What are we going to talk about?
• Overview of the Cybersecurity Maturity Model Certification (CMMC)
o Its history
o Its direction
o Who it impacts
o The gap that it fills
• Demonstrate how CloudHesive uses Sumo Logic to:
o Address customers' needs in preparing for their CMMC audit from the perspective of
a gap analysis
o Generate evidence during the initial audit
o Demonstrate ongoing compliance
(A brief) United States Government Refresher
• United States Government
o Executive Branch
• Department of Defense
o Office of the Under Secretary of Defense for Acquisition and Sustainment
• Carnegie Mellon University/Johns Hopkins University
• Developed the Program
• Defense Industrial Base/Defense Supply Chain
o Contractors – 100,000 of them, generating 768 Billion USD (3.2% of GDP) Annually
• Their Subcontractors
o Eventually phased into the Program
• CMMC AB -> Cyber AB
o Oversees the Program
What data may (sub)contractors be obligated to protect?
• (F)ederal (C)ontract (I)nformation
o Federal contract information means information, not intended for public release,
that is provided by or generated for the Government under a contract to develop or
deliver a product or service to the Government, but not including information
provided by the Government to the public (such as on public websites) or simple
transactional information, such as necessary to process payments
• (C)ontrolled (U)nclassified (I)nformation
o Information the Government creates or possesses, or that an entity creates or
possesses for or on behalf of the Government, that a law, regulation, or
Government-wide policy requires or permits an agency to handle using
safeguarding or dissemination controls
CMMC Timeline
• In 2016 the DFARS 7012 clause went into effect, requiring all contract holders to self-assess their compliance with the
security requirements of NIST SP 800-171
• In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC)
to transition away from the self-attestation of an organization's basic cyber hygiene that had governed
the Defense Industrial Base
• The interim rule authorizing the inclusion of CMMC in procurement contracts, Defense Federal Acquisition
Regulation Supplement (DFARS) Case 2019-D041, was published on September 29, 2020, with an effective date of
November 30, 2020
• On December 8, 2020, the CMMC Accreditation Board and the Department of Defense released an updated timeline
that has the model fully implemented by September 2021
• On November 4, 2021, the Department of Defense announced the release of CMMC 2.0
• In March 2023, final rule making will be complete
• 60 days after March 2023, CMMC requirements will be included in new contracts
CMMC Ecosystem
• Cyber (A)ccreditation (B)ody (formerly CMMC AB)
o (O)rganization (S)eeking (C)ertification
o (R)egistered (P)ractitioner (O)rganizations
• (R)egistered (P)ractitioners
• (R)egistered (P)ractitioners - Advanced
o (C)ertified (3)rd (P)arty (A)ssessment (O)rganizations
• (C)ertified (C)MMC (P)rofessionals
• (C)ertified (C)MMC (A)ssessors
• (P)rovisional (A)ssessors
• (C)MMC (Q)uality (A)ssurance (P)rofessional
o (L)icensed (T)raining (P)roviders
• (C)ertified (C)MMC (I)nstructors
• (P)rovisional (I)nstructor
o (L)icensed (P)ublishing (P)artners
CMMC 1.0 vs. CMMC 2.0
• Streamlined Model
o Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
o Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST)
cybersecurity standards
• Reliable Assessments
o Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of
companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
o Higher accountability: Increases oversight of professional and ethical standards of third-party
assessors
• Flexible Implementation
o Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of
Action & Milestones (POA&Ms) to achieve certification
o Added flexibility and speed: Allows waivers to CMMC requirements under certain limited
circumstances
CMMC 2.0 Level 2 Summary
• Access Control (AC)
• Awareness & Training (AT)
• Audit & Accountability (AU)
• Configuration Management (CM)
• Identification & Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Personnel Security (PS)
• Physical Protection (PE)
• Risk Assessment (RA)
• Security Assessment (CA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
Preparing for Audit
• Organizational Readiness
o History
o Current state
o Sustainability of the current state
Sample Artifacts
• (S)ystem (S)ecurity (P)lan
• (P)lan (O)f (A)ctions & (M)ilestones
• Self-Assessment with SPRS Score
• (S)ystem (D)esign (D)ocument
• General
o Policies
o Procedures
o Diagrams
o Configuration Settings
o Mechanisms
o Operational Logs
o Audit Logs
o Monitoring
o Locations
o Strategies
Sample Policies
• Access control policy
• Audit and accountability policy
• Configuration management policy
• Identification and Authentication policy
• Incident response policy
• Personnel security policy
• Risk management policy
• Security awareness and training policy
• Security planning policy
• System and communications protection policy
• System and information integrity policy
• System maintenance policy
• Third party hosting policy
• Vendor management policy
Sample Processes
• Access/Firewall Review
• Audit Log Review
• Backup/Restore Testing
• Configuration/Change Review
• Credential Rotation/Credential Audit
• Incident Response Testing
• Monitoring Review
• Patching
• Personnel (Training, Background Check) Review
• Policy Review
• Risk Review
• Vendor Review
• Vulnerability/Penetration Testing
Organizations in the DIB have a challenge
• What do many of these organizations own from a tech perspective?
o Not much
• Computers, Files, E-Mail…
o Simple needs (somewhere to work, store, retrieve, process, transmit) to deliver product
• What infrastructure do they have to support these requirements?
o Not much
• Physical sites, People, Computers…
o Operationally Capable (e.g., delivering a product), but may not be Cyber Capable
• Where can they get help?
o CMMC Ecosystem
o People Considerations
o (C)loud (S)ervice (P)roviders
AWS (CSP) Shared Responsibility Model
Third Party Solutions
• Virtual Desktop (AWS)
• Directory Service (AWS)
• Endpoint Security Package
• Vulnerability Management Package
• NGFW, DLP (AWS)
• E-Mail, Collaboration Suite
• Monitoring Platform (Sumo Logic)
• Governance, Risk and Compliance Platform
• Training Platform
• Background Check Platform
Organizations in the DIB have a solution to their challenge
Organizations in the DIB Become Responsible For
• Data generation, processing, storage, retrieval
o Understand the flow
• Scope Reduction
o Use an enclave
• If the data can’t leave, it’s secure
o Descope where possible – organization, people, domains, access
• If the data can’t be accessed, it’s secure
• People Considerations
o Employees
o Contractors
o Vendors
• Software Considerations
o Vary based on COTS versus Custom
Continuous Monitoring
Continuous Monitoring with Sumo Logic
• We have all these sources of data we are responsible for – Events and States
o Data derived from the third-party solutions
• We need to be able to tell current state and review historically
o To support the sample processes
• We need to be able to react to the high priority items
o Push versus Pull
• We need to demonstrate we are doing this
o It’s part of the process
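The four bullets above describe what a continuous-monitoring pipeline has to do but not how the pieces fit together. The following Python is an added example, not code from the CloudHesive deck or from Sumo Logic: it takes a handful of constructed records (Windows logon events, CloudTrail-style API events, and endpoint configuration states), separates events from states, pushes high-priority findings for immediate response while queuing the rest for periodic review, and writes each review into a hash-chained evidence record that can later be shown to an assessor. All field names, thresholds and sample values are assumptions made for this example, and each finding is tagged with the CMMC Level 2 domain it relates to.

```python
import hashlib
import json
from collections import Counter

# Constructed sample records (not real telemetry), shaped roughly like what a
# monitoring platform ingests: Windows security events, AWS CloudTrail-style
# records, and point-in-time configuration states from an endpoint agent.
SAMPLE_RECORDS = [
    {"kind": "event", "source": "windows", "event_id": 4625, "user": "jdoe", "host": "WS01"},
    {"kind": "event", "source": "windows", "event_id": 4625, "user": "jdoe", "host": "WS01"},
    {"kind": "event", "source": "windows", "event_id": 4625, "user": "jdoe", "host": "WS01"},
    {"kind": "event", "source": "windows", "event_id": 4624, "user": "asmith", "host": "WS02"},
    {"kind": "event", "source": "cloudtrail", "event_name": "ConsoleLogin", "mfa_used": "No", "user": "admin"},
    {"kind": "event", "source": "cloudtrail", "event_name": "StopLogging", "user": "admin"},
    {"kind": "event", "source": "cloudtrail", "event_name": "DescribeInstances", "user": "ops"},
    {"kind": "state", "source": "endpoint", "host": "WS01", "disk_encrypted": False, "patch_age_days": 3},
    {"kind": "state", "source": "endpoint", "host": "WS02", "disk_encrypted": True, "patch_age_days": 45},
]

FAILED_LOGON_THRESHOLD = 3   # assumed threshold for this example
PATCH_AGE_LIMIT_DAYS = 30    # assumed threshold for this example


def classify_event(rec):
    """Return (priority, CMMC domain, reason) for one event, or None if it is routine."""
    if rec["source"] == "cloudtrail":
        if rec.get("event_name") in ("StopLogging", "DeleteTrail"):
            return ("high", "AU", f"audit logging disabled by {rec['user']}")
        if rec.get("event_name") == "ConsoleLogin" and rec.get("mfa_used") == "No":
            return ("high", "IA", f"console login without MFA by {rec['user']}")
    return None


def classify_state(rec):
    """Return a list of (priority, CMMC domain, reason) findings for one configuration state."""
    findings = []
    if not rec.get("disk_encrypted", True):
        findings.append(("medium", "MP", f"{rec['host']} has no disk encryption"))
    if rec.get("patch_age_days", 0) > PATCH_AGE_LIMIT_DAYS:
        findings.append(("medium", "SI", f"{rec['host']} unpatched for {rec['patch_age_days']} days"))
    return findings


def triage(records):
    """Split findings into a push channel (alert now) and a pull queue (periodic review)."""
    push, pull = [], []
    failed_logons = Counter()
    for rec in records:
        if rec["kind"] == "event":
            # Failed logons are counted and correlated after the pass, not alerted one by one.
            if rec["source"] == "windows" and rec.get("event_id") == 4625:
                failed_logons[(rec["user"], rec["host"])] += 1
                continue
            finding = classify_event(rec)
            if finding:
                (push if finding[0] == "high" else pull).append(finding)
        elif rec["kind"] == "state":
            pull.extend(classify_state(rec))
    # Repeated failures for one user/host pair are pushed; isolated ones go to review.
    for (user, host), n in failed_logons.items():
        priority = "high" if n >= FAILED_LOGON_THRESHOLD else "low"
        finding = (priority, "AC", f"{n} failed logons for {user} on {host}")
        (push if priority == "high" else pull).append(finding)
    return {"push": push, "pull": pull}


def evidence_record(triage_result, previous_hash="0" * 64):
    """Serialize one review's findings with a SHA-256 chained to the previous record."""
    body = json.dumps(triage_result, sort_keys=True)
    digest = hashlib.sha256((previous_hash + body).encode()).hexdigest()
    return {"previous_hash": previous_hash, "findings": triage_result, "hash": digest}


def verify_chain(records):
    """Confirm each evidence record's hash matches its body and its predecessor."""
    prev = "0" * 64
    for rec in records:
        body = json.dumps(rec["findings"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if rec["previous_hash"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for finding in result["push"]:
        print("PUSH", finding)
    for finding in result["pull"]:
        print("PULL", finding)
    print("evidence hash:", evidence_record(result)["hash"])
```

The push/pull split is the "react to the high priority items" bullet: a disabled CloudTrail trail or a console login without MFA is pushed immediately, while an unencrypted disk or an ageing patch level is a state that is reviewed on the Monitoring Review or Patching cadence from the Sample Processes. The chained evidence records are the "demonstrate we are doing this" bullet: a sequence of reviews whose hashes verify shows an assessor that the log review process ran and that its output was not altered afterwards.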
Windows and Other Events
Cloud Events
AWS Events
Event Response
Conclusion
• In conclusion, leveraging a Cloud Service Provider and a Managed Services Provider
can help to reduce your organizational burden in preparing for and maintaining
CMMC-defined controls.
• A significant component of maintaining these controls is monitoring and response,
for which Sumo Logic can be used to funnel these various sources of data and state,
then correlate, query and reduce them for human consumption at planned and unplanned
levels of priority.
Supporting your CMMC initiatives with Sumo Logic

More Related Content

Similar to Supporting your CMMC initiatives with Sumo Logic

Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
Application of the Common Criteria to Building Trustworthy Automotive SDLC
Application of the Common Criteria to Building Trustworthy Automotive SDLCApplication of the Common Criteria to Building Trustworthy Automotive SDLC
Application of the Common Criteria to Building Trustworthy Automotive SDLCSeungjoo Kim
 
CMMC case study: Inside a CMMC assessment
CMMC case study: Inside a CMMC assessmentCMMC case study: Inside a CMMC assessment
CMMC case study: Inside a CMMC assessmentInfosec
 
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfA Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfJack Nichelson
 
MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night? MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night? Jorge García
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controlsEnclaveSecurity
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 
MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement William McBorrough
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfTapOffice
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014KBIZEAU
 
A Vision On Integrated Inspection Planning Prototyping
A Vision On Integrated Inspection Planning PrototypingA Vision On Integrated Inspection Planning Prototyping
A Vision On Integrated Inspection Planning PrototypingGH_Wijnants
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPScott Baron
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
 
ciso-platform-annual-summit-2013-Mitigating the security risks of cloud servi...
ciso-platform-annual-summit-2013-Mitigating the security risks of cloud servi...ciso-platform-annual-summit-2013-Mitigating the security risks of cloud servi...
ciso-platform-annual-summit-2013-Mitigating the security risks of cloud servi...Priyanka Aash
 
Pmi, Opm3 And Cmmi Assessment Overview
Pmi, Opm3 And Cmmi Assessment OverviewPmi, Opm3 And Cmmi Assessment Overview
Pmi, Opm3 And Cmmi Assessment OverviewAlan McSweeney
 
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...Montrium
 
The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.FitCEO, Inc. (FCI)
 

Similar to Supporting your CMMC initiatives with Sumo Logic (20)

Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 
Application of the Common Criteria to Building Trustworthy Automotive SDLC
Application of the Common Criteria to Building Trustworthy Automotive SDLCApplication of the Common Criteria to Building Trustworthy Automotive SDLC
Application of the Common Criteria to Building Trustworthy Automotive SDLC
 
CMMC case study: Inside a CMMC assessment
CMMC case study: Inside a CMMC assessmentCMMC case study: Inside a CMMC assessment
CMMC case study: Inside a CMMC assessment
 
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfA Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
 
CMMC Breakdown
CMMC BreakdownCMMC Breakdown
CMMC Breakdown
 
MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night? MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night?
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 
MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
 
GRCAlert Capabilities Deck - 2018
GRCAlert Capabilities Deck - 2018GRCAlert Capabilities Deck - 2018
GRCAlert Capabilities Deck - 2018
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 
A Vision On Integrated Inspection Planning Prototyping
A Vision On Integrated Inspection Planning PrototypingA Vision On Integrated Inspection Planning Prototyping
A Vision On Integrated Inspection Planning Prototyping
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overview
 
ciso-platform-annual-summit-2013-Mitigating the security risks of cloud servi...
ciso-platform-annual-summit-2013-Mitigating the security risks of cloud servi...ciso-platform-annual-summit-2013-Mitigating the security risks of cloud servi...
ciso-platform-annual-summit-2013-Mitigating the security risks of cloud servi...
 
Pmi, Opm3 And Cmmi Assessment Overview
Pmi, Opm3 And Cmmi Assessment OverviewPmi, Opm3 And Cmmi Assessment Overview
Pmi, Opm3 And Cmmi Assessment Overview
 
2 Day MOSTI Workshop
2 Day MOSTI Workshop2 Day MOSTI Workshop
2 Day MOSTI Workshop
 
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
 
The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.
 

More from CloudHesive

Serverless Generative AI on AWS, AWS User Groups of Florida
Serverless Generative AI on AWS, AWS User Groups of FloridaServerless Generative AI on AWS, AWS User Groups of Florida
Serverless Generative AI on AWS, AWS User Groups of FloridaCloudHesive
 
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...CloudHesive
 
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...CloudHesive
 
Accelerating Business and Research Through Automation and Artificial Intellig...
Accelerating Business and Research Through Automation and Artificial Intellig...Accelerating Business and Research Through Automation and Artificial Intellig...
Accelerating Business and Research Through Automation and Artificial Intellig...CloudHesive
 
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
Amazon Connect Rethink Your Contact Center with CloudHesive.pptxAmazon Connect Rethink Your Contact Center with CloudHesive.pptx
Amazon Connect Rethink Your Contact Center with CloudHesive.pptxCloudHesive
 
ConnectPath Introduction
ConnectPath IntroductionConnectPath Introduction
ConnectPath IntroductionCloudHesive
 
Modernize your contact center with ConnectPath CX v2.pdf
Modernize your contact center with ConnectPath CX v2.pdfModernize your contact center with ConnectPath CX v2.pdf
Modernize your contact center with ConnectPath CX v2.pdfCloudHesive
 
Modernize your contact center with ConnectPath CX — Chart.pdf
Modernize your contact center with ConnectPath CX — Chart.pdfModernize your contact center with ConnectPath CX — Chart.pdf
Modernize your contact center with ConnectPath CX — Chart.pdfCloudHesive
 
End User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptxEnd User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptxCloudHesive
 
Analytics at CloudHesive
Analytics at CloudHesiveAnalytics at CloudHesive
Analytics at CloudHesiveCloudHesive
 
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
Best Practices and Resources to Effectively Manage and Optimize Your AWS CostsBest Practices and Resources to Effectively Manage and Optimize Your AWS Costs
Best Practices and Resources to Effectively Manage and Optimize Your AWS CostsCloudHesive
 
Serverless data and analytics on AWS for operations
Serverless data and analytics on AWS for operations Serverless data and analytics on AWS for operations
Serverless data and analytics on AWS for operations CloudHesive
 
reInvent reCap 2022
reInvent reCap 2022reInvent reCap 2022
reInvent reCap 2022CloudHesive
 
Serverless without Code (Lambda)
Serverless without Code (Lambda)Serverless without Code (Lambda)
Serverless without Code (Lambda)CloudHesive
 
AWS Advanced Analytics Automation Toolkit (AAA)
AWS Advanced Analytics Automation Toolkit (AAA)AWS Advanced Analytics Automation Toolkit (AAA)
AWS Advanced Analytics Automation Toolkit (AAA)CloudHesive
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupSecurity on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupCloudHesive
 
5 minutes on security
5 minutes on security5 minutes on security
5 minutes on securityCloudHesive
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 

More from CloudHesive (20)

Serverless Generative AI on AWS, AWS User Groups of Florida
Serverless Generative AI on AWS, AWS User Groups of FloridaServerless Generative AI on AWS, AWS User Groups of Florida
Serverless Generative AI on AWS, AWS User Groups of Florida
 
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
 
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
 
Accelerating Business and Research Through Automation and Artificial Intellig...
Accelerating Business and Research Through Automation and Artificial Intellig...Accelerating Business and Research Through Automation and Artificial Intellig...
Accelerating Business and Research Through Automation and Artificial Intellig...
 
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
Amazon Connect Rethink Your Contact Center with CloudHesive.pptxAmazon Connect Rethink Your Contact Center with CloudHesive.pptx
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
 
ConnectPath Introduction
ConnectPath IntroductionConnectPath Introduction
ConnectPath Introduction
 
Modernize your contact center with ConnectPath CX v2.pdf
Modernize your contact center with ConnectPath CX v2.pdfModernize your contact center with ConnectPath CX v2.pdf
Modernize your contact center with ConnectPath CX v2.pdf
 
Modernize your contact center with ConnectPath CX — Chart.pdf
Modernize your contact center with ConnectPath CX — Chart.pdfModernize your contact center with ConnectPath CX — Chart.pdf
Modernize your contact center with ConnectPath CX — Chart.pdf
 
End User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptxEnd User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptx
 
Analytics at CloudHesive
Analytics at CloudHesiveAnalytics at CloudHesive
Analytics at CloudHesive
 
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
Best Practices and Resources to Effectively Manage and Optimize Your AWS CostsBest Practices and Resources to Effectively Manage and Optimize Your AWS Costs
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
 
Serverless data and analytics on AWS for operations
Serverless data and analytics on AWS for operations Serverless data and analytics on AWS for operations
Serverless data and analytics on AWS for operations
 
reInvent reCap 2022
reInvent reCap 2022reInvent reCap 2022
reInvent reCap 2022
 
Serverless without Code (Lambda)
Serverless without Code (Lambda)Serverless without Code (Lambda)
Serverless without Code (Lambda)
 
AWS Advanced Analytics Automation Toolkit (AAA)
AWS Advanced Analytics Automation Toolkit (AAA)AWS Advanced Analytics Automation Toolkit (AAA)
AWS Advanced Analytics Automation Toolkit (AAA)
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupSecurity on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition Meetup
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
5 minutes on security
5 minutes on security5 minutes on security
5 minutes on security
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
What's New in Teams Calling, Meetings and Devices March 2024

Supporting your CMMC initiatives with Sumo Logic

1. Supporting your CMMC initiatives with Sumo Logic

2. What are we going to talk about?
• Overview of the Cybersecurity Maturity Model Certification (CMMC)
o Its history
o Its direction
o Who it impacts
o The gap that it fills
• Demonstrate how CloudHesive uses Sumo Logic to:
o Address a customer's needs in preparing for their CMMC audit from the perspective of a gap analysis
o Generate evidence during the initial audit
o Demonstrate ongoing compliance

3. (A brief) United States Government Refresher
• United States Government
o Executive Branch
• Department of Defense
o Office of the Under Secretary of Defense for Acquisition and Sustainment
• Carnegie Mellon University/Johns Hopkins University
o Developed the Program
• Defense Industrial Base/Defense Supply Chain
o Contractors: 100,000 of them, generating 768 Billion USD (3.2% of GDP) annually
o Their Subcontractors: eventually phased into the Program
• CMMC AB -> Cyber AB
o Oversees the Program

4. What data may (sub)contractors be obligated to protect?
• (F)ederal (C)ontract (I)nformation
o Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments
• (C)ontrolled (U)nclassified (I)nformation
o Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls

5. CMMC Timeline
• In 2016 the DFARS 7012 clause goes into effect, requiring all contract holders to self-assess against the security requirements of NIST SP 800-171
• In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC), to transition away from the self-attestation of an organization's basic cyber hygiene that had been used to govern the Defense Industrial Base
• The interim rule authorizing the inclusion of CMMC in procurement contracts, Defense Federal Acquisition Regulation Supplement (DFARS) 2019-D041, was published on September 29, 2020, with an effective date of November 30, 2020
• On December 8, 2020, the CMMC Accreditation Board and the Department of Defense released an updated timeline that has the model fully implemented by September 2021
• On November 4, 2021, the Department of Defense announced the release of CMMC 2.0
• In March 2023, final rule making will be complete
• Starting 60 days after March 2023, CMMC requirements will be included in new contracts

6. CMMC Ecosystem
• Cyber (A)ccreditation (B)ody (formerly CMMC AB)
o (O)rganization (S)eeking (C)ertification
o (R)egistered (P)ractitioner (O)rganizations
• (R)egistered (P)ractitioners
• (R)egistered (P)ractitioners - Advanced
o (C)ertified (3)rd (P)arty (A)ssessment (O)rganizations
• (C)ertified (C)MMC (P)rofessionals
• (C)ertified (C)MMC (A)ssessors
• (P)rovisional (A)ssessors
• (C)MMC (Q)uality (A)ssurance (P)rofessional
o (L)icensed (T)raining (P)roviders
• (C)ertified (C)MMC (I)nstructors
• (P)rovisional (I)nstructor
o (L)icensed (P)ublishing (P)artners

7. CMMC 1.0 vs. CMMC 2.0
• Streamlined Model
o Focused on the most critical requirements: streamlines the model from 5 to 3 compliance levels
o Aligned with widely accepted standards: uses National Institute of Standards and Technology (NIST) cybersecurity standards
• Reliable Assessments
o Reduced assessment costs: allows all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced), to demonstrate compliance through self-assessments
o Higher accountability: increases oversight of professional and ethical standards of third-party assessors
• Flexible Implementation
o Spirit of collaboration: allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
o Added flexibility and speed: allows waivers to CMMC requirements under certain limited circumstances

8. CMMC 2.0 Level 2 Summary
• Access Control (AC)
• Awareness & Training (AT)
• Audit & Accountability (AU)
• Configuration Management (CM)
• Identification & Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Personnel Security (PS)
• Physical Protection (PE)
• Risk Assessment (RA)
• Security Assessment (CA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)

9. Preparing for Audit
• Organizational Readiness
o History
o Current state
o Sustainability of the current state

10. Sample Artifacts
• (S)ystem (S)ecurity (P)lan
• (P)lan (O)f (A)ctions & (M)ilestones
• Self Assessment with SPRS Score
• (S)ystem (D)esign (D)ocument
• General
o Policies
o Procedures
o Diagrams
o Configuration Settings
o Mechanisms
o Operational Logs
o Audit Logs
o Monitoring
o Locations
o Strategies

11. Sample Policies
• Access control policy
• Audit and accountability policy
• Configuration management policy
• Identification and authentication policy
• Incident response policy
• Personnel security policy
• Risk management policy
• Security awareness and training policy
• Security planning policy
• System and communications protection policy
• System and information integrity policy
• System maintenance policy
• Third party hosting policy
• Vendor management policy

12. Sample Processes
• Access/Firewall Review
• Audit Log Review
• Backup/Restore Testing
• Configuration/Change Review
• Credential Rotation/Credential Audit
• Incident Response Testing
• Monitoring Review
• Patching
• Personnel (Training, Background Check) Review
• Policy Review
• Risk Review
• Vendor Review
• Vulnerability/Penetration Testing

13. Organizations in the DIB have a challenge
• What do many of these organizations own from a tech perspective?
o Not much: computers, files, e-mail…
o Simple needs (somewhere to work, store, retrieve, process, transmit) to deliver a product
• What infrastructure do they have to support these requirements?
o Not much: physical sites, people, computers…
o Operationally capable (e.g., delivering a product), but may not be cyber capable
• Where can they get help?
o CMMC Ecosystem
o People Considerations
o (C)loud (S)ervice (P)roviders

14. AWS (CSP) Shared Responsibility Model

15. Third Party Solutions
• Virtual Desktop (AWS)
• Directory Service (AWS)
• Endpoint Security Package
• Vulnerability Management Package
• NGFW, DLP (AWS)
• E-Mail, Collaboration Suite
• Monitoring Platform (Sumo Logic)
• Governance, Risk and Compliance Platform
• Training Platform
• Background Check Platform

16. Organizations in the DIB have a solution to their challenge

17. Organizations in the DIB Become Responsible For
• Data generation, processing, storage, retrieval
o Understand the flow
• Scope Reduction
o Use an enclave: if the data can't leave, it's secure
o Descope where possible (organization, people, domains, access): if the data can't be accessed, it's secure
• People Considerations
o Employees
o Contractors
o Vendors
• Software Considerations
o Vary based on COTS versus Custom

19. Continuous Monitoring with Sumo Logic
• We have all these sources of data we are responsible for: Events and States
o Data derived from the third-party solutions
• We need to be able to tell the current state and review historically
o To support the sample processes
• We need to be able to react to the high priority items
o Push versus Pull
• We need to demonstrate we are doing this
o It's part of the process
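The Continuous Monitoring slide above names three needs (current state plus history, push versus pull on high-priority items, and evidence that the review happened), and the Sample Processes slide lists Audit Log Review and Credential Rotation/Credential Audit among the processes that consume that data. The script below is an added example, not code from the deck, CloudHesive or Sumo Logic, and it does not use the Sumo Logic query language: it implements the same logic in plain Python over constructed CloudTrail-style JSON events and a constructed credential inventory, so the ideas are visible without a platform. The event shape, the failed-login threshold, the 90-day key age and the CMMC domain labels on each finding are assumptions for the example; tune them to the organization's own policy.

```python
"""Added example: a minimal continuous-monitoring pass that turns audit
events and a credential inventory into prioritized findings and a dated
review record.  Not the deck's or Sumo Logic's code; all data is constructed.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed CloudTrail-style events (JSON lines).  Assumption: this is the
# shape the collector forwards to the monitoring platform.
SAMPLE_EVENTS = """
{"eventTime": "2024-04-01T08:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventTime": "2024-04-01T08:05:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-04-01T08:06:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-04-01T08:07:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-04-01T09:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-04-01T10:00:00Z", "eventName": "CreateAccessKey", "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "svc-build"}}
{"eventTime": "2024-04-01T11:00:00Z", "eventName": "StopLogging", "userIdentity": {"userName": "bob"}}
"""

# Constructed credential inventory (user, key id, creation time).  Assumption:
# exported from the identity provider's credential report.
SAMPLE_KEYS = [
    {"user": "alice", "key_id": "AKIA-EXAMPLE-1", "created": "2024-03-15T00:00:00Z"},
    {"user": "svc-build", "key_id": "AKIA-EXAMPLE-2", "created": "2023-11-01T00:00:00Z"},
]

FAILED_LOGIN_THRESHOLD = 3   # assumption: failures per user that warrant a push
KEY_MAX_AGE_DAYS = 90        # assumption: rotation interval from the credential policy


@dataclass
class Finding:
    control: str   # CMMC 2.0 domain the finding is evidence for (assumed mapping)
    priority: str  # HIGH / MEDIUM / LOW
    channel: str   # "push" = notify now, "pull" = roll into the periodic review
    subject: str
    detail: str


def parse_events(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _user(ev: dict) -> str:
    return ev.get("userIdentity", {}).get("userName", "unknown")


def triage(events: list[dict]) -> list[Finding]:
    """Audit Log Review: classify events and decide push vs. pull."""
    findings: list[Finding] = []
    failures: Counter = Counter()
    for ev in events:
        name, user = ev.get("eventName"), _user(ev)
        if name in ("StopLogging", "DeleteTrail"):
            # Loss of the audit trail itself is the top-priority AU event.
            findings.append(Finding("AU", "HIGH", "push", user, f"{name}: audit trail changed"))
        elif name == "ConsoleLogin":
            ok = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if ok and not mfa:
                findings.append(Finding("IA", "HIGH", "push", user, "console login without MFA"))
            elif not ok:
                failures[user] += 1
                if failures[user] == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                    findings.append(Finding("AC", "MEDIUM", "push", user,
                                            f"{FAILED_LOGIN_THRESHOLD} failed console logins"))
        elif name == "CreateAccessKey":
            target = ev.get("requestParameters", {}).get("userName", user)
            findings.append(Finding("IA", "LOW", "pull", target, f"access key created by {user}"))
    return findings


def credential_audit(keys: list[dict], now: datetime, max_age_days: int = KEY_MAX_AGE_DAYS) -> list[Finding]:
    """Credential Audit: current state, not an event; keys past the rotation age."""
    stale = []
    for k in keys:
        created = datetime.fromisoformat(k["created"].replace("Z", "+00:00"))
        age = (now - created).days
        if age > max_age_days:
            stale.append(Finding("IA", "MEDIUM", "pull", k["user"], f"key {k['key_id']} is {age} days old"))
    return stale


def build_review_record(events: list[dict], keys: list[dict], now: datetime) -> dict:
    """The evidence artifact: what was reviewed, when, and what came out of it."""
    findings = triage(events) + credential_audit(keys, now)
    return {
        "reviewed_at": now.isoformat(),
        "window_start": min(ev["eventTime"] for ev in events),
        "window_end": max(ev["eventTime"] for ev in events),
        "events_reviewed": len(events),
        "push": [asdict(f) for f in findings if f.channel == "push"],
        "pull": [asdict(f) for f in findings if f.channel == "pull"],
    }


def run_sample() -> dict:
    """Run the pass over the constructed data at a fixed (constructed) review time."""
    now = datetime(2024, 4, 2, tzinfo=timezone.utc)
    return build_review_record(parse_events(SAMPLE_EVENTS), SAMPLE_KEYS, now)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed input the pass produces three push findings (a burst of failed logins, a console login without MFA, and a StopLogging call) and two pull items (a newly created access key, and a key older than the assumed 90-day rotation interval). The dated record is the piece an assessor asks for: it shows the review ran, over which window, and what it found, which is what the deck means by demonstrating ongoing compliance rather than merely asserting it.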
24. Conclusion
• Leveraging a Cloud Service Provider and a Managed Services Provider can help to reduce your organizational burden in preparing for and maintaining CMMC-defined controls.
• A significant component of maintaining these controls is monitoring and response, where Sumo Logic can be used to funnel these various sources of data and state, then correlate, query and reduce them for human consumption at planned and unplanned levels of priority.