Published | 2 Minute Read

Understanding CMMC Compliance

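The U.S. Department of Defense will soon make Cybersecurity Maturity Model Certification a requirement for any defense contractor that currently works with, or wants to work with, the DOD.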

If you’re somewhat new to aerospace manufacturing, you might wonder what Cybersecurity Maturity Model Certification (CMMC) has to do with engineering and manufacturing. After all, what does cybersecurity have to do with aerospace? But it is important to know that the U.S. Department of Defense will soon make this certification a requirement for any defense contractor that currently works with, or wants to work with, the DOD.

CMMC is a unified standard for implementing cybersecurity across the defense industrial base, which includes more than 300,000 companies in the supply chain. These CMMC standards are the DOD’s response to significant compromises of sensitive information located in its contractors’ information systems. In other words, the government wants to make sure data isn’t vulnerable due to suboptimal standards on the part of vendors and contractors.

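In the past, contractors were responsible for implementing, monitoring and certifying the security standards of their own various systems. CMMC was drafted with input from university-affiliated research centers, federally funded research and development centers, and the industry itself. Under the new standard, contractors are still responsible for implementing cybersecurity standards. CMMC adds a requirement for third-party assessment of contractors' compliance with practices, procedures and capabilities to adapt to evolving threats.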

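The DOD framework outlines five levels of certification. Each level builds on the levels below it: for example, Level 3 certification includes the requirements for Levels 1 and 2. Below is a brief description of each level: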

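Level 1 - “Basic Cyber Hygiene”: This is the minimum standard for every DOD contractor. Contractors that want to pass an audit at this level must implement 17 controls of NIST 800-171 Rev1.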

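Level 2 - “Intermediate Cyber Hygiene”: Here, DOD contractors implement another 48 controls of National Institute of Standards and Technology (NIST) Rev1, in addition to seven other controls.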

Level 3 - “Good Cyber Hygiene”: To reach this level, the final 45 rules of NIST Rev1 plus 13 other controls must be met.

Level 4 - “Proactive” cybersecurity: In addition to meeting NIST Rev1, contractors must also meet 11 controls of NIST 800-171 Rev2 as well as 15 other controls.

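Level 5 - “Advanced / Progressive” cybersecurity: To reach the highest level, DOD contractors must implement the final controls of NIST Rev2 plus 11 other controls.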

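In addition, to reach each certification level, contractors and suppliers must meet the requirements for practices and processes covering 43 distinct capabilities that span 17 capability domains.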

CMMC will soon be a minimum requirement to be eligible for DOD contract awards, but contractors should never view their cybersecurity compliance as an accomplished mission once a certification is earned. The DOD has emphasized that the certification is a starting point for transforming contractors’ internal cybersecurity culture and that the industry must focus on preparing their systems to be agile in a constantly evolving world of cyber threats.

About the Author

Matthew Cox is the CEO of Indiana Precision Grinding.
