 800-171]], emphasizing areas such as access control, incident response, and system security.

Level 3: Designed for companies with the highest cybersecurity requirements, Level 3 incorporates advanced practices beyond NIST SP 800-171 and will be aligned with a subset of controls from [[NIST SP 800-172]], focusing on defending against advanced persistent threats ([[APT]]s).

=== [[Self-Assessment and Certification]]: ===

Under CMMC 2.0, organizations handling only FCI at Level 1 can conduct annual self-assessments. For Level 2, companies handling critical CUI must undergo third-party assessments or self-attest depending on the criticality of the contract. Level 3 requires comprehensive third-party assessments by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

=== Why CMMC is Important ===

The DoD created CMMC to ensure that companies in the DIB have adequate protections in place to secure sensitive information and defend against cyber threats. Compliance with CMMC 2.0 helps protect national security, secure supply chains, and build trust between the DoD and its contractors.

For organizations in the defense supply chain, preparing for CMMC 2.0 requires:

* Implementing controls based on NIST 800-171 Rev 2 (for Level 2),

* Engaging in [[continuous monitoring]] and [[security improvements]],

* And obtaining certification through third-party or self-assessments, depending on the level of compliance required.

FAQ

2024-11-04T16:49:41Z

Uncouth: /* What should I do if my customer requests my SPRS score? */

The DoD CIO has published their own FAQ here: https://dodcio.defense.gov/CMMC/FAQs/

____________________________________________________

The COE Discord and CMMC Reddit pages are free resources led by the community. Some of the most common questions are listed below, along with some of the answers offered.

''NOTE: Depending on your own situation, these answers may not work for your environment. Work with your own compliance or legal team to ensure your implementation and interpretation is acceptable for compliance.''

=== How much does compliance cost? ===
ANSWERS HERE

=== How do I know if I have CUI? ===
It should be marked by the person who sent it to you. If it's not, but if your purchase order or contract flow-down requires you to protect the data as if it were CUI, contact your buyer/customer and ask for clarification.

Have you watched Ryan Bonner's [https://www.youtube.com/watch?v=IEy-TkmKMt8 video] on this?

=== Are machine files (like CAD models) CUI if I create them as the manufacturer? ===
ANSWERS HERE

=== How do I convince management to be compliant? ===
ANSWERS HERE

=== What can I expect during a CMMC assessment? ===
ANSWERS HERE

=== Do all of my Security Protection Assets (SPA)s need to be CMMC-compliant? ===
ANSWERS HERE

=== How do I choose a C3PAO? ===
ANSWERS HERE

=== What options are out there for training to become a CCP/CCA? ===
ANSWERS HERE

=== What should my System Security Plan (SSP) look like, what should it include, and how long should it be? ===
ANSWERS HERE

=== What is the difference between Plan of Actions and Milestones (POAM) and Operational Plan of Action (OPOA)? ===
Items put on POAM must be closed out within 180 days, and must be one of the allowable items.

Items on a OPOA are items that were acceptable before, but are temporarily not compliant for some reason.

=== Is Department of Defense (DoD) the only government agency that requires CMMC? ===
As of right now (November 2024), yes. Department of Energy, and others, may call out NIST 800-171, but at this time, DoD is the only government agency that is poised to require third party assessments to confirm compliance.

=== What's the difference between a Registered Practitioner (RP) and a CCP? ===
ANSWERS HERE

=== Are phones in scope of a CMMC audit? ===
If phones (mobile devices) are capable of accessing the information system that stores FCI or CUI, yes.

=== What do I do if I'm sent CUI by my customer? ===
There's not much to do when a sender doesn't follow directions pertinent to your environment.

The best thing is to have policies in place on what to do when it actually happens.

Arguably, small businesses that rely on big primes business have a harder time telling their customers that they're not following directions, and expecting not to become the problem child as a result.

One small business owner says: "Early on in the process, we sent out a memo to all of our aerospace customers, reminding them of CUI sharing responsibilities per flow down. We did it under the guise that we just wanted them to be aware that we were compliant in our practices.

It allowed us the opportunity to remind them on proper sharing practices."

If some small businesses had to file a report for every single time CUI was inadvertently shared unencrypted through email, by its big customer who should arguably know better, those small businesses would have no business.

It's helpful to consider "what is it that we're trying to do here?" It's helpful to get grounded here and there.

You can only control your own environment, and your own team. If the best you can do is over communicate and remain hyper aware once data is in your environment, then you're light years ahead of most.

