Self-Assessment and Certification - Revision history

Uncouth: re-worded a bunch in sections 1-3, section 4 and beyond should still be looked at

2025-03-05T01:04:26Z

re-worded a bunch in sections 1-3, section 4 and beyond should still be looked at

← Older revision		Revision as of 01:04, 5 March 2025
Line 1:		Line 1:
	In the Cybersecurity Maturity Model Certification (CMMC) framework, self-assessments and third-party certifications are two key mechanisms that organizations ~~(especially defense contractors)~~ use to demonstrate compliance with cybersecurity requirements set by the Department of Defense (DoD). These mechanisms are designed to ensure that contractors handling Controlled Unclassified Information ([[CUI]]) and Federal Contract Information ([[FCI]]) have adequate cybersecurity measures in place.		In the Cybersecurity Maturity Model Certification (CMMC) framework, self-assessments and third-party certifications are two key mechanisms that organizations use to demonstrate compliance with cybersecurity requirements set by the Department of Defense (DoD). These mechanisms are designed to ensure that contractors handling Controlled Unclassified Information ([[CUI]]) and Federal Contract Information ([[FCI]]) have adequate cybersecurity measures in place.

	=== 1. CMMC Overview: ===		=== 1. CMMC Overview: ===
Line 11:		Line 11:
	'''Level 1 Self-Assessments:'''		'''Level 1 Self-Assessments:'''

	* Level 1 focuses on basic cyber hygiene, covering 17 controls designed to protect Federal Contract Information (FCI), such as using antivirus software, ~~regular password changes~~, and ~~access controls~~.		* Level 1 focuses on basic cyber hygiene, covering 17 controls designed to protect Federal Contract Information (FCI), such as using antivirus software, implementing access controls, and protecting communications.

	* Self-assessment is allowed for Level 1 contractors. These companies are not required to undergo a third-party audit but must:		* Self-assessment is allowed for Level 1 contractors. These companies are not required to undergo a third-party audit but must:
	** Complete a self-assessment based on the specified practices.		** Complete a self-assessment based on the specified practices.
	** Submit their score (from the self-assessment) to the Supplier Performance Risk System ([[SPRS]]), a DoD-managed system.		** Submit their score (from the self-assessment) to the Supplier Performance Risk System ([[SPRS]]), a DoD-managed system.
	** ~~Self-assessments are valid for up to one year, meaning organizations need to reassess~~ and resubmit their status annually.		** Reassess and resubmit their status annually.

	~~'''Benefits of Self-Assessments:'''~~

	*Cost-Effective: Self-assessments eliminate the need to hire a third-party assessor, reducing costs for smaller companies with basic cybersecurity needs.

	*Simpler Compliance Process: The self-assessment process is less formal and less time-consuming compared to full certification audits.

	*Focus on Basic Practices: Since Level 1 focuses on basic cybersecurity practices, the controls are less complex, making it feasible for companies to evaluate themselves.

	~~'''Risks of Self-Assessments:'''~~

	* Accuracy and Accountability: Without third-party validation, there is a risk that companies may not fully or accurately assess their compliance, leading to potential vulnerabilities.

	*Audit Potential: The DoD can audit self-assessment results at any time, and companies found to be non-compliant may face penalties, including loss of contract eligibility.

	=== 3. Third-Party Certification in CMMC: ===		=== 3. Third-Party Certification in CMMC: ===

	For Level 2 and above~~, especially for companies handling CUI~~, third-party assessments are required to validate compliance. Certification levels vary depending on the ~~type~~ of information being protected:		For Level 2 and above, third-party assessments are required to validate compliance. Certification levels vary depending on the sensitivity of the information being protected:

	'''CMMC Level 2:'''		'''CMMC Level 2:'''

	* Level 2 represents a transition between basic and more advanced cybersecurity practices, containing 110 ~~controls (mapped to~~ NIST SP 800-171).		* Level 2 represents a transition between basic and more advanced cybersecurity practices, containing 110 requirements from NIST SP 800-171 rev2.

