CCP Blueprint: Difference between revisions
(19 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
'''Source of Reference: The [https://cyberab.org/ | '''Source of Reference: The CCP blueprint document from [https://cyberab.org/CMMC-Ecosystem/Ecosystem-roles/Assessing-and-Certification Cybersecurity Maturity Model Certification Accreditation Body, Inc.]''' | ||
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. | For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. | ||
Line 268: | Line 268: | ||
|2. CMMC-AB Code of Professional Conduct (CoPC) | |2. CMMC-AB Code of Professional Conduct (CoPC) | ||
|- | |- | ||
| | |3B, 4A | ||
|2.1.3 | |2.1.3 | ||
|3. ISO/IEC | |3. ISO/IEC | ||
Line 308: | Line 308: | ||
|12. Lawful and ethical practices | |12. Lawful and ethical practices | ||
|- | |- | ||
|4B | |4A, 4B, 7A, 10B | ||
|2.1.13 | |2.1.13 | ||
|13. Contracts and non-disclosure agreements | |13. Contracts and non-disclosure agreements | ||
Line 443: | Line 443: | ||
| | | | ||
::(2) Advanced/Level 2 (previous level 3) | ::(2) Advanced/Level 2 (previous level 3) | ||
:::( | |- | ||
:::: | |3A, 7B | ||
|3.1.2.C.2.a | |||
| | |||
:::(a) NIST SP 800-171 (Requirements) | |||
|- | |||
|3A, 7B, 9A | |||
|3.1.2.C.2.a.i | |||
| | |||
::::i. Provide overview of the 110 NIST SP 800-171 requirements and how they are applied within the CMMC Level 2 practices/assessment framework | |||
|- | |||
|3B, 3C | |||
|3.1.2.D | |||
| | |||
:D. Self-Assessments vs. Third-Party Assessments | :D. Self-Assessments vs. Third-Party Assessments | ||
|- | |||
|3B, 3C | |||
|3.1.2.D.1 | |||
| | |||
::(1) Define different criteria for various assessment type under CMMC v2.0 framework | ::(1) Define different criteria for various assessment type under CMMC v2.0 framework | ||
|- | |- | ||
|3C | |||
|3.1.3 | |||
|3. Consequences of non-compliance: | |3. Consequences of non-compliance: | ||
|- | |||
|3C | |||
|3.1.3.A | |||
| | |||
:A. Failure to receive an award of contract | :A. Failure to receive an award of contract | ||
|- | |||
|3C | |||
|3.1.3.B | |||
| | |||
:B. Contractual liability | :B. Contractual liability | ||
|- | |||
|3C | |||
|3.1.3.C | |||
| | |||
:C. False Claims Act | :C. False Claims Act | ||
|- | |||
|3C | |||
|3.1.3.C.1 | |||
| | |||
::(1) US Department of Justice, | ::(1) US Department of Justice, | ||
|- | |||
|3C | |||
|3.1.3.C.1.a | |||
| | |||
:::(a) Civil Cyber-Fraud Initiative | :::(a) Civil Cyber-Fraud Initiative | ||
|} | |} | ||
=== Task 2. Determine the appropriate roles/responsibilities/authority for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). === | === Task 2. Determine the appropriate roles/responsibilities/authority for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|2A | |||
|3.2.1 | |||
|1. Importance of data classification, collection, and analysis | |1. Importance of data classification, collection, and analysis | ||
|- | |||
|2A | |||
|3.2.1.A | |||
| | |||
:A. CUI Basic versus Specified | :A. CUI Basic versus Specified | ||
|- | |- | ||
|2A | |||
|3.2.2 | |||
|2. Contractor sensitive data categories | |2. Contractor sensitive data categories | ||
|- | |||
|2A | |||
|3.2.2.A | |||
| | |||
:A. Federal Contract Information (FCI) | :A. Federal Contract Information (FCI) | ||
|- | |||
|2A | |||
|3.2.2.A.1 | |||
| | |||
::(1) Section 4.1901 of the Federal Acquisition Regulation (FAR) | ::(1) Section 4.1901 of the Federal Acquisition Regulation (FAR) | ||
|- | |||
|2A | |||
|3.2.2.B | |||
| | |||
:B. Controlled Unclassified Information (CUI) | :B. Controlled Unclassified Information (CUI) | ||
|- | |||
|2A, 2B | |||
|3.2.2.B.1 | |||
| | |||
::(1) Part 2002 of Title 32 CFR, 2002.4(h) | ::(1) Part 2002 of Title 32 CFR, 2002.4(h) | ||
|- | |- | ||
|2A, 2B | |||
|3.2.3 | |||
|3. Government authority for identifying and marking CUI | |3. Government authority for identifying and marking CUI | ||
|- | |||
|2A, 2B | |||
|3.2.3.A | |||
| | |||
:A. Executive Order 13556 | :A. Executive Order 13556 | ||
|- | |||
|2A, 2B | |||
|3.2.3.B | |||
| | |||
:B. 32 Code of Federal Regulations, Part 2002 (Implementing Directive) | :B. 32 Code of Federal Regulations, Part 2002 (Implementing Directive) | ||
|- | |||
|2A, 2B | |||
|3.2.3.C | |||
| | |||
:C. DoD Instruction 5200.48, Controlled Unclassified Information (CUI) | :C. DoD Instruction 5200.48, Controlled Unclassified Information (CUI) | ||
|- | |- | ||
|2B | |||
|3.2.4 | |||
|4. Contractor/Authorized holders’ responsibilities in handling CUI | |4. Contractor/Authorized holders’ responsibilities in handling CUI | ||
|- | |||
|2B | |||
|3.2.4.A | |||
| | |||
:A. DoDI 5200.48 | :A. DoDI 5200.48 | ||
|- | |||
|1B, 2B | |||
|3.2.4.B | |||
| | |||
:B. Part 2002 of Title 32 CFR | :B. Part 2002 of Title 32 CFR | ||
|} | |} | ||
=== Task 3. Demonstrate understanding of the CMMC Source and Supplementary documents. === | === Task 3. Demonstrate understanding of the CMMC Source and Supplementary documents. === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|3A | |||
|3.3.1 | |||
|1. CMMC Source Documents | |1. CMMC Source Documents | ||
|- | |||
|3A, 7B | |||
|3.3.1.A | |||
| | |||
:A. CMMC Model Overview | :A. CMMC Model Overview | ||
|- | |||
|7A, 7B | |||
|3.3.1.B | |||
| | |||
:B. CMMC Level 1 Assessment Guide | :B. CMMC Level 1 Assessment Guide | ||
|- | |||
|7A, 7B | |||
|3.3.1.C | |||
| | |||
:C. CMMC Level 2 Assessment Guide | :C. CMMC Level 2 Assessment Guide | ||
|- | |||
|5A | |||
|3.3.1.D | |||
| | |||
:D. CMMC Level 1 Scoping Guidance | :D. CMMC Level 1 Scoping Guidance | ||
|- | |||
|5A | |||
|3.3.1.E | |||
| | |||
:E. CMMC Level 2 Scoping Guidance | :E. CMMC Level 2 Scoping Guidance | ||
|- | |||
|3A, 7A, 10B, 10C, 10D, 10E | |||
|3.3.1.F | |||
| | |||
:F. CMMC Assessment Process (CAP) | :F. CMMC Assessment Process (CAP) | ||
|- | |||
|3A | |||
|3.3.1.G | |||
| | |||
:G. CMMC Glossary | :G. CMMC Glossary | ||
|- | |||
|3A, 10D | |||
|3.3.1.H | |||
| | |||
:H. CMMC Artifact Hashing Tool User Guide | :H. CMMC Artifact Hashing Tool User Guide | ||
|- | |- | ||
|2A | |||
|3.3.2 | |||
|2. ISOO CUI Registry | |2. ISOO CUI Registry | ||
|- | |||
|2A | |||
|3.3.2.A | |||
| | |||
:A. NARA administers the CUI Registry | :A. NARA administers the CUI Registry | ||
|- | |||
|2A | |||
|3.3.2.A.1 | |||
| | |||
::(1) Types of labeled information on documents such as: | ::(1) Types of labeled information on documents such as: | ||
|- | |||
|2A | |||
|3.3.2.A.1.a | |||
| | |||
:::(a) Export Controlled (SP-EXPT) | :::(a) Export Controlled (SP-EXPT) | ||
|- | |||
|2B | |||
|3.3.2.A.1.b | |||
| | |||
:::(b) Specified marking/labeling using NARA CUI Marking Handbook | :::(b) Specified marking/labeling using NARA CUI Marking Handbook | ||
|- | |- | ||
|2A | |||
|3.3.3 | |||
|3. DoD CUI Registry | |3. DoD CUI Registry | ||
|- | |||
|2A, 2B | |||
|3.3.3.A | |||
| | |||
:A. Types of labeled information on documents such as: | :A. Types of labeled information on documents such as: | ||
|- | |||
|2A, 2B | |||
|3.3.3.A.1 | |||
| | |||
::(1) Naval Nuclear Propulsion Information (NNPI) | ::(1) Naval Nuclear Propulsion Information (NNPI) | ||
|- | |||
|2A, 2B | |||
|3.3.3.A.2 | |||
| | |||
::(2) NNPI marking/labeling using DoD CUI Marking Aid | ::(2) NNPI marking/labeling using DoD CUI Marking Aid | ||
|} | |} | ||
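Review bot: two wording issues in the unchanged rows of this hunk are worth fixing while the table is open: objective 3.1.2.D.1 reads "various assessment type under CMMC v2.0 framework" and should be "various assessment types under the CMMC v2.0 framework", and objective 3.1.3.C.1, "(1) US Department of Justice,", ends in a trailing comma with nothing after it, so either the cell was cut short or the comma should be removed.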
Line 504: | Line 666: | ||
=== Task 1. Given a scenario, apply the appropriate CMMC Source Documents as an aid to evaluate the implementation/review of CMMC practices. === | === Task 1. Given a scenario, apply the appropriate CMMC Source Documents as an aid to evaluate the implementation/review of CMMC practices. === | ||
(At a minimum CCP candidate must be evaluated on CMMC L1 Practices during CCP exam) | (At a minimum CCP candidate must be evaluated on CMMC L1 Practices during CCP exam) | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|3A | |||
|4.1.1 | |||
|1. Model Architecture | |1. Model Architecture | ||
|- | |- | ||
|3A | |||
|4.1.2 | |||
|2. Model Levels: | |2. Model Levels: | ||
|- | |||
|3A, 7B | |||
|4.1.2.A | |||
| | |||
:A. Cumulative Nature | :A. Cumulative Nature | ||
|- | |||
|3A | |||
|4.1.2.B | |||
| | |||
:B. Characteristics | :B. Characteristics | ||
|- | |||
|3B | |||
|4.1.2.C | |||
| | |||
:C. Levels required for specific contracts | :C. Levels required for specific contracts | ||
|- | |||
|3B | |||
|4.1.2.C.1 | |||
| | |||
::(1) Level 1 | ::(1) Level 1 | ||
|- | |||
|3B | |||
|4.1.2.C.2 | |||
| | |||
::(2) Level 2 | ::(2) Level 2 | ||
|- | |- | ||
|3A | |||
|4.1.3 | |||
|3. Practices: | |3. Practices: | ||
|- | |||
|7B | |||
|4.1.3.A | |||
| | |||
:A. Practices Descriptions | :A. Practices Descriptions | ||
|- | |||
|3A | |||
|4.1.3.A.1 | |||
| | |||
::(1) Practice Numbering Scheme | ::(1) Practice Numbering Scheme | ||
|- | |||
|3A | |||
|4.1.3.A.2 | |||
| | |||
::(2) Objectives | ::(2) Objectives | ||
|- | |||
|7B | |||
|4.1.3.A.3 | |||
| | |||
::(3) Assessment Methods and Objects | ::(3) Assessment Methods and Objects | ||
|- | |- | ||
|8A | |||
|4.1.4 | |||
|4. Domains: | |4. Domains: | ||
|- | |||
|3A | |||
|4.1.4.A | |||
| | |||
:A. Access Control (AC) | :A. Access Control (AC) | ||
|- | |||
|8A | |||
|4.1.4.A.1 | |||
| | |||
::(1) AC.L1-3.1.1 – Authorized Access Control | ::(1) AC.L1-3.1.1 – Authorized Access Control | ||
|- | |||
|8A | |||
|4.1.4.A.2 | |||
| | |||
::(2) AC.L1-3.1.2 – Transaction & Function Control | ::(2) AC.L1-3.1.2 – Transaction & Function Control | ||
|- | |||
|8A | |||
|4.1.4.A.3 | |||
| | |||
::(3) AC.L1-3.1.20 – External Connections | ::(3) AC.L1-3.1.20 – External Connections | ||
|- | |||
|8A | |||
|4.1.4.A.4 | |||
| | |||
::(4) AC.L1-3.1.22 – Control Public Information | ::(4) AC.L1-3.1.22 – Control Public Information | ||
|- | |||
|3A | |||
|4.1.4.B | |||
| | |||
:B. Audit & Accountability (AU) | :B. Audit & Accountability (AU) | ||
|- | |||
|3A | |||
|4.1.4.C | |||
| | |||
:C. Awareness & Training (AT) | :C. Awareness & Training (AT) | ||
|- | |||
|3A | |||
|4.1.4.D | |||
| | |||
:D. Configuration Management (CM) | :D. Configuration Management (CM) | ||
|- | |||
|3A | |||
|4.1.4.E | |||
| | |||
:E. Identification & Authentication (IA) | :E. Identification & Authentication (IA) | ||
|- | |||
|8A | |||
|4.1.4.E.1 | |||
| | |||
::(1) IA.L1-3.5.1 – Identification | ::(1) IA.L1-3.5.1 – Identification | ||
|- | |||
|8A | |||
|4.1.4.E.2 | |||
| | |||
::(2) IA.L1-3.5.2 – Authentication | ::(2) IA.L1-3.5.2 – Authentication | ||
|- | |||
|3A | |||
|4.1.4.F | |||
| | |||
:F. Incident Response (IR) | :F. Incident Response (IR) | ||
|- | |||
|3A | |||
|4.1.4.G | |||
| | |||
:G. Maintenance (MA) | :G. Maintenance (MA) | ||
|- | |||
|3A | |||
|4.1.4.H | |||
| | |||
:H. Media Protection (MP) | :H. Media Protection (MP) | ||
|- | |||
|8A | |||
|4.1.4.H.1 | |||
| | |||
::(1) MP.L1-3.8.3 – Media Disposal | ::(1) MP.L1-3.8.3 – Media Disposal | ||
|- | |||
|3A | |||
|4.1.4.I | |||
| | |||
:I. Personnel Security (PS) | :I. Personnel Security (PS) | ||
|- | |||
|3A | |||
|4.1.4.J | |||
| | |||
:J. Physical Protection (PE) | :J. Physical Protection (PE) | ||
|- | |||
|8A | |||
|4.1.4.J.1 | |||
| | |||
::(1) PE.L1-3.10.1 – Limit Physical Access | ::(1) PE.L1-3.10.1 – Limit Physical Access | ||
|- | |||
|8A | |||
|4.1.4.J.2 | |||
| | |||
::(2) PE.L1-3.10.3 – Escort Visitors | ::(2) PE.L1-3.10.3 – Escort Visitors | ||
|- | |||
|8A | |||
|4.1.4.J.3 | |||
| | |||
::(3) PE.L1-3.10.4 – Physical Access Logs | ::(3) PE.L1-3.10.4 – Physical Access Logs | ||
|- | |||
|8A | |||
|4.1.4.J.4 | |||
| | |||
::(4) PE.L1-3.10.5 – Manage Physical Access | ::(4) PE.L1-3.10.5 – Manage Physical Access | ||
|- | |||
|3A | |||
|4.1.4.K | |||
| | |||
:K. Risk Assessment (RA) | :K. Risk Assessment (RA) | ||
|- | |||
|3A | |||
|4.1.4.L | |||
| | |||
:L. Security Assessment (CA) | :L. Security Assessment (CA) | ||
|- | |||
|3A | |||
|4.1.4.M | |||
| | |||
:M. System & Communications Protection (SC) | :M. System & Communications Protection (SC) | ||
|- | |||
|8A | |||
|4.1.4.M.1 | |||
| | |||
::(1) SC.L1-3.13.1 – Boundary Protection | ::(1) SC.L1-3.13.1 – Boundary Protection | ||
|- | |||
|8A | |||
|4.1.4.M.2 | |||
| | |||
::(2) SC.L1-3.13.5 – Public-Access System Separation | ::(2) SC.L1-3.13.5 – Public-Access System Separation | ||
|- | |||
|3A | |||
|4.1.4.N | |||
| | |||
:N. System & Information Integrity (SI) | :N. System & Information Integrity (SI) | ||
|- | |||
|8A | |||
|4.1.4.N.1 | |||
| | |||
::(1) SI.L1-3.14.1 – Flaw Remediation | ::(1) SI.L1-3.14.1 – Flaw Remediation | ||
|- | |||
|8A | |||
|4.1.4.N.1 | |||
| | |||
::(2) SI.L1-3.14.2 – Malicious Code Protection | ::(2) SI.L1-3.14.2 – Malicious Code Protection | ||
|- | |||
|8A | |||
|4.1.4.N.1 | |||
| | |||
::(3) SI.L1-3.14.4 – Update Malicious Code Protection | ::(3) SI.L1-3.14.4 – Update Malicious Code Protection | ||
|- | |||
|8A | |||
|4.1.4.N.1 | |||
| | |||
::(4) SI.L1-3.14.5 – System & File Scanning | ::(4) SI.L1-3.14.5 – System & File Scanning | ||
|} | |} | ||
=== Task 2. Apply knowledge of the CMMC Assessment Criteria and Methodology to the appropriate CMMC practices. === | === Task 2. Apply knowledge of the CMMC Assessment Criteria and Methodology to the appropriate CMMC practices. === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|3A, 7B | |||
|4.2.1 | |||
|1. The definition of each practice | |||
|- | |||
|3A, 7B | |||
|4.2.2 | |||
|2. The Assessment Objectives | |||
|- | |||
|7A, 7B, 8A | |||
|4.2.3 | |||
|3. The Assessment Methods (Examine, Interview, and Test) to use for the practices | |||
|- | |||
|7B | |||
|4.2.4 | |||
|4. What information to look for in practice discussion | |||
|- | |||
|7B | |||
|4.2.5 | |||
|5. The Key References and their applicability to the practices: | |||
|- | |||
|7B | |||
|4.2.5.A | |||
| | |||
::A. Navigating and using the CMMC Assessment Guide(s) content | |||
|- | |||
|7A, 7B | |||
|4.2.5.B | |||
| | | | ||
::B. Determining the assessment method(s) that would be best for gathering sufficient and accurate evidence | |||
: | |||
|} | |} | ||
=== Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence. === | === Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence. === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
| | |- | ||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|7A | |||
|4.3.1 | |||
|1. Appraised Evidence is adequate | |||
|- | |||
|7A | |||
|4.3.2 | |||
|2. Measure if the Evidence is sufficient | |||
|} | |} | ||
== Domain 5: CMMC Assessment Process == | == Domain 5: CMMC Assessment Process == | ||
=== Task 1. Choose the appropriate roles of the CCP in the CMMC Assessment Process when developing the assessment plan (Phase 1– Plan and Prepare Assessment). === | === Task 1. Choose the appropriate roles of the CCP in the CMMC Assessment Process when developing the assessment plan (Phase 1– Plan and Prepare Assessment). === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
| | |- | ||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|10B | |||
|5.1.1 | |||
|1. Validation criteria of OSC’s assessment evidence | |||
|- | |||
|7B | |||
|5.1.2 | |||
|2. Analyzing the CMMC practice requirements | |||
|- | |||
|10B | |||
|5.1.3 | |||
|3. What needs to be included in a CMMC Assessment Plan | |||
|- | |||
|10B | |||
|5.1.4 | |||
|4. The CMMC Readiness Review Process | |||
|} | |} | ||
=== Task 2. Apply CMMC Assessment Process requirements pertaining to the role of the CCP as an assessment team member while conducting a CMMC assessment (Phase 2 – Conduct Assessment). === | === Task 2. Apply CMMC Assessment Process requirements pertaining to the role of the CCP as an assessment team member while conducting a CMMC assessment (Phase 2 – Conduct Assessment). === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
| | |- | ||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|7B, 10C | |||
|5.2.1 | |||
|1. How to assist/support the Assessment Team during an assessment | |||
|- | |||
|7A, 7B, 10C | |||
|5.2.2 | |||
|2. The three possible assessment methods (Examine, Interview, and Test) and scoring evidence successfully for each practice | |||
|- | |||
|10A, 10C | |||
|5.2.3 | |||
|3. Communication skills to interview or observe tests/demonstrations for assessment practices | |||
|- | |||
|7B, 8C, 10C | |||
|5.2.4 | |||
|4. How Assessment Team Members rate practices and validate preliminary results | |||
|- | |||
|10C | |||
|5.2.5 | |||
|5. How Assessment Team Members assist in the preparation of final findings | |||
|- | |||
|10C | |||
|5.2.6 | |||
|6. How to score practices that are on a Plan of Action and Milestone (POA&M) | |||
|} | |} | ||
=== Task 3. Demonstrate comprehension of the CCP role in the preparation of assessment report (Phase 3 – Report Assessment Results). === | === Task 3. Demonstrate comprehension of the CCP role in the preparation of assessment report (Phase 3 – Report Assessment Results). === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
| | |- | ||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
# How the final findings and associated information are incorporated into the Assessment Report | |- | ||
|10D | |||
|5.3.1 | |||
|1. The evidence presented for each practice | |||
|- | |||
|7B, 10C | |||
|5.3.2 | |||
|2. How Assessment Team Members score practices, validate, and deliver assessment preliminary results | |||
|- | |||
|10C | |||
|5.3.3 | |||
|3. How the Assessment Lead drafts and scores the final findings | |||
|- | |||
|10D | |||
|5.3.4 | |||
|4.# How the final findings and associated information are incorporated into the Assessment Report | |||
|- | |||
|10D | |||
|5.3.5 | |||
|5. How the Lead Assessor submits the assessment report, including the review process, submitting to the C3PAO and the OSC | |||
|- | |||
|10D | |||
|5.3.6 | |||
|6. How to package and archive the assessment results for a record to support any future questions that may be asked | |||
|} | |} | ||
=== Task 4. Demonstrate comprehension of the CCP role in the process of evaluating outstanding assessment issues on Plan of Action and Milestones (POA&M) (Phase 4 – Evaluation of Outstanding Assessment POA&M Items). === | === Task 4. Demonstrate comprehension of the CCP role in the process of evaluating outstanding assessment issues on Plan of Action and Milestones (POA&M) (Phase 4 – Evaluation of Outstanding Assessment POA&M Items). === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|10C | |||
|5.4.1 | |||
|1. The evaluation of assessment POA&M items | |1. The evaluation of assessment POA&M items | ||
|- | |||
|10C | |||
|5.4.1.A | |||
| | |||
:A. DoD Assessment Methodology, POA&M scoring criteria | :A. DoD Assessment Methodology, POA&M scoring criteria | ||
|- | |||
|10C | |||
|5.4.1.A.1 | |||
| | |||
::(1) Minimum assessment score | ::(1) Minimum assessment score | ||
|- | |||
|10C | |||
|5.4.1.A.2 | |||
| | |||
::(2) Qualifying POA&M items | ::(2) Qualifying POA&M items | ||
|- | |||
|10C | |||
|5.4.1.B | |||
| | |||
:B. CMMC AG CA.L2-3.12.2, Plan of Action objectives and requirements | :B. CMMC AG CA.L2-3.12.2, Plan of Action objectives and requirements | ||
|} | |} | ||
=== Task 5. Given a scenario, determine the appropriate phases/steps to assist in the preparation/conducting/ reporting on a CMMC Level 2 Assessment. === | === Task 5. Given a scenario, determine the appropriate phases/steps to assist in the preparation/conducting/ reporting on a CMMC Level 2 Assessment. === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|10B | |||
|5.5.1 | |||
|1. Plan and Prepare Assessments: | |1. Plan and Prepare Assessments: | ||
|- | |||
|10A | |||
|5.5.1.A | |||
| | |||
:A. CMMC CCP must be able to assist in analyzing requirements. | :A. CMMC CCP must be able to assist in analyzing requirements. | ||
|- | |||
|10A | |||
|5.5.1.B | |||
| | |||
:B. CMMC CCP must be able to assist in developing assessment plan. | :B. CMMC CCP must be able to assist in developing assessment plan. | ||
|- | |||
|10A | |||
|5.5.1.C | |||
| | |||
:C. CMMC CCP must be able to assist in verifying readiness to conduct assessment. | :C. CMMC CCP must be able to assist in verifying readiness to conduct assessment. | ||
|- | |- | ||
|10C | |||
|5.5.2 | |||
|2. Conduct Assessment: | |2. Conduct Assessment: | ||
|- | |||
|10A | |||
|5.5.2.A | |||
| | |||
:A. CMMC CCP must be able to assist in collecting and examining Evidence. | :A. CMMC CCP must be able to assist in collecting and examining Evidence. | ||
|- | |||
|10A | |||
|5.5.2.B | |||
| | |||
:B. CMMC CCP must be able to assist in scoring practices and validating preliminary results. | :B. CMMC CCP must be able to assist in scoring practices and validating preliminary results. | ||
|- | |||
|10A | |||
|5.5.2.C | |||
| | |||
:C. CMMC CCP must be able to assist in generating final assessment results. | :C. CMMC CCP must be able to assist in generating final assessment results. | ||
|- | |- | ||
|10D | |||
|5.5.3 | |||
|3. Report Recommended Assessment Results: | |3. Report Recommended Assessment Results: | ||
|- | |||
|10A | |||
|5.5.3.A | |||
| | |||
:A. CMMC CCP must be able to assist in delivering recommended assessment results. | :A. CMMC CCP must be able to assist in delivering recommended assessment results. | ||
|- | |- | ||
|10E | |||
|5.5.4 | |||
|4. Remediate Outstanding Assessment Issues: | |4. Remediate Outstanding Assessment Issues: | ||
|- | |||
|10A | |||
|5.5.4.A | |||
| | |||
:A. Awareness of the CCP’s Role in the POA&M Process | :A. Awareness of the CCP’s Role in the POA&M Process | ||
|} | |} | ||
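Review bot: the four SI rows near the end of the Domain 4 Task 1 table all carry the objective ID 4.1.4.N.1 while their descriptions are numbered (1) to (4); every other domain in this table increments the suffix (compare 4.1.4.J.1 to 4.1.4.J.4 for Physical Protection), so the SI.L1-3.14.2, 3.14.4 and 3.14.5 rows should read 4.1.4.N.2, 4.1.4.N.3 and 4.1.4.N.4. Two smaller leftovers in the same hunk: the description of objective 5.3.4 begins "4.# How the final findings", where the "#" is a remnant of the old numbered-list markup and should go, and a bare ":" line sits between the 4.2.5.B description and the "|}" closing the Task 2 table, which renders as an empty indented line.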
Line 635: | Line 1,130: | ||
== Domain 6: Scoping == | == Domain 6: Scoping == | ||
=== Task 1. Understand CMMC High-Level Scoping as described in the CMMC Assessment Process. === | === Task 1. Understand CMMC High-Level Scoping as described in the CMMC Assessment Process. === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|5A | |||
|6.1.1 | |||
|1. Defining organizational scoping | |1. Defining organizational scoping | ||
|- | |||
|5A | |||
|6.1.1.A | |||
| | |||
:A. Organization | :A. Organization | ||
|- | |||
|5A | |||
|6.1.1.B | |||
| | |||
:B. Host Unit | :B. Host Unit | ||
|- | |||
|5A | |||
|6.1.1.C | |||
| | |||
:C. Supporting Units | :C. Supporting Units | ||
|} | |} | ||
=== Task 2. Given a Scenario, analyze the organization environment to generate an appropriate scope for FCI Assets. === | === Task 2. Given a Scenario, analyze the organization environment to generate an appropriate scope for FCI Assets. === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|5A | |||
|6.2.1 | |||
|1. Defining FCI data in the form of Assets that: | |1. Defining FCI data in the form of Assets that: | ||
|- | |||
|5A | |||
|6.2.1.A | |||
| | |||
:A. Process | :A. Process | ||
|- | |||
|5A | |||
|6.2.1.B | |||
| | |||
:B. Store | :B. Store | ||
|- | |||
|5A | |||
|6.2.1.C | |||
| | |||
:C. Transmit | :C. Transmit | ||
|- | |- | ||
|5A | |||
|6.2.2 | |||
|2. Out-of-Scope Assets | |2. Out-of-Scope Assets | ||
|- | |- | ||
|5A | |||
|6.2.3 | |||
|3. Specialized Assets | |3. Specialized Assets | ||
|- | |||
|5A | |||
|6.2.3.A | |||
| | |||
:A. Government Property | :A. Government Property | ||
|- | |||
|5A | |||
|6.2.3.B | |||
| | |||
:B. Internet of Things (IoT)/ Industrial Internet of Things (IIoT) | :B. Internet of Things (IoT)/ Industrial Internet of Things (IIoT) | ||
|- | |||
|5A | |||
|6.2.3.C | |||
| | |||
:C. Operational Technology (OT) | :C. Operational Technology (OT) | ||
|- | |||
|5A | |||
|6.2.3.D | |||
| | |||
:D. Restricted Information Systems | :D. Restricted Information Systems | ||
|- | |||
|5A | |||
|6.2.3.E | |||
| | |||
:E. Test Equipment | :E. Test Equipment | ||
|- | |- | ||
|5A | |||
|6.2.4 | |||
|4. Scoping Activities | |4. Scoping Activities | ||
|- | |||
|5A | |||
|6.2.4.A | |||
| | |||
:A. People | :A. People | ||
|- | |||
|5A | |||
|6.2.4.B | |||
| | |||
:B. Technology | :B. Technology | ||
|- | |||
|5A | |||
|6.2.4.C | |||
| | |||
:C. Facilities | :C. Facilities | ||
|- | |||
|5A | |||
|6.2.4.D | |||
| | |||
:D. External Service Providers (ESP) | :D. External Service Providers (ESP) | ||
|} | |} |
Latest revision as of 23:23, 8 May 2023
Source of Reference: The CCP blueprint document from Cybersecurity Maturity Model Certification Accreditation Body, Inc.
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Domains
Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:
Objective | Domain | Exam Weight |
---|---|---|
1.0 | 1. CMMC Ecosystem | 5% |
2.0 | 2. CMMC-AB Code of Professional Conduct (Ethics) | 5% |
3.0 | 3. CMMC Governance and Sources Documents | 15% |
4.0 | 4. CMMC Model Construct and Implementation Evaluation | 35% |
5.0 | 5. CMMC Assessment Process (CAP) | 25% |
6.0 | 6. Scoping | 15% |
Domain 1: CMMC Ecosystem
Task 1. Identify and compare roles/responsibilities/requirements of authorities across the CMMC Ecosystem.
Lesson Topic | Objective | Objective Description |
---|---|---|
3B | 1.1.1 | 1. Authorities: |
3B | 1.1.1.A | A. Office of the Undersecretary of Defense (OUSD) |
1B, 3A, 7A, 8A | 1.1.1.A.1 | |
1B, 3B, 3C | 1.1.1.A.2 | |
3B | 1.1.1.B | B. CMMC Ecosystem and the different types of entities participating in it |
3B | 1.1.1.B.1 | |
3B | 1.1.1.B.1.a | |
3B | 1.1.1.B.1.a.1 | |
3B | 1.1.1.B.1.a.1.1 | |
3B | 1.1.1.B.1.a.2 | |
3B | 1.1.1.B.1.a.3 | |
3B | 1.1.1.B.1.a.3.1 | |
3B | 1.1.1.B.1.b | |
3B | 1.1.1.B.1.b.1 | |
3B | 1.1.1.B.1.b.1.1 | |
3B | 1.1.1.B.2 | |
3B | 1.1.1.B.2.a | |
3B | 1.1.1.B.2.a.1 | |
3B | 1.1.1.B.2.a.1.1 | |
3B | 1.1.1.B.2.a.2 | |
3B | 1.1.1.B.2.a.2.1 | |
3B | 1.1.1.B.2.b | |
3B | 1.1.1.B.2.b.1 | |
3B | 1.1.1.B.2.b.1.1 | |
3B | 1.1.1.B.2.b.1.2 | |
3B | 1.1.1.B.2.b.2 | |
3B | 1.1.1.B.2.b.2.1 | |
3B | 1.1.1.B.2.b.2.2 | |
3B | 1.1.1.B.2.b.3 | |
3B | 1.1.1.B.2.b.3.1 | |
3B | 1.1.1.B.2.b.3.2 | |
3B | 1.1.1.B.2.b.4 | |
3B | 1.1.1.B.2.b.4.1 | |
3B | 1.1.1.B.2.b.4.2 | |
3B | 1.1.1.B.2.b.5 | |
3B | 1.1.1.B.2.b.5.1 | |
3B | 1.1.1.B.2.b.5.2 | |
3B, 10A | 1.1.1.B.2.b.6 | |
3B, 10A | 1.1.1.B.2.b.6.1 | |
3B, 10A | 1.1.1.B.2.b.7 | |
3B, 10A | 1.1.1.B.2.b.7.1 | |
3B | 1.1.1.B.2.b.7.2 | |
Domain 2: CMMC-AB Code of Professional Conduct (Ethics)
Task 1. Identify and apply knowledge of the Guiding Principles and Practices of the CMMC-AB Code of Professional Conduct (CoPC)/ISO/IEC/DOD requirements.
Lesson Topic | Objective | Objective Description |
---|---|---|
4B | 2.1.1 | 1. General ethics topics |
4B | 2.1.2 | 2. CMMC-AB Code of Professional Conduct (CoPC) |
3B, 4A | 2.1.3 | 3. ISO/IEC |
4B | 2.1.4 | 4. Department of Defense (DoD) requirements |
4B | 2.1.5 | 5. Professionalism |
4B | 2.1.6 | 6. Objectivity |
4B | 2.1.7 | 7. Confidentiality |
4B | 2.1.8 | 8. Proper use of methods |
4B | 2.1.9 | 9. Information integrity |
4B | 2.1.10 | 10. Conflicts of interest |
4B | 2.1.11 | 11. Respect for intellectual property |
4B | 2.1.12 | 12. Lawful and ethical practices |
4A, 4B, 7A, 10B | 2.1.13 | 13. Contracts and non-disclosure agreements |
Domain 3: CMMC Governance and Source Documents
Task 1. Demonstrate understanding of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-federal unclassified networks.
Lesson Topic | Objective | Objective Description |
---|---|---|
1B | 3.1.1 | 1. Current Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity Efforts, Regulations, and Executive Orders pertaining to the CMMC program: |
1B, 2B | 3.1.1.A | |
1B | 3.1.1.B | |
1B, 3B | 3.1.1.C | |
1B, 7B | 3.1.1.C.1 | |
2A | 3.1.1.C.2 | |
1B | 3.1.1.C.3 | |
3B | 3.1.2 | 2. CMMC Framework Tenets: |
3B | 3.1.2.A | |
3B | 3.1.2.A.1 | |
3B, 7B | 3.1.2.A.1.a | |
3B, 7B | 3.1.2.A.1.b | |
3B | 3.1.2.A.2 | |
3B | 3.1.2.A.2.a | |
3B | 3.1.2.A.2.b | |
3B | 3.1.2.A.3 | |
3B | 3.1.2.A.3.a | |
3B | 3.1.2.A.3.b | |
3B | 3.1.2.B | |
3B | 3.1.2.B.1 | |
3B | 3.1.2.C | |
3B | 3.1.2.C.1 | |
8A | 3.1.2.C.1.a | |
3A, 8A | 3.1.2.C.1.a.i | |
3A, 3B, 9A | 3.1.2.C.2 | (2) Advanced/Level 2 (previous level 3) |
3A, 7B | 3.1.2.C.2.a | (a) NIST SP 800-171 (Requirements) |
3A, 7B, 9A | 3.1.2.C.2.a.i | i. Provide overview of the 110 NIST SP 800-171 requirements and how they are applied within the CMMC Level 2 practices/assessment framework |
3B, 3C | 3.1.2.D | D. Self-Assessments vs. Third-Party Assessments |
3B, 3C | 3.1.2.D.1 | (1) Define different criteria for various assessment types under the CMMC v2.0 framework |
3C | 3.1.3 | 3. Consequences of non-compliance: |
3C | 3.1.3.A | A. Failure to receive an award of contract |
3C | 3.1.3.B | B. Contractual liability |
3C | 3.1.3.C | C. False Claims Act |
3C | 3.1.3.C.1 | (1) US Department of Justice, |
3C | 3.1.3.C.1.a | (a) Civil Cyber-Fraud Initiative |
Task 2. Determine the appropriate roles/responsibilities/authority for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Lesson Topic | Objective | Objective Description |
---|---|---|
2A | 3.2.1 | 1. Importance of data classification, collection, and analysis |
2A | 3.2.1.A | A. CUI Basic versus Specified |
2A | 3.2.2 | 2. Contractor sensitive data categories |
2A | 3.2.2.A | A. Federal Contract Information (FCI) |
2A | 3.2.2.A.1 | (1) Section 4.1901 of the Federal Acquisition Regulation (FAR) |
2A | 3.2.2.B | B. Controlled Unclassified Information (CUI) |
2A, 2B | 3.2.2.B.1 | (1) Part 2002 of Title 32 CFR, 2002.4(h) |
2A, 2B | 3.2.3 | 3. Government authority for identifying and marking CUI |
2A, 2B | 3.2.3.A | A. Executive Order 13556 |
2A, 2B | 3.2.3.B | B. 32 Code of Federal Regulations, Part 2002 (Implementing Directive) |
2A, 2B | 3.2.3.C | C. DoD Instruction 5200.48, Controlled Unclassified Information (CUI) |
2B | 3.2.4 | 4. Contractor/Authorized holders’ responsibilities in handling CUI |
2B | 3.2.4.A | A. DoDI 5200.48 |
1B, 2B | 3.2.4.B | B. Part 2002 of Title 32 CFR |
Task 3. Demonstrate understanding of the CMMC Source and Supplementary documents.
Lesson Topic | Objective | Objective Description |
---|---|---|
3A | 3.3.1 | 1. CMMC Source Documents |
3A, 7B | 3.3.1.A | A. CMMC Model Overview |
7A, 7B | 3.3.1.B | B. CMMC Level 1 Assessment Guide |
7A, 7B | 3.3.1.C | C. CMMC Level 2 Assessment Guide |
5A | 3.3.1.D | D. CMMC Level 1 Scoping Guidance |
5A | 3.3.1.E | E. CMMC Level 2 Scoping Guidance |
3A, 7A, 10B, 10C, 10D, 10E | 3.3.1.F | F. CMMC Assessment Process (CAP) |
3A | 3.3.1.G | G. CMMC Glossary |
3A, 10D | 3.3.1.H | H. CMMC Artifact Hashing Tool User Guide |
2A | 3.3.2 | 2. ISOO CUI Registry |
2A | 3.3.2.A | A. NARA administers the CUI Registry |
2A | 3.3.2.A.1 | (1) Types of labeled information on documents such as: |
2A | 3.3.2.A.1.a | (a) Export Controlled (SP-EXPT) |
2B | 3.3.2.A.1.b | (b) Specified marking/labeling using NARA CUI Marking Handbook |
2A | 3.3.3 | 3. DoD CUI Registry |
2A, 2B | 3.3.3.A | A. Types of labeled information on documents such as: |
2A, 2B | 3.3.3.A.1 | (1) Naval Nuclear Propulsion Information (NNPI) |
2A, 2B | 3.3.3.A.2 | (2) NNPI marking/labeling using DoD CUI Marking Aid |
Domain 4: CMMC Model Construct and Implementation Evaluation
Task 1. Given a scenario, apply the appropriate CMMC Source Documents as an aid to evaluate the implementation/review of CMMC practices.
(At a minimum, the CCP candidate must be evaluated on CMMC L1 Practices during the CCP exam.)
Lesson Topic | Objective | Objective Description |
---|---|---|
3A | 4.1.1 | 1. Model Architecture |
3A | 4.1.2 | 2. Model Levels: |
3A, 7B | 4.1.2.A | A. Cumulative Nature |
3A | 4.1.2.B | B. Characteristics |
3B | 4.1.2.C | C. Levels required for specific contracts |
3B | 4.1.2.C.1 | (1) Level 1 |
3B | 4.1.2.C.2 | (2) Level 2 |
3A | 4.1.3 | 3. Practices: |
7B | 4.1.3.A | A. Practices Descriptions |
3A | 4.1.3.A.1 | (1) Practice Numbering Scheme |
3A | 4.1.3.A.2 | (2) Objectives |
7B | 4.1.3.A.3 | (3) Assessment Methods and Objects |
8A | 4.1.4 | 4. Domains: |
3A | 4.1.4.A | A. Access Control (AC) |
8A | 4.1.4.A.1 | (1) AC.L1-3.1.1 – Authorized Access Control |
8A | 4.1.4.A.2 | (2) AC.L1-3.1.2 – Transaction & Function Control |
8A | 4.1.4.A.3 | (3) AC.L1-3.1.20 – External Connections |
8A | 4.1.4.A.4 | (4) AC.L1-3.1.22 – Control Public Information |
3A | 4.1.4.B | B. Audit & Accountability (AU) |
3A | 4.1.4.C | C. Awareness & Training (AT) |
3A | 4.1.4.D | D. Configuration Management (CM) |
3A | 4.1.4.E | E. Identification & Authentication (IA) |
8A | 4.1.4.E.1 | (1) IA.L1-3.5.1 – Identification |
8A | 4.1.4.E.2 | (2) IA.L1-3.5.2 – Authentication |
3A | 4.1.4.F | F. Incident Response (IR) |
3A | 4.1.4.G | G. Maintenance (MA) |
3A | 4.1.4.H | H. Media Protection (MP) |
8A | 4.1.4.H.1 | (1) MP.L1-3.8.3 – Media Disposal |
3A | 4.1.4.I | I. Personnel Security (PS) |
3A | 4.1.4.J | J. Physical Protection (PE) |
8A | 4.1.4.J.1 | (1) PE.L1-3.10.1 – Limit Physical Access |
8A | 4.1.4.J.2 | (2) PE.L1-3.10.3 – Escort Visitors |
8A | 4.1.4.J.3 | (3) PE.L1-3.10.4 – Physical Access Logs |
8A | 4.1.4.J.4 | (4) PE.L1-3.10.5 – Manage Physical Access |
3A | 4.1.4.K | K. Risk Assessment (RA) |
3A | 4.1.4.L | L. Security Assessment (CA) |
3A | 4.1.4.M | M. System & Communications Protection (SC) |
8A | 4.1.4.M.1 | (1) SC.L1-3.13.1 – Boundary Protection |
8A | 4.1.4.M.2 | (2) SC.L1-3.13.5 – Public-Access System Separation |
3A | 4.1.4.N | N. System & Information Integrity (SI) |
8A | 4.1.4.N.1 | (1) SI.L1-3.14.1 – Flaw Remediation |
8A | 4.1.4.N.1 | (2) SI.L1-3.14.2 – Malicious Code Protection |
8A | 4.1.4.N.1 | (3) SI.L1-3.14.4 – Update Malicious Code Protection |
8A | 4.1.4.N.1 | (4) SI.L1-3.14.5 – System & File Scanning |
Task 2. Apply knowledge of the CMMC Assessment Criteria and Methodology to the appropriate CMMC practices.
Lesson Topic | Objective | Objective Description |
---|---|---|
3A, 7B | 4.2.1 | 1. The definition of each practice |
3A, 7B | 4.2.2 | 2. The Assessment Objectives |
7A, 7B, 8A | 4.2.3 | 3. The Assessment Methods (Examine, Interview, and Test) to use for the practices |
7B | 4.2.4 | 4. What information to look for in practice discussion |
7B | 4.2.5 | 5. The Key References and their applicability to the practices: |
7B | 4.2.5.A | |
7A, 7B | 4.2.5.B | |
Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence.
Lesson Topic | Objective | Objective Description |
---|---|---|
7A | 4.3.1 | 1. Appraised Evidence is adequate |
7A | 4.3.2 | 2. Measure if the Evidence is sufficient |
Domain 5: CMMC Assessment Process
Task 1. Choose the appropriate roles of the CCP in the CMMC Assessment Process when developing the assessment plan (Phase 1 – Plan and Prepare Assessment).
Lesson Topic | Objective | Objective Description |
---|---|---|
10B | 5.1.1 | 1. Validation criteria of OSC’s assessment evidence |
7B | 5.1.2 | 2. Analyzing the CMMC practice requirements |
10B | 5.1.3 | 3. What needs to be included in a CMMC Assessment Plan |
10B | 5.1.4 | 4. The CMMC Readiness Review Process |
Task 2. Apply CMMC Assessment Process requirements pertaining to the role of the CCP as an assessment team member while conducting a CMMC assessment (Phase 2 – Conduct Assessment).
Lesson Topic | Objective | Objective Description |
---|---|---|
7B, 10C | 5.2.1 | 1. How to assist/support the Assessment Team during an assessment |
7A, 7B, 10C | 5.2.2 | 2. The three possible assessment methods (Examine, Interview, and Test) and scoring evidence successfully for each practice |
10A, 10C | 5.2.3 | 3. Communication skills to interview or observe tests/demonstrations for assessment practices |
7B, 8C, 10C | 5.2.4 | 4. How Assessment Team Members rate practices and validate preliminary results |
10C | 5.2.5 | 5. How Assessment Team Members assist in the preparation of final findings |
10C | 5.2.6 | 6. How to score practices that are on a Plan of Action and Milestone (POA&M) |
Task 3. Demonstrate comprehension of the CCP role in the preparation of assessment report (Phase 3 – Report Assessment Results).
Lesson Topic | Objective | Objective Description |
---|---|---|
10D | 5.3.1 | 1. The evidence presented for each practice |
7B, 10C | 5.3.2 | 2. How Assessment Team Members score practices, validate, and deliver assessment preliminary results |
10C | 5.3.3 | 3. How the Assessment Lead drafts and scores the final findings |
10D | 5.3.4 | 4. How the final findings and associated information are incorporated into the Assessment Report |
10D | 5.3.5 | 5. How the Lead Assessor submits the assessment report, including the review process, submitting to the C3PAO and the OSC |
10D | 5.3.6 | 6. How to package and archive the assessment results for a record to support any future questions that may be asked |
Task 4. Demonstrate comprehension of the CCP role in the process of evaluating outstanding assessment issues on Plan of Action and Milestones (POA&M) (Phase 4 – Evaluation of Outstanding Assessment POA&M Items).
Lesson Topic | Objective | Objective Description |
---|---|---|
10C | 5.4.1 | 1. The evaluation of assessment POA&M items |
10C | 5.4.1.A | |
10C | 5.4.1.A.1 | |
10C | 5.4.1.A.2 | |
10C | 5.4.1.B | |
Task 5. Given a scenario, determine the appropriate phases/steps to assist in the preparation/conducting/reporting on a CMMC Level 2 Assessment.
Lesson Topic | Objective | Objective Description |
---|---|---|
10B | 5.5.1 | 1. Plan and Prepare Assessments: |
10A | 5.5.1.A | |
10A | 5.5.1.B | |
10A | 5.5.1.C | |
10C | 5.5.2 | 2. Conduct Assessment: |
10A | 5.5.2.A | |
10A | 5.5.2.B | |
10A | 5.5.2.C | |
10D | 5.5.3 | 3. Report Recommended Assessment Results: |
10A | 5.5.3.A | |
10E | 5.5.4 | 4. Remediate Outstanding Assessment Issues: |
10A | 5.5.4.A | |
Domain 6: Scoping
Task 1. Understand CMMC High-Level Scoping as described in the CMMC Assessment Process.
Lesson Topic | Objective | Objective Description |
---|---|---|
5A | 6.1.1 | 1. Defining organizational scoping |
5A | 6.1.1.A | |
5A | 6.1.1.B | |
5A | 6.1.1.C | |
Task 2. Given a scenario, analyze the organization environment to generate an appropriate scope for FCI Assets.
Lesson Topic | Objective | Objective Description |
---|---|---|
5A | 6.2.1 | 1. Defining FCI data in the form of Assets that: |
5A | 6.2.1.A | |
5A | 6.2.1.B | |
5A | 6.2.1.C | |
5A | 6.2.2 | 2. Out-of-Scope Assets |
5A | 6.2.3 | 3. Specialized Assets |
5A | 6.2.3.A | |
5A | 6.2.3.B | |
5A | 6.2.3.C | |
5A | 6.2.3.D | |
5A | 6.2.3.E | |
5A | 6.2.4 | 4. Scoping Activities |
5A | 6.2.4.A | |
5A | 6.2.4.B | |
5A | 6.2.4.C | |
5A | 6.2.4.D | |