diff --git a/content/software-security/compliance/cmmc-2/CMMC-level.jpg b/content/software-security/compliance/cmmc-2/cmmc-2-levels/CMMC-level.jpg similarity index 100% rename from content/software-security/compliance/cmmc-2/CMMC-level.jpg rename to content/software-security/compliance/cmmc-2/cmmc-2-levels/CMMC-level.jpg diff --git a/content/software-security/compliance/cmmc-2/cmmc-2-levels.md b/content/software-security/compliance/cmmc-2/cmmc-2-levels/index.md similarity index 85% rename from content/software-security/compliance/cmmc-2/cmmc-2-levels.md rename to content/software-security/compliance/cmmc-2/cmmc-2-levels/index.md index 7700fcd557..8e0e2215a3 100644 --- a/content/software-security/compliance/cmmc-2/cmmc-2-levels.md +++ b/content/software-security/compliance/cmmc-2/cmmc-2-levels/index.md @@ -4,7 +4,7 @@ description: "Learn about the differences between CMMC 2.0's maturity levels" lead: "Learn about the differences between CMMC 2.0's maturity levels" type: "article" date: 2024-08-09T19:10:09+00:00 -lastmod: 2024-08-09T19:10:09+00:00 +lastmod: 2024-08-15T19:10:09+00:00 contributors: [] draft: false tags: ["compliance", "CMMC 2.0", "standards"] 
@@ -16,65 +16,65 @@ weight: 002 toc: true --- -The **Cybersecurity Maturity Model Certification (CMMC) 2.0 ** integrates various cybersecurity standards and best practices into a unified model that encompasses three maturity levels. Each level builds upon the previous one, with increasing rigor in cybersecurity practices and processes. In this article, we’ll provide an overview of the three levels of maturity and example practices that are representative of their requirements. +The **Cybersecurity Maturity Model Certification (CMMC) 2.0** integrates various cybersecurity standards and best practices into a unified model that encompasses three maturity levels. Each level builds upon the previous one, with increasing rigor in cybersecurity practices and processes. In this article, we’ll provide an overview of the three levels of maturity and example practices that are representative of their requirements. -![Overview of CMMC Model 2.0 showing three levels: Level 3 (Expert) with over 110 practices based on NIST SP 800-172 and triennial government-led assessments, Level 2 (Advanced) with 110 practices aligned with NIST SP 800-171 and a mix of triennial third-party assessments and annual self-assessments, and Level 1 (Foundational) with 17 practices and annual self-assessment.](./CMMC-level.jpg) +![Overview of CMMC Model 2.0 showing three levels: Level 3 (Expert) with over 110 practices based on NIST SP 800-172 and triennial government-led assessments, Level 2 (Advanced) with 110 practices aligned with NIST SP 800-171 and a mix of triennial third-party assessments and annual self-assessments, and Level 1 (Foundational) with 17 practices and annual self-assessment.](CMMC-level.jpg) ## Level 1: Foundational Contractors and subcontractors who handle only [Federal Contract Information](https://isoo.blogs.archives.gov/2020/06/19/%E2%80%8Bfci-and-cui-what-is-the-difference/) (FCI) typically need this level of certification. 
This is particularly relevant for small businesses that provide basic products or services without dealing with sensitive information. For example, a company supplying standard office supplies to a government agency would fall under this category. The focus at this level is on maintaining basic safeguards by implementing 17 fundamental cybersecurity practices. These practices are primarily derived from the Federal Acquisition Regulation (FAR) 52.204-21, a set of rules for government procurement in the United States. They are designed to protect FCI by ensuring that essential, straightforward protections are in place. -**Documentation Requirements** +### Documentation Requirements At Level 1, the documentation requirements are minimal, focusing on basic cyber hygiene through the implementation of 17 foundational cybersecurity practices. The purpose is to establish essential protections without the need for extensive documentation. For example, organizations may maintain basic policies and procedures for access control, media protection, and physical security, along with records of security awareness training. The emphasis at this level is on demonstrating that these fundamental practices are in place, rather than producing detailed documentation, as required in higher levels. -**Example Level 1 Practices:** +### Example Level 1 Practices - Limiting information system access to authorized users. - Conducting background checks on employees. - Implementing basic measures such as antivirus and firewalls. -### Level 2: Advanced +## Level 2: Advanced Contractors and subcontractors who handle [Controlled Unclassified Information](https://www.ftc.gov/policy-notices/controlled-unclassified-information) (CUI) but are not involved in critical defense programs typically need Level 2 certification. This is relevant for companies involved in more complex projects that deal with sensitive, though not highly classified, data. 
For instance, a contractor providing technical support for military communication systems, where sensitive but not classified information is exchanged, would require this level. Level two consists of implementing a subset of the security requirements specified in NIST SP 800-171, totaling 110 practices. This level is designed as a transitional step for organizations aiming to achieve Level 3, building upon the foundational practices established in Level 1. -**Documentation Requirements** +### Documentation Requirements At Level 2, the documentation requirements are moderate, reflecting the need for intermediate cyber hygiene and addressing a subset of the NIST SP 800-171 requirements. Organizations must maintain a System Security Plan (SSP) that outlines security strategies and vulnerability assessment and remediation plans. They must also create a Plan of Action and Milestones (POA&M) addressing any aspects of the organization which are note yet implemented. Other Level 2 documentation requirements may include audit logs, incident response reports, inventory of the organization’s systems, location of [Controlled Unclassified Information](https://www.ftc.gov/policy-notices/controlled-unclassified-information) (CUI) in the organization’s environment, and other documents related to the implementation and management of cybersecurity practices. -**Example Level 2 Practices:** +### Example Level 2 Practices - Implementing multifactor authentication. - Conducting regular vulnerability assessments. - Establishing and maintaining an operational incident-handling capability for organizational systems. -### Level 3: Expert +## Level 3: Expert Contractors handling highly sensitive CUI and involved in critical defense programs typically require this level of certification. This applies to large defense contractors developing advanced military technologies, such as a company designing next-generation fighter jets for the DoD. 
The focus at this level is on advanced and proactive cyber hygiene, requiring organizations to implement all 110 practices from NIST SP 800-171, along with additional practices from a subset of NIST SP 800-172. This level demands advanced security measures to protect CUI against advanced persistent threats (APTs), such as cyber-espionage campaigns, zero-day exploits, and coordinated attacks targeting vulnerabilities in critical infrastructure. It requires three government-led assessments a year to maintain compliance. -**Documentation Requirements** +### Documentation Requirements Level 3 requires the same documentation requirements as Level 2, including the [System Security Plan](https://csrc.nist.gov/glossary/term/system_security_plan) (SSP) and [Plan of Action and Milestones](https://csrc.nist.gov/glossary/term/poaandm) (POA&M). Further documentation requirements will be clear once the DoD determines which additional practices from NIST SP 800-172 will also be required. -**Example Practices:** +### Example Level 3 Practices At the time of publication, specific Level 3 practices are still being determined. However, the Department of Defense has indicated that they will be pulled from a subset of NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. Each CMMC level builds upon the previous one, ensuring that as organizations progress through the levels, their cybersecurity posture becomes more robust and capable of addressing increasingly sophisticated threats. This tiered approach allows organizations of varying sizes and capabilities to incrementally improve their cybersecurity measures while meeting the specific requirements necessary to handle sensitive information. To learn more about the specific required practices of CMMC 2.0, continue to the [Overview of CMMC 2.0 Practice/Control Groups](./cmmc-practices.md). 
-## Browse all CMMC 2.0 articles: +## Browse all CMMC 2.0 Articles -- [Introduction to CMMC 2.0](./intro-cmmc-2.md) +- [Introduction to CMMC 2.0](/software-security/compliance/cmmc-2/intro-cmmc-2/) - (Current article) CMMC 2.0 Maturity Levels -- [Overview of CMMC 2.0 Practice/Control Groups](./cmmc-practices.md) -- [How Chainguard Can Help With CMMC 2.0](./cmmc-chainguard.md) +- [Overview of CMMC 2.0 Practice/Control Groups](/software-security/compliance/cmmc-2/cmmc-practices/) +- [How Chainguard Can Help With CMMC 2.0](/software-security/compliance/cmmc-2/cmmc-chainguard/) -**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips)** +**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips?utm_source=docs)** \ No newline at end of file diff --git a/content/software-security/compliance/cmmc-2/cmmc-chainguard.md b/content/software-security/compliance/cmmc-2/cmmc-chainguard.md index c544d2d29b..4b2a71bf08 100644 --- a/content/software-security/compliance/cmmc-2/cmmc-chainguard.md +++ b/content/software-security/compliance/cmmc-2/cmmc-chainguard.md @@ -4,7 +4,7 @@ description: "Chainguard Images reduce the time and effort for establishing CMMC lead: "Chainguard Images reduce the time and effort for establishing CMMC 2.0 compliance" type: "article" date: 2024-08-09T19:10:09+00:00 -lastmod: 2024-08-09T19:10:09+00:00 +lastmod: 2024-08-15T19:10:09+00:00 contributors: [] draft: false tags: ["compliance", "CMMC 2.0", "standards"] 
@@ -37,11 +37,12 @@ STIG-hardened FIPS images are highly beneficial for achieving CMMC 2.0 complianc By leveraging Chainguard’s resources, organizations can accelerate their path to CMMC 2.0 certification while effectively managing and reporting on critical security controls. Our integrated approach not only ensures that compliance requirements are met but also enhances overall security posture, allowing organizations to focus on their core operations with confidence. -## Browse all CMMC 2.0 articles: +## Browse all CMMC 2.0 Articles -- [Introduction to CMMC 2.0](./intro-cmmc-2.md) -- [CMMC 2.0 Maturity Levels](./cmmc-2-levels.md) -- [Overview of CMMC 2.0 Practice/Control Groups](./cmmc-practices.md) +- [Introduction to CMMC 2.0](/software-security/compliance/cmmc-2/intro-cmmc-2/) +- [CMMC 2.0 Maturity Levels](/software-security/compliance/cmmc-2/cmmc-2-levels/) +- [Overview of CMMC 2.0 Practice/Control Groups](/software-security/compliance/cmmc-2/cmmc-practices/) - (Current article) How Chainguard Can Help With CMMC 2.0 -**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips)** + +**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips?utm_source=docs)** \ No newline at end of file diff --git a/content/software-security/compliance/cmmc-2/cmmc-practices.md b/content/software-security/compliance/cmmc-2/cmmc-practices.md index 906547ab2e..0442a5ee98 100644 --- a/content/software-security/compliance/cmmc-2/cmmc-practices.md +++ b/content/software-security/compliance/cmmc-2/cmmc-practices.md @@ -4,7 +4,7 @@ description: "Learn about the 14 differenct domains of practices required for CM lead: "Learn about the 14 differenct domains of practices required for CMMC 2.0" type: "article" date: 2024-08-09T19:10:09+00:00 -lastmod: 2024-08-09T19:10:09+00:00 +lastmod: 2024-08-15T19:10:09+00:00 contributors: [] draft: false tags: ["compliance", "CMMC 2.0", "standards"] 
@@ -53,10 +53,11 @@ Physics Laboratory LLC and funded by the Department of Defense (DoD). To learn more about requirements for tracking compliance, continue to the next article in our guide, [CMMC 2.0 Documentation Requirements](./cmmc-documentation.md) -## Browse all CMMC 2.0 articles: -- [Introduction to CMMC 2.0](./intro-cmmc-2.md) -- [CMMC 2.0 Maturity Levels](./cmmc-2-levels.md) +## Browse all CMMC 2.0 Articles + +- [Introduction to CMMC 2.0](/software-security/compliance/cmmc-2/intro-cmmc-2/) +- [CMMC 2.0 Maturity Levels](/software-security/compliance/cmmc-2/cmmc-2-levels/) - (Current article) Overview of CMMC 2.0 Practice/Control Groups -- [How Chainguard Can Help With CMMC 2.0](./cmmc-chainguard.md) +- [How Chainguard Can Help With CMMC 2.0](/software-security/compliance/cmmc-2/cmmc-chainguard/) -**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips)** +**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips?utm_source=docs)** diff --git a/content/software-security/compliance/cmmc-2/intro-cmmc-2.md b/content/software-security/compliance/cmmc-2/intro-cmmc-2.md index b64e753d31..5e72af7921 100644 --- a/content/software-security/compliance/cmmc-2/intro-cmmc-2.md +++ b/content/software-security/compliance/cmmc-2/intro-cmmc-2.md @@ -4,7 +4,7 @@ description: "How to prepare your organization to meet the requirements of CMMC lead: "How to prepare your organization to meet the requirements of CMMC 2.0" type: "article" date: 2024-08-09T19:10:09+00:00 -lastmod: 2024-08-09T19:10:09+00:00 +lastmod: 2024-08-15T19:10:09+00:00 contributors: [] draft: false tags: ["compliance", "CMMC 2.0", "standards"] 
@@ -47,11 +47,11 @@ Failure to comply with CMMC 2.0 can have several significant impacts: Achieving compliance with CMMC 2.0 is not just a regulatory requirement but a critical step in safeguarding national security and contracting with the DoD. To prepare your organization for CMMC 2.0, continue on to the next section of our guide, [CMMC 2.0 Maturity Levels](./cmmc-2-levels.md), or read about [how Chainguard Images can help simplify fulfilling CMMC 2.0 requirements](./cmmc-chainguard.md). -## Browse all CMMC 2.0 articles: +## Browse all CMMC 2.0 Articles - (Current article) Introduction to CMMC 2.0 -- [CMMC 2.0 Maturity Levels](./cmmc-2-levels.md) -- [Overview of CMMC 2.0 Practice/Control Groups](./cmmc-practices.md) -- [How Chainguard Can Help With CMMC 2.0](./cmmc-chainguard.md) +- [CMMC 2.0 Maturity Levels](/software-security/compliance/cmmc-2/cmmc-2-levels/) +- [Overview of CMMC 2.0 Practice/Control Groups](/software-security/compliance/cmmc-2/cmmc-practices/) +- [How Chainguard Can Help With CMMC 2.0](/software-security/compliance/cmmc-2/cmmc-chainguard/) -**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips)** +**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips?utm_source=docs)**
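Review bot: The closing line of the `cmmc-2-levels` body hunk (@@ -16,65) still links to `./cmmc-practices.md`, but this patch moves the article from `cmmc-2-levels.md` to `cmmc-2-levels/index.md`, so that relative link now resolves one directory deeper than its target; the browse-list entries in the same hunk were converted to absolute paths (`/software-security/compliance/cmmc-2/cmmc-practices/`) and this link should get the same treatment. Two smaller points in the unchanged context of this hunk: `which are note yet implemented` should read `not yet implemented`, and "It requires three government-led assessments a year to maintain compliance" contradicts the image alt text in the same hunk, which describes Level 3 assessments as triennial.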
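Review bot: The CTA link added at the end of the `cmmc-chainguard.md` hunk (@@ -37,11) is `https://images.chainguard.dev/?category=fips?utm_source=docs`, which joins the second parameter with a second `?` instead of `&`, so `utm_source=docs` ends up inside the `category` value rather than being parsed as its own parameter; it should be `?category=fips&utm_source=docs`. The same string is introduced in the CTA lines of the other three files in this patch, so all four need the fix. As a style point, this file and `cmmc-2-levels/index.md` still end without a trailing newline (`\ No newline at end of file`) while `cmmc-practices.md` and `intro-cmmc-2.md` do.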
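Review bot: The front-matter context of the `cmmc-practices.md` hunk (@@ -4,7) still carries the typo `differenct` in both the `description` and `lead` fields; since this hunk already touches the adjacent `lastmod` line, correcting it to `different` here is cheap and keeps the page metadata presentable.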
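Review bot: In the `cmmc-practices.md` hunk (@@ -53,10), the context line above the browse list points to `./cmmc-documentation.md` (`CMMC 2.0 Documentation Requirements`), an article that appears neither in this patch nor in the browse list directly below it, and the sentence has no terminating period; either confirm that target exists and convert it to the absolute-path style used for the list in this hunk, or drop the sentence so the guide does not advertise a page it does not link to.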
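Review bot: The paragraph at the top of the `intro-cmmc-2.md` hunk (@@ -47,11) still links to `./cmmc-2-levels.md`, a file this patch renames to `cmmc-2-levels/index.md`, so the link breaks as soon as the rename lands; it should become `/software-security/compliance/cmmc-2/cmmc-2-levels/`, matching the browse-list entries converted in this same hunk, and the adjacent `./cmmc-chainguard.md` link would benefit from the same absolute-path treatment for consistency.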