	* For contractors handling CUI, third-party certification from a C3PAO (Certified Third-Party Assessor Organization) is required.

	* ~~In cases where only Federal Contract Information~~ (~~FCI~~) is ~~handled~~, a self-~~assessment may suffice~~, ~~but~~ for ~~CUI~~, ~~external validation is necessary~~.		* For contractors handling CUI, third-party certification from a C3PAO (Certified Third-Party Assessor Organization) is required, although during the phased rollout some self-assessments will be allowed.
			* When third-party certification is mandatory, the [[CMMC-AB]] / The Cyber AB (CMMC Accreditation Body) oversees this process.
			* Certification at this levels is valid for up to three years before re-certification is needed (unless a significant change happens in the environment, in which case, re-certification would be required).

	'''CMMC Level 3:'''		'''CMMC Level 3:'''

	* Level 3 involves increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs).		* Level 3 involves increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs). 24 additional requirements from NIST SP 800-172 are included in Level 3.

	* Third-~~party certification is mandatory, and the [[CMMC-AB]] / The Cyber AB (CMMC Accreditation Body) oversees this process~~.

	* ~~These higher levels~~ of ~~certification require a formal audit by~~ a [[C3PAO~~]], where the assessor evaluates the organization's implementation of required cybersecurity controls~~.		* DIBCAC performs assessments of the 24 requirements in Level 3 after completion of a C3PAO Level 2 assessment.

	* Certification at this levels is valid for up to three years before re-certification is needed (unless a significant change happens in the environment, in which case, re-certification would be required).		* Certification at this levels is valid for up to three years before re-certification is needed (unless a significant change happens in the environment, in which case, re-certification would be required).

Marieramsay at 00:07, 2 March 2025

2025-03-02T00:07:55Z

Uncouth: /* 4. Steps in the Certification Process: */

2025-02-28T16:21:53Z

4. Steps in the Certification Process:

← Older revision		Revision as of 16:21, 28 February 2025
Line 85:		Line 85:
	* If significant changes occur, such as new systems or processes, companies may be subject to interim audits or additional assessments.		* If significant changes occur, such as new systems or processes, companies may be subject to interim audits or additional assessments.

	==CMMC Levels Summary:==		==CMMC Levels Summary==

	'''CMMC Level 1 (Basic Cyber Hygiene):''' Self-assessment allowed, focused on FCI protection.		'''CMMC Level 1 (Basic Cyber Hygiene):''' Self-assessment allowed, focused on FCI protection.
Line 93:		Line 93:
	'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.		'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.

	==Challenges and Considerations:==		==Challenges and Considerations==

	'''Cost:''' Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.		'''Cost:''' Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.

			'''Choosing the right support''': Some organizations might choose to work with consultants, or engage in pre-assessments to gauge their readiness prior to assessment. Choosing knowledgeable and capable organizations to support you is very important. Some guidance on picking this support is below:

			* [[Identifying a Managed Service Provider]]
			* [[Identifying a Consultant]]
			* [[Identifying a Certified Third Party Assessing Organization (C3PAO)]]

	'''Continuous Compliance:''' Certification is not a one-time event. Organizations must continuously maintain their cybersecurity posture, as lapses in compliance can lead to a loss of certification or future contract eligibility.		'''Continuous Compliance:''' Certification is not a one-time event. Organizations must continuously maintain their cybersecurity posture, as lapses in compliance can lead to a loss of certification or future contract eligibility.
Line 101:		Line 107:
	'''Supply Chain Impact:''' Prime contractors are responsible for ensuring that their entire supply chain, including subcontractors, meet the required CMMC levels, which can make compliance across the supply chain complex.		'''Supply Chain Impact:''' Prime contractors are responsible for ensuring that their entire supply chain, including subcontractors, meet the required CMMC levels, which can make compliance across the supply chain complex.

	==CMMC 2.0 Update:==		==CMMC 2.0 Update==

	The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.		The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.

