Federal Register :: Cybersecurity Maturity Model Certification (CMMC) Program
The Department estimates 8350 medium and large entities will be required to meet CMMC Level 2 C3PAO assessment requirements as a condition of contract award.
Any DoD component can request DCMA DIBCAC to initiate an assessment and these requests will take priority in the assessment scheduling process.
So which one is it? Does the Lvl2 certification require a C3PAO audit or a DIBCAC audit? Does the company get to choose C3PAO vs DIBCAC auditor? If so, C3PAO would be the easier one in my opinion.
For CMMC Level 2 assessments, POA&Ms generally are not permitted for security requirements with a point value of greater than 1 and are permitted only if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M prohibited controls.
Where do I find info on the point value of security requirements? Where is the list of prohibited controls?
Sounds like it's saying you need to meet 80% of the Lvl2 security controls.