2643 - Cybersecurity Maturity Model Certification (CMMC) Professional
Course Description
WHAT IS CMMC?
In 2019, the Department of Defense (DoD) announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to govern the Defense Industrial Base (DIB). CMMC puts an end to self-assessment and requires a third-party assessor to verify an organization's cybersecurity maturity level.
The CMMC builds from NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturity model and the role of third-party assessors.
On November 4, 2021, the Department of Defense unveiled an update to the Cybersecurity Maturity Model Certification framework – CMMC 2.0 – to streamline compliance, increase flexibility, and lower cost for manufacturers and IT providers.
INTRODUCTION TO CYBERSECURITY MATURITY MODEL CERTIFICATION
In 2019, the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-reporting of cyber hygiene that used to govern the Defense Industrial Base (DIB). CMMC puts an end to self-assessment and requires a third-party assessor to verify the cybersecurity maturity level.
The CMMC builds from NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturity model and the role of third-party assessors.
The CMMC defines 17 domains of cyber hygiene comprising hundreds of objectives. In fact, you must meet 705 objectives at CMMC Level Three. Many of these objectives, up to 70%, do not rely on or require a technical solution.
In this module we will learn and explore the aspects and elements of CMMC and explain its overall importance to different stakeholders by asking:
- What kind of sensitive data does CMMC seek to protect?
- How did CMMC become federal policy?
- What foundational documents and regulations spell out the requirements for CMMC?
HISTORY AND PLAYERS OF CMMC
On February 24th, 2021, President Biden signed an Executive Order to protect our supply chains. CMMC seeks to protect the global Defense supply chain by creating a baseline of cybersecurity.
This baseline began to unfold with the Federal Information Security Management Act (FISMA), passed in 2002. In this module we will trace the history of CMMC from FISMA to today, covering both the regulations and the players in the ecosystem.
SECURING SENSITIVE DATA
Compliance with CMMC requires the protection of two types of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Understanding how these data types are handled helps ensure CMMC compliance.
In this module we will learn the differences between types of data and the legal responsibilities of authorized holders. You will write sample policies and examine procedures to protect controlled unclassified information (CUI).
CYBERSECURITY ETHICS
Cybersecurity Maturity Model Certification will have massive impacts on businesses. Millions of dollars in contracting can vanish if a company fails an assessment. This makes ethics an utmost concern of the CMMC-AB.
In this module we will trace the roots of cybersecurity ethics. We will then review specific policies of the CMMC-AB and consider malicious and accidental internal threats around conflicts of interest.
KNOWING YOUR SCOPE
A Certified CMMC Professional will need to provide scoping guidance to Organizations Seeking Certification (OSC). Understanding data flow diagrams and how sensitive data traverse your people, processes, and technologies will impact the bottom line.
In this module we will define three levels of scoping, then discuss elements of network diagramming and scoping using a segmented-zone approach.
CMMC METHODOLOGY
As a Certified CMMC Professional (CCP), you will want to coach an OSC on the CMMC Assessment Process. This involves four phases designed to assess an OSC over a period of six to eight weeks.
In this module we will go through the four phases, identify key levers at each phase and then build a fictional assessment team.
IDENTITY AND ACCESS MANAGEMENT
The Department of Defense (DoD)'s Cybersecurity Maturity Model Certification (CMMC) is the latest step in the DoD's program to protect controlled unclassified information (CUI), the defense industrial base (DIB), and the DoD's supply chain.
Controlling access to your network is an essential foundation for security. The domains in this chapter are all intended to help you control access to your networked environment. Controlling access is fundamental to ensuring CUI and other information is appropriately protected.
In this module we'll examine:
- WHO has access to your network?
- WHAT systems can be accessed?
- HOW is access to information controlled?
- WHERE can you confirm that your control measures are effective?
PEOPLE AND PROCEDURES
Technology changes and evolves constantly; the specific security measures taken to protect any given technology must also evolve with it. One element in the security equation, however, remains constant: the human element. As humans, we have the ability to make mistakes or do something unexpected.
A number of studies have shown that between 50% and 80% of all cybersecurity breaches are caused by human error. This number includes cases where a human was tricked into engaging with a malicious actor without realizing it. Training, awareness, and proper understanding of the risks associated with an activity are all important parts of protecting sensitive information.
In this module we'll examine:
- What is the difference between awareness and training?
- What elements make up a good personnel security plan?
- How can you apply the findings of security and risk assessments to building a solid security program?
TECHNICAL SYSTEMS
Protecting data isn't just preventing unauthorized access; protecting data also requires making that data available to the people and processes that need it. Indeed, two of the three elements of the CIA triad, Integrity and Availability, describe the timely usefulness of that data.
The domains discussed in this module are all focused on ensuring that the data you have is accessible and useful when it is needed.
In this module we'll examine:
- How do you plan for the unexpected, such as a natural disaster?
- What are the best practices to ensure you can bring backup data online within your own time requirements?
- What are your options in backing up and recovering stored data?
GOVERNANCE
Into every life a little rain must fall. In the cybersecurity world, it is really a matter of WHEN a breach will occur rather than IF a breach will occur. Indeed, three of the five functions of the NIST Cybersecurity Framework deal with a breach that is already occurring: Detect, Respond, and Recover.
The domains discussed in this module prepare you to respond to an incident, and to quickly detect and quantify any events that could indicate an incident is in progress.
In this module we'll examine:
- What are the key elements of an incident response plan?
- What systems and processes need to be in place prior to an incident occurring?
- How do you maintain situational awareness so that an incident is caught as early as possible?