	== Conclusion:==		== Conclusion==

	In the CMMC framework, self-assessments allow lower-tier contractors to meet basic security standards at a lower cost, while third-party certification is required for companies handling more sensitive data, such as CUI. This dual approach balances the need for strong cybersecurity controls with the practical realities of cost and resource constraints across the defense industrial base. Organizations aiming to do business with the DoD must understand their specific CMMC requirements and implement the necessary controls to achieve certification or self-assessment compliance.		In the CMMC framework, self-assessments allow lower-tier contractors to meet basic security standards at a lower cost, while third-party certification is required for companies handling more sensitive data, such as CUI. This dual approach balances the need for strong cybersecurity controls with the practical realities of cost and resource constraints across the defense industrial base. Organizations aiming to do business with the DoD must understand their specific CMMC requirements and implement the necessary controls to achieve certification or self-assessment compliance.

Marieramsay: Found "CMMB-AB" and replaced with "The Cyber AB" where possible

2024-12-23T22:53:26Z

Found "CMMB-AB" and replaced with "The Cyber AB" where possible

← Older revision		Revision as of 22:53, 23 December 2024
Line 48:		Line 48:
	* Level 3 through Level 5 involve increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs).		* Level 3 through Level 5 involve increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs).

	* Third-party certification is mandatory, and the [[CMMC-AB]] (CMMC Accreditation Body) oversees this process.		* Third-party certification is mandatory, and the [[CMMC-AB]] / The Cyber AB (CMMC Accreditation Body) oversees this process.

	* These higher levels of certification require a formal audit by a [[C3PAO]], where the assessor evaluates the organization's implementation of required cybersecurity controls.		* These higher levels of certification require a formal audit by a [[C3PAO]], where the assessor evaluates the organization's implementation of required cybersecurity controls.
Line 66:		Line 66:
	'''2. Assessment by C3PAO:'''		'''2. Assessment by C3PAO:'''

	* Certified Third-Party Assessor Organizations (C3PAOs) are accredited by the ~~CMMC-~~AB to conduct assessments.		* Certified Third-Party Assessor Organizations (C3PAOs) are accredited by the The Cyber AB to conduct assessments.
	* Assessors are guided by the CAP, [https://www.cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf?ver=fEk1pUK1Fg26fVtopxv_DA%3D%3D found on the Cyber AB's website here], and [[CAP\|discussed on this Wiki here]].		* Assessors are guided by the CAP, [https://www.cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf?ver=fEk1pUK1Fg26fVtopxv_DA%3D%3D found on the Cyber AB's website here], and [[CAP\|discussed on this Wiki here]].

Line 75:		Line 75:
	'''3. Certification:'''		'''3. Certification:'''

	* If the organization passes the assessment, the C3PAO submits its findings to ~~the CMMC-~~AB, which then issues the certification.		* If the organization passes the assessment, the C3PAO submits its findings to The Cyber AB, which then issues the certification.

	* Certification is valid for three years at Levels 2-5, after which the organization must undergo re-certification.		* Certification is valid for three years at Levels 2-5, after which the organization must undergo re-certification.

Marieramsay: Referenced the CAP under section "Steps in the Certification Process"

2024-12-23T22:32:05Z

Referenced the CAP under section "Steps in the Certification Process"

← Older revision		Revision as of 22:32, 23 December 2024
Line 67:		Line 67:

	* Certified Third-Party Assessor Organizations (C3PAOs) are accredited by the CMMC-AB to conduct assessments.		* Certified Third-Party Assessor Organizations (C3PAOs) are accredited by the CMMC-AB to conduct assessments.
			* Assessors are guided by the CAP, [https://www.cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf?ver=fEk1pUK1Fg26fVtopxv_DA%3D%3D found on the Cyber AB's website here], and [[CAP\|discussed on this Wiki here]].

	* The C3PAO reviews the organization's policies, procedures, security controls, and their implementation to ensure compliance with the required CMMC level.		* The C3PAO reviews the organization's policies, procedures, security controls, and their implementation to ensure compliance with the required CMMC level.

