CMMC Forum

CMMC Forum will focus on the cybersecurity requirements of the defense industry. It will share practical experiences with CMMC standards, assisting supply chains in establishing high-security standards.

TIME & LOCATION
  • 5/16 (Thu.) 14:00 - 17:00 | 701C Meeting Room
AGENDA
5 / 16
14:00 - 14:20
Merton Wu / Chairman CYBERSEC 2024 Editor in Chief iThome
    5 / 16
    14:20 - 14:25
    Benson Wu / Co-Founder & CEO, CyCraft Technology CyCraft
      5 / 16
      14:25 - 14:30
      Lin Jiun Shiou / Deputy Director General Administration for Digital Industries, moda
        5 / 16
        14:30 - 15:00
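        唐從文 / Director, Division of Cyber Security and Decision-Making Simulation, Institute for National Defense and Security Research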
          5 / 16
          15:00 - 15:20
          Alden Chen / InfoSec Consultant / CISSP FineArt Technology

          Data protection plays a vital role in meeting CMMC (Cybersecurity Maturity Model Certification) compliance. CMMC is an information security standard that regulates the Defense Industrial Base (DIB). It aims to strengthen security measures for information transmission and use in the supply chain to ensure that confidential information is properly protected between contractors. Although the supply chain may not be directly related to national defense, it cannot avoid contractual constraints. When pursuing CMMC compliance, organizations should take a comprehensive approach that spans people, processes, and technology to build a resilient cybersecurity infrastructure that can adapt to evolving threats and protect confidential information.

          • Data Leak
          • Data Security
          • Endpoint Security
          5 / 16
          15:30 - 16:00
          Kyle Lai / President & CISO KLC Consulting CMMC Consultant

          From the perspective of a CMMC Certified Assessor (CCA) affiliated with an authorized CMMC Third-Party Assessment Organization (C3PAO), this presentation is rooted in firsthand experience, having successfully compiled the necessary documentation and passed the rigorous U.S. Department of Defense’s DIBCAC High Confidence assessment and a Joint Surveillance Voluntary Assessment (JSVA).

          The pathway to CMMC / NIST 800-171 compliance requires a Defense Industrial Base (DIB) contractor or subcontractor to meticulously prepare a comprehensive set of documentation. This talk aims to demystify the assessment process, highlighting key focus areas for assessors and delineating the preparatory steps essential for achieving a CMMC Level 2 Certification Assessment. This includes discussing the scoping process, understanding control inheritance, and setting realistic expectations for involvement and documentation from managed service providers (MSPs) and cloud service providers (CSPs). 

          Furthermore, the presenter will share an essential objective evidence list crafted to guide DIB contractors on what assessors anticipate regarding documentation and assessment activities. Attendees will leave with a robust understanding of the CMMC Level 2 certification assessment process, insight into assessor expectations, and resources to streamline their preparation for CMMC compliance.

          Audience Key Takeaways:

          1. Gain a comprehensive overview of the CMMC Level 2 certification assessment process, enriched by the presenter's JSVA experience.
          2. Acquire a clear understanding of what C3PAOs anticipate from DIB contractors in preparation for and during the assessment.
          3. Receive an invaluable objective evidence list to guide DIB contractors in preparing their documentation and assessment activities according to assessor expectations.
          • Compliance
          5 / 16
          16:00 - 16:30
          Raymond HJ HUANG / Senior Research Fellow, Army Lieutenant General (retired) Institute for National Defense and Security Research

          Taiwan is a hotspot targeted by malicious cyber-attacks due to its role as a key high-tech link in the global supply chain. From national defense and security perspectives, it needs more strategic thinking and proactive measures to counter cyber threats, a non-stop, complex and global security issue. However, given the scale of Taiwan's defense industrial suppliers compared with the extensive defense industrial base of the United States, it requires a collaborative effort by diverse stakeholders to collectively explore how to establish a constructive mechanism similar to the CMMC that aligns with national security needs and Taiwan's own defense industrial environment. This will aim to establish stronger cybersecurity resilience for its national defense supply chain. It is, therefore, urged and anticipated that the Taiwan government set a much more aggressive mission goal, with proactive cross-department integration and support efforts, to promote much closer cooperation between the US and Taiwan defense industries and to help industry engage with the CMMC and comply with the related NIST standards.

          • Supply Chain Security
          • Security Awareness
          • Industrial Security
          5 / 16
          17:00 - 17:05
          霍守業 / Chairman, Institute for National Defense and Security Research