
The CMMC Standard

Advanced consulting services for suppliers of the US Department of Defense

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC for short) is a cybersecurity certification required of any organization that intends to work with the US Department of Defense (DoD), or as a subcontractor of an organization working for the DoD, in the coming years.

In its new version (ver 2), CMMC consists of 3 different certification levels, each tailored to a different level of information security required of the organization.

The certification level required of each organization depends on the type and classification of the information it is exposed to while working with the DoD, and is defined in the tenders published to the public. Note that the CMMC definitions are dynamic and are expected to be updated together with the industry; for this reason a CMMC certification is valid for 3 years, after which it must be renewed. Note also that each certification level "contains" the levels below it: certification at level 2 includes the requirements of level 1, and so on.


How does the process work?

Preparing the organization

We come to your organization and identify the gaps against the existing cyber defenses, analyze those gaps, and create a plan to close them (according to the certification level required of the organization).

Level 2 or 3

Required once every 3 years: an assessment by way of an external audit conducted by an official certification body on behalf of the DoD, called a Certified 3rd Party Assessment Organization (C3PAO).

We accompany the preparation for the audit, the audit itself, and the response to any gaps found.


Certified guidance

The process is led by a Certified Registered Practitioner (RP), an implementer certified by the CMMC-AB accreditation body, who accompanies the organization through the certification process.

We are the first in Israel to receive this recognition from the organization.

  • How will the requirement for CMMC certification affect my existing business engagements with the DoD?
    The DoD intends to require CMMC certification from its entire supply chain of suppliers and service providers, both in future tenders that involve access to CUI or FCI information and as an addition to existing contracts. Therefore, even an organization that currently works with the DoD will have to present certification, as will its entire supply chain, even if it does not intend to bid on future tenders after 2025.
  • Can my organization obtain CMMC certification on its own?
    Although it is possible to prepare for CMMC certification internally, the process can be complex, expensive, and take a long time, especially if the organization does not employ both information security and quality assurance experts. An outside consultant with CMMC expertise can help streamline the process, ensure all requirements are met effectively, and increase the likelihood of passing the certification audit on the first try, saving a lot of time and money.
  • What is the difference between NIST SP 800-171 and CMMC?
    NIST SP 800-171 is a guidance document intended for non-federal entities exposed to CUI. CMMC is based on these guidelines but expands them by adding further practices and processes and by dividing them into 5 levels of certification. Unlike NIST, which relies on self-assessment, CMMC requires certification by a third party (C3PAO).
  • What happens if we fail the CMMC assessment?
    An organization that has not met the CMMC assessment requirements will receive from the C3PAO a list of deficiencies that must be addressed. It will have to implement corrective actions for these areas and then undergo a reassessment. Note that there may be a waiting period before a reassessment can be performed. For these reasons, it is recommended to consider engaging a professional to accompany the certification process.
  • Will there be exceptions that will be exempt from CMMC certification?
    Currently there are no exceptions. Every contractor and subcontractor working as part of the DoD supply chain and exposed to FCI or CUI will be required to present CMMC certification regardless of their size and the industry in which they operate, although the level of certification required may vary. This also includes services provided in the cloud.
  • Will CMMC requirements change over time? And how can my organization prepare for this?
    Yes. As threats and information security technologies evolve, the model will be updated accordingly by the official accreditation body, the CMMC Accreditation Body (AB). A professional consultant who accompanies the organization through the accreditation process can also help build a plan to keep the organization up to date.
  • Can organizations that are not part of the supply chain of the US Department of Defense also be certified for the CMMC model?
    Yes. Although there is no obligation, the CMMC certification is a signal to the market about the organization's professionalism and the seriousness with which it takes the security of the information to which it is exposed.
  • How much is CMMC certification expected to cost?
    The costs vary according to a number of factors, including the certification level requested, the size and complexity of the organization and its information networks, and the number of existing gaps in the information security system. In addition, there are the costs of the third-party assessment itself. As a rough estimate: certification for level 1 is expected to cost between hundreds and thousands of dollars, certification for level 2 may reach thousands to a few tens of thousands of dollars, and certification for level 3 and above may even reach hundreds of thousands of dollars. For an initial consultation, you can leave your details in the form at the bottom of the page or contact us directly.
  • How long is the certification process expected to take?
    Here too, it is difficult to say, since there are many variables in the process. Preparing the organization for the assessment can take from a few weeks to several months.
  • How can you get professional help in the organization certification process?
    For consulting and support from our quality assurance and information security experts, contact us: Maof Quality, Improvement, Optimization Ltd.

Secure your organization's future

Ready to start your journey toward CMMC certification and improved cybersecurity? Leave your details here.
