CMMC Ecosystem
CMMC Scoping
CMMC Assessment Process
CMMC Model Construct
CMMC Governance
100

This government organization oversees the implementation and enforcement of the CMMC program.

What is the Department of Defense (DoD)?

100

This process determines which systems, assets, and environments are subject to CMMC requirements.

What is scoping?

100

The CMMC Assessment Process is organized into this number of distinct phases.

What are four phases?

100

The CMMC Model is based on this NIST publication, which outlines security requirements for protecting Controlled Unclassified Information (CUI).

What is NIST SP 800-171?

100

This is a public-private cybersecurity partnership designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness.

What is the Defense Industrial Base Net (DIBNET)?

200

This entity is responsible for training and certifying assessors in the CMMC ecosystem.

What is the Cyber AB (formerly the CMMC Accreditation Body)?

200

These types of assets are directly involved in storing, processing, or transmitting Controlled Unclassified Information (CUI).

What are CUI assets?

200

This individual is responsible for ensuring the accuracy and completeness of assessment documentation prior to upload into CMMC eMASS.

What is the CMMC Quality Assurance Professional (CQAP)?

200

The CMMC Model includes practices and processes that are mapped to these maturity levels.

What are Levels 1, 2, and 3?

200

This explains the legal requirements for handling CUI on non-federal systems and was created by Executive Order 13556.

What is CFR 32 Part 2002?

300

These organizations conduct formal assessments of companies seeking CMMC certification.

What are Certified Third-Party Assessment Organizations (C3PAOs)?

300

These assets provide security or support functions for systems handling CUI but do not directly process CUI themselves.

What are security protection assets?

300

This phase of the CMMC Assessment Process involves verifying the adequacy and sufficiency of evidence to determine whether practices meet the required standard.

What is Phase 2: Conduct the Assessment?

300

This many domains make up Level 2 of the CMMC Model.

What are 14 domains?

300

These important parts make up Part 48 of the CFR.

What are key definitions, adequate security, and incident response?

400

This type of professional provides consulting and guidance on CMMC requirements, but does not conduct official assessments.

What is a Registered Practitioner (RP)?

400

This type of network segmentation can be used to isolate in-scope systems from out-of-scope systems.

What is logical segmentation?

400

This phase of the CMMC Assessment Process involves delivering final recommended findings and submitting assessment results to CMMC eMASS.

What is Phase 3: Report Assessment Results?

400

Level 1 has this many domains.

What are 6 domains?

400

This is also commonly referred to as the FAR Clause and applies to level 1.

What is 48 CFR 52.204-21?

500

This office within the Department of Defense owns the CMMC Model and assigns the DFARS 252.204-7021 clause to contracts.

What is the Office of Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S)?

500

These assets are considered government property, test equipment, restricted information systems, and Internet of Things (IoT).

What are specialized assets?

500

This document must be updated regularly during Phase 1 to reflect changes in assessment scope, dates, or team composition.

What is the Pre-Assessment Data Form?

500

These are the names of the 6 domains of level 1.

What are Access Control (AC), Identification and Authentication (IA), Media Protection (MP), Physical Protection (PE), System and Communications Protection (SC), System and Information Integrity (SI)?

500

These clauses cover cloud computing.

What is DFARS 7008/9/10?