=== What should I do if my customer requests my SPRS score? ===
If you are prime on the contract, your Contract Officer has the ability to see your score in SPRS, provided that you have submitted a score. If you are a subcontractor, your customer cannot see your score in SPRS. They may request you provide evidence of your submission, and may also request details of the score or even a copy of your SSP. You do not have a DoD contractual obligation to provide this information, however your mileage may vary when it comes to how much you can push back on providing this information.

=== Do all of my applications have to be FedRAMP to be CMMC compliant? ===
ANSWERS HERE

Joint Surveillance Voluntary Assessment (JSVA)

2024-10-25T14:55:53Z

Uncouth: Created page with "Joint Surveillance Voluntary Assessment (JSVA) are assessments performed by a CMMC Certified 3rd Party Assessor (C3PAO) and witnessed by DIBCAC, who also performs a DFARS compliance verification. As the name implies, these assessments are voluntary."

Joint Surveillance Voluntary Assessment (JSVA) are assessments performed by a CMMC Certified 3rd Party Assessor (C3PAO) and witnessed by DIBCAC, who also performs a DFARS compliance verification. As the name implies, these assessments are voluntary.

FAQ

2024-10-25T14:49:32Z

Uncouth: Created page with "The DoD CIO has published their own FAQ here: https://dodcio.defense.gov/CMMC/FAQs/"

The DoD CIO has published their own FAQ here: https://dodcio.defense.gov/CMMC/FAQs/

32 CFR Part 170 Key Takeaways

2024-10-14T13:54:31Z

Uncouth: /* Virtual Desktop Infrastructure */

== Introduction ==
On October 15, 2024 32 CFR Part 170 also known as the "CMMC Final Rule" is published to the Federal Register. Effective 60 days later, the CMMC program is in effect.

Below are some key considerations, changes, and details to know with this rule's publication. This page's intent is to capture key differences, address changes between the draft rule and final published version.

Link to the PDF: https://public-inspection.federalregister.gov/2024-22905.pdf

Link to the FAR: https://www.federalregister.gov/public-inspection/2024-22905/cybersecurity-maturity-model-certification-program

== Timelines ==
The Final Rule codifies that [[Joint Surveillance Voluntary Assessment (JSVA)|Joint Surveillance Voluntary Assessments (JSVAs)]] will equate to a CMMC Level 2 certification, assuming the organization received a perfect 110 score.

DoD projects a 7-year timeline with a 4-year phased roll-out, initially.

In FY2025, DoD will primarily be requiring self-assessments. There will be approximately 500 expected third-party certifications required on contracts the first year.

CMMC self-assessments must have a score of 88 or more to "pass" and be compliant. The [[Affirming Official]] (formerly a "Senior Official" will need to affirm that the reporting is accurate. Affirming this score carries personal criminal fraud risk, and affirmations may be verified in a third party assessment later.

In FY2026, that 500 grows to about 2500 and by FY2027, about 9000. By FY2028, DoD anticipates 16,000 third-party certifications needed a year.

By the end of the rollout, the numbers projected by DoD are 4,000 self-assessed and 76,000 assessed by a [[Certified Third Party Assessment Organization (C3PAO)]].

Many DIB contractors (and sub-contractors) can expect to be required to self-assessment, per contract and purchase order flow-down requirements.

It's important to note that DoD has the discretion to delay the certification requirement to an option period instead of the condition of "upon contract award." While it's not expected this will be taken advantage of often, this does give DoD flexibility on specific programs that may have unique challenges to supply chain partners becoming certified.

Additionally:

''"The CMMC Program’s assessment phase-in plan, as described in § 170.3, does not preclude entities from immediately seeking a CMMC certification assessment prior to the 48 CFR part 204 CMMC Acquisition rule being finalized and the clause being added to new or existing DoD contracts."''

== Security Protection Data ==
When Cloud Service Providers (CSPs) only handle security protection data (SPD), and not CUI, the application or service would be treated like a security protection asset (SPA).

== Security Protection Assets ==
The Final Rule now suggests that Security Protection Assets (SPAs) will be assessed against security requirements that are "relevant to the capabilities provided."

''"If an OSA utilizes an ESP, including a Cloud Service Provider (CSP), that does not process, store, or transmit CUI, the ESP does not require its own CMMC assessment. The services provided by the ESP are assessed as part of the OSC’s assessment as Security Protection Assets."''

== External Service Providers ==
The Final Rule clarifies the difference between [[Cloud Service Provider (CSP)|Cloud Service Providers (CSPs)]], [[External Service Provider (ESP)|External Service Providers (ESPs)]], and [[Managed Service Provider (MSP)|Managed Service Providers (MSPs)]].

