Matthieu Garin’s Post

📚 On October 15, the United States Department of Defense published the #CMMC final rule (#32CFR) to protect Controlled Unclassified Information (#CUI) and sensitive contract data across the Defense Industrial Base (including third-party, fourth-party vendors...) 🇺🇸 This is a major development in the #US and is likely to influence governments worldwide! 🌐 #MustRead #ThirdPartySecurity

Excellent article by Jonathan Deglise summarizing the main takeaways, thanks Jonathan!! https://lnkd.in/eaMCzz-f

1️⃣ CMMC 2.0 assessments will begin soon. Starting December 16, 2024, CMMC assessments will be available 📆
2️⃣ The current version of NIST 800-171 will serve as the foundation for CMMC Level 2 assessments and certification 📄
3️⃣ Self-assessments will apply to only a small fraction of OSCs (Organizations Seeking Certification) - about 2%
4️⃣ Subcontractors are required to obtain a certification similar to the prime contractor's #FourthPartiesSecurity 📈
5️⃣ The DoD reserves the right to assess any CMMC-certified organization at any time 🔎
6️⃣ Any CUI managed by a #Cloud Service Provider must meet #FedRAMP Authorization at the Moderate level ☁️
7️⃣ #MSPs without direct CUI access do not need CMMC certification (simple description of their responsibilities)
8️⃣ #VDI clients that limit interaction to #KVM input 🖱 and do not process critical data are considered out of scope

Abderrahmane Smimite

Ph.D, CISSP, SPC | Cloud, Data/AI and Cyber Security | Open Source Advocate 🐙🇫🇷

1mo

Indeed, it finally happened :) Side notes: identifying and marking the CUI is the tricky part when dealing with CMMC, so here is a starting point https://www.archives.gov/cui. Also, CMMC is usually paired with 800-171, which got updated in May as well.

You’re right, CMMC is a big step forward, but it doesn’t address the bigger issue: why is so much information marked as CUI in the first place? Unfortunately, over-classifying creates cascading problems and piles on unnecessary costs.

Addy Sharma 🔐

Cloud Security Architect | Azure & AWS Certified | SANS | IAM | CASB | CWPP | DLP | EDR | SIEM Expert ☁️ Cloud Security Assessments ⚙️ Architecting Cloud Security Controls 📡 Incident Response

1mo

The CMMC final rule marks significant progress in enhancing cybersecurity measures within the defense sector.

Stéphane B.

CISO / Cyber Security Governance, SME

1mo

Interesting 😉 THANK YOU for sharing. Regards, Stéphane

Jonathan Deglise

Cybersecurity Consultant at Wavestone | Experienced Advisor to the CxOs | ISO 27001 Lead Implementer & Auditor & Trainer | AWS Security Specialty & MS-500 & AZ-500 Certified | CCSK | CMMC Foundations

1mo

Thanks Matthieu Garin! Appreciate the support in raising awareness on CMMC! Looking forward to helping more clients navigate compliance together.
