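The CMMC Defense Industry Secure Supply Chain Forum will focus on key priorities for the future development of the defense supply chain and share practical experience with the CMMC standard, helping to build a solid cybersecurity shield for the defense supply chain.
Data protection plays a vital role in meeting the CMMC (Cybersecurity Maturity Model Certification) requirements. CMMC is an information security standard that regulates the Defense Industrial Base (DIB); it aims to strengthen the security measures applied to the transmission and use of information within the supply chain, so that sensitive information is properly protected as it passes between contractors. Even parts of the supply chain that are not directly related to defense cannot avoid the contractual obligations. In pursuing CMMC compliance, organizations should take a comprehensive approach covering people, processes and technology, building a resilient cybersecurity infrastructure that adapts to evolving threats and protects sensitive information.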
From the perspective of a CMMC Certified Assessor (CCA) affiliated with an authorized CMMC Third-Party Assessment Organization (C3PAO), this presentation is rooted in firsthand experience, having successfully compiled the necessary documentation and passed the rigorous U.S. Department of Defense’s DIBCAC High Confidence assessment and a Joint Surveillance Voluntary Assessment (JSVA).
The pathway to CMMC / NIST 800-171 compliance requires a Defense Industrial Base (DIB) contractor or subcontractor to meticulously prepare a comprehensive set of documentation. This talk aims to demystify the assessment process, highlighting key focus areas for assessors and delineating the preparatory steps essential for achieving a CMMC Level 2 Certification Assessment. This includes discussing the scoping process, understanding control inheritance, and setting realistic expectations for involvement and documentation from managed service providers (MSPs) and cloud service providers (CSPs).
Furthermore, the presenter will share an essential objective evidence list crafted to guide DIB contractors on what assessors anticipate regarding documentation and assessment activities. Attendees will leave with a robust understanding of the CMMC Level 2 certification assessment process, insight into assessor expectations, and resources to streamline their preparation for CMMC compliance.
Audience Key Takeaways:
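Because of its geopolitical situation and the attention drawn by its role in the global high-tech supply chain, Taiwan has long been one of the hotspots for cybersecurity threats and malicious attacks. From the standpoint of national security and defense, Taiwan does need to respond strategically, based on the actual needs of its own industrial supply chain environment, to this constantly evolving, complex and global security threat: to consider setting more proactive goals for adopting the CMMC mechanism, and to take further strategic planning actions, in order to build stronger security resilience in the defense industry.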