The requirement for ESPs (regardless of the services it provides) to be CMMC-Certified is no longer a requirement. However, an MSP, acting as an ESP, may choose to become CMMC-Certified.

The Final Rule suggests that Organizations Seeking Certification (OSC) may inherit controls for External Service Providers (ESPs) in scope when the ESP is CMMC-Certified.

== Managed Service Providers ==
The Final Rule clarifies that Managed Service Providers (MSPs) do not need FedRAMP Moderate to support an Organization Seeking Certification (OSC).

The Rule also allows MSPs to get CMMC certified to avoid being re-assessed for every client.

== FedRAMP & Equivalency ==
[[FedRAMP Moderate]] authorization is required when CUI is stored, processed, or transmitted in a cloud service offering.

There is still some question on the commentary and verbiage, but there is clarity in that a CSP only handles security protection data (SPD), and not CUI, therefore, the application or service would be treated like a security protection asset (SPA).

== Virtual Desktop Infrastructure ==
[[Virtual Desktop Infrastructure (VDI)]] language was added to remove the endpoint from scope if the endpoint is not processing, storing, or transmitting CUI.

Assuming appropriate technical controls prevent data transfer, the "dumb client" (or the computer you open the virtual desktop from) can be kept out of scope. It was previously assumed that they would need to be at least a [[Contractor Risk Managed Asset (CRMA)]].

== Assessors and the Training Community ==
The minimum number of assessors per third-party assessment has been expanded from 2 to 3. Additionally, at Lead [[CMMC Certified Assessor (CCA)]] is required and at least one other CCA. This will likely increase the projected costs of assessments.

CMMC instructors are now prohibited to also consult. Additional clarification is expected on this.

32 CFR Part 170 Key Takeaways

2024-10-11T22:50:49Z

Uncouth:

Main Page

2024-10-11T22:48:29Z

Uncouth: /* Hot Topics */

== Main Wiki Pages ==
*[[CMMC Overview]]
*[[Self-Assessment and Certification]]
*[[CUI]]
*[[Resources and Tools for Compliance]]
*[[Preferred Partners]]
*[[Training and Education]] - (for CCA/CCP/LTP)
*[[FAQ|Frequently Asked Questions]]

== Hot Topics ==

* [[32 CFR Part 170 Key Takeaways]]
* [[48 CFR Parts 204, 212, 217, and 252 Proposed Rule]]

Main Page

2024-10-11T22:46:43Z

Uncouth:

32 CFR Part 170 Key Takeaways

2024-10-11T22:45:51Z

Uncouth: Created page with "== Introduction == On October 15, 2024 32 CFR Part 170 also known as the "CMMC Final Rule" is published to the Federal Register. Effective 60 days later, the CMMC program is in effect. Below are some key considerations, changes, and details to know with this rule's publication. This page's intent is to capture key differences, address changes between the draft rule and final published version. == Timelines == Phased rollout, 48 CFR, blah blah == Security Protection Da..."

Main Page

2024-10-11T22:41:08Z

Uncouth: /* Hot Topics */

== MAIN WIKI PAGES: ==
*[[CMMC Overview]]
*[[Self-Assessment and Certification]]
*[[CUI]]
*[[Resources and Tools for Compliance]]
*[[Preferred Partners]]
*[[Training and Education]] - (for CCA/CCP/LTP)
*[[FAQ|Frequently Asked Questions]]

== Hot Topics ==

* [[32 CFR Part 170 Key Takeaways]]

Main Page

2024-10-11T22:40:49Z

Uncouth:

Access Control

2024-10-10T01:32:34Z

Uncouth:

Access Control is one of the 14 security families in NIST 800-171 Rev 2, which provides guidelines for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. The Access Control family focuses on limiting access to information systems, applications, and data to authorized individuals and ensuring that only those with appropriate permissions can access sensitive information. This helps prevent unauthorized access, which is critical for maintaining the security and confidentiality of CUI.

== Key Access Control Requirements in NIST 800-171 Rev 2:==

The Access Control family contains 22 security requirements. These are summarized below.

===1. Limit System Access to Authorized Users (3.1.1)===

'''Basic Requirement:''' Organizations must limit access to information systems to only authorized users, processes acting on behalf of users, and devices.

'''Key Focus:''' Ensure that only individuals with the proper credentials and roles can access specific systems or data.

===2. Limit Access to the Types of Transactions and Functions (3.1.2)===

'''Basic Requirement:''' Organizations must limit access to only the specific transactions, systems, and functions that authorized users are permitted to perform based on their role.

