CCP Blueprint: Difference between revisions

From CMMC Toolkit Wiki
 
(34 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''Source of Reference: The [https://cyberab.org/Portals/0/cmmc-ab-ccp-blueprint-03-14-22-final-v7_2%20FINAL%20%28Public%29_1.pdf CCP blueprint] from Cybersecurity Maturity Model Certification Accreditation Body, Inc.'''
'''Source of Reference: The CCP blueprint document from [https://cyberab.org/CMMC-Ecosystem/Ecosystem-roles/Assessing-and-Certification Cybersecurity Maturity Model Certification Accreditation Body, Inc.]'''


For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
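Review bot: the revised Source of Reference line drops the direct link to the blueprint PDF (whose file name carried the document version and date, "cmmc-ab-ccp-blueprint-03-14-22-final-v7_2") in favour of a link to the general Assessing-and-Certification ecosystem page, so a reader can no longer tell which blueprint revision this wiki page transcribes; keep the version and date of the blueprint in the citation (for example "CCP blueprint, final v7.2, 14 March 2022") alongside the new link.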
Line 6: Line 6:
Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:
Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:
{|class="wikitable"
{|class="wikitable"
|'''Domain'''
|'''Exam Weight'''
|-
|-
! Objective !! '''Domain''' !! '''Exam Weight'''
|-
|-
|1.0
|1. CMMC Ecosystem
|1. CMMC Ecosystem
|5%
|5%
|-
|-
|2.0
|2. CMMC-AB Code of Professional Conduct (Ethics)
|2. CMMC-AB Code of Professional Conduct (Ethics)
|5%
|5%
|-
|-
|3.0
|3. CMMC Governance and Sources Documents
|3. CMMC Governance and Sources Documents
|15%
|15%
|-
|-
|4.0
|4. CMMC Model Construct and Implementation Evaluation
|4. CMMC Model Construct and Implementation Evaluation
|35%
|35%
|-
|-
|5.0
|5. CMMC Assessment Process (CAP)
|5. CMMC Assessment Process (CAP)
|25%
|25%
|-
|-
|6.0
|6. Scoping
|6. Scoping
|15%
|15%
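Review bot: the row for objective 3.0 names the domain "CMMC Governance and Sources Documents" while the Domain 3 section heading further down reads "CMMC Governance and Source Documents"; align the spelling to "Source Documents". The old header cells `|'''Domain'''` and `|'''Exam Weight'''` are superseded by the new `! Objective !! '''Domain''' !! '''Exam Weight'''` header row and should not survive alongside it. The six weights (5%, 5%, 15%, 35%, 25%, 15%) sum to 100%, so the table itself is consistent.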
Line 30: Line 37:
== Domain 1: CMMC Ecosystem ==
== Domain 1: CMMC Ecosystem ==
=== Task 1. Identify and compare roles/responsibilities/requirements of authorities across the CMMC Ecosystem. ===
=== Task 1. Identify and compare roles/responsibilities/requirements of authorities across the CMMC Ecosystem. ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|'''1. Authorities:'''
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|3B
|1.1.1
|1. Authorities:
|-
|3B
|1.1.1.A
|A. Office of the Undersecretary of Defense (OUSD)
|-
|-
|a. Office of the Undersecretary of Defense (OUSD)
|1B, 3A, 7A, 8A
|1.1.1.A.1
|
:(1) Cybersecurity standards and best practices and knowledge of how to map these controls and processes across several levels that range from basic to advanced cyber hygiene
:(1) Cybersecurity standards and best practices and knowledge of how to map these controls and processes across several levels that range from basic to advanced cyber hygiene
|-
|1B, 3B, 3C
|1.1.1.A.2
|
:(2) Regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements
:(2) Regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements
|-
|-
|b. CMMC Ecosystem and the different types of entities participating in it
|3B
|1.1.1.B
|B. CMMC Ecosystem and the different types of entities participating in it
|-
|3B
|1.1.1.B.1
|
:(1) Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)
:(1) Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)
|-
|3B
|1.1.1.B.1.a
|
::(a) Organizations:
::(a) Organizations:
|-
|3B
|1.1.1.B.1.a.1
|
:::1. Organizations Seeking Certification (OSC)
:::1. Organizations Seeking Certification (OSC)
|-
|3B
|1.1.1.B.1.a.1.1
|
::::(1) Purpose, Requirements, and benefits of OSC involvement in the ecosystem
::::(1) Purpose, Requirements, and benefits of OSC involvement in the ecosystem
|-
|3B
|1.1.1.B.1.a.2
|
:::2. CMMC Third-Party Assessment Organizations (C3PAO)
:::2. CMMC Third-Party Assessment Organizations (C3PAO)
|-
|3B
|1.1.1.B.1.a.3
|
:::3. Registered Provider Organizations (RPO)
:::3. Registered Provider Organizations (RPO)
|-
|3B
|1.1.1.B.1.a.3.1
|
::::(1) Requirements and Benefits of RPO
::::(1) Requirements and Benefits of RPO
|-
|3B
|1.1.1.B.1.b
|
::(b) Individuals:
::(b) Individuals:
|-
|3B
|1.1.1.B.1.b.1
|
:::1. Registered Practitioner (RP)
:::1. Registered Practitioner (RP)
|-
|3B
|1.1.1.B.1.b.1.1
|
::::(1) RPs in the CMMC ecosystem provide advice, consulting, and recommendations to their clients. They are the “implementers” and consultants, but do not participate in Certified CMMC Assessments.
::::(1) RPs in the CMMC ecosystem provide advice, consulting, and recommendations to their clients. They are the “implementers” and consultants, but do not participate in Certified CMMC Assessments.
|-
|3B
|1.1.1.B.2
|
:(2) CMMC Assessors and Instructors Certification Organization (CAICO)
:(2) CMMC Assessors and Instructors Certification Organization (CAICO)
|-
|3B
|1.1.1.B.2.a
|
::(a) Organizations:
::(a) Organizations:
|-
|3B
|1.1.1.B.2.a.1
|
:::1. Licensed Partner Publishers (LPP)
:::1. Licensed Partner Publishers (LPP)
|-
|3B
|1.1.1.B.2.a.1.1
|
::::(1) Purpose, requirements, and benefits of LPPs
::::(1) Purpose, requirements, and benefits of LPPs
|-
|3B
|1.1.1.B.2.a.2
|
:::2. Licensed Training Providers (LTP)
:::2. Licensed Training Providers (LTP)
|-
|3B
|1.1.1.B.2.a.2.1
|
::::(1) Purpose, requirements, and benefits of LTPs
::::(1) Purpose, requirements, and benefits of LTPs
|-
|3B
|1.1.1.B.2.b
|
::(b) Individuals:
::(b) Individuals:
|-
|3B
|1.1.1.B.2.b.1
|
:::1. Provisional Assessors (PA)
:::1. Provisional Assessors (PA)
|-
|3B
|1.1.1.B.2.b.1.1
|
::::(1) Purpose, requirements, and benefits of PAs
::::(1) Purpose, requirements, and benefits of PAs
|-
|3B
|1.1.1.B.2.b.1.2
|
::::(2) Timeline for sunsetting
::::(2) Timeline for sunsetting
|-
|3B
|1.1.1.B.2.b.2
|
:::2. Provisional Instructors (PI)
:::2. Provisional Instructors (PI)
|-
|3B
|1.1.1.B.2.b.2.1
|
::::(1) Purpose, requirements, and benefits of PIs
::::(1) Purpose, requirements, and benefits of PIs
|-
|3B
|1.1.1.B.2.b.2.2
|
::::(2) Timeline for sunsetting
::::(2) Timeline for sunsetting
|-
|3B
|1.1.1.B.2.b.3
|
:::3. Certified CMMC Professional (CCP)
:::3. Certified CMMC Professional (CCP)
|-
|3B
|1.1.1.B.2.b.3.1
|
::::(1) Purpose, requirements, and benefits of CCPs’ active involvement in the ecosystem
::::(1) Purpose, requirements, and benefits of CCPs’ active involvement in the ecosystem
|-
|3B
|1.1.1.B.2.b.3.2
|
::::(2) Timeline for CCP certification and assessments
::::(2) Timeline for CCP certification and assessments
|-
|3B
|1.1.1.B.2.b.4
|
:::4. Certified CMMC Assessor (CCA)
:::4. Certified CMMC Assessor (CCA)
|-
|3B
|1.1.1.B.2.b.4.1
|
::::(1) Purpose, requirements, and benefits of CCAs’ active involvement in the ecosystem
::::(1) Purpose, requirements, and benefits of CCAs’ active involvement in the ecosystem
|-
|3B
|1.1.1.B.2.b.4.2
|
::::(2) Timeline for CCA certification and assessments
::::(2) Timeline for CCA certification and assessments
|-
|3B
|1.1.1.B.2.b.5
|
:::5. Certified CMMC Instructor (CCI)
:::5. Certified CMMC Instructor (CCI)
|-
|3B
|1.1.1.B.2.b.5.1
|
::::(1) Purpose, requirements, and benefits of CCIs’ active involvement in the ecosystem
::::(1) Purpose, requirements, and benefits of CCIs’ active involvement in the ecosystem
|-
|3B
|1.1.1.B.2.b.5.2
|
::::(2) Timeline for CCI certification and assessments
::::(2) Timeline for CCI certification and assessments
|-
|3B, 10A
|1.1.1.B.2.b.6
|
:::6. Assessment Team Member
:::6. Assessment Team Member
|-
|3B, 10A
|1.1.1.B.2.b.6.1
|
::::(1) CCP and CCA roles on the Assessment Team
::::(1) CCP and CCA roles on the Assessment Team
|-
|3B, 10A
|1.1.1.B.2.b.7
|
:::7. CMMC Lead Assessor
:::7. CMMC Lead Assessor
|-
|3B, 10A
|1.1.1.B.2.b.7.1
|
::::(1) Lead Assessor role on the Assessment Team
::::(1) Lead Assessor role on the Assessment Team
|-
|3B
|1.1.1.B.2.b.7.2
|
::::(2) Timeline for Lead Assessor certification
::::(2) Timeline for Lead Assessor certification
|}
|}
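Review bot: the new "Lesson Topic" column introduced in this table (values such as `3B`, `1B, 3A, 7A, 8A`, `3B, 10A`) is never explained on the page; add a short legend or a link mapping these codes to the corresponding training lessons, otherwise the column is opaque to anyone reading the blueprint outside the course. The nested objective identifiers (1.1.1.B.2.b.7.2 and so on) follow the blueprint outline consistently, and the indentation depth of each Objective Description matches its identifier depth throughout.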
Line 79: Line 253:
== Domain 2: CMMC-AB Code of Professional Conduct (Ethics) ==
== Domain 2: CMMC-AB Code of Professional Conduct (Ethics) ==
=== Task 1. Identify and apply knowledge of the Guiding Principles and Practices of the CMMC-AB Code of Professional Conduct (CoPC)/ISO/IEC/DOD requirements. ===
=== Task 1. Identify and apply knowledge of the Guiding Principles and Practices of the CMMC-AB Code of Professional Conduct (CoPC)/ISO/IEC/DOD requirements. ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|# General ethics topics
|-
# CMMC-AB Code of Professional Conduct (CoPC)
! style="width: 10%"|Lesson Topic
# ISO/IEC
! style="width: 10%"|Objective
# Department of Defense (DoD) requirements
! style="width: 80%"|Objective Description
# Professionalism
|-
# Objectivity
|4B
# Confidentiality
|2.1.1
# Proper use of methods
|1. General ethics topics
# Information integrity
|-
# Conflicts of interest
|-
# Respect for intellectual property
|4B
# Lawful and ethical practices
|2.1.2
# Contracts and non-disclosure agreements
|2. CMMC-AB Code of Professional Conduct (CoPC)
|-
|3B, 4A
|2.1.3
|3. ISO/IEC
|-
|4B
|2.1.4
|4. Department of Defense (DoD) requirements
|-
|4B
|2.1.5
|5. Professionalism
|-
|4B
|2.1.6
|6. Objectivity
|-
|4B
|2.1.7
|7. Confidentiality
|-
|4B
|2.1.8
|8. Proper use of methods
|-
|4B
|2.1.9
|9. Information integrity
|-
|4B
|2.1.10
|10. Conflicts of interest
|-
|4B
|2.1.11
|11. Respect for intellectual property
|-
|4B
|2.1.12
|12. Lawful and ethical practices
|-
|4A, 4B, 7A, 10B
|2.1.13
|13. Contracts and non-disclosure agreements
|}
|}


== Domain 3. CMMC Governance and Source Documents ==
== Domain 3. CMMC Governance and Source Documents ==
=== Task 1. Demonstrate understanding of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-federal unclassified networks. ===
=== Task 1. Demonstrate understanding of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-federal unclassified networks. ===
 
{|class="wikitable" style="width: 85%;"
 
|-
 
! style="width: 10%"|Lesson Topic
1. Current Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity Efforts, Regulations,
! style="width: 10%"|Objective
and Executive Orders pertaining to the CMMC program:
! style="width: 80%"|Objective Description
A. Part 32 of the Code of Federal Regulations (C.F.R.)
|-
B. Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R
|1B
C. DFARS Clause 252.204-7012
|3.1.1
(1) National Institute of Standards and Technology (NIST) SP 800-171
|1. Current Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity Efforts, Regulations, and Executive Orders pertaining to the CMMC program:
(2) Technical Data (DFARS 252.227-7013)
|-
(3) FedRAMP
|1B, 2B
 
|3.1.1.A
 
|
 
:A. Part 32 of the Code of Federal Regulations (C.F.R.)
 
|-
 
|1B
 
|3.1.1.B
2. CMMC Framework Tenets:
|
A. Key aspects of CMMC v.20 program requirements
:B. Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R
(1) Streamlined Model
|-
(a) Focused on the most critical requirements
|1B, 3B
(b) Aligned with widely accepted standards
|3.1.1.C
 
|
 
:C. DFARS Clause 252.204-7012
 
|-
(2) Reliable Assessments
|1B, 7B
(a) Reduced assessment costs
|3.1.1.C.1
(b) Higher accountability
|
 
::(1) National Institute of Standards and Technology (NIST) SP 800-171
 
|-
 
|2A
(3) Flexible Implementation
|3.1.1.C.2
(a) Spirit of collaboration
|
(b) Added flexibility and speed
::(2) Technical Data (DFARS 252.227-7013)
 
|-
 
|1B
 
|3.1.1.C.3
 
|
 
::(3) FedRAMP
 
|-
B. Rulemaking and timeline for CMMC v2.0
|3B
(1) Incentives, Assessments, and 9–24-month rule making
|3.1.2
 
|2. CMMC Framework Tenets:
 
|-
 
|3B
C. Levels of CMMC assessments and requirements
|3.1.2.A
 
|
 
:A. Key aspects of CMMC v.20 program requirements
 
|-
(1) Foundational/Level 1 (same as previous CMMC v1.0 level 1)
|3B
a. FAR Clause 52.204-21
|3.1.2.A.1
a. Provide overview of the 17 basic safeguarding requirements and how
|
procedures are applied within the CMMC L1/L2 practices/assessment
::(1) Streamlined Model
framework
|-
 
|3B, 7B
 
|3.1.2.A.1.a
 
|
 
:::(a) Focused on the most critical requirements
 
|-
 
|3B, 7B
 
|3.1.2.A.1.b
 
|
 
:::(b) Aligned with widely accepted standards
 
|-
(2) Advanced/Level 2 (previous level 3)
|3B
b. NIST SP 800-171 (Requirements)
|3.1.2.A.2
a. Provide overview of the 110 NIST SP 800-171 requirements and how they
|
are applied within the CMMC Level 2 practices/assessment framework
::(2) Reliable Assessments
 
|-
 
|3B
 
|3.1.2.A.2.a
 
|
 
:::(a) Reduced assessment costs
 
|-
 
|3B
D. Self-Assessments vs. Third-Party Assessments
|3.1.2.A.2.b
(1) Define different criteria for various assessment type under CMMC v2.0 framework
|
 
:::(b) Higher accountability
 
|-
 
|3B
 
|3.1.2.A.3
 
|
 
::(3) Flexible Implementation
 
|-
 
|3B
 
|3.1.2.A.3.a
 
|
3. Consequences of non-compliance:
:::(a) Spirit of collaboration
A. Failure to receive an award of contract
|-
B. Contractual liability
|3B
C. False Claims Act
|3.1.2.A.3.b
(1) US Department of Justice,
|
(a) Civil Cyber-Fraud Initiative
:::(b) Added flexibility and speed
 
|-
 
|3B
 
|3.1.2.B
 
|
 
:B. Rulemaking and timeline for CMMC v2.0
 
|-
 
|3B
 
|3.1.2.B.1
 
|
 
::(1) Incentives, Assessments, and 9–24-month rule making
 
|-
 
|3B
 
|3.1.2.C
|
 
:C. Levels of CMMC assessments and requirements
|-
|3B
|3.1.2.C.1
|
::(1) Foundational/Level 1 (same as previous CMMC v1.0 level 1)
|-
|8A
|3.1.2.C.1.a
|
:::(a) FAR Clause 52.204-21
|-
|3A, 8A
|3.1.2.C.1.a.i
|
::::i. Provide overview of the 17 basic safeguarding requirements and how procedures are applied within the CMMC L1/L2 practices/assessment framework
|-
|3A, 3B, 9A
|3.1.2.C.2
|
::(2) Advanced/Level 2 (previous level 3)
|-
|3A, 7B
|3.1.2.C.2.a
|
:::(a) NIST SP 800-171 (Requirements)
|-
|3A, 7B, 9A
|3.1.2.C.2.a.i
|
::::i. Provide overview of the 110 NIST SP 800-171 requirements and how they are applied within the CMMC Level 2 practices/assessment framework
|-
|3B, 3C
|3.1.2.D
|
:D. Self-Assessments vs. Third-Party Assessments
|-
|3B, 3C
|3.1.2.D.1
|
::(1) Define different criteria for various assessment type under CMMC v2.0 framework
|-
|3C
|3.1.3
|3. Consequences of non-compliance:
|-
|3C
|3.1.3.A
|
:A. Failure to receive an award of contract
|-
|3C
|3.1.3.B
|
:B. Contractual liability
|-
|3C
|3.1.3.C
|
:C. False Claims Act
|-
|3C
|3.1.3.C.1
|
::(1) US Department of Justice,
|-
|3C
|3.1.3.C.1.a
|
:::(a) Civil Cyber-Fraud Initiative
|}


=== Task 2. Determine the appropriate roles/responsibilities/authority for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). ===
=== Task 2. Determine the appropriate roles/responsibilities/authority for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). ===
 
{|class="wikitable" style="width: 85%;"
 
|-
 
! style="width: 10%"|Lesson Topic
1. Importance of data classification, collection, and analysis
! style="width: 10%"|Objective
A. CUI Basic versus Specified
! style="width: 80%"|Objective Description
 
|-
 
|2A
 
|3.2.1
2. Contractor sensitive data categories
|1. Importance of data classification, collection, and analysis
A. Federal Contract Information (FCI)
|-
(1) Section 4.1901 of the Federal Acquisition Regulation (FAR)
|2A
 
|3.2.1.A
 
|
 
:A. CUI Basic versus Specified
B. Controlled Unclassified Information (CUI)
|-
(1) Part 2002 of Title 32 CFR, 2002.4(h)
|2A
 
|3.2.2
 
|2. Contractor sensitive data categories
 
|-
 
|2A
 
|3.2.2.A
 
|
3. Government authority for identifying and marking CUI
:A. Federal Contract Information (FCI)
A. Executive Order 13556
|-
B. 32 Code of Federal Regulations, Part 2002 (Implementing Directive)
|2A
C. DoD Instruction 5200.48, Controlled Unclassified Information (CUI)
|3.2.2.A.1
 
|
 
::(1) Section 4.1901 of the Federal Acquisition Regulation (FAR)
 
|-
4. Contractor/Authorized holders’ responsibilities in handling CUI
|2A
A. DoDI 5200.48
|3.2.2.B
B. Part 2002 of Title 32 CFR
|
 
:B. Controlled Unclassified Information (CUI)
 
|-
 
|2A, 2B
 
|3.2.2.B.1
 
|
 
::(1) Part 2002 of Title 32 CFR, 2002.4(h)
|-
|2A, 2B
|3.2.3
|3. Government authority for identifying and marking CUI
|-
|2A, 2B
|3.2.3.A
|
:A. Executive Order 13556
|-
|2A, 2B
|3.2.3.B
|
:B. 32 Code of Federal Regulations, Part 2002 (Implementing Directive)
|-
|2A, 2B
|3.2.3.C
|
:C. DoD Instruction 5200.48, Controlled Unclassified Information (CUI)
|-
|2B
|3.2.4
|4. Contractor/Authorized holders’ responsibilities in handling CUI
|-
|2B
|3.2.4.A
|
:A. DoDI 5200.48
|-
|1B, 2B
|3.2.4.B
|
:B. Part 2002 of Title 32 CFR
|}


=== Task 3. Demonstrate understanding of the CMMC Source and Supplementary documents. ===
=== Task 3. Demonstrate understanding of the CMMC Source and Supplementary documents. ===
 
{|class="wikitable" style="width: 85%;"
 
|-
 
! style="width: 10%"|Lesson Topic
1. CMMC Source Documents
! style="width: 10%"|Objective
 
! style="width: 80%"|Objective Description
 
|-
 
|3A
 
|3.3.1
A. CMMC Model Overview
|1. CMMC Source Documents
B. CMMC Level 1 Assessment Guide
|-
C. CMMC Level 2 Assessment Guide
|3A, 7B
D. CMMC Level 1 Scoping Guidance
|3.3.1.A
E. CMMC Level 2 Scoping Guidance
|
F. CMMC Assessment Process (CAP)
:A. CMMC Model Overview
G. CMMC Glossary
|-
H. CMMC Artifact Hashing Tool User Guide
|7A, 7B
2. ISOO CUI Registry
|3.3.1.B
A. NARA administers the CUI Registry
|
(1) Types of labeled information on documents such as:
:B. CMMC Level 1 Assessment Guide
(a) Export Controlled (SP-EXPT)
|-
(b) Specified marking/labeling using NARA CUI Marking Handbook
|7A, 7B
 
|3.3.1.C
 
|
 
:C. CMMC Level 2 Assessment Guide
 
|-
 
|5A
 
|3.3.1.D
 
|
 
:D. CMMC Level 1 Scoping Guidance
 
|-
3. DoD CUI Registry
|5A
A. Types of labeled information on documents such as:
|3.3.1.E
(1) Naval Nuclear Propulsion Information (NNPI)
|
(2) NNPI marking/labeling using DoD CUI Marking Aid
:E. CMMC Level 2 Scoping Guidance
 
|-
 
|3A, 7A, 10B, 10C, 10D, 10E
 
|3.3.1.F
 
|
 
:F. CMMC Assessment Process (CAP)
 
|-
 
|3A
 
|3.3.1.G
 
|
 
:G. CMMC Glossary
|-
 
|3A, 10D
|3.3.1.H
|
:H. CMMC Artifact Hashing Tool User Guide
|-
|2A
|3.3.2
|2. ISOO CUI Registry
|-
|2A
|3.3.2.A
|
:A. NARA administers the CUI Registry
|-
|2A
|3.3.2.A.1
|
::(1) Types of labeled information on documents such as:
|-
|2A
|3.3.2.A.1.a
|
:::(a) Export Controlled (SP-EXPT)
|-
|2B
|3.3.2.A.1.b
|
:::(b) Specified marking/labeling using NARA CUI Marking Handbook
|-
|2A
|3.3.3
|3. DoD CUI Registry
|-
|2A, 2B
|3.3.3.A
|
:A. Types of labeled information on documents such as:
|-
|2A, 2B
|3.3.3.A.1
|
::(1) Naval Nuclear Propulsion Information (NNPI)
|-
|2A, 2B
|3.3.3.A.2
|
::(2) NNPI marking/labeling using DoD CUI Marking Aid
|}


== Domain 4 - CMMC Model Construct and Implementation Evaluation ==
== Domain 4 - CMMC Model Construct and Implementation Evaluation ==
=== Task 1. Given a scenario, apply the appropriate CMMC Source Documents as an aid to evaluate the implementation/review of CMMC practices. ===
=== Task 1. Given a scenario, apply the appropriate CMMC Source Documents as an aid to evaluate the implementation/review of CMMC practices. ===
(At a minimum CCP candidate must be evaluated on CMMC L1 Practices during CCP exam)
(At a minimum CCP candidate must be evaluated on CMMC L1 Practices during CCP exam)
 
{|class="wikitable" style="width: 85%;"
1. Model Architecture
|-
2. Model Levels:
! style="width: 10%"|Lesson Topic
A. Cumulative Nature
! style="width: 10%"|Objective
B. Characteristics
! style="width: 80%"|Objective Description
C. Levels required for specific contracts
|-
(1) Level 1
|3A
(2) Level 2
|4.1.1
 
|1. Model Architecture
 
|-
 
|3A
 
|4.1.2
 
|2. Model Levels:
 
|-
3. Practices:
|3A, 7B
A. Practices Descriptions
|4.1.2.A
(1) Practice Numbering Scheme
|
(2) Objectives
:A. Cumulative Nature
(3) Assessment Methods and Objects
|-
 
|3A
 
|4.1.2.B
 
|
 
:B. Characteristics
 
|-
 
|3B
4. Domains:
|4.1.2.C
A. Access Control (AC)
|
(1) AC.L1-3.1.1 – Authorized Access Control
:C. Levels required for specific contracts
(2) AC.L1-3.1.2 – Transaction & Function Control
|-
(3) AC.L1-3.1.20 – External Connections
|3B
(4) AC.L1-3.1.22 – Control Public Information
|4.1.2.C.1
 
|
 
::(1) Level 1
 
|-
B. Audit & Accountability (AU)
|3B
C. Awareness & Training (AT)
|4.1.2.C.2
D. Configuration Management (CM)
|
E. Identification & Authentication (IA)
::(2) Level 2
(1) IA.L1-3.5.1 – Identification
|-
(2) IA.L1-3.5.2 – Authentication
|3A
 
|4.1.3
 
|3. Practices:
 
|-
F. Incident Response (IR)
|7B
G. Maintenance (MA)
|4.1.3.A
H. Media Protection (MP)
|
(1) MP.L1-3.8.3 – Media Disposal
:A. Practices Descriptions
 
|-
 
|3A
 
|4.1.3.A.1
I. Personnel Security (PS)
|
J. Physical Protection (PE)
::(1) Practice Numbering Scheme
(1) PE.L1-3.10.1 – Limit Physical Access
|-
(2) PE.L1-3.10.3 – Escort Visitors
|3A
(3) PE.L1-3.10.4 – Physical Access Logs
|4.1.3.A.2
(4) PE.L1-3.10.5 – Manage Physical Access
|
 
::(2) Objectives
 
|-
 
|7B
K. Risk Assessment (RA)
|4.1.3.A.3
L. Security Assessment (CA)
|
M. System & Communications Protection (SC)
::(3) Assessment Methods and Objects
(1) SC.L1-3.13.1 – Boundary Protection
|-
(2) SC.L1-3.13.5 – Public-Access System Separation
|8A
 
|4.1.4
 
|4. Domains:
 
|-
 
|3A
 
|4.1.4.A
 
|
 
:A. Access Control (AC)
 
|-
 
|8A
 
|4.1.4.A.1
|
N. System & Information Integrity (SI)
::(1) AC.L1-3.1.1 – Authorized Access Control
(1) SI.L1-3.14.1 – Flaw Remediation
|-
(2) SI.L1-3.14.2 – Malicious Code Protection
|8A
(3) SI.L1-3.14.4 – Update Malicious Code Protection
|4.1.4.A.2
(4) SI.L1-3.14.5 – System & File Scanning
|
 
::(2) AC.L1-3.1.2 – Transaction & Function Control
 
|-
 
|8A
 
|4.1.4.A.3
 
|
 
::(3) AC.L1-3.1.20 – External Connections
 
|-
 
|8A
|4.1.4.A.4
|
::(4) AC.L1-3.1.22 – Control Public Information
|-
|3A
|4.1.4.B
|
:B. Audit & Accountability (AU)
|-
|3A
|4.1.4.C
|
:C. Awareness & Training (AT)
|-
|3A
|4.1.4.D
|
:D. Configuration Management (CM)
|-
|3A
|4.1.4.E
|
:E. Identification & Authentication (IA)
|-
|8A
|4.1.4.E.1
|
::(1) IA.L1-3.5.1 – Identification
|-
|8A
|4.1.4.E.2
|
::(2) IA.L1-3.5.2 – Authentication
|-
|3A
|4.1.4.F
|
:F. Incident Response (IR)
|-
|3A
|4.1.4.G
|
:G. Maintenance (MA)
|-
|3A
|4.1.4.H
|
:H. Media Protection (MP)
|-
|8A
|4.1.4.H.1
|
::(1) MP.L1-3.8.3 – Media Disposal
|-
|3A
|4.1.4.I
|
:I. Personnel Security (PS)
|-
|3A
|4.1.4.J
|
:J. Physical Protection (PE)
|-
|8A
|4.1.4.J.1
|
::(1) PE.L1-3.10.1 – Limit Physical Access
|-
|8A
|4.1.4.J.2
|
::(2) PE.L1-3.10.3 – Escort Visitors
|-
|8A
|4.1.4.J.3
|
::(3) PE.L1-3.10.4 – Physical Access Logs
|-
|8A
|4.1.4.J.4
|
::(4) PE.L1-3.10.5 – Manage Physical Access
|-
|3A
|4.1.4.K
|
:K. Risk Assessment (RA)
|-
|3A
|4.1.4.L
|
:L. Security Assessment (CA)
|-
|3A
|4.1.4.M
|
:M. System & Communications Protection (SC)
|-
|8A
|4.1.4.M.1
|
::(1) SC.L1-3.13.1 – Boundary Protection
|-
|8A
|4.1.4.M.2
|
::(2) SC.L1-3.13.5 – Public-Access System Separation
|-
|3A
|4.1.4.N
|
:N. System & Information Integrity (SI)
|-
|8A
|4.1.4.N.1
|
::(1) SI.L1-3.14.1 – Flaw Remediation
|-
|8A
|4.1.4.N.1
|
::(2) SI.L1-3.14.2 – Malicious Code Protection
|-
|8A
|4.1.4.N.1
|
::(3) SI.L1-3.14.4 – Update Malicious Code Protection
|-
|8A
|4.1.4.N.1
|
::(4) SI.L1-3.14.5 – System & File Scanning
|}


=== Task 2. Apply knowledge of the CMMC Assessment Criteria and Methodology to the appropriate CMMC practices. ===
=== Task 2. Apply knowledge of the CMMC Assessment Criteria and Methodology to the appropriate CMMC practices. ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|3A, 7B
|4.2.1
|1. The definition of each practice
|-
|3A, 7B
|4.2.2
|2. The Assessment Objectives
|-
|7A, 7B, 8A
|4.2.3
|3. The Assessment Methods (Examine, Interview, and Test) to use for the practices
|-
|7B
|4.2.4
|4. What information to look for in practice discussion
|-
|7B
|4.2.5
|5. The Key References and their applicability to the practices:
|-
|7B
|4.2.5.A
|
::A. Navigating and using the CMMC Assessment Guide(s) content
|-
|7A, 7B
|4.2.5.B
|
|
# The definition of each practice
::B. Determining the assessment method(s) that would be best for gathering sufficient and accurate evidence
# The Assessment Objectives
# The Assessment Methods (Examine, Interview, and Test) to use for the practices
# What information to look for in practice discussion
# The Key References and their applicability to the practices:
::a. Navigating and using the CMMC Assessment Guide(s) content
::b. Determining the assessment method(s) that would be best for gathering sufficient and accurate evidence
|}
|}


=== Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence. ===
=== Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence. ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|
|-
# Appraised Evidence is adequate
! style="width: 10%"|Lesson Topic
# Measure if the Evidence is sufficient
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|7A
|4.3.1
|1. Appraised Evidence is adequate
|-
|7A
|4.3.2
|2. Measure if the Evidence is sufficient
|}
|}


== Domain 5: CMMC Assessment Process ==
== Domain 5: CMMC Assessment Process ==
=== Task 1. Choose the appropriate roles of the CCP in the CMMC Assessment Process when developing the assessment plan (Phase 1– Plan and Prepare Assessment). ===
=== Task 1. Choose the appropriate roles of the CCP in the CMMC Assessment Process when developing the assessment plan (Phase 1– Plan and Prepare Assessment). ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|
|-
# Validation criteria of OSC’s assessment evidence
! style="width: 10%"|Lesson Topic
# Analyzing the CMMC practice requirements
! style="width: 10%"|Objective
# What needs to be included in a CMMC Assessment Plan
! style="width: 80%"|Objective Description
# The CMMC Readiness Review Process
|-
|10B
|5.1.1
|1. Validation criteria of OSC’s assessment evidence
|-
|7B
|5.1.2
|2. Analyzing the CMMC practice requirements
|-
|10B
|5.1.3
|3. What needs to be included in a CMMC Assessment Plan
|-
|10B
|5.1.4
|4. The CMMC Readiness Review Process
|}
|}


=== Task 2. Apply CMMC Assessment Process requirements pertaining to the role of the CCP as an assessment team member while conducting a CMMC assessment (Phase 2 – Conduct Assessment). ===
=== Task 2. Apply CMMC Assessment Process requirements pertaining to the role of the CCP as an assessment team member while conducting a CMMC assessment (Phase 2 – Conduct Assessment). ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|
|-
# How to assist/support the Assessment Team during an assessment
! style="width: 10%"|Lesson Topic
# The three possible assessment methods (Examine, Interview, and Test) and scoring evidence successfully for each practice
! style="width: 10%"|Objective
# Communication skills to interview or observe tests/demonstrations for assessment practices
! style="width: 80%"|Objective Description
# How Assessment Team Members rate practices and validate preliminary results
|-
# How Assessment Team Members assist in the preparation of final findings
|7B, 10C
# How to score practices that are on a Plan of Action and Milestone (POA&M)
|5.2.1
|1. How to assist/support the Assessment Team during an assessment
|-
|7A, 7B, 10C
|5.2.2
|2. The three possible assessment methods (Examine, Interview, and Test) and scoring evidence successfully for each practice
|-
|10A, 10C
|5.2.3
|3. Communication skills to interview or observe tests/demonstrations for assessment practices
|-
|7B, 8C, 10C
|5.2.4
|4. How Assessment Team Members rate practices and validate preliminary results
|-
|10C
|5.2.5
|5. How Assessment Team Members assist in the preparation of final findings
|-
|10C
|5.2.6
|6. How to score practices that are on a Plan of Action and Milestone (POA&M)
|}
|}


=== Task 3. Demonstrate comprehension of the CCP role in the preparation of assessment report (Phase 3 – Report Assessment Results). ===
=== Task 3. Demonstrate comprehension of the CCP role in the preparation of assessment report (Phase 3 – Report Assessment Results). ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|
|-
# The evidence presented for each practice
! style="width: 10%"|Lesson Topic
# How Assessment Team Members score practices, validate, and deliver assessment preliminary results
! style="width: 10%"|Objective
# How the Assessment Lead drafts and scores the final findings
! style="width: 80%"|Objective Description
# How the final findings and associated information are incorporated into the Assessment Report
|-
# How the Lead Assessor submits the assessment report, including the review process, submitting to the C3PAO and the OSC
|10D
# How to package and archive the assessment results for a record to support any future questions that may be asked
|5.3.1
|1. The evidence presented for each practice
|-
|7B, 10C
|5.3.2
|2. How Assessment Team Members score practices, validate, and deliver assessment preliminary results
|-
|10C
|5.3.3
|3. How the Assessment Lead drafts and scores the final findings
|-
|10D
|5.3.4
|4.# How the final findings and associated information are incorporated into the Assessment Report
|-
|10D
|5.3.5
|5. How the Lead Assessor submits the assessment report, including the review process, submitting to the C3PAO and the OSC
|-
|10D
|5.3.6
|6. How to package and archive the assessment results for a record to support any future questions that may be asked
|}
|}


=== Task 4. Demonstrate comprehension of the CCP role in the process of evaluating outstanding assessment issues on Plan of Action and Milestones (POA&M) (Phase 4 – Evaluation of Outstanding Assessment POA&M Items). ===
=== Task 4. Demonstrate comprehension of the CCP role in the process of evaluating outstanding assessment issues on Plan of Action and Milestones (POA&M) (Phase 4 – Evaluation of Outstanding Assessment POA&M Items). ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|10C
|5.4.1
|1. The evaluation of assessment POA&M items
|1. The evaluation of assessment POA&M items
|-
|10C
|5.4.1.A
|
:A. DoD Assessment Methodology, POA&M scoring criteria
:A. DoD Assessment Methodology, POA&M scoring criteria
|-
|10C
|5.4.1.A.1
|
::(1) Minimum assessment score
::(1) Minimum assessment score
|-
|10C
|5.4.1.A.2
|
::(2) Qualifying POA&M items
::(2) Qualifying POA&M items
|-
|10C
|5.4.1.B
|
:B. CMMC AG CA.L2-3.12.2, Plan of Action objectives and requirements
:B. CMMC AG CA.L2-3.12.2, Plan of Action objectives and requirements
|}
|}


=== Task 5. Given a scenario, determine the appropriate phases/steps to assist in the preparation/conducting/ reporting on a CMMC Level 2 Assessment. ===
=== Task 5. Given a scenario, determine the appropriate phases/steps to assist in the preparation/conducting/ reporting on a CMMC Level 2 Assessment. ===
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|10B
|5.5.1
|1. Plan and Prepare Assessments:
|-
|10A
|5.5.1.A
|
:A. CMMC CCP must be able to assist in analyzing requirements.
|-
|10A
|5.5.1.B
|
:B. CMMC CCP must be able to assist in developing assessment plan.
|-
|10A
|5.5.1.C
|
:C. CMMC CCP must be able to assist in verifying readiness to conduct assessment.
|-
|10C
|5.5.2
|2. Conduct Assessment:
|-
|10A
|5.5.2.A
|
:A. CMMC CCP must be able to assist in collecting and examining Evidence.
|-
|10A
|5.5.2.B
|
:B. CMMC CCP must be able to assist in scoring practices and validating preliminary results.
|-
|10A
|5.5.2.C
|
:C. CMMC CCP must be able to assist in generating final assessment results.
|-
|10D
|5.5.3
|3. Report Recommended Assessment Results:
|-
|10A
|5.5.3.A
|
:A. CMMC CCP must be able to assist in delivering recommended assessment results.
|-
|10E
|5.5.4
|4. Remediate Outstanding Assessment Issues:
|-
|10A
|5.5.4.A
|
:A. Awareness of the CCP’s Role in the POA&M Process
|}
== Domain 6: Scoping ==
=== Task 1. Understand CMMC High-Level Scoping as described in the CMMC Assessment Process. ===
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|5A
|6.1.1
|1. Defining organizational scoping
|-
|5A
|6.1.1.A
|
:A. Organization
|-
|5A
|6.1.1.B
|
:B. Host Unit
|-
|5A
|6.1.1.C
|
:C. Supporting Units
|}


=== Task 2. Given a Scenario, analyze the organization environment to generate an appropriate scope for FCI Assets. ===
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|5A
|6.2.1
|1. Defining FCI data in the form of Assets that:
|-
|5A
|6.2.1.A
|
:A. Process
|-
|5A
|6.2.1.B
|
:B. Store
|-
|5A
|6.2.1.C
|
:C. Transmit
|-
|5A
|6.2.2
|2. Out-of-Scope Assets
|-
|5A
|6.2.3
|3. Specialized Assets
|-
|5A
|6.2.3.A
|
:A. Government Property
|-
|5A
|6.2.3.B
|
:B. Internet of Things (IoT)/ Industrial Internet of Things (IIoT)
|-
|5A
|6.2.3.C
|
:C. Operational Technology (OT)
|-
|5A
|6.2.3.D
|
:D. Restricted Information Systems
|-
|5A
|6.2.3.E
|
:E. Test Equipment
|-
|5A
|6.2.4
|4. Scoping Activities
|-
|5A
|6.2.4.A
|
:A. People
|-
|5A
|6.2.4.B
|
:B. Technology
|-
|5A
|6.2.4.C
|
:C. Facilities
|-
|5A
|6.2.4.D
|
:D. External Service Providers (ESP)
|}

Latest revision as of 23:23, 8 May 2023


== Domains ==

Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:

{|class="wikitable"
|-
! Objective !! Domain !! Exam Weight
|-
| 1.0 || 1. CMMC Ecosystem || 5%
|-
| 2.0 || 2. CMMC-AB Code of Professional Conduct (Ethics) || 5%
|-
| 3.0 || 3. CMMC Governance and Sources Documents || 15%
|-
| 4.0 || 4. CMMC Model Construct and Implementation Evaluation || 35%
|-
| 5.0 || 5. CMMC Assessment Process (CAP) || 25%
|-
| 6.0 || 6. Scoping || 15%
|}

== Domain 1: CMMC Ecosystem ==

=== Task 1. Identify and compare roles/responsibilities/requirements of authorities across the CMMC Ecosystem. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 3B || 1.1.1 || 1. Authorities:
|-
| 3B || 1.1.1.A || A. Office of the Undersecretary of Defense (OUSD)
|-
| 1B, 3A, 7A, 8A || 1.1.1.A.1 || (1) Cybersecurity standards and best practices and knowledge of how to map these controls and processes across several levels that range from basic to advanced cyber hygiene
|-
| 1B, 3B, 3C || 1.1.1.A.2 || (2) Regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements
|-
| 3B || 1.1.1.B || B. CMMC Ecosystem and the different types of entities participating in it
|-
| 3B || 1.1.1.B.1 || (1) Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)
|-
| 3B || 1.1.1.B.1.a || (a) Organizations:
|-
| 3B || 1.1.1.B.1.a.1 || 1. Organizations Seeking Certification (OSC)
|-
| 3B || 1.1.1.B.1.a.1.1 || (1) Purpose, Requirements, and benefits of OSC involvement in the ecosystem
|-
| 3B || 1.1.1.B.1.a.2 || 2. CMMC Third-Party Assessment Organizations (C3PAO)
|-
| 3B || 1.1.1.B.1.a.3 || 3. Registered Provider Organizations (RPO)
|-
| 3B || 1.1.1.B.1.a.3.1 || (1) Requirements and Benefits of RPO
|-
| 3B || 1.1.1.B.1.b || (b) Individuals:
|-
| 3B || 1.1.1.B.1.b.1 || 1. Registered Practitioner (RP)
|-
| 3B || 1.1.1.B.1.b.1.1 || (1) RPs in the CMMC ecosystem provide advice, consulting, and recommendations to their clients. They are the “implementers” and consultants, but do not participate in Certified CMMC Assessments.
|-
| 3B || 1.1.1.B.2 || (2) CMMC Assessors and Instructors Certification Organization (CAICO)
|-
| 3B || 1.1.1.B.2.a || (a) Organizations:
|-
| 3B || 1.1.1.B.2.a.1 || 1. Licensed Partner Publishers (LPP)
|-
| 3B || 1.1.1.B.2.a.1.1 || (1) Purpose, requirements, and benefits of LPPs
|-
| 3B || 1.1.1.B.2.a.2 || 2. Licensed Training Providers (LTP)
|-
| 3B || 1.1.1.B.2.a.2.1 || (1) Purpose, requirements, and benefits of LTPs
|-
| 3B || 1.1.1.B.2.b || (b) Individuals:
|-
| 3B || 1.1.1.B.2.b.1 || 1. Provisional Assessors (PA)
|-
| 3B || 1.1.1.B.2.b.1.1 || (1) Purpose, requirements, and benefits of PAs
|-
| 3B || 1.1.1.B.2.b.1.2 || (2) Timeline for sunsetting
|-
| 3B || 1.1.1.B.2.b.2 || 2. Provisional Instructors (PI)
|-
| 3B || 1.1.1.B.2.b.2.1 || (1) Purpose, requirements, and benefits of PIs
|-
| 3B || 1.1.1.B.2.b.2.2 || (2) Timeline for sunsetting
|-
| 3B || 1.1.1.B.2.b.3 || 3. Certified CMMC Professional (CCP)
|-
| 3B || 1.1.1.B.2.b.3.1 || (1) Purpose, requirements, and benefits of CCPs’ active involvement in the ecosystem
|-
| 3B || 1.1.1.B.2.b.3.2 || (2) Timeline for CCP certification and assessments
|-
| 3B || 1.1.1.B.2.b.4 || 4. Certified CMMC Assessor (CCA)
|-
| 3B || 1.1.1.B.2.b.4.1 || (1) Purpose, requirements, and benefits of CCAs’ active involvement in the ecosystem
|-
| 3B || 1.1.1.B.2.b.4.2 || (2) Timeline for CCA certification and assessments
|-
| 3B || 1.1.1.B.2.b.5 || 5. Certified CMMC Instructor (CCI)
|-
| 3B || 1.1.1.B.2.b.5.1 || (1) Purpose, requirements, and benefits of CCIs’ active involvement in the ecosystem
|-
| 3B || 1.1.1.B.2.b.5.2 || (2) Timeline for CCI certification and assessments
|-
| 3B, 10A || 1.1.1.B.2.b.6 || 6. Assessment Team Member
|-
| 3B, 10A || 1.1.1.B.2.b.6.1 || (1) CCP and CCA roles on the Assessment Team
|-
| 3B, 10A || 1.1.1.B.2.b.7 || 7. CMMC Lead Assessor
|-
| 3B, 10A || 1.1.1.B.2.b.7.1 || (1) Lead Assessor role on the Assessment Team
|-
| 3B || 1.1.1.B.2.b.7.2 || (2) Timeline for Lead Assessor certification
|}

== Domain 2: CMMC-AB Code of Professional Conduct (Ethics) ==

=== Task 1. Identify and apply knowledge of the Guiding Principles and Practices of the CMMC-AB Code of Professional Conduct (CoPC)/ISO/IEC/DOD requirements. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 4B || 2.1.1 || 1. General ethics topics
|-
| 4B || 2.1.2 || 2. CMMC-AB Code of Professional Conduct (CoPC)
|-
| 3B, 4A || 2.1.3 || 3. ISO/IEC
|-
| 4B || 2.1.4 || 4. Department of Defense (DoD) requirements
|-
| 4B || 2.1.5 || 5. Professionalism
|-
| 4B || 2.1.6 || 6. Objectivity
|-
| 4B || 2.1.7 || 7. Confidentiality
|-
| 4B || 2.1.8 || 8. Proper use of methods
|-
| 4B || 2.1.9 || 9. Information integrity
|-
| 4B || 2.1.10 || 10. Conflicts of interest
|-
| 4B || 2.1.11 || 11. Respect for intellectual property
|-
| 4B || 2.1.12 || 12. Lawful and ethical practices
|-
| 4A, 4B, 7A, 10B || 2.1.13 || 13. Contracts and non-disclosure agreements
|}

== Domain 3: CMMC Governance and Source Documents ==

=== Task 1. Demonstrate understanding of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-federal unclassified networks. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 1B || 3.1.1 || 1. Current Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity Efforts, Regulations, and Executive Orders pertaining to the CMMC program:
|-
| 1B, 2B || 3.1.1.A || A. Part 32 of the Code of Federal Regulations (C.F.R.)
|-
| 1B || 3.1.1.B || B. Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R.
|-
| 1B, 3B || 3.1.1.C || C. DFARS Clause 252.204-7012
|-
| 1B, 7B || 3.1.1.C.1 || (1) National Institute of Standards and Technology (NIST) SP 800-171
|-
| 2A || 3.1.1.C.2 || (2) Technical Data (DFARS 252.227-7013)
|-
| 1B || 3.1.1.C.3 || (3) FedRAMP
|-
| 3B || 3.1.2 || 2. CMMC Framework Tenets:
|-
| 3B || 3.1.2.A || A. Key aspects of CMMC v2.0 program requirements
|-
| 3B || 3.1.2.A.1 || (1) Streamlined Model
|-
| 3B, 7B || 3.1.2.A.1.a || (a) Focused on the most critical requirements
|-
| 3B, 7B || 3.1.2.A.1.b || (b) Aligned with widely accepted standards
|-
| 3B || 3.1.2.A.2 || (2) Reliable Assessments
|-
| 3B || 3.1.2.A.2.a || (a) Reduced assessment costs
|-
| 3B || 3.1.2.A.2.b || (b) Higher accountability
|-
| 3B || 3.1.2.A.3 || (3) Flexible Implementation
|-
| 3B || 3.1.2.A.3.a || (a) Spirit of collaboration
|-
| 3B || 3.1.2.A.3.b || (b) Added flexibility and speed
|-
| 3B || 3.1.2.B || B. Rulemaking and timeline for CMMC v2.0
|-
| 3B || 3.1.2.B.1 || (1) Incentives, Assessments, and 9–24-month rulemaking
|-
| 3B || 3.1.2.C || C. Levels of CMMC assessments and requirements
|-
| 3B || 3.1.2.C.1 || (1) Foundational/Level 1 (same as previous CMMC v1.0 level 1)
|-
| 8A || 3.1.2.C.1.a || (a) FAR Clause 52.204-21
|-
| 3A, 8A || 3.1.2.C.1.a.i || i. Provide overview of the 17 basic safeguarding requirements and how procedures are applied within the CMMC L1/L2 practices/assessment framework
|-
| 3A, 3B, 9A || 3.1.2.C.2 || (2) Advanced/Level 2 (previous level 3)
|-
| 3A, 7B || 3.1.2.C.2.a || (a) NIST SP 800-171 (Requirements)
|-
| 3A, 7B, 9A || 3.1.2.C.2.a.i || i. Provide overview of the 110 NIST SP 800-171 requirements and how they are applied within the CMMC Level 2 practices/assessment framework
|-
| 3B, 3C || 3.1.2.D || D. Self-Assessments vs. Third-Party Assessments
|-
| 3B, 3C || 3.1.2.D.1 || (1) Define the different criteria for the various assessment types under the CMMC v2.0 framework
|-
| 3C || 3.1.3 || 3. Consequences of non-compliance:
|-
| 3C || 3.1.3.A || A. Failure to receive an award of contract
|-
| 3C || 3.1.3.B || B. Contractual liability
|-
| 3C || 3.1.3.C || C. False Claims Act
|-
| 3C || 3.1.3.C.1 || (1) US Department of Justice
|-
| 3C || 3.1.3.C.1.a || (a) Civil Cyber-Fraud Initiative
|}

=== Task 2. Determine the appropriate roles/responsibilities/authority for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 2A || 3.2.1 || 1. Importance of data classification, collection, and analysis
|-
| 2A || 3.2.1.A || A. CUI Basic versus Specified
|-
| 2A || 3.2.2 || 2. Contractor sensitive data categories
|-
| 2A || 3.2.2.A || A. Federal Contract Information (FCI)
|-
| 2A || 3.2.2.A.1 || (1) Section 4.1901 of the Federal Acquisition Regulation (FAR)
|-
| 2A || 3.2.2.B || B. Controlled Unclassified Information (CUI)
|-
| 2A, 2B || 3.2.2.B.1 || (1) Part 2002 of Title 32 CFR, 2002.4(h)
|-
| 2A, 2B || 3.2.3 || 3. Government authority for identifying and marking CUI
|-
| 2A, 2B || 3.2.3.A || A. Executive Order 13556
|-
| 2A, 2B || 3.2.3.B || B. 32 Code of Federal Regulations, Part 2002 (Implementing Directive)
|-
| 2A, 2B || 3.2.3.C || C. DoD Instruction 5200.48, Controlled Unclassified Information (CUI)
|-
| 2B || 3.2.4 || 4. Contractor/Authorized holders’ responsibilities in handling CUI
|-
| 2B || 3.2.4.A || A. DoDI 5200.48
|-
| 1B, 2B || 3.2.4.B || B. Part 2002 of Title 32 CFR
|}

=== Task 3. Demonstrate understanding of the CMMC Source and Supplementary documents. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 3A || 3.3.1 || 1. CMMC Source Documents
|-
| 3A, 7B || 3.3.1.A || A. CMMC Model Overview
|-
| 7A, 7B || 3.3.1.B || B. CMMC Level 1 Assessment Guide
|-
| 7A, 7B || 3.3.1.C || C. CMMC Level 2 Assessment Guide
|-
| 5A || 3.3.1.D || D. CMMC Level 1 Scoping Guidance
|-
| 5A || 3.3.1.E || E. CMMC Level 2 Scoping Guidance
|-
| 3A, 7A, 10B, 10C, 10D, 10E || 3.3.1.F || F. CMMC Assessment Process (CAP)
|-
| 3A || 3.3.1.G || G. CMMC Glossary
|-
| 3A, 10D || 3.3.1.H || H. CMMC Artifact Hashing Tool User Guide
|-
| 2A || 3.3.2 || 2. ISOO CUI Registry
|-
| 2A || 3.3.2.A || A. NARA administers the CUI Registry
|-
| 2A || 3.3.2.A.1 || (1) Types of labeled information on documents such as:
|-
| 2A || 3.3.2.A.1.a || (a) Export Controlled (SP-EXPT)
|-
| 2B || 3.3.2.A.1.b || (b) Specified marking/labeling using NARA CUI Marking Handbook
|-
| 2A || 3.3.3 || 3. DoD CUI Registry
|-
| 2A, 2B || 3.3.3.A || A. Types of labeled information on documents such as:
|-
| 2A, 2B || 3.3.3.A.1 || (1) Naval Nuclear Propulsion Information (NNPI)
|-
| 2A, 2B || 3.3.3.A.2 || (2) NNPI marking/labeling using DoD CUI Marking Aid
|}

== Domain 4: CMMC Model Construct and Implementation Evaluation ==

=== Task 1. Given a scenario, apply the appropriate CMMC Source Documents as an aid to evaluate the implementation/review of CMMC practices. ===

(At a minimum, the CCP candidate must be evaluated on CMMC L1 Practices during the CCP exam.)

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 3A || 4.1.1 || 1. Model Architecture
|-
| 3A || 4.1.2 || 2. Model Levels:
|-
| 3A, 7B || 4.1.2.A || A. Cumulative Nature
|-
| 3A || 4.1.2.B || B. Characteristics
|-
| 3B || 4.1.2.C || C. Levels required for specific contracts
|-
| 3B || 4.1.2.C.1 || (1) Level 1
|-
| 3B || 4.1.2.C.2 || (2) Level 2
|-
| 3A || 4.1.3 || 3. Practices:
|-
| 7B || 4.1.3.A || A. Practices Descriptions
|-
| 3A || 4.1.3.A.1 || (1) Practice Numbering Scheme
|-
| 3A || 4.1.3.A.2 || (2) Objectives
|-
| 7B || 4.1.3.A.3 || (3) Assessment Methods and Objects
|-
| 8A || 4.1.4 || 4. Domains:
|-
| 3A || 4.1.4.A || A. Access Control (AC)
|-
| 8A || 4.1.4.A.1 || (1) AC.L1-3.1.1 – Authorized Access Control
|-
| 8A || 4.1.4.A.2 || (2) AC.L1-3.1.2 – Transaction & Function Control
|-
| 8A || 4.1.4.A.3 || (3) AC.L1-3.1.20 – External Connections
|-
| 8A || 4.1.4.A.4 || (4) AC.L1-3.1.22 – Control Public Information
|-
| 3A || 4.1.4.B || B. Audit & Accountability (AU)
|-
| 3A || 4.1.4.C || C. Awareness & Training (AT)
|-
| 3A || 4.1.4.D || D. Configuration Management (CM)
|-
| 3A || 4.1.4.E || E. Identification & Authentication (IA)
|-
| 8A || 4.1.4.E.1 || (1) IA.L1-3.5.1 – Identification
|-
| 8A || 4.1.4.E.2 || (2) IA.L1-3.5.2 – Authentication
|-
| 3A || 4.1.4.F || F. Incident Response (IR)
|-
| 3A || 4.1.4.G || G. Maintenance (MA)
|-
| 3A || 4.1.4.H || H. Media Protection (MP)
|-
| 8A || 4.1.4.H.1 || (1) MP.L1-3.8.3 – Media Disposal
|-
| 3A || 4.1.4.I || I. Personnel Security (PS)
|-
| 3A || 4.1.4.J || J. Physical Protection (PE)
|-
| 8A || 4.1.4.J.1 || (1) PE.L1-3.10.1 – Limit Physical Access
|-
| 8A || 4.1.4.J.2 || (2) PE.L1-3.10.3 – Escort Visitors
|-
| 8A || 4.1.4.J.3 || (3) PE.L1-3.10.4 – Physical Access Logs
|-
| 8A || 4.1.4.J.4 || (4) PE.L1-3.10.5 – Manage Physical Access
|-
| 3A || 4.1.4.K || K. Risk Assessment (RA)
|-
| 3A || 4.1.4.L || L. Security Assessment (CA)
|-
| 3A || 4.1.4.M || M. System & Communications Protection (SC)
|-
| 8A || 4.1.4.M.1 || (1) SC.L1-3.13.1 – Boundary Protection
|-
| 8A || 4.1.4.M.2 || (2) SC.L1-3.13.5 – Public-Access System Separation
|-
| 3A || 4.1.4.N || N. System & Information Integrity (SI)
|-
| 8A || 4.1.4.N.1 || (1) SI.L1-3.14.1 – Flaw Remediation
|-
| 8A || 4.1.4.N.2 || (2) SI.L1-3.14.2 – Malicious Code Protection
|-
| 8A || 4.1.4.N.3 || (3) SI.L1-3.14.4 – Update Malicious Code Protection
|-
| 8A || 4.1.4.N.4 || (4) SI.L1-3.14.5 – System & File Scanning
|}

=== Task 2. Apply knowledge of the CMMC Assessment Criteria and Methodology to the appropriate CMMC practices. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 3A, 7B || 4.2.1 || 1. The definition of each practice
|-
| 3A, 7B || 4.2.2 || 2. The Assessment Objectives
|-
| 7A, 7B, 8A || 4.2.3 || 3. The Assessment Methods (Examine, Interview, and Test) to use for the practices
|-
| 7B || 4.2.4 || 4. What information to look for in practice discussion
|-
| 7B || 4.2.5 || 5. The Key References and their applicability to the practices:
|-
| 7B || 4.2.5.A || A. Navigating and using the CMMC Assessment Guide(s) content
|-
| 7A, 7B || 4.2.5.B || B. Determining the assessment method(s) that would be best for gathering sufficient and accurate evidence
|}

=== Task 3. Analyze the adequacy/sufficiency around the location/collection/quality/usage of Evidence. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 7A || 4.3.1 || 1. Appraised Evidence is adequate
|-
| 7A || 4.3.2 || 2. Measure if the Evidence is sufficient
|}

== Domain 5: CMMC Assessment Process ==

=== Task 1. Choose the appropriate roles of the CCP in the CMMC Assessment Process when developing the assessment plan (Phase 1 – Plan and Prepare Assessment). ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 10B || 5.1.1 || 1. Validation criteria of OSC’s assessment evidence
|-
| 7B || 5.1.2 || 2. Analyzing the CMMC practice requirements
|-
| 10B || 5.1.3 || 3. What needs to be included in a CMMC Assessment Plan
|-
| 10B || 5.1.4 || 4. The CMMC Readiness Review Process
|}

=== Task 2. Apply CMMC Assessment Process requirements pertaining to the role of the CCP as an assessment team member while conducting a CMMC assessment (Phase 2 – Conduct Assessment). ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 7B, 10C || 5.2.1 || 1. How to assist/support the Assessment Team during an assessment
|-
| 7A, 7B, 10C || 5.2.2 || 2. The three possible assessment methods (Examine, Interview, and Test) and scoring evidence successfully for each practice
|-
| 10A, 10C || 5.2.3 || 3. Communication skills to interview or observe tests/demonstrations for assessment practices
|-
| 7B, 8C, 10C || 5.2.4 || 4. How Assessment Team Members rate practices and validate preliminary results
|-
| 10C || 5.2.5 || 5. How Assessment Team Members assist in the preparation of final findings
|-
| 10C || 5.2.6 || 6. How to score practices that are on a Plan of Action and Milestone (POA&M)
|}

=== Task 3. Demonstrate comprehension of the CCP role in the preparation of the assessment report (Phase 3 – Report Assessment Results). ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 10D || 5.3.1 || 1. The evidence presented for each practice
|-
| 7B, 10C || 5.3.2 || 2. How Assessment Team Members score practices, validate, and deliver assessment preliminary results
|-
| 10C || 5.3.3 || 3. How the Assessment Lead drafts and scores the final findings
|-
| 10D || 5.3.4 || 4. How the final findings and associated information are incorporated into the Assessment Report
|-
| 10D || 5.3.5 || 5. How the Lead Assessor submits the assessment report, including the review process, submitting to the C3PAO and the OSC
|-
| 10D || 5.3.6 || 6. How to package and archive the assessment results for a record to support any future questions that may be asked
|}

=== Task 4. Demonstrate comprehension of the CCP role in the process of evaluating outstanding assessment issues on Plan of Action and Milestones (POA&M) (Phase 4 – Evaluation of Outstanding Assessment POA&M Items). ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 10C || 5.4.1 || 1. The evaluation of assessment POA&M items
|-
| 10C || 5.4.1.A || A. DoD Assessment Methodology, POA&M scoring criteria
|-
| 10C || 5.4.1.A.1 || (1) Minimum assessment score
|-
| 10C || 5.4.1.A.2 || (2) Qualifying POA&M items
|-
| 10C || 5.4.1.B || B. CMMC AG CA.L2-3.12.2, Plan of Action objectives and requirements
|}

=== Task 5. Given a scenario, determine the appropriate phases/steps to assist in the preparation/conducting/reporting on a CMMC Level 2 Assessment. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 10B || 5.5.1 || 1. Plan and Prepare Assessments:
|-
| 10A || 5.5.1.A || A. CMMC CCP must be able to assist in analyzing requirements.
|-
| 10A || 5.5.1.B || B. CMMC CCP must be able to assist in developing assessment plan.
|-
| 10A || 5.5.1.C || C. CMMC CCP must be able to assist in verifying readiness to conduct assessment.
|-
| 10C || 5.5.2 || 2. Conduct Assessment:
|-
| 10A || 5.5.2.A || A. CMMC CCP must be able to assist in collecting and examining Evidence.
|-
| 10A || 5.5.2.B || B. CMMC CCP must be able to assist in scoring practices and validating preliminary results.
|-
| 10A || 5.5.2.C || C. CMMC CCP must be able to assist in generating final assessment results.
|-
| 10D || 5.5.3 || 3. Report Recommended Assessment Results:
|-
| 10A || 5.5.3.A || A. CMMC CCP must be able to assist in delivering recommended assessment results.
|-
| 10E || 5.5.4 || 4. Remediate Outstanding Assessment Issues:
|-
| 10A || 5.5.4.A || A. Awareness of the CCP’s Role in the POA&M Process
|}

== Domain 6: Scoping ==

=== Task 1. Understand CMMC High-Level Scoping as described in the CMMC Assessment Process. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 5A || 6.1.1 || 1. Defining organizational scoping
|-
| 5A || 6.1.1.A || A. Organization
|-
| 5A || 6.1.1.B || B. Host Unit
|-
| 5A || 6.1.1.C || C. Supporting Units
|}

=== Task 2. Given a Scenario, analyze the organization environment to generate an appropriate scope for FCI Assets. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 5A || 6.2.1 || 1. Defining FCI data in the form of Assets that:
|-
| 5A || 6.2.1.A || A. Process
|-
| 5A || 6.2.1.B || B. Store
|-
| 5A || 6.2.1.C || C. Transmit
|-
| 5A || 6.2.2 || 2. Out-of-Scope Assets
|-
| 5A || 6.2.3 || 3. Specialized Assets
|-
| 5A || 6.2.3.A || A. Government Property
|-
| 5A || 6.2.3.B || B. Internet of Things (IoT)/ Industrial Internet of Things (IIoT)
|-
| 5A || 6.2.3.C || C. Operational Technology (OT)
|-
| 5A || 6.2.3.D || D. Restricted Information Systems
|-
| 5A || 6.2.3.E || E. Test Equipment
|-
| 5A || 6.2.4 || 4. Scoping Activities
|-
| 5A || 6.2.4.A || A. People
|-
| 5A || 6.2.4.B || B. Technology
|-
| 5A || 6.2.4.C || C. Facilities
|-
| 5A || 6.2.4.D || D. External Service Providers (ESP)
|}