A Clear Path to NIST & CMMC Compliance
Jack Nichelson
Chief Information Security Officer
Jack.Nichelson@MRKTech.com
CMMC 2.0 Compliance Update
MRK/TRUWEST
• MRK Technologies
  • Security Services (CISO-for-Hire)
  • Value-Added Technology Reseller
• Technology Recovery Group (TRG)
  • Point-of-Sale Lifecycle Management
• River Capital/River SaaS
  • Equipment Leasing
  • Startup Venture Capital
• Sibling Revelry Brewing
  • Craft Brewery and Tasting Room
• MRK is part of the TruWest family of companies
  • 40+ years in business
  • International footprint across the US, Canada and Europe
MRK CISO SERVICES
• Run security programs for companies of all sizes, in every vertical, across the globe
• Each Chief Information Security Officer (CISO) has 20+ years of experience, largely in-house running security programs
• Act as an employee of the company, build up their security, respond to incidents, and engage with their regulators and customers
• Keep our customers safe and secure
MRK’s CISO practice works with several government contractors.
MRK MANAGED SECURITY
• MRK Managed Security is committed to providing best-in-class results by fully running out an alert – investigating and running to ground every available detail.
• Our differentiator is that we provide actionable alerts with details on remediation, containment and response.
• We provide detailed communication that minimizes an internal team’s effort and provides an expedited path to resolution – no copy-and-paste tickets, no alerts without context.
CISO PROFILE: JACK NICHELSON
• Prior experience running Infrastructure & Security at multiple Fortune 500s
• 20+ years in IT & IT Security
• Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value
• Board member for FBI InfraGard
• Executive MBA from Baldwin-Wallace University
• Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team
• Certs include: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP
INTRODUCTION TO CMMC 2.0
A New Standard in Defending Data
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard designed to implement and improve cybersecurity across the entire Defense Industrial Base (DIB), which includes more than 300,000 companies. The new model will verify that DoD contractors have sufficient controls to safeguard sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The compliance standard is an evolution of the DFARS 252.204-7012 and NIST 800-171 standards and is meant to protect the nation's sensitive data. All government contractors will have to become CMMC compliant by 2026 in order to continue doing business with the U.S. Government.
It’s critical to start the CMMC process sooner rather than later, whether 5 or 50 percent of your revenue comes from government contracts. Vendors that show strong controls will thrive as the entire DIB transitions to the new model. Every company within the DoD supply chain will be required to get certified to receive new contracts, representing a massive portion of potential business. In fiscal year 2018, the DoD awarded nearly $360 billion in contracts for products, materials and services.
CMMC ACRONYMS
• Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to permit only businesses with a valid CMMC certification to bid on and win contracts with the US Government by 2026.
• Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release. (CMMC 2.0 Level 1)
• Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. (CMMC 2.0 Level 2)
• Defense Federal Acquisition Regulation Supplement (DFARS): Starting in Dec. 2020, all contractors are subject to new clauses in the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012, 7019, 7020 and 7021). This means, starting immediately, that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded to them.
• System Security Plan (SSP): The SSP is a document that identifies the functions and features of a system, including all its hardware and the software installed on the system. It outlines the security requirements of the system and describes the controls in place or planned, and the responsibilities and expected behavior of all individuals who access the system. The SSP has been part of the NIST 800-171 security requirement set forth by DFARS 7012. DFARS 7019 holds the requirements for contractors to maintain their assessments and report them properly, as well as the requirements for contracting authorities to award or withhold award based upon properly reported assessment results.
• Certified Third-Party Assessment Organization (C3PAO): A C3PAO is an organization authorized by the CMMC-AB to conduct and deliver CMMC assessments.
DIFFERENCE BETWEEN FCI & CUI
• Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release. “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
• Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
Within the construct of the CMMC, know that CUI will require Level 2 or higher CMMC certification, whereas FCI will only require Level 1 self-certification.
THE LONG ROAD TO CMMC
WHAT YOU NEED TO KNOW ABOUT CMMC 2.0
• In November 2021, the Department of Defense (DoD) announced that the CMMC will be undergoing three major changes to help reduce costs, streamline the compliance process, and be better aligned with other federal standards. CMMC 2.0 may not be fully implemented until late 2023.
• By 2026, all DIB contractors will be required to be CMMC certified by a C3PAO before being allowed to bid on government contracts.
• A strong cybersecurity posture will always be a requirement in securing a DoD contract. While the DoD stresses that it will not approve any contracts that include a CMMC requirement prior to CMMC 2.0 implementation, the department strongly encourages the DIB sector to meet the 110 security controls stipulated under NIST SP 800-171.
• This is because NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0. The similarities between the two compliance models make it easier for a NIST SP 800-171-compliant company to achieve compliance with Level 2 standards when CMMC 2.0 becomes law. After all, the DIB is still subject to the Defense Federal Acquisition Regulation Supplement rules, which require meeting NIST 800-171 and DFARS 7012 standards.
• Prime contractors will have to ensure all subs are CMMC compliant. CMMC requirements must flow down to over 350,000 DIB companies.
• The DoD estimates that about 150,000 companies will need to meet Level 1, about 80,000 companies will need to be compliant with CMMC Level 2, and fewer than 500 companies will need to comply with Level 3.
• All contractors could now be subject to DFARS 252.204-7012 & 7019. This means that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded.
THE 3 LEVELS OF CMMC 2.0
• Level 1 (Foundational) only applies to companies that focus on the protection of FCI. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users. The DoD estimates that about 150,000 such companies exist in the DIB.
• Level 2 (Advanced) is for companies working with CUI. Requirements will mirror NIST SP 800-171, and all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 control families and 110 security controls developed by NIST to protect CUI. The DoD estimates that about 80,000 companies handle CUI.
• Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. The DoD is still determining the specific security requirements for Level 3 (Expert), but has indicated that requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. The DoD estimates that about 500 companies will need to comply with Level 3.
THE “CRAWL – WALK – RUN” OF CMMC
• CRAWL: Notice of NIST 800-171 DoD Assessment Requirements. In the 1st phase of CMMC implementation, contractors must register by CAGE code in SPRS and upload a self-assessment based on their 800-171 controls implementation (not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest).
• WALK: The DoD Assessment Methodology begins to be enforced. A two (2) year effort where inconsequential “audits” by DCMA and the DIB-CAC are part of the process.
• RUN: The instantiation of how we’re going to ensure cybersecurity is foundational to all acquisition. This is when CMMC controls, processes, & practices become required elements for doing business with the Department.
NIST 800-171 EXPLAINED
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is the standard developed to protect controlled unclassified information (CUI) in nonfederal systems and organizations.
• NIST SP 800-171 came from a combination of the Federal Information Processing Standard (FIPS) 200 and the Moderate baseline of NIST SP 800-53. It contains administrative and technical requirements within 110 controls organized into 14 control families.
• CMMC Level 1 organizations can complete a NIST SP 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS).
• CMMC Level 2 or higher requires a C3PAO to complete an assessment to determine an organization’s maturity level.
• The DFARS 7019 clause notifies the contractor that they are required to maintain a record of their NIST 800-171 compliance within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system, which is only accessible to DoD personnel.
NIST 800-171 CONTROLS OVERVIEW
DFARS INTERIM RULE OVERVIEW
• 252.204-7012 (Existing): Created the basis for protecting controlled unclassified information by implementing NIST 800-171 controls.
• 252.204-7019 (New as of 11/20/20): Created a self-assessment (Basic) requirement related to 800-171 and publishing the score in SPRS.
• 252.204-7020 (New as of 11/20/20): Expands the 800-171 scores to include Moderate and High assurance assessments conducted by the DIB-CAC and recorded in SPRS. Flow down to subs is required, and having an 800-171 score in SPRS is a requirement prior to award.
• 252.204-7021 (New as of 11/20/20): Creates the basis for CMMC and outlines C3PAOs and the timeline for the rollout.
On September 29, 2020, the DoD issued the interim rule implementing the CMMC program. The rule introduces a new mandatory construct, the DoD Assessment Methodology, to serve as an interim certification process before contractors undergo a full CMMC review. A full description of the interim rule and what it means for DoD contractors follows.
DFARS INTERIM RULE - 5 KEY TAKEAWAYS
1) This new requirement takes effect on December 1, 2020 for all contractors that are subject to the DFARS 252.204-7012 & 7019 clauses based on their handling of Controlled Unclassified Information (CUI).
2) Contractors that handle CUI will need to complete a new NIST 800-171 Self-Assessment based on a new scoring methodology and then post their score in the Supplier Performance Risk System (SPRS) before a contract will be awarded.
3) The Self-Assessment must also include the completion of a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of their network and their plan to achieve 100% compliance with the NIST 800-171 requirements.
4) Prime contractors must flow this requirement down to their subcontractors/suppliers that handle CUI as well.
5) DCMA will be conducting random audits to ensure companies have not only completed the self-assessment, but have scored themselves accurately, have an SSP and are working towards completing a realistic POAM.
SPRS Reporting Requirements:
• Your system security plan name
• The CAGE code associated with the plan
• A brief description of the plan architecture
• The date the assessment was completed
• The date that a score of 110 will be achieved
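The “new scoring methodology” in takeaway 2 and the “score of 110” in the SPRS list refer to the NIST SP 800-171 DoD Assessment Methodology, which scores subtractively: an assessment starts at 110 and loses 5, 3 or 1 points for each requirement that is not implemented, with partial credit (3 points deducted instead of 5) defined only for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography). The calculator below is an added example, not part of this presentation and not an MRK tool; the point values it assigns to the sample requirements are constructed for illustration, and the real values come from the methodology’s scoring table. It produces the SPRS score and the list of open items that seeds the POA&M, ordered by points at stake.

```python
"""NIST SP 800-171 DoD Assessment (SPRS) score and POA&M skeleton.

Added example. The scoring rules (110 minus 5/3/1 per unimplemented
requirement, partial credit only for 3.5.3 and 3.13.11) are assumed from the
DoD Assessment Methodology; sample weights below are illustrative.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple

MAX_SCORE = 110                 # score of a fully implemented assessment
ALLOWED_WEIGHTS = {1, 3, 5}     # point value a requirement can carry
# Only these two requirements may be scored "partial" (3 points deducted, not 5):
# 3.5.3  - MFA in place for remote/privileged access but not yet general users
# 3.13.11 - encryption in use but not FIPS-validated
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}
PARTIAL_DEDUCTION = 3


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"
    PARTIAL = "partial"


@dataclass(frozen=True)
class Requirement:
    rid: str        # NIST SP 800-171 requirement id, e.g. "3.5.3"
    title: str
    weight: int     # 1, 3 or 5 points, taken from the methodology's table
    status: Status

    def __post_init__(self) -> None:
        # Reject data that could not have come from a valid assessment.
        if self.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{self.rid}: weight must be one of {sorted(ALLOWED_WEIGHTS)}")
        if self.status is Status.PARTIAL and self.rid not in PARTIAL_CREDIT_IDS:
            raise ValueError(f"{self.rid}: partial credit exists only for {sorted(PARTIAL_CREDIT_IDS)}")


def deduction(req: Requirement) -> int:
    """Points lost for one requirement under the methodology's rules."""
    if req.status is Status.IMPLEMENTED:
        return 0
    if req.status is Status.PARTIAL:
        return PARTIAL_DEDUCTION
    return req.weight


def sprs_score(reqs: Iterable[Requirement]) -> int:
    """Score to post in SPRS: 110 minus the deductions for every open requirement.

    A real assessment covers all 110 requirements; anything not listed here is
    treated as implemented, so score the complete list, not a subset.
    """
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def poam_items(reqs: Iterable[Requirement]) -> List[Tuple[str, str, int]]:
    """POA&M skeleton: (id, title, points at stake) per open requirement, biggest gap first."""
    open_items = [(r.rid, r.title, deduction(r)) for r in reqs if deduction(r) > 0]
    return sorted(open_items, key=lambda item: (-item[2], item[0]))


# Constructed sample assessment (six of the 110 requirements); weights are illustrative.
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, Status.IMPLEMENTED),
    Requirement("3.3.3", "Review and update logged events", 1, Status.NOT_IMPLEMENTED),
    Requirement("3.5.3", "Use multifactor authentication", 5, Status.PARTIAL),
    Requirement("3.8.4", "Mark media with CUI markings", 1, Status.NOT_IMPLEMENTED),
    Requirement("3.13.11", "Employ FIPS-validated cryptography", 5, Status.NOT_IMPLEMENTED),
    Requirement("3.14.2", "Provide protection from malicious code", 5, Status.IMPLEMENTED),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))   # 100 for the sample above
    for rid, title, pts in poam_items(SAMPLE_ASSESSMENT):
        print(f"  POA&M {rid:<8} {pts} pt(s)  {title}")
```

Because the deduction is weighted, the POA&M ordering matters for the “date that a score of 110 will be achieved”: closing the two 5-point gaps in the sample moves the score from 100 to 108, while the two 1-point gaps together are worth less than finishing the MFA rollout.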
PRELIMINARY STEPS FOR CMMC SUCCESS
Step 1: Identify the Target CMMC Level: In order to start, you have to know what target CMMC certification level your organization needs to attain. CMMC focuses entirely on the classification of data:
• If you store, transmit and/or process just FCI, then you are a Level 1
• If you store, transmit and/or process FCI and/or CUI, then you are a Level 2
Step 2: Document FCI/CUI Data/Process Flows: The DoD considers any part of your organization that touches CUI & FCI (i.e., where it’s stored, how it’s processed, and how it’s transmitted) to be “in-scope” when it comes to an official certification assessment. For example, your organization may have other unrelated departments (e.g., marketing, sales, etc.) where CUI & FCI will not be stored, processed, or transmitted. To make compliance as smooth and cost-effective as possible, you’ll want to isolate only the relevant parts of your organization into their own network.
Step 3: Establish an Asset Inventory, Network Diagrams, Policies, Processes, and Plans: The CMMC is all about “Process Maturity”: an organization’s commitment to and consistency in performing specific practices. To do this successfully, you need to establish several governing documents describing what the organization should abide by (policies), how they should be implemented (processes), and how those tasks will be funded and managed (plans).
Step 4: Create a System Security Plan (SSP): The SSP is your organization’s plan to secure its systems. More specifically, it is a collection of documents that paint a picture of your environment, the associated security requirements, the implemented or planned controls, and the expected behaviors of all individuals who access the system. In addition to other documents, you will need to reference your previously established policies, processes, and plans as they relate to each domain. Depending on your organization, your SSP might cover your entire organization, a subset, or multiple subsets of it.
Step 5: Train Personnel on Secure Practices: The common weak link in most organizations is the “people factor”: the individuals required to operate processes. OSCs (Organizations Seeking Certification) are required to train their personnel on CUI handling practices, role-specific security training, insider threat awareness and, in some cases, ITAR/EAR training for export control.
Step 6: Conduct a CMMC Pre-Assessment: The CMMC Pre-Assessment is a necessary internal tool to prepare for the actual certification assessment. It is the only way to know which practices your organization is missing, collect evidence about processes and plans, and build a Plan of Actions & Milestones (POA&M) for missing practices, processes, and plans.
Create a POA&M: You will take all of your missing controls and create a formal document that describes the specific steps your organization will take to implement a particular practice fully (actions) and over what period (milestones).
Step 7: Choose a Certified Third-Party Assessor Organization (C3PAO): A Certified Third-Party Assessor Organization (C3PAO) is an official organization certified to provide CMMC certifications by the CMMC Accreditation Body (CMMC-AB). There are currently over 100 C3PAOs that you can work with on the CMMC-AB Marketplace. It would be best to choose a C3PAO that not only fits your budget but has previous experience with your industry.
Step 8: Get Certified: Your C3PAO and its CMMC Certified Professionals (CCPs) and CMMC Certified Assessors (CCAs) will use the CMMC-AB assessment guidelines to conduct a CMMC assessment for your entire organization or a specific CUI enclave. CCPs and CCAs will gather information and evidence to independently verify that the organization meets the stated assessment objectives for all of the required practices and processes. If the C3PAO can successfully demonstrate that the organization implements all practices and has the appropriate process maturity, it will grant the official certification.
Step 9: Recertification: Your certification will last for three years, which means that you will need to recertify every three years. The recertification process is the same as the initial process.
Step 10: Conclusion: Going from zero to certification involves a well-oiled machine with many moving parts, from scoping your organization, to establishing policies, processes, and plans, to establishing an evidence-driven compliance workflow, to hiring a C3PAO to certify you. While some organizations might be well resourced to undertake this process, others might struggle to get started. It is wise to seek out help from the many accredited organizations on the CMMC-AB Marketplace. MRK is a Registered Practitioner Organization (RPO).
QUESTIONS?
THANK YOU!
• Jack Nichelson (CISO, MRK Technologies)
CMMC AUDIT REMEDIATION PLAN
QUESTIONS?
First, CMMC 2.0 is on hold, with the potential for the rulemaking process to stretch out as late as fall 2023. The DoD has asked all organizations to use this time to implement NIST 800-171 (DFARS 252.204-7012 & 7019) and to ensure all subs meet it. The DoD has also indicated that there may be incentives for early adoption and for having improved self-assessment scores posted to the DoD’s Supplier Performance Risk System (SPRS).
A trend appears to be forming among primes: requiring all subcontractors to be certified at CMMC 2.0 Level 2. From the prime’s point of view, this would mean reduced risk of sharing CUI with a subcontractor that is not certified to handle it, because all of their subcontractors are certified. This is why we are seeing this big push by the primes to get their subs to show they are meeting all 110 controls in NIST 800-171 (DFARS 252.204-7012 & 7019) and to prove it by uploading self-assessment scores to the DoD’s Supplier Performance Risk System (SPRS).

More Related Content

PPTX
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
PDF
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
PDF
The CMMC Has Arrived. Are You Ready?
PPTX
Webinar: Critical Steps For NIST Compliance
PPTX
CMMC for Contractors and Manufacturers – What to Know for 2023
PPTX
CMMC DFARS/NIST SP 800-171
PDF
Cybersecurity Maturity Model Certification
PPTX
MCGlobalTech CMMC Managed Compliance Service
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
The CMMC Has Arrived. Are You Ready?
Webinar: Critical Steps For NIST Compliance
CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC DFARS/NIST SP 800-171
Cybersecurity Maturity Model Certification
MCGlobalTech CMMC Managed Compliance Service

Similar to A Clear Path to NIST & CMMC Compliance_ISSA.pptx (20)

PPTX
CMMC 2.0 Explained: Impact for SMBs
PDF
Cybersecurity Maturity Model Certification
PDF
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
PPTX
Webinar - CMMC Certification.pptx
PPTX
Supporting your CMMC initiatives with Sumo Logic
PPTX
How I Woke Up from the CMMC Compliance Nightmare
PPTX
CMMC rollout: How CMMC will impact your organization
PPTX
Government Contracting- The Dawn of the CMMC - Win Federal Contracts
PPTX
PPTX
CMMC Certification
PPTX
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
PPTX
Demystifying CMMC: Real-World Insights from ControlCase Experts
PDF
ControlCase CMMC Basics Deck Final.pdf
PPTX
Government Webinar: Preparing for CMMC Compliance Roundtable
PDF
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
PDF
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
 
PDF
Understanding CMMC Requirements for Defense and Government Contractors.pdf
PPTX
Cybersecurity Maturity Model Certification (CMMC)
PPTX
CTEK Summer Series Session 3: Understanding CMMC Requirements for Healthcare ...
PDF
Cmmc overview arrington_20200903
CMMC 2.0 Explained: Impact for SMBs
Cybersecurity Maturity Model Certification
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
Webinar - CMMC Certification.pptx
Supporting your CMMC initiatives with Sumo Logic
How I Woke Up from the CMMC Compliance Nightmare
CMMC rollout: How CMMC will impact your organization
Government Contracting- The Dawn of the CMMC - Win Federal Contracts
CMMC Certification
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Demystifying CMMC: Real-World Insights from ControlCase Experts
ControlCase CMMC Basics Deck Final.pdf
Government Webinar: Preparing for CMMC Compliance Roundtable
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
 
Understanding CMMC Requirements for Defense and Government Contractors.pdf
Cybersecurity Maturity Model Certification (CMMC)
CTEK Summer Series Session 3: Understanding CMMC Requirements for Healthcare ...
Cmmc overview arrington_20200903
Ad

More from Jack Nichelson (9)

PPTX
Office 365 Security - Its 2am do you know whos in your office 365
PPTX
Creating a results oriented culture
PPTX
The kickstarter to measuring what matters Evanta CISO 2017
PPTX
Creating a Results Oriented Culture
PPTX
Moving Mountains Through Measurement
PPTX
10 Critical Habits of Effective Security Managers
PPTX
Information Security Metrics - Practical Security Metrics
PPTX
Information Security - Back to Basics - Own Your Vulnerabilities
PPTX
Protecting the Crown Jewels – Enlist the Beefeaters
Office 365 Security - Its 2am do you know whos in your office 365
Creating a results oriented culture
The kickstarter to measuring what matters Evanta CISO 2017
Creating a Results Oriented Culture
Moving Mountains Through Measurement
10 Critical Habits of Effective Security Managers
Information Security Metrics - Practical Security Metrics
Information Security - Back to Basics - Own Your Vulnerabilities
Protecting the Crown Jewels – Enlist the Beefeaters
Ad

Recently uploaded (20)

PDF
Auditboard EB SOX Playbook 2023 edition.
PDF
AI.gov: A Trojan Horse in the Age of Artificial Intelligence
PDF
LMS bot: enhanced learning management systems for improved student learning e...
PDF
Rapid Prototyping: A lecture on prototyping techniques for interface design
PDF
Ensemble model-based arrhythmia classification with local interpretable model...
PDF
ment.tech-Siri Delay Opens AI Startup Opportunity in 2025.pdf
PDF
Introduction to MCP and A2A Protocols: Enabling Agent Communication
PDF
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
PDF
4 layer Arch & Reference Arch of IoT.pdf
PDF
The AI Revolution in Customer Service - 2025
PDF
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
PDF
Transform-Your-Factory-with-AI-Driven-Quality-Engineering.pdf
PDF
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
PDF
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
PDF
Early detection and classification of bone marrow changes in lumbar vertebrae...
PDF
Planning-an-Audit-A-How-To-Guide-Checklist-WP.pdf
PDF
Advancing precision in air quality forecasting through machine learning integ...
PDF
Human Computer Interaction Miterm Lesson
PDF
giants, standing on the shoulders of - by Daniel Stenberg
Auditboard EB SOX Playbook 2023 edition.
AI.gov: A Trojan Horse in the Age of Artificial Intelligence
LMS bot: enhanced learning management systems for improved student learning e...
Rapid Prototyping: A lecture on prototyping techniques for interface design
Ensemble model-based arrhythmia classification with local interpretable model...
ment.tech-Siri Delay Opens AI Startup Opportunity in 2025.pdf
Introduction to MCP and A2A Protocols: Enabling Agent Communication
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
4 layer Arch & Reference Arch of IoT.pdf
The AI Revolution in Customer Service - 2025
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
Transform-Your-Factory-with-AI-Driven-Quality-Engineering.pdf
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
Data Virtualization in Action: Scaling APIs and Apps with FME
Early detection and classification of bone marrow changes in lumbar vertebrae...
Planning-an-Audit-A-How-To-Guide-Checklist-WP.pdf
Advancing precision in air quality forecasting through machine learning integ...
Human Computer Interaction Miterm Lesson
giants, standing on the shoulders of - by Daniel Stenberg

A Clear Path to NIST & CMMC Compliance_ISSA.pptx

  • 1. A Clear Path to NIST & CMMC Compliance Jack Nichelson Chief Information Security Officer [email protected] CMMC 2.0 Compliance Update
  • 2. MRK/TRUWEST  MRK Technologies  Security Services (CISO-for-Hire)  Value-Added Technology Reseller  Technology Recovery Group (TRG)  Point-of-Sale Lifecycle Management  River Capital/River SaaS  Equipment Leasing  Startup Venture Capital  Sibling Revelry Brewing  Craft Brewery and Tasting Room  MRK is part of the TruWest family of companies  40+ years in business  International footprint across the US, Canada and Europe 2
  • 3. MRK CISO SERVICES  Run security programs for companies of all sizes, in every vertical, across the globe  Each Chief Information Security Officer (CISO) has 20+ years experience, largely in-house running security programs  Act as an employee of the company, build up their security, respond to incidents, and engage with their regulators and customers  Keep our customers safe and secure MRK’s CISO practice works with several government contractors
  • 4. MRK MANAGED SECURITY  MRK Managed Security is committed to providing best in class results by fully running out an alert – investigating and running to ground every available detail.  Our differentiator is that we provide actionable alerts with details on remediation, containment and response.  We provide detailed communication that minimizes an internal team’s effort and provides an expedited path to resolution – no copy and paste tickets, no alerts without context. 4
  • 5. CISO PROFILE: JACK NICHELSON  Prior experience running Infrastructure & Security at multiple Fortune 500’s  20+ years in IT & IT Security  Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and Received the CSO50 award for connecting security initiatives to business value.  Board member for FBI InfraGard  Executive MBA from Baldwin-Wallace University  Adviser for Baldwin Wallace’s, State winner Collegiate Cyber Defense Competition (CCDC) team.  Certs include: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP 5
  • 6. INTRODUCTION TO CMMC 2.0 A New Standard in Defending Data The Cybersecurity Maturity Model Certification (CMMC) is a unified standard designed to implement and improve cybersecurity across the entire DIB, which includes more than 300,000 companies. The new model will verify that DoD contractors have sufficient controls to safeguard sensitive including Confidential Unclassified Information (CUI) and Federal Contract Information (FCI). The compliance standard is an evolution of the DFARS 252.204-7012 & NIST 800-171 standards and is meant to protect the nation's sensitive data. All government contractors will have to become CMMC Compliant by 2026 in order to continue business with the U.S. Government. It’s critical to start the CMMC process sooner rather than later — whether 5 or 50 percent of your revenue comes from government contracts. Vendors that show strong controls will thrive as the entire DIB transitions to the new model. Every company within the DoD supply chain will be required to get certified to receive new contracts, representing a massive portion of potential business. In the fiscal year 2018, the DoD awarded nearly $360 billion in contracts for products, materials and services.
  • 7. CMMC ACRONYMS  Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to permit only allow businesses with a valid CMMC certification to bid on and win contracts with the US Government by 2026.  Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release. (CMMC 2.0 Level 1)  Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. (CMMC 2.0 Level 2)  Defense Federal Acquisition Regulation Supplement (DFARS): Starting in Dec. 2020, all contractors are subject to new clauses in Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012, 7019, 7020 and 7021). This means, starting immediately, that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self- Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded to them.  System Security Plan (SSP): SSP is a document that identifies the functions and features of a system, including all its hardware and the software installed on the system. It outlines the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system. The SSP has been part of the NIST 800-171 security requirement, set forth by DFARS 7012. 
DFARS 7019, holds the requirements for contractors to maintain their assessments and report them properly, as well as the requirements for contracting authorities to award or withhold award based upon properly reported assessment results.  Certified Third-Party Assessment Organization (C3PAO): C3PAO is an organization authorized by the CMMC-AB to conduct, and deliver CMMC assessments
  • 8. DIFFERENCE BETWEEN FCI & CUI
 Federal Contract Information (FCI): information provided by or generated for the Government under contract that is not intended for public release. Defined as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments."
 Controlled Unclassified Information (CUI): an umbrella term that includes Covered Defense Information (CDI) and Controlled Technical Information (CTI). These markings are applied to unclassified content that must be protected in a specific manner both inside and outside a government information system. Defined as "information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended."
 Within the CMMC construct, CUI requires Level 2 or higher certification, whereas FCI requires only Level 1 self-certification.
  • 9. THE LONG ROAD TO CMMC
  • 10. WHAT YOU NEED TO KNOW ABOUT CMMC 2.0
 In November 2021, the Department of Defense (DoD) announced three major changes to CMMC to reduce costs, streamline the compliance process, and align better with other federal standards. CMMC 2.0 may not be fully implemented until late 2023.
 By 2026, all DIB contractors will be required to be CMMC certified before being allowed to bid on government contracts; for Level 2 that generally means certification by a C3PAO.
 A strong cybersecurity posture will always be a requirement for securing a DoD contract. While the DoD stresses that it will not approve any contracts that include a CMMC requirement prior to CMMC 2.0 implementation, the department strongly encourages the DIB sector to meet the 110 security requirements in NIST SP 800-171.
 This is because Level 2 of CMMC 2.0 is aligned with NIST SP 800-171. The overlap makes it easier for a NIST SP 800-171-compliant company to achieve Level 2 once the CMMC 2.0 rule takes effect. After all, the DIB is still subject to the DFARS rules, which require meeting NIST SP 800-171 and DFARS 252.204-7012.
 Prime contractors will have to ensure all subcontractors are CMMC compliant: mandatory flow-down of CMMC requirements to over 350,000 DIB companies.
 The DoD estimates that about 150,000 companies will need to meet Level 1, about 80,000 will need Level 2, and fewer than 500 will need Level 3.
 All contractors could now be subject to DFARS 252.204-7012 & 7019. Any supplier or DIB member looking to earn new business or up for renewal will need to complete a new NIST SP 800-171 self-assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded.
  • 11. THE 3 LEVELS OF CMMC 2.0
 Level 1 (Foundational) applies only to companies that handle FCI. Level 1 is based on the 17 practices in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, which protect covered contractor information systems and limit access to authorized users. The DoD estimates that about 150,000 such companies exist in the DIB.
 Level 2 (Advanced) is for companies working with CUI. Its requirements mirror NIST SP 800-171; all practices and maturity processes that were unique to CMMC 1.0 are eliminated. Level 2 aligns with the 14 control families and 110 security requirements NIST developed to protect CUI. The DoD estimates that about 80,000 companies handle CUI.
 Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on the DoD's highest-priority programs. The DoD is still determining the specific Level 3 requirements, but has indicated they will be based on the 110 NIST SP 800-171 requirements plus a subset of NIST SP 800-172. The DoD estimates that about 500 companies will need to comply with Level 3.
  • 12. THE "CRAWL – WALK – RUN" OF CMMC
 CRAWL: Notice of NIST SP 800-171 DoD Assessment Requirements. In the first phase of CMMC implementation, contractors must register by CAGE code in SPRS and upload a self-assessment of their 800-171 implementation. The score is not "graded", but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if the assessment is not done in earnest.
 WALK: The DoD Assessment Methodology begins to be enforced. A two-year effort in which low-stakes "audits" by DCMA and the DIBCAC are part of the process.
 RUN: The point at which cybersecurity becomes foundational to all acquisition. This is when CMMC controls, processes and practices become required elements for doing business with the Department.
  • 13. NIST 800-171 EXPLAINED
 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is the standard developed to protect controlled unclassified information (CUI) in nonfederal systems and organizations.
 NIST SP 800-171 was derived from Federal Information Processing Standard (FIPS) 200 and the Moderate baseline of NIST SP 800-53. It contains administrative and technical requirements, 110 in total, organized into 14 control families.
 CMMC Level 1 organizations complete a self-assessment and upload the results to the Supplier Performance Risk System (SPRS). Contractors that handle CUI also complete a NIST SP 800-171 self-assessment under DFARS 252.204-7019 and post the score in SPRS.
 CMMC Level 2 generally requires an assessment by a C3PAO (the DoD has indicated a subset of Level 2 contracts will allow self-assessment); Level 3 assessments are conducted by the Government.
 The DFARS 252.204-7019 clause notifies the contractor that it must maintain a record of its NIST SP 800-171 compliance in SPRS. Each contractor must keep a current DoD Assessment in the system, which is accessible only to DoD personnel.
  • 15. DFARS INTERIM RULE OVERVIEW
 252.204-7012 (Existing): Created the basis for protecting controlled unclassified information by implementing the NIST SP 800-171 controls.
 252.204-7019 (New as of 11/30/20): Created the self-assessment (Basic) requirement for NIST SP 800-171 and publication of the score in SPRS.
 252.204-7020 (New as of 11/30/20): Expands the 800-171 scores to include Medium and High assessments conducted by the DIBCAC and recorded in SPRS. Requires flow-down to subcontractors and a posted 800-171 score prior to award.
 252.204-7021 (New as of 11/30/20): Creates the basis for CMMC and outlines C3PAOs and the rollout timeline.
 On September 29, 2020, the DoD issued the interim rule implementing the CMMC program. The rule introduced a new mandatory construct, the DoD Assessment Methodology, to serve as an interim certification process before contractors undergo a full CMMC review. A full description of the interim rule and what it means for DoD contractors follows.
  • 16. DFARS INTERIM RULE - 5 KEY TAKEAWAYS
1) The requirement took effect on December 1, 2020 for all contractors subject to the DFARS 252.204-7012 & 7019 clauses because they handle Controlled Unclassified Information (CUI).
2) Contractors that handle CUI must complete a new NIST SP 800-171 self-assessment using the DoD Assessment Methodology scoring and post their score in the Supplier Performance Risk System (SPRS) before a contract is awarded.
3) The self-assessment must be backed by a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) describing the current state of the network and the plan to reach full compliance with the 110 NIST SP 800-171 requirements.
4) Prime contractors must flow this requirement down to their subcontractors and suppliers that handle CUI.
5) DCMA will conduct random audits to verify that companies have not only completed the self-assessment, but scored themselves accurately, have an SSP, and are working toward a realistic POA&M.
SPRS Reporting Requirements:
• Your system security plan name
• The CAGE code associated with the plan
• A brief description of the plan architecture
• The date the assessment was completed
• The date that a score of 110 will be achieved
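As an added worked example (not part of the deck and not an MRK tool), here is how the score posted to SPRS is derived under the DoD Assessment Methodology: start at 110 and subtract the weight (5, 3 or 1) of each requirement that is not fully implemented, with partial credit for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography). The requirement IDs are from NIST SP 800-171 and the weights are as listed in Annex A of the methodology (verify against the published table); the implementation status, plan name and CAGE code in the sample are constructed, and the class and function names are mine.

```python
from dataclasses import dataclass
from datetime import date

# DoD Assessment Methodology: start at 110, subtract the weight (5, 3 or 1)
# of every NIST SP 800-171 requirement that is not fully implemented.
MAX_SCORE = 110
MIN_SCORE = -203          # all 110 requirements unimplemented
VALID_WEIGHTS = {1, 3, 5}

# Exactly two requirements get partial credit under the methodology:
#   3.5.3  (MFA): deduct 3, not 5, when MFA covers remote and privileged
#                 access but not yet general (local) users
#   3.13.11 (FIPS crypto): deduct 3, not 5, when CUI is encrypted but the
#                 cryptography is not FIPS-validated
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    rid: str                # NIST SP 800-171 requirement number, e.g. "3.5.3"
    title: str
    weight: int             # weight from Annex A of the assessment methodology
    implemented: bool
    partial: bool = False   # only honoured for the IDs in PARTIAL_CREDIT

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.rid}: weight must be 1, 3 or 5")


def deduction(req: Requirement) -> int:
    """Points lost for one requirement (0 when fully implemented)."""
    if req.implemented:
        return 0
    if req.partial and req.rid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.rid]
    return req.weight


def sprs_score(reqs) -> int:
    """Score to post in SPRS. Requirements not listed count as implemented."""
    score = MAX_SCORE - sum(deduction(r) for r in reqs)
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_rows(reqs):
    """POA&M input: open gaps as (rid, title, points), highest value first."""
    rows = [(r.rid, r.title, deduction(r)) for r in reqs if deduction(r) > 0]
    return sorted(rows, key=lambda row: -row[2])


def sprs_summary(plan_name, cage, architecture, assessed, target_110, reqs):
    """The fields the slide lists for the SPRS entry, plus the computed score."""
    return {
        "ssp_name": plan_name,
        "cage_code": cage,
        "architecture": architecture,
        "assessment_date": assessed.isoformat(),
        "score": sprs_score(reqs),
        "date_110_expected": target_110.isoformat(),
    }


# Constructed sample: four gaps in an otherwise fully implemented SSP.
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, True),
    Requirement("3.1.3", "Control the flow of CUI", 1, False),
    Requirement("3.3.1", "Create and retain system audit logs", 5, False),
    Requirement("3.5.3", "Multifactor authentication", 5, False, partial=True),
    Requirement("3.8.3", "Sanitize media before disposal or reuse", 5, True),
    Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, False, partial=True),
]

if __name__ == "__main__":
    # Constructed plan name and CAGE code; score here is 110 - (1+5+3+3) = 98.
    print(sprs_summary("Example CUI Enclave SSP", "1ABC2", "Segmented VLAN + VDI",
                       date(2022, 3, 1), date(2022, 9, 30), SAMPLE_ASSESSMENT))
    for row in poam_rows(SAMPLE_ASSESSMENT):
        print(row)
```

The POA&M ordering matters in practice: the 5-point requirements are the ones DCMA looks at first and the ones that move the score fastest, so fund those milestones before the 1-point items. Note that partial credit is only available for 3.5.3 and 3.13.11; marking any other requirement "partial" still costs its full weight.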
  • 17. PRELIMINARY STEPS FOR CMMC SUCCESS
Step 1: Identify the Target CMMC Level. To start, you have to know which CMMC level your organization needs to attain. CMMC scoping is driven entirely by the classification of the data you handle:
• If you store, process and/or transmit only FCI, you are Level 1.
• If you store, process and/or transmit CUI (with or without FCI), you are Level 2.
Step 2: Document FCI/CUI Data and Process Flows. The DoD considers any part of your organization that touches CUI or FCI (where it is stored, how it is processed, and how it is transmitted) to be "in scope" for an official certification assessment. Unrelated departments (e.g., marketing, sales) where CUI and FCI are never stored, processed or transmitted can be kept out of scope. To make compliance as smooth and cost-effective as possible, isolate the relevant parts of your organization into their own network enclave.
Step 3: Establish an Asset Inventory, Network Diagrams, Policies, Processes, and Plans. CMMC is about consistently performing specific practices, which depends on governing documents describing what the organization must abide by (policies), how the practices are implemented (processes), and how the work is funded and managed (plans).
Step 4: Create a System Security Plan (SSP). The SSP is your organization's plan to secure its systems. More specifically, it is a collection of documents that paint a picture of your environment, the associated security requirements, the implemented or planned controls, and the expected behavior of everyone who accesses the system. You will need to reference your previously established policies, processes, and plans as they relate to each domain. Depending on your organization, the SSP might cover the entire organization, a subset of it, or multiple subsets.
Step 5: Train Personnel on Secure Practices. The common weak link in most organizations is the "people factor": the individuals who operate the processes. OSCs are required to train personnel on CUI handling practices, role-specific security training, insider threat awareness and, in some cases, ITAR/EAR training for export control.
  • 18. PRELIMINARY STEPS FOR CMMC SUCCESS
Step 6: Conduct a CMMC Pre-Assessment. The pre-assessment is a necessary internal tool for preparing for the actual certification assessment. It is the only way to know which practices your organization is missing, collect evidence about processes and plans, and build a Plan of Action & Milestones (POA&M) for missing practices, processes, and plans. Create a POA&M: take all of your missing controls and write a formal document describing the specific steps your organization will take to fully implement each practice (actions) and over what period (milestones).
Step 7: Choose a Certified Third-Party Assessor Organization (C3PAO). A C3PAO is an organization certified by the CMMC Accreditation Body (CMMC-AB) to provide CMMC certifications. There are currently over 100 C3PAOs listed on the CMMC-AB Marketplace. Choose one that not only fits your budget but has previous experience with your industry.
Step 8: Get Certified. Your C3PAO and its CMMC Certified Professionals (CCPs) and CMMC Certified Assessors (CCAs) will use the CMMC-AB assessment guides to assess your entire organization or a specific CUI enclave. CCPs and CCAs collect information and evidence to independently verify that the organization meets the stated assessment objectives for all required practices and processes. If the organization demonstrates that all practices are implemented with the appropriate consistency, the C3PAO grants the official certification.
Step 9: Recertification. Your certification lasts three years, so you will need to recertify every three years. The recertification process is the same as the initial process.
Step 10: Conclusion. Going from zero to certification takes a well-oiled machine with many moving parts: scoping your organization, establishing policies, processes and plans, building an evidence-driven compliance workflow, and hiring a C3PAO to certify you. Some organizations are well resourced for this; others struggle to get started. It is wise to seek help from one of the many accredited organizations on the CMMC-AB Marketplace. MRK is a Registered Practitioner Organization (RPO).
  • 20. THANK YOU!  Jack Nichelson (CISO, MRK Technologies)
  • 22. QUESTIONS?
CMMC 2.0 is currently on hold, with the potential for the rulemaking process to stretch out as late as fall 2023. The DoD has asked all organizations to use this time to implement NIST SP 800-171 and ensure all subcontractors meet it (DFARS 252.204-7012 & 7019). The DoD has also indicated that there may be incentives for early adoption and for improved self-assessment scores posted to the Supplier Performance Risk System (SPRS).
A trend appears to be forming among primes: requiring all subcontractors to be certified at CMMC 2.0 Level 2. From the prime's point of view, this reduces the risk of sharing CUI with a subcontractor that is not certified to handle it. This is why we are seeing the big push by primes to get their subs to show they meet all 110 requirements in NIST SP 800-171 (DFARS 252.204-7012 & 7019) and to prove it by uploading self-assessment scores to SPRS.

Editor's Notes

  • #2: Title: A Clear Path to CMMC with MRK. Subtitle: What DoD Contractors Need to Know to Get Ready. Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify that contractors in the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DoD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this webinar, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification. In addition to answering questions from attendees, this webinar will cover the following topics: • What You Need to Know About CMMC • The Crawl – Walk – Run of CMMC • Preliminary Steps for CMMC Success
  • #3: Jason
  • #12: 60% of the Defense Industrial Base will need to be compliant with CMMC Level 1; 30% will need to be compliant to CMMC Level 3; less than 2% need to be compliant with CMMC Levels 4 and 5
  • #13: You should already be at Level 1 Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. These 17 controls are all basic cyber hygiene and represent the minimum any contractor should have already deployed.
  • #18: There is a widely-held misconception that a Level 1 OSC is going to be limited to small “mom and pop” companies, but that is an inaccurate assumption. An organization is designated a Level 1 when it only stores, transmits and/or processes FCI, not CUI. It is possible to have a Fortune 500 organization be a Level 1 OSC with a robust, well-staffed and mature security program. It is equally possible to have a small company with less than a handful of employees be a Level 3 OSC, even though it has no formal IT infrastructure or IT staff - just a completely virtual/remote workforce business model.
  • #20: Recommendations: Password Manager MFA
  • #23: Recommendations: Password Manager MFA