Marieramsay at 17:26, 30 September 2024

2024-09-30T17:26:53Z

← Older revision		Revision as of 17:26, 30 September 2024
Line 84:		Line 84:
	* If significant changes occur, such as new systems or processes, companies may be subject to interim audits or additional assessments.		* If significant changes occur, such as new systems or processes, companies may be subject to interim audits or additional assessments.

	===CMMC Levels Summary:===		==CMMC Levels Summary:==

	'''CMMC Level 1 (Basic Cyber Hygiene):''' Self-assessment allowed, focused on FCI protection.		'''CMMC Level 1 (Basic Cyber Hygiene):''' Self-assessment allowed, focused on FCI protection.
Line 92:		Line 92:
	'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.		'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.

	===Challenges and Considerations:===		==Challenges and Considerations:==

	'''Cost:''' Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.		'''Cost:''' Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.
Line 100:		Line 100:
	'''Supply Chain Impact:''' Prime contractors are responsible for ensuring that their entire supply chain, including subcontractors, meet the required CMMC levels, which can make compliance across the supply chain complex.		'''Supply Chain Impact:''' Prime contractors are responsible for ensuring that their entire supply chain, including subcontractors, meet the required CMMC levels, which can make compliance across the supply chain complex.

	===CMMC 2.0 Update:===		==CMMC 2.0 Update:==

	The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.		The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.

	=== Conclusion:===		== Conclusion:==

	In the CMMC framework, self-assessments allow lower-tier contractors to meet basic security standards at a lower cost, while third-party certification is required for companies handling more sensitive data, such as CUI. This dual approach balances the need for strong cybersecurity controls with the practical realities of cost and resource constraints across the defense industrial base. Organizations aiming to do business with the DoD must understand their specific CMMC requirements and implement the necessary controls to achieve certification or self-assessment compliance.		In the CMMC framework, self-assessments allow lower-tier contractors to meet basic security standards at a lower cost, while third-party certification is required for companies handling more sensitive data, such as CUI. This dual approach balances the need for strong cybersecurity controls with the practical realities of cost and resource constraints across the defense industrial base. Organizations aiming to do business with the DoD must understand their specific CMMC requirements and implement the necessary controls to achieve certification or self-assessment compliance.

Marieramsay at 17:25, 30 September 2024

2024-09-30T17:25:36Z

← Older revision		Revision as of 17:25, 30 September 2024
Line 84:		Line 84:
	* If significant changes occur, such as new systems or processes, companies may be subject to interim audits or additional assessments.		* If significant changes occur, such as new systems or processes, companies may be subject to interim audits or additional assessments.

	~~'''5.~~ CMMC Levels Summary:~~'''~~		===CMMC Levels Summary:===

	'''CMMC Level 1 (Basic Cyber Hygiene):''' Self-assessment allowed, focused on FCI protection.		'''CMMC Level 1 (Basic Cyber Hygiene):''' Self-assessment allowed, focused on FCI protection.
Line 92:		Line 92:
	'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.		'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.

	~~'''6.~~ Challenges and Considerations:~~'''~~		===Challenges and Considerations:===

	'''Cost:''' Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.		'''Cost:''' Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.
Line 100:		Line 100:
	'''Supply Chain Impact:''' Prime contractors are responsible for ensuring that their entire supply chain, including subcontractors, meet the required CMMC levels, which can make compliance across the supply chain complex.		'''Supply Chain Impact:''' Prime contractors are responsible for ensuring that their entire supply chain, including subcontractors, meet the required CMMC levels, which can make compliance across the supply chain complex.

	~~'''7.~~ CMMC 2.0 Update:~~'''~~		===CMMC 2.0 Update:===

	The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.		The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.

Marieramsay at 02:22, 30 September 2024

2024-09-30T02:22:40Z

← Older revision		Revision as of 02:22, 30 September 2024
Line 91:		Line 91:

	'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.		'''CMMC Level 3 (Good Cyber Hygiene):''' Third-party certification required, covers NIST SP 800-171.