'''Key Focus:''' Apply role-based access control (RBAC) or similar mechanisms to restrict user access to only the resources needed for their job functions.

===3. Control the Flow of CUI (3.1.3)===

'''Derived Requirement:''' Organizations must control the flow of CUI within their systems and between systems to ensure it is only accessed or transmitted by authorized entities.

'''Key Focus:''' Implement measures like encryption, firewall rules, or traffic filtering to ensure that data is not accessible to unauthorized parties or transferred to unauthorized systems.

===4. Separate the Duties of Individuals (3.1.4)===

'''Derived Requirement:''' Organizations must implement the separation of duties to prevent individuals from having too much control or oversight over key functions, which could lead to security vulnerabilities or fraud.

'''Key Focus:''' Assign different responsibilities and privileges to multiple personnel to avoid conflicts of interest and reduce the risk of malicious activities.

===5. Limit Access to CUI on System Media (3.1.5)===

'''Derived Requirement:''' Access to CUI stored on system media (such as USB drives, CDs, or printed documents) should be limited to authorized users, and organizations must protect these media from unauthorized access.

'''Key Focus:''' Ensure physical and logical access to removable media and printed materials containing CUI is strictly controlled.

===6. Control Access to Systems Connected to External Networks (3.1.6)===

'''Derived Requirement:''' Organizations must control access to their systems, especially when they are connected to external networks or systems outside their organizational control.

'''Key Focus:''' Implement strong controls, such as firewalls, VPNs, or proxies, to manage how internal systems interact with external networks and protect against unauthorized access.

===7. Use of Identification and Authentication for Remote Access (3.1.7)===

'''Derived Requirement:''' Organizations must enforce the use of strong identification and authentication mechanisms (e.g., multi-factor authentication) for users accessing systems remotely.

'''Key Focus:''' Ensure that remote users are authenticated using more than just a password, such as through multi-factor authentication (MFA).

===8. Authorize Remote Execution of Commands and Scripts (3.1.8)===

'''Derived Requirement:''' Organizations must limit the ability to execute remote commands and scripts to authorized users.

'''Key Focus:''' Prevent unauthorized users from executing scripts or commands that could compromise the system or data.

===9. Terminate Inactive Sessions (3.1.9)===

'''Derived Requirement:''' Organizations must configure systems to automatically terminate or lock user sessions after a defined period of inactivity.

'''Key Focus:''' Reduce the risk of unauthorized access if a user leaves a session open and unattended.

===10. Limit Concurrent Sessions (3.1.10)===

'''Derived Requirement:''' Limit the number of concurrent sessions an individual can have open on a system.

'''Key Focus:''' Prevent misuse of multiple sessions and ensure that users do not bypass access controls through simultaneous logins.

===11. Control Access to Mobile Devices (3.1.11)===

'''Derived Requirement:''' Implement policies to control access to systems and CUI through mobile devices such as smartphones, tablets, and laptops.

'''Key Focus:''' Ensure that mobile device usage is secure, including the implementation of encryption and remote wipe capabilities if devices are lost or stolen.

===12. Encrypt CUI on Mobile Devices and Removable Media (3.1.19)===

'''Derived Requirement:''' Protect CUI stored on mobile devices or removable media through encryption or other security measures to prevent unauthorized access.

'''Key Focus:''' Encrypt CUI to protect it in case the device or media is lost, stolen, or accessed by unauthorized individuals.

===13. Session Lock (3.1.12)===

'''Derived Requirement:''' Implement a session lock capability for systems that require users to re-authenticate after the system has been idle for a period.

'''Key Focus:''' Automatically lock systems during idle periods to prevent unauthorized access.

===14. Encrypt Remote Access (3.1.13)===

'''Derived Requirement:''' Ensure that remote access to information systems is protected by encryption, safeguarding data from being intercepted by unauthorized parties.

'''Key Focus:''' Use encryption technologies like VPNs or TLS (Transport Layer Security) for remote access connections.

===15. Restrict Access to Privileged Functions (3.1.14)===

'''Derived Requirement:''' Limit access to privileged functions, such as administrative tasks, to only authorized personnel.

'''Key Focus:''' Ensure that users with higher privileges (such as system administrators) have restricted access to sensitive functions based on need.

===16. Prevent Non-Privileged Users from Executing Privileged Commands (3.1.15)===

'''Derived Requirement:''' Ensure that non-privileged users cannot execute privileged commands or functions.

'''Key Focus:''' Use strict access control to prevent unauthorized users from gaining administrative control over the system.

