CCP Blueprint: Difference between revisions
Line 411: | Line 411: | ||
=== Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence. === | === Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence. === | ||
{|class="wikitable" | |||
| | |||
# Appraised Evidence is adequate | |||
# Measure if the Evidence is sufficient | |||
|} | |||
== Domain 5: CMMC Assessment Process == | == Domain 5: CMMC Assessment Process == |
Revision as of 18:19, 4 August 2022
Source of Reference: The CCP blueprint from Cybersecurity Maturity Model Certification Accreditation Body, Inc.
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Domains
Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:
Domain | Exam Weight |
1. CMMC Ecosystem | 5% |
2. CMMC-AB Code of Professional Conduct (Ethics) | 5% |
3. CMMC Governance and Sources Documents | 15% |
4. CMMC Model Construct and Implementation Evaluation | 35% |
5. CMMC Assessment Process (CAP) | 25% |
6. Scoping | 15% |
Domain 1: CMMC Ecosystem
Task 1. Identify and compare roles/responsibilities/requirements of authorities across the CMMC Ecosystem.
1. Authorities: |
a. Office of the Undersecretary of Defense (OUSD)
|
b. CMMC Ecosystem and the different types of entities participating in it
|
Domain 2: CMMC-AB Code of Professional Conduct (Ethics)
Task 1. Identify and apply knowledge of the Guiding Principles and Practices of the CMMC-AB Code of Professional Conduct (CoPC)/ISO/IEC/DOD requirements.
# General ethics topics
|
Domain 3. CMMC Governance and Source Documents
Task 1. Demonstrate understanding of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-federal unclassified networks.
1. Current Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity Efforts, Regulations, and Executive Orders pertaining to the CMMC program: A. Part 32 of the Code of Federal Regulations (C.F.R.) B. Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R C. DFARS Clause 252.204-7012 (1) National Institute of Standards and Technology (NIST) SP 800-171 (2) Technical Data (DFARS 252.227-7013) (3) FedRAMP
2. CMMC Framework Tenets:
A. Key aspects of CMMC v.20 program requirements
(1) Streamlined Model
(a) Focused on the most critical requirements
(b) Aligned with widely accepted standards
(2) Reliable Assessments (a) Reduced assessment costs (b) Higher accountability
(3) Flexible Implementation (a) Spirit of collaboration (b) Added flexibility and speed
B. Rulemaking and timeline for CMMC v2.0
(1) Incentives, Assessments, and 9–24-month rule making
C. Levels of CMMC assessments and requirements
(1) Foundational/Level 1 (same as previous CMMC v1.0 level 1) a. FAR Clause 52.204-21 a. Provide overview of the 17 basic safeguarding requirements and how procedures are applied within the CMMC L1/L2 practices/assessment framework
(2) Advanced/Level 2 (previous level 3)
b. NIST SP 800-171 (Requirements)
a. Provide overview of the 110 NIST SP 800-171 requirements and how they
are applied within the CMMC Level 2 practices/assessment framework
D. Self-Assessments vs. Third-Party Assessments (1) Define different criteria for various assessment type under CMMC v2.0 framework
3. Consequences of non-compliance:
A. Failure to receive an award of contract
B. Contractual liability
C. False Claims Act
(1) US Department of Justice,
(a) Civil Cyber-Fraud Initiative
�
Task 2. Determine the appropriate roles/responsibilities/authority for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
1. Importance of data classification, collection, and analysis A. CUI Basic versus Specified
2. Contractor sensitive data categories A. Federal Contract Information (FCI) (1) Section 4.1901 of the Federal Acquisition Regulation (FAR)
B. Controlled Unclassified Information (CUI) (1) Part 2002 of Title 32 CFR, 2002.4(h)
3. Government authority for identifying and marking CUI
A. Executive Order 13556
B. 32 Code of Federal Regulations, Part 2002 (Implementing Directive)
C. DoD Instruction 5200.48, Controlled Unclassified Information (CUI)
4. Contractor/Authorized holders’ responsibilities in handling CUI A. DoDI 5200.48 B. Part 2002 of Title 32 CFR
Task 3. Demonstrate understanding of the CMMC Source and Supplementary documents.