	~~'''CMMC Level 4 (Proactive):''' Focused on advanced security practices to protect against APTs; requires third-party certification.~~

	~~'''CMMC Level 5 (Advanced/Progressive):''' Requires the highest level of protection, especially for critical national security projects; requires third-party certification.~~

	'''6. Challenges and Considerations:'''		'''6. Challenges and Considerations:'''

Marieramsay at 23:18, 29 September 2024

2024-09-29T23:18:27Z

← Older revision		Revision as of 23:18, 29 September 2024
Line 58:		Line 58:
	For companies required to undergo third-party certification, the following steps are typically involved:		For companies required to undergo third-party certification, the following steps are typically involved:

	'''1. Preparation:''''		'''1. Preparation:'''

	* Companies conduct a gap analysis to determine where their current cybersecurity posture aligns with the CMMC level they are aiming to achieve.		* Companies conduct a gap analysis to determine where their current cybersecurity posture aligns with the CMMC level they are aiming to achieve.
Line 64:		Line 64:
	* Many contractors hire consultants or use tools to help them prepare for the formal assessment by ensuring that their processes and systems meet the necessary standards.		* Many contractors hire consultants or use tools to help them prepare for the formal assessment by ensuring that their processes and systems meet the necessary standards.

	'''2. Assessment by C3PAO:''''		'''2. Assessment by C3PAO:'''

	* Certified Third-Party Assessor Organizations (C3PAOs) are accredited by the CMMC-AB to conduct assessments.		* Certified Third-Party Assessor Organizations (C3PAOs) are accredited by the CMMC-AB to conduct assessments.

Marieramsay at 23:17, 29 September 2024

2024-09-29T23:17:57Z

← Older revision		Revision as of 00:07, 2 March 2025
Line 3:		Line 3:
	=== 1. CMMC Overview: ===		=== 1. CMMC Overview: ===

	The CMMC framework is a tiered certification model intended to assess the cybersecurity maturity of contractors and suppliers within the Defense Industrial Base ([[DIB]]). It is divided into ~~five~~ levels of increasing cybersecurity rigor, from basic cyber hygiene at Level 1 to advanced protection measures at Level 5. The CMMC ensures that contractors meet specific security standards, particularly those outlined in [[NIST 800-171]] and enhanced security practices beyond that.		The CMMC framework is a tiered certification model intended to assess the cybersecurity maturity of contractors and suppliers within the Defense Industrial Base ([[DIB]]). It is divided into three levels of increasing cybersecurity rigor, from basic cyber hygiene at Level 1 to advanced protection measures at Level 3. The CMMC ensures that contractors meet specific security standards, particularly those outlined in [[NIST 800-171]] and enhanced security practices beyond that.

	=== 2. Self-Assessments in CMMC:===		=== 2. Self-Assessments in CMMC:===
Line 44:		Line 44:
	* In cases where only Federal Contract Information (FCI) is handled, a self-assessment may suffice, but for CUI, external validation is necessary.		* In cases where only Federal Contract Information (FCI) is handled, a self-assessment may suffice, but for CUI, external validation is necessary.

	'''CMMC Level 3 ~~and Above~~:'''		'''CMMC Level 3:'''

	* Level 3 ~~through Level 5 involve~~ increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs).		* Level 3 involves increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs).

	* Third-party certification is mandatory, and the [[CMMC-AB]] / The Cyber AB (CMMC Accreditation Body) oversees this process.		* Third-party certification is mandatory, and the [[CMMC-AB]] / The Cyber AB (CMMC Accreditation Body) oversees this process.
Line 52:		Line 52:
	* These higher levels of certification require a formal audit by a [[C3PAO]], where the assessor evaluates the organization's implementation of required cybersecurity controls.		* These higher levels of certification require a formal audit by a [[C3PAO]], where the assessor evaluates the organization's implementation of required cybersecurity controls.

	* Certification at ~~these~~ levels is valid for up to three years before re-certification is needed.		* Certification at this levels is valid for up to three years before re-certification is needed (unless a significant change happens in the environment, in which case, re-certification would be required).