===17. Control Access to Audit Information (3.1.16)===

'''Derived Requirement:''' Limit access to audit logs and audit-related information to prevent tampering or unauthorized review by individuals who are not authorized to see it.

'''Key Focus:''' Only allow authorized personnel to view and manage audit logs to ensure data integrity and accountability.

===18. Separation of User and Privileged Functions (3.1.17)===

'''Derived Requirement:''' Enforce a separation between regular user activities and privileged operations, ensuring that users with administrative privileges do not use them for everyday tasks.

'''Key Focus:''' Limit the use of privileged accounts to only necessary administrative functions.

===19. Prevent Unauthorized Use of Collaborative Computing Devices (3.1.18)===

'''Derived Requirement:''' Implement controls to prevent the unauthorized use of collaborative computing devices, such as video or audio conferencing systems, within information systems.

'''Key Focus:''' Ensure that shared devices used for collaboration are secured and that only authorized users can access them.

===20. Automate Control of Temporary and Emergency Accounts (3.1.20)===

'''Derived Requirement:''' Automatically manage and control the use of temporary or emergency accounts to ensure they are deactivated when no longer needed.

'''Key Focus:''' Ensure that these accounts are monitored and disabled after their purpose has been fulfilled to avoid potential misuse.

===21. Disable Inactive Accounts (3.1.21)===

'''Derived Requirement:''' Disable accounts that are inactive for a specified period to prevent unauthorized use.

'''Key Focus:''' Implement automated processes to detect and disable inactive user accounts.

===22. Control the Use of External Systems (3.1.22)===

'''Derived Requirement:''' Establish policies and controls to limit the use of external systems (such as personal laptops or non-company networks) for accessing CUI.

'''Key Focus:''' Ensure that systems outside the organization’s control cannot access CUI unless authorized and properly secured.
Summary:

Access control in NIST 800-171 Rev 2 emphasizes restricting and managing access to systems and data to ensure only authorized individuals and devices can access CUI. The controls focus on implementing strong authentication, role-based access control, session management, encryption, and least privilege principles, all aimed at minimizing the risk of unauthorized access and ensuring the protection of sensitive information within the organization.

MediaWiki:Sidebar

2024-09-30T15:46:24Z

Uncouth:

MediaWiki:Sidebar

2024-09-30T15:45:24Z

Uncouth:

MediaWiki:Sidebar

2024-09-30T15:44:52Z

Uncouth:

MediaWiki:Sidebar

2024-09-30T15:43:51Z

Uncouth:

MediaWiki:Sidebar

2024-09-30T15:42:58Z

Uncouth:

* navigation
** mainpage|mainpage-description
**CMMC Overview
**Self-Assessment and Certification
**CUI
**Resources and Tools for Compliance
**Preferred Partners
**Training and Education
**FAQ|Frequently Asked Questions
** recentchanges-url|recentchanges
** randompage-url|randompage
** helppage|help-mediawiki
* SEARCH
* TOOLBOX
* LANGUAGES

MediaWiki:Sidebar

2024-09-30T15:40:52Z

Uncouth:

* navigation
** mainpage|mainpage-description
** recentchanges-url|recentchanges
** randompage-url|randompage
** helppage|help-mediawiki
* SEARCH
* TOOLBOX
* LANGUAGES

MediaWiki:Sidebar

2024-09-30T15:40:24Z

Uncouth: Created page with " * navigation ** mainpage|mainpage-description **CMMC Overview **Self-Assessment and Certification **CUI **Resources and Tools for Compliance **Preferred Partners **Training and Education - (for CCA/CCP/LTP) **Frequently Asked Questions ** recentchanges-url|recentchanges ** randompage-url|randompage ** helppage|help-mediawiki * SEARCH * TOOLBOX * LANGUAGES"

* navigation
** mainpage|mainpage-description
**[[CMMC Overview]]
**[[Self-Assessment and Certification]]
**[[CUI]]
**[[Resources and Tools for Compliance]]
**[[Preferred Partners]]
**[[Training and Education]] - (for CCA/CCP/LTP)
**[[FAQ|Frequently Asked Questions]]
** recentchanges-url|recentchanges
** randompage-url|randompage
** helppage|help-mediawiki
* SEARCH
* TOOLBOX
* LANGUAGES

Main Page

2024-09-30T12:25:11Z

Uncouth:

MAIN WIKI PAGES:

*[[CMMC Overview]]
*[[Self-Assessment and Certification]]
*[[CUI]]
*[[Resources and Tools for Compliance]]
*[[Preferred Partners]]
*[[Training and Education]] - (for CCA/CCP/LTP)
*[[FAQ|Frequently Asked Questions]]