1. CMMC Source Documents
A. CMMC Model Overview
B. CMMC Level 1 Assessment Guide
C. CMMC Level 2 Assessment Guide
D. CMMC Level 1 Scoping Guidance
E. CMMC Level 2 Scoping Guidance
F. CMMC Assessment Process (CAP)
G. CMMC Glossary
H. CMMC Artifact Hashing Tool User Guide
2. ISOO CUI Registry
A. NARA administers the CUI Registry
(1) Types of labeled information on documents such as:
(a) Export Controlled (SP-EXPT)
(b) Specified marking/labeling using NARA CUI Marking Handbook
3. DoD CUI Registry A. Types of labeled information on documents such as: (1) Naval Nuclear Propulsion Information (NNPI) (2) NNPI marking/labeling using DoD CUI Marking Aid
�
Domain 4 - CMMC Model Construct and Implementation Evaluation
Task 1. Given a scenario, apply the appropriate CMMC Source Documents as an aid to evaluate the implementation/review of CMMC practices.
(At a minimum CCP candidate must be evaluated on CMMC L1 Practices during CCP exam)
1. Model Architecture 2. Model Levels: A. Cumulative Nature B. Characteristics C. Levels required for specific contracts (1) Level 1 (2) Level 2
3. Practices:
A. Practices Descriptions
(1) Practice Numbering Scheme
(2) Objectives
(3) Assessment Methods and Objects
4. Domains:
A. Access Control (AC)
(1) AC.L1-3.1.1 – Authorized Access Control
(2) AC.L1-3.1.2 – Transaction & Function Control
(3) AC.L1-3.1.20 – External Connections
(4) AC.L1-3.1.22 – Control Public Information
B. Audit & Accountability (AU) C. Awareness & Training (AT) D. Configuration Management (CM) E. Identification & Authentication (IA) (1) IA.L1-3.5.1 – Identification (2) IA.L1-3.5.2 – Authentication
F. Incident Response (IR) G. Maintenance (MA) H. Media Protection (MP) (1) MP.L1-3.8.3 – Media Disposal
I. Personnel Security (PS) J. Physical Protection (PE) (1) PE.L1-3.10.1 – Limit Physical Access (2) PE.L1-3.10.3 – Escort Visitors (3) PE.L1-3.10.4 – Physical Access Logs (4) PE.L1-3.10.5 – Manage Physical Access
K. Risk Assessment (RA) L. Security Assessment (CA) M. System & Communications Protection (SC) (1) SC.L1-3.13.1 – Boundary Protection (2) SC.L1-3.13.5 – Public-Access System Separation
�
N. System & Information Integrity (SI)
(1) SI.L1-3.14.1 – Flaw Remediation
(2) SI.L1-3.14.2 – Malicious Code Protection
(3) SI.L1-3.14.4 – Update Malicious Code Protection
(4) SI.L1-3.14.5 – System & File Scanning
Task 2. Apply knowledge of the CMMC Assessment Criteria and Methodology to the appropriate CMMC practices.
1. The definition of each practice 2. The Assessment Objectives 3. The Assessment Methods (Examine, Interview, and Test) to use for the practices 4. What information to look for in practice discussion 5. The Key References and their applicability to the practices: a. Navigating and using the CMMC Assessment Guide(s) content b. Determining the assessment method(s) that would be best for gathering sufficient and accurate evidence
Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence.
|
Domain 5: CMMC Assessment Process
Task 1. Choose the appropriate roles of the CCP in the CMMC Assessment Process when developing the assessment plan (Phase 1– Plan and Prepare Assessment).
|
Task 2. Apply CMMC Assessment Process requirements pertaining to the role of the CCP as an assessment team member while conducting a CMMC assessment (Phase 2 – Conduct Assessment).
|
Task 3. Demonstrate comprehension of the CCP role in the preparation of assessment report (Phase 3 – Report Assessment Results).
|
Task 4. Demonstrate comprehension of the CCP role in the process of evaluating outstanding assessment issues on Plan of Action and Milestones (POA&M) (Phase 4 – Evaluation of Outstanding Assessment POA&M Items).
1. The evaluation of assessment POA&M items
|
Task 5. Given a scenario, determine the appropriate phases/steps to assist in the preparation/conducting/ reporting on a CMMC Level 2 Assessment.
1. Plan and Prepare Assessments:
|
2. Conduct Assessment:
|
3. Report Recommended Assessment Results:
|
4. Remediate Outstanding Assessment Issues:
|
Domain 6: Scoping
Task 1. Understand CMMC High-Level Scoping as described in the CMMC Assessment Process.
1. Defining organizational scoping
|
Task 2. Given a Scenario, analyze the organization environment to generate an appropriate scope for FCI Assets.
1. Defining FCI data in the form of Assets that:
|
2. Out-of-Scope Assets |
3. Specialized Assets
|
4. Scoping Activities
|