	=== 4. Steps in the Certification Process:===		=== 4. Steps in the Certification Process:===
Line 77:		Line 77:
	* If the organization passes the assessment, the C3PAO submits its findings to The Cyber AB, which then issues the certification.		* If the organization passes the assessment, the C3PAO submits its findings to The Cyber AB, which then issues the certification.

	* Certification is valid for three years at Levels 2-5, after which the organization must undergo re-certification.		* Certification is valid for three years at Levels 2-3, after which the organization must undergo re-certification.

	'''4. Post-Certification Monitoring:'''		'''4. Post-Certification Monitoring:'''

← Older revision		Revision as of 23:17, 29 September 2024
Line 1:		Line 1:
	In the Cybersecurity Maturity Model Certification (CMMC) framework, self-assessments and third-party certifications are two key mechanisms that organizations (especially defense contractors) use to demonstrate compliance with cybersecurity requirements set by the Department of Defense (DoD). These mechanisms are designed to ensure that contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) have adequate cybersecurity measures in place.		In the Cybersecurity Maturity Model Certification (CMMC) framework, self-assessments and third-party certifications are two key mechanisms that organizations (especially defense contractors) use to demonstrate compliance with cybersecurity requirements set by the Department of Defense (DoD). These mechanisms are designed to ensure that contractors handling Controlled Unclassified Information ([[CUI]]) and Federal Contract Information ([[FCI]]) have adequate cybersecurity measures in place.

	=== 1. CMMC Overview: ===		=== 1. CMMC Overview: ===

	The CMMC framework is a tiered certification model intended to assess the cybersecurity maturity of contractors and suppliers within the Defense Industrial Base (DIB). It is divided into five levels of increasing cybersecurity rigor, from basic cyber hygiene at Level 1 to advanced protection measures at Level 5. The CMMC ensures that contractors meet specific security standards, particularly those outlined in NIST 800-171 and enhanced security practices beyond that.		The CMMC framework is a tiered certification model intended to assess the cybersecurity maturity of contractors and suppliers within the Defense Industrial Base ([[DIB]]). It is divided into five levels of increasing cybersecurity rigor, from basic cyber hygiene at Level 1 to advanced protection measures at Level 5. The CMMC ensures that contractors meet specific security standards, particularly those outlined in [[NIST 800-171]] and enhanced security practices beyond that.

	=== 2. Self-Assessments in CMMC:===		=== 2. Self-Assessments in CMMC:===
Line 15:		Line 15:
	* Self-assessment is allowed for Level 1 contractors. These companies are not required to undergo a third-party audit but must:		* Self-assessment is allowed for Level 1 contractors. These companies are not required to undergo a third-party audit but must:
	** Complete a self-assessment based on the specified practices.		** Complete a self-assessment based on the specified practices.
	** Submit their score (from the self-assessment) to the Supplier Performance Risk System (SPRS), a DoD-managed system.		** Submit their score (from the self-assessment) to the Supplier Performance Risk System ([[SPRS]]), a DoD-managed system.
	** Self-assessments are valid for up to one year, meaning organizations need to reassess and resubmit their status annually.		** Self-assessments are valid for up to one year, meaning organizations need to reassess and resubmit their status annually.

Line 48:		Line 48:
	* Level 3 through Level 5 involve increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs).		* Level 3 through Level 5 involve increasingly sophisticated cybersecurity requirements to address risks posed by Advanced Persistent Threats (APTs).

	* Third-party certification is mandatory, and the CMMC-AB (CMMC Accreditation Body) oversees this process.		* Third-party certification is mandatory, and the [[CMMC-AB]] (CMMC Accreditation Body) oversees this process.

	* These higher levels of certification require a formal audit by a C3PAO, where the assessor evaluates the organization's implementation of required cybersecurity controls.		* These higher levels of certification require a formal audit by a [[C3PAO]], where the assessor evaluates the organization's implementation of required cybersecurity controls.

	* Certification at these levels is valid for up to three years before re-certification is needed.		* Certification at these levels is valid for up to three years before re-certification is needed.