A Clear Path to NIST & CMMC Compliance
Jack Nichelson
Chief Information Security Officer
CMMC 2.0 Compliance Update
Jack Nichelson
• Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.
• Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team.
• Certs: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP
• Prior experience running Infrastructure & Security at multiple Fortune 500’s
• 20+ years in IT & IT Security
• Board member for FBI InfraGard
• Executive MBA from Baldwin-Wallace University
TruWest Family of Companies
• Point of Sale (POS) lifecycle management
• Custom cybersecurity solutions
• IT and AIDC equipment financing
• Venture debt for SaaS businesses
• Craft kitchen and taproom
Technology Solutions: We work alongside your team to recommend technology solutions that are smart, flexible and tailored to fit your specific needs.
Fractional CISOs: We offer a highly experienced CISO (Chief Information Security Officer) team with decades of real-world, enterprise-grade security expertise across multiple verticals.
Managed Security Services: Our 24/7/365 SOC (Security Operations Center) team operates and monitors a suite of enterprise solutions designed to help protect, monitor, alert, advise and respond to our customers’ information security threats.
Introduction to CMMC 2.0
A New Standard in Defending Data
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard designed to implement and improve cybersecurity across the entire DIB, which includes more than 300,000 companies. The new model will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The compliance standard is an evolution of the DFARS 252.204-7012 and NIST 800-171 standards and is meant to protect the nation's sensitive data. All government contractors will have to become CMMC compliant by 2026 in order to continue doing business with the U.S. Government.
It’s critical to start the CMMC process sooner rather than later, whether 5 or 50 percent of your revenue comes from government contracts. Vendors that show strong controls will thrive as the entire DIB transitions to the new model. Every company within the DoD supply chain will be required to get certified to receive new contracts, representing a massive portion of potential business. In fiscal year 2018, the DoD awarded nearly $360 billion in contracts for products, materials and services.
CMMC Acronyms
Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix the low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government by 2026.
Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract that is not intended for public release. (CMMC 2.0 Level 1 = FAR 52.204-21)
Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. (CMMC 2.0 Level 2 = DFARS 252.204-7012)
Certified Third-Party Assessment Organization (C3PAO): A C3PAO is an organization authorized by the CMMC-AB to conduct and deliver CMMC assessments.
Defense Federal Acquisition Regulation Supplement (DFARS): Starting in Dec. 2020, all contractors are subject to new clauses in the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012, 7019, 7020 and 7021). This means, starting immediately, that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded to them.
System Security Plan (SSP): An SSP is a document that identifies the functions and features of a system, including all its hardware and the software installed on it. It outlines the security requirements of the system and describes the controls in place or planned, along with the responsibilities and expected behavior of all individuals who access the system. The SSP has been part of the NIST 800-171 security requirements set forth by DFARS 7012. DFARS 7019 holds the requirements for contractors to maintain their assessments and report them properly, as well as the requirements for contracting authorities to award or withhold award based upon properly reported assessment results.
Difference between FCI & CUI
Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract that is not intended for public release: “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system: “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
CMMC Timeline
In November 2021, the Department of Defense (DoD) announced that the CMMC will be undergoing three major changes to help reduce costs, streamline the compliance process, and be better aligned with other federal standards. CMMC 2.0 may not be fully implemented until late 2023.
By 2026, all DIB contractors will be required to be CMMC certified by a C3PAO before being allowed to bid on government contracts.
A strong cybersecurity posture will always be a requirement in securing a DoD contract. While the DoD stresses that it will not approve any contracts that include a CMMC requirement prior to CMMC 2.0 implementation, the department strongly encourages the DIB sector to meet the 110 security controls stipulated under NIST SP 800-171. This is because NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0, so a company that is already NIST SP 800-171 compliant will find it easier to meet Level 2 when CMMC 2.0 becomes law. After all, the DIB is still subject to the Defense Federal Acquisition Regulation Supplement rules, which require meeting NIST 800-171 and DFARS 7012 standards.
Prime contractors will have to ensure all subs are CMMC compliant. Mandatory flow down of CMMC requirements to over 350,000 DIB companies.
The DoD estimates that about 150,000 companies will need to meet Level 1, about 80,000 companies will need to be compliant with CMMC Level 2, and fewer than 500 companies will need to comply with Level 3.
What You Need to Know About CMMC 2.0
The 3 levels of CMMC 2.0
Level 1 (Foundational) only applies to companies that focus on the protection of FCI. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users. The DoD estimates that about 150,000 such companies exist in the DIB.
Level 2 (Advanced) is for companies working with CUI. Requirements will mirror NIST SP 800-171, and all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 control families and 110 security controls developed by NIST to protect CUI, as required by DFARS 252.204-7012. The DoD estimates that about 80,000 companies handle CUI.
Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. The DoD is still determining the specific security requirements for Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. The DoD estimates that about 500 companies will need to comply with Level 3.
The “Crawl – Walk – Run” of CMMC
Crawl: Notice of NIST 800-171 DoD Assessment Requirements. In the 1st phase of CMMC implementation, contractors must register by CAGE code in SPRS and upload a self-assessment based on their 800-171 controls implementation (not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest).
Walk: The DoD Assessment Methodology begins to be enforced. A two (2) year effort where inconsequential “audits” by DCMA and the DIBCAC are part of the process.
Run: The instantiation of how we’re going to ensure cybersecurity is foundational to all acquisition. This is when CMMC controls, processes, and practices become required elements for doing business with the Department.
CMMC 2.0 Keeps Changing
When Do We Need to Be CMMC 2.0 Certified?
The planned schedule currently calls for CMMC rulemaking to be complete by May 2023.
All contractors are now subject to DFARS 252.204-7012 & 7019. This means that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded.
DoD officials have also been emphasizing that “nothing has changed” with CMMC. The implication is that DIB orgs have been self-attesting to NIST 800-171 compliance for years, so there’s no excuse not to be ready.
Beware the False Claims Act
The DoD is also reminding DIB orgs about the Civil Cyber-Fraud Initiative from the US Department of Justice (DoJ). This initiative emphasizes that if your business fails to comply with the cybersecurity requirements specified in your contracts, you could face hefty fines under the False Claims Act in addition to losing your contracts.
Aerojet Rocketdyne recently found that out the hard way, to the tune of over $9 million.
NIST 800-171 Explained
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is the standard developed to protect controlled unclassified information (CUI) in nonfederal systems and organizations.
NIST SP 800-171 came from a combination of the Federal Information Processing Standard (FIPS) 200 and the Moderate baseline of NIST SP 800-53. It contains administrative and technical requirements within 110 controls organized into 14 control families.
CMMC Level 1 organizations can complete a NIST SP 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS).
CMMC Level 2 or higher requires a C3PAO to complete an assessment to determine an organization’s maturity level.
The DFARS 7019 clause notifies the contractor that they are required to maintain a record of their NIST 800-171 compliance within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system, which is only accessible to DoD personnel.
NIST 800-171 Controls Overview
7 STEPS TO NIST 800-171 COMPLIANCE
Step 1 Compliance Log: The primary method of providing links to audit evidence
Step 2 Response Procedures: Proof of meeting NIST controls, containing step-by-step details
Step 3 CUI Inventory: Map CUI data flow through all users, systems, software and cloud services
Step 4 Network Topology: Create a CUI data flow diagram illustrating where CUI is accessed, stored and controlled
Step 5 Policies & Standards: All policies must be updated and in alignment with NIST 800-171
Step 6 Plan of Action & Milestones: Create a POAM to track control deficiencies
Step 7 System Security Plan: Create an SSP to provide a security overview that demonstrates compliance with NIST 800-171
Path to CMMC Compliance
DFARS Interim Rule Overview
252.204-7012 (Existing): Created the basis for protecting controlled unclassified information by implementing NIST 800-171 controls.
252.204-7019 (New as of 11/20/20): Created a self-assessment (Basic) requirement related to 800-171 and publishing the result in SPRS.
252.204-7020 (New as of 11/20/20): Expands the 800-171 scores to include Moderate and High assurance assessments conducted by the DIBCAC and recorded in SPRS. Flow down to subs is required, and having an 800-171 score is a requirement prior to award.
252.204-7021 (New as of 11/20/20): Creates the basis for CMMC and outlines C3PAOs and the timeline for the rollout.
DFARS Interim Rule - 5 Key Takeaways
On September 29, 2020, the DoD issued the interim rule implementing the CMMC program. The rule introduces a new mandatory construct, the DoD Assessment Methodology, to serve as an interim certification process before contractors undergo a full CMMC review. A full description of the interim rule and what it means for DoD contractors follows.
• This new requirement takes effect on December 1, 2020, for all contractors that are subject to the DFARS 252.204-7012 & 7019 clauses based on their handling of Controlled Unclassified Information (CUI).
• Contractors that handle CUI will need to complete a new NIST 800-171 Self-Assessment based on a new scoring methodology and then post their score in the Supplier Performance Risk System (SPRS) before a contract will be awarded.
• The Self-Assessment must also include the completion of a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of their network and their plan to achieve 100% compliance with the NIST 800-171 requirements.
• Prime Contractors must flow this requirement down to their subcontractors/suppliers that handle CUI as well.
• DCMA will be conducting random audits to ensure companies have not only completed the self-assessment, but have scored themselves accurately, have an SSP and are working towards completing a realistic POAM.
SPRS Reporting Requirements:
• Your system security plan name
• The CAGE code associated with the plan
• A brief description of the plan architecture
• The date the assessment was completed
• The date that a score of 110 will be achieved
Summarized Path to CMMC Success
1. Identify The Target CMMC Level.
   • If you store, transmit and/or process just FCI, then you are a Level 1
   • If you store, transmit and/or process FCI and/or CUI, then you are a Level 2
2. Document FCI/CUI Data/Process Flows.
3. Establish an Asset Inventory, Network Diagrams, Policies, Processes, and Plans.
4. Create a System Security Plan (SSP).
5. Train Personnel On Secure Practices.
6. Conduct a CMMC Pre-Assessment.
7. Choose a Certified Third-Party Assessor Organization (C3PAO).
8. Get Certified.
9. Recertification.
10. Conclusion.
Preliminary Steps for CMMC Success
Step 1: Identify The Target CMMC Level. In order to start, you have to know what target CMMC certification level your organization needs to attain. CMMC focuses entirely on the classification of data:
• If you store, transmit and/or process just FCI, then you are a Level 1
• If you store, transmit and/or process FCI and/or CUI, then you are a Level 2
Step 2: Document FCI/CUI Data/Process Flows. The DoD considers any part of your organization that touches CUI & FCI (i.e., where it’s stored, how it’s processed, and how it’s transmitted) to be “in-scope” when it comes to an official certification assessment. For example, your organization may have other unrelated departments (e.g., marketing, sales, etc.) where CUI & FCI will not be stored, processed, or transmitted. To make compliance as smooth and cost-effective as possible, you’ll want to isolate only the relevant parts of your organization into their own network.
Step 3: Establish an Asset Inventory, Network Diagrams, Policies, Processes, and Plans. The CMMC is all about “Process Maturity”: an organization’s commitment to and consistency in performing specific practices. To do this successfully, you need to establish several governing documents describing what the organization should abide by (policies), how they should be implemented (processes), and how those tasks will be funded and managed (plans).
Step 4: Create a System Security Plan (SSP). The SSP is your organization’s plan to secure its systems. More specifically, it is a collection of documents that paint a picture of your environment, the associated security requirements, the implemented or planned controls, and the expected behaviors of all individuals who access the system. In addition to other documents, you will need to reference your previously established policies, processes, and plans as they relate to each domain. Depending on your organization, your SSP might cover your entire organization, a subset of it, or multiple subsets.
Step 5: Train Personnel On Secure Practices. The common weak link in most organizations is the “people factor”: the individuals required to operate processes. OSCs (Organizations Seeking Certification) are required to train their personnel on CUI handling practices, role-specific security training, insider threat awareness and, in some cases, ITAR/EAR training for export control.
Step 6: Conduct a CMMC Pre-Assessment. The CMMC Pre-Assessment is a necessary internal tool to prepare for the actual certification assessment. It is the only way to know which practices your organization is missing, collect evidence about processes and plans, and create a Plan of Actions & Milestones (POA&M) for missing practices, processes, and plans.
Create a POA&M: You will take all of your missing controls and create a formal document that describes the specific steps your organization will take to implement a particular practice fully (actions) and over what period (milestones).
Step 7: Choose a Certified Third-Party Assessor Organization (C3PAO). A Certified Third-Party Assessor Organization (C3PAO) is an official organization certified to provide CMMC certifications by the CMMC Accreditation Body (CMMC-AB). There are currently over 100 C3PAOs that you can work with on the CMMC-AB Marketplace. It would be best if you chose to work with a C3PAO that not only fits your budget but has previous experience with your industry.
Step 8: Get Certified. Your C3PAO and its CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA) will use the CMMC-AB assessment guidelines to conduct a CMMC assessment for your entire organization or a specific CUI enclave. CCPs and CCAs will gather information and evidence to independently verify that the organization meets the stated assessment objectives for all of the required practices and processes. If the C3PAO can successfully demonstrate that the organization implements all practices and has the appropriate process maturity, they will grant the official certification.
Step 9: Recertification. Your certification will last for three years, which means that you will need to recertify every three years. The recertification process is the same as the initial process.
Step 10: Conclusion. Going from zero to certification involves a well-oiled machine with many moving parts, from scoping your organization, to establishing policies, processes, and plans, to establishing an evidence-driven compliance workflow, to hiring a C3PAO to certify you. While some organizations might be well resourced to undertake this process, others might struggle to get started. It is wise to seek out help from the many accredited organizations on the CMMC-AB Marketplace. MRK is a Registered Practitioner Organization (RPO).
THANK YOU
Questions
Jack Nichelson
Chief Information Security Officer
CMMC Audit Remediation PLAN
Information Security - Back to Basics - Own Your Vulnerabilities
 
Protecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersProtecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the Beefeaters
 

Recently uploaded

New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx

  • 5. Introduction to CMMC 2.0 – A New Standard in Defending Data
    The Cybersecurity Maturity Model Certification (CMMC) is a unified standard designed to implement and improve cybersecurity across the entire DIB, which includes more than 300,000 companies. The new model will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The compliance standard is an evolution of the DFARS 252.204-7012 and NIST 800-171 standards and is meant to protect the nation's sensitive data.
    All government contractors will have to become CMMC compliant by 2026 in order to continue doing business with the U.S. Government. It is critical to start the CMMC process sooner rather than later, whether 5 or 50 percent of your revenue comes from government contracts. Vendors that show strong controls will thrive as the entire DIB transitions to the new model. Every company within the DoD supply chain will be required to get certified to receive new contracts, representing a massive portion of potential business. In fiscal year 2018, the DoD awarded nearly $360 billion in contracts for products, materials and services.
  • 6. CMMC Acronyms
    Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government by 2026.
    Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release. (CMMC 2.0 Level 1 = FAR 52.204-21)
    Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. (CMMC 2.0 Level 2 = DFARS 252.204-7012)
    Certified Third-Party Assessment Organization (C3PAO): A C3PAO is an organization authorized by the CMMC-AB to conduct and deliver CMMC assessments.
  • 7. CMMC Acronyms
    Defense Federal Acquisition Regulation Supplement (DFARS): Starting in Dec. 2020, all contractors are subject to new clauses in the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012, 7019, 7020 and 7021). This means, starting immediately, that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded to them.
    System Security Plan (SSP): An SSP is a document that identifies the functions and features of a system, including all its hardware and the software installed on the system. It outlines the security requirements of the system and describes the controls in place or planned, the responsibilities, and the expected behavior of all individuals who access the system. The SSP has been part of the NIST 800-171 security requirements set forth by DFARS 7012. DFARS 7019 holds the requirements for contractors to maintain their assessments and report them properly, as well as the requirements for contracting authorities to award or withhold award based upon properly reported assessment results.
  • 8. Difference between FCI & CUI
    Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release: “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
    Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system: “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
  • 11. What You Need to Know About CMMC 2.0
    In November 2021, the Department of Defense (DoD) announced that the CMMC will be undergoing three major changes to help reduce costs, streamline the compliance process, and be better aligned with other federal standards. CMMC 2.0 may not be fully implemented until late 2023. By 2026, all DIB contractors will be required to be CMMC certified by a C3PAO before being allowed to bid on government contracts.
    A strong cybersecurity posture will always be a requirement in securing a DoD contract. While the DoD stresses that it will not approve any contracts that include a CMMC requirement prior to CMMC 2.0 implementation, the department strongly encourages the DIB sector to meet the 110 security controls stipulated under NIST SP 800-171. This is because NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0. After all, the DIB is still subject to the Defense Federal Acquisition Regulation Supplement rules, which require meeting NIST 800-171 and DFARS 7012 standards.
    Prime contractors will have to ensure all subs are CMMC compliant: mandatory flow-down of CMMC requirements to over 350,000 DIB companies. The DoD estimates that about 150,000 companies will need to meet Level 1, about 80,000 companies will need to be compliant with CMMC Level 2, and fewer than 500 companies will need to comply with Level 3.
  • 12. The 3 levels of CMMC 2.0
    Level 1 (Foundational) only applies to companies that focus on the protection of FCI. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users. The DoD estimates that about 150,000 such companies exist in the DIB.
    Level 2 (Advanced) is for companies working with CUI. Requirements will mirror NIST SP 800-171; all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 control families and 110 security controls developed by NIST to protect CUI, as required by DFARS 252.204-7012. The DoD estimates that about 80,000 companies handle CUI.
    Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. The DoD is still determining the specific security requirements for Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. The DoD estimates that about 500 companies will need to comply with Level 3.
  • 13. The “Crawl – Walk – Run” of CMMC
    Crawl: Notice of NIST 800-171 DoD Assessment Requirements. In the 1st phase of CMMC implementation, contractors must register by CAGE code in SPRS and upload a self-assessment based on their 800-171 controls implementation (not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest).
    Walk: The DoD Assessment Methodology begins to be enforced. A two (2) year effort where inconsequential “audits” by DCMA and the DIB-CAC are part of the process.
    Run: The instantiation of how we’re going to ensure cybersecurity is foundational to all acquisition. This is when CMMC controls, processes, and practices become required elements for doing business with the Department.
  • 14. CMMC 2.0 Keeps Changing
    In November 2021, the Department of Defense (DoD) announced that the CMMC will be undergoing three major changes to help reduce costs, streamline the compliance process, and be better aligned with other federal standards. CMMC 2.0 may not be fully implemented until late 2023. By 2026, all DIB contractors will be required to be CMMC certified by a C3PAO before being allowed to bid on government contracts.
    A strong cybersecurity posture will always be a requirement in securing a DoD contract. While the DoD stresses that it will not approve any contracts that include a CMMC requirement prior to CMMC 2.0 implementation, the department strongly encourages the DIB sector to meet the 110 security controls stipulated under NIST SP 800-171. This is because NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0. The similarities between the two compliance models make it easier for a NIST SP 800-171-compliant company to achieve compliance with Level 2 standards when CMMC 2.0 becomes law. After all, the DIB is still subject to the Defense Federal Acquisition Regulation Supplement rules, which require meeting NIST 800-171 and DFARS 7012 standards.
    Prime contractors will have to ensure all subs are CMMC compliant: mandatory flow-down of CMMC requirements to over 350,000 DIB companies. The DoD estimates that about 150,000 companies will need to meet Level 1, about 80,000 companies will need to be compliant with CMMC Level 2, and fewer than 500 companies will need to comply with Level 3.
    All contractors could now be subject to DFARS 252.204-7012 & 7019. This means that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded.
  • 15. When Do We Need to Be CMMC 2.0 Certified?
    The planned schedule currently calls for CMMC rulemaking to be complete by May 2023. All contractors are now subject to DFARS 252.204-7012 & 7019. This means that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded. DoD officials have also been emphasizing that “nothing has changed” with CMMC, the implication being that DIB orgs have been self-attesting to NIST 800-171 compliance for years, so there’s no excuse not to be ready.
    Beware the False Claims Act: The DoD is also reminding DIB orgs about the Civil Cyber-Fraud Initiative from the US Department of Justice (DoJ). This new ruling emphasizes that if your business fails to comply with cybersecurity requirements specified in your contracts, you could face hefty fines in addition to losing your contracts under the False Claims Act. Aerojet Rocketdyne recently found that out the hard way, to the tune of over $9 million.
  • 16. NIST 800-171 Explained
    National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is the standard developed to protect controlled unclassified information (CUI) in nonfederal systems and organizations. NIST SP 800-171 came from a combination of the Federal Information Processing Standard (FIPS) 200 and the Moderate baseline of NIST SP 800-53. It contains administrative and technical requirements within 110 controls organized into 14 control families.
    CMMC Level 1 organizations can complete a NIST SP 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS). CMMC Level 2 or higher requires a C3PAO to complete an assessment to determine an organization’s maturity level.
    The DFARS 7019 clause notifies the contractor that they are required to maintain a record of their NIST 800-171 compliance within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system, which is only accessible to DoD personnel.
  • 18. 7 STEPS TO NIST 800–171 COMPLIANCE
    Step 1 Compliance Log: The primary method of providing links to audit evidence.
    Step 2 Response Procedures: Proof of meeting NIST controls, containing step-by-step details.
    Step 3 CUI Inventory: Map CUI data flow through all users, systems, software and cloud services.
    Step 4 Network Topology: Create a CUI data flow diagram illustrating where it is accessed, stored and controlled.
    Step 5 Policies & Standards: All policies must be updated and in alignment with NIST 800-171.
    Step 6 Plan of Action & Milestones: Create a POAM to track control deficiencies.
    Step 7 System Security Plan: Create an SSP to provide a security overview that demonstrates compliance with NIST 800-171.
  • 19. Path to CMMC Compliance
  • 20. DFARS Interim Rule Overview
    On September 29, 2020, the DoD issued the interim rule implementing the CMMC program. The rule introduces a new mandatory construct, the DoD Assessment Methodology, to serve as an interim certification process before contractors undergo a full CMMC review. A full description of the interim rule and what it means for DoD contractors follows.
    252.204-7012 (Existing): Created the basis for protecting controlled unclassified information by implementing NIST 800-171 controls.
    252.204-7019 (New as of 11/20/20): Created a self-assessment (Basic) requirement related to 800-171 and publishing in SPRS.
    252.204-7020 (New as of 11/20/20): Expands the 800-171 scores to include Moderate and High assurance assessments conducted by the DIBCAC and recorded in SPRS. Flow-down to subcontractors is required, and having an 800-171 score is a requirement prior to award.
    252.204-7021 (New as of 11/20/20): Creates the basis for CMMC and outlines C3PAOs and the timeline for the rollout.
  • 21. DFARS Interim Rule - 5 Key Takeaways
    1. This new requirement takes effect on December 1, 2020, for all contractors that are subject to the DFARS 252.204-7012 & 7019 clauses based on their handling of Controlled Unclassified Information (CUI).
    2. Contractors that handle CUI will need to complete a new NIST 800-171 Self-Assessment based on a new scoring methodology and then post their score in the Supplier Performance Risk System (SPRS) before a contract will be awarded.
    3. The Self-Assessment must also include the completion of a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of their network and their plan to achieve 100% compliance with the NIST 800-171 requirements.
    4. Prime Contractors must flow this requirement down to their subcontractors/suppliers that handle CUI as well.
    5. DCMA will be conducting random audits to ensure companies have not only completed the self-assessment, but have scored themselves accurately, have an SSP and are working towards completing a realistic POAM.
    SPRS Reporting Requirements:
    • Your system security plan name
    • The CAGE code associated with the plan
    • A brief description of the plan architecture
    • The date the assessment was completed
    • The date that a score of 110 will be achieved
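The self-assessment score that slide 21 says must be posted to SPRS, and the POA&M that slide 18 (Step 6) says should track control deficiencies, are produced by the same bookkeeping. The following is an added example, not code from the deck or from its author: it scores a control inventory with the mechanics of the DoD NIST SP 800-171 Assessment Methodology (start at 110; each of the 110 requirements is weighted 5, 3 or 1 and subtracts its weight when not implemented; 3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography subtract 3 instead of 5 when partially met), lists the open POA&M items, and derives the "date a score of 110 will be achieved" field from their milestones. The inventory, milestones and CAGE code are constructed placeholders, and the per-control weights in the sample are my reading of the methodology's Annex A and should be verified against the current document before real use.

```python
"""SPRS self-assessment scorer (added example, not part of the slide deck)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

STARTING_SCORE = 110
VALID_STATUSES = {"implemented", "partial", "not_implemented"}
# Only these two requirements get a reduced deduction when partially met;
# any other "partial" control costs its full weight, because the
# methodology grants no other partial credit.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class ControlStatus:
    control_id: str                   # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int                       # 5, 3 or 1 per the methodology's Annex A
    status: str                       # one of VALID_STATUSES
    milestone: Optional[date] = None  # POA&M target date for an open item


def deduction(control: ControlStatus) -> int:
    """Points this control costs against the 110 starting score."""
    if control.status not in VALID_STATUSES:
        raise ValueError(f"{control.control_id}: unknown status {control.status!r}")
    if control.weight not in (1, 3, 5):
        raise ValueError(f"{control.control_id}: weight must be 1, 3 or 5")
    if control.status == "implemented":
        return 0
    if control.status == "partial" and control.control_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[control.control_id]
    return control.weight


def sprs_score(controls) -> int:
    """SPRS score. Controls absent from the inventory count as implemented,
    so a real inventory must list all 110 requirements."""
    ids = [c.control_id for c in controls]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control ids in inventory")
    return STARTING_SCORE - sum(deduction(c) for c in controls)


def poam(controls):
    """POA&M entries (control id, points outstanding, milestone) for every
    control still costing points, earliest milestone first, undated last."""
    open_items = [(c.control_id, deduction(c), c.milestone)
                  for c in controls if deduction(c) > 0]
    return sorted(open_items, key=lambda item: (item[2] is None, item[2] or date.max))


def projected_110_date(controls, assessment_date: date) -> Optional[date]:
    """Date the score reaches 110: the assessment date if nothing is open,
    the latest milestone otherwise, or None if any open item has no milestone
    (an incomplete POA&M cannot honestly fill in the SPRS field)."""
    open_items = poam(controls)
    if not open_items:
        return assessment_date
    if any(m is None for _, _, m in open_items):
        return None
    return max(m for _, _, m in open_items)


def sprs_report(controls, plan_name, cage_code, architecture, assessment_date):
    """The five SPRS reporting fields the deck lists, plus the score itself."""
    return {
        "system_security_plan": plan_name,
        "cage_code": cage_code,
        "architecture": architecture,
        "assessment_date": assessment_date,
        "score": sprs_score(controls),
        "date_score_110_achieved": projected_110_date(controls, assessment_date),
    }


# Constructed sample inventory (not a real assessment). Only a handful of
# the 110 requirements are listed, so the rest count as implemented here.
SAMPLE_CONTROLS = [
    ControlStatus("3.1.1", 5, "implemented"),                           # access limited to authorized users
    ControlStatus("3.1.2", 5, "implemented"),                           # access limited to permitted transactions
    ControlStatus("3.5.3", 5, "partial", date(2023, 3, 31)),            # MFA on privileged/remote users only
    ControlStatus("3.13.11", 5, "not_implemented", date(2023, 6, 30)),  # non-FIPS-validated crypto in use
    ControlStatus("3.14.2", 5, "not_implemented", date(2023, 1, 31)),   # no malicious-code protection
    ControlStatus("3.5.7", 1, "not_implemented", date(2022, 12, 15)),   # password complexity not enforced
]

if __name__ == "__main__":
    report = sprs_report(SAMPLE_CONTROLS, "Example CUI Enclave SSP", "CAGE-PLACEHOLDER",
                         "segmented CUI enclave", date(2022, 10, 1))
    print(report)
    for control_id, points, milestone in poam(SAMPLE_CONTROLS):
        print(f"POA&M {control_id}: {points} point(s) open, target {milestone}")
```

With the constructed inventory the score is 96 (110 minus 3 + 5 + 5 + 1), and the projected date for reaching 110 is the latest milestone, 2023-06-30. Two deliberate choices matter for the False Claims Act exposure the deck raises on slides 13 and 15: a "partial" status on any control other than 3.5.3 or 3.13.11 costs the full weight rather than silently earning credit, and the projected date comes back as None whenever an open item lacks a milestone, so an incomplete POA&M cannot be reported as a plan.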
  • 22. Summarized Path to CMMC Success
    1. Identify The Target CMMC Level.
       1. If you store, transmit and/or process just FCI, then you are a Level 1
       2. If you store, transmit and/or process FCI and/or CUI, then you are a Level 2
    2. Document FCI/CUI Data/Process Flows.
    3. Establish an Asset Inventory, Network Diagrams, Policies, Processes, and Plans.
    4. Create a System Security Plan (SSP).
    5. Train Personnel On Secure Practices.
    6. Conduct a CMMC Pre-Assessment.
    7. Choose a Certified Third-Party Assessor Organization (C3PAO).
    8. Get Certified.
    9. Recertification.
    10. Conclusion.
  • 23. Preliminary Steps for CMMC Success
    Step 1: Identify The Target CMMC Level. In order to start, you have to know what target CMMC certification level your organization needs to attain. CMMC focuses entirely on the classification of data:
    • If you store, transmit and/or process just FCI, then you are a Level 1
    • If you store, transmit and/or process FCI and/or CUI, then you are a Level 2
    Step 2: Document FCI/CUI Data/Process Flows. The DoD considers any part of your organization that touches CUI & FCI (i.e., where it’s stored, how it’s processed, and how it’s transmitted) to be “in-scope” when it comes to an official certification assessment. For example, your organization may have other unrelated departments (e.g., marketing, sales, etc.) where CUI & FCI will not be stored, processed, or transmitted. To make compliance as smooth and cost-effective as possible, you’ll want to isolate only the relevant parts of your organization into their own network.
    Step 3: Establish an Asset Inventory, Network Diagrams, Policies, Processes, and Plans. The CMMC is all about “Process Maturity”: an organization’s commitment to and consistency in performing specific practices. To do this successfully, you need to establish several governing documents describing what the organization should abide by (policies), how they should be implemented (processes), and how those tasks will be funded and managed (plans).
    Step 4: Create a System Security Plan (SSP). The SSP is your organization’s plan to secure its systems. More specifically, it is a collection of documents that paint a picture of your environment, the associated security requirements, the implemented or planned controls, and the expected behaviors of all individuals who access the system. In addition to other documents, you will need to reference your previously established policies, processes, and plans as they relate to each domain. Depending on your organization, your SSP might cover your entire organization, a subset of it, or multiple subsets.
    Step 5: Train Personnel On Secure Practices. The common weak link in most organizations is the “people factor”: the individuals required to operate processes. OSCs are required to train their personnel on CUI handling practices, role-specific security training, insider threat awareness and, in some cases, ITAR/EAR training for export control.
  • 24. Preliminary Steps for CMMC Success Step 6: Conduct a CMMC Pre-Assessment. The CMMC Pre-Assessment is a necessary internal tool to prepare for the actual certification assessment. It is the only way to know which practices your organization is missing, collect evidence about processes and plans, and create a Plan of Actions & Milestones (POA&M) for missing practices, processes, and plans. Create a POA&M: You will take all of your missing controls and create a formal document that describes the specific steps your organization will take to implement a particular practice (actions) fully and over what period (milestones). Step 7: Choose a Certified Third-Party Assessor Organization (C3PAO). A Certified Third-Party Assessor Organization (C3PAO) is an official organization certified to provide CMMC certifications by the CMMC Accreditation Body (CMMC-AB). There are currently over 100 C3PAOs that you can work with on the CMMC-AB Marketplace. It would be best if you chose to work with a C3PAO that not only fits your budget but has previous experience with your industry. Step 8: Get Certified. Your C3PAO and its CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA) will use the CMMC-AB assessment guidelines to conduct a CMMC assessment for your entire organization or a specific CUI Enclave. CCPs and CCAs will gather information and evidence to independently verify that an organization meets the stated assessment objectives for all of the required practices and processes. If the C3PAO can successfully demonstrate the organization implements all practices and has the appropriate process maturity, they will grant the official certification. Step 9: Recertification. Your certification will last for three years, which means that you will need to recertify every three years. The recertification process is the same as the initial process. Step 10: Conclusion. 
Going from zero to certification involves a well-oiled machine with many moving parts: scoping your organization, establishing policies, processes, and plans, establishing an evidence-driven compliance workflow, and hiring a C3PAO to certify you. While some organizations might be well resourced to undertake this process, others might struggle to get started. It is wise to seek out help from the many accredited organizations on the CMMC-AB Marketplace. MRK is a Registered Practitioner Organization (RPO).
  • 25. THANK YOU Questions Jack Nichelson Chief Information Security Officer

Editor's Notes

  1. Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify contractors of the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DoD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this presentation, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification. In addition to answering questions from attendees, this presentation will cover the following topics:
• What You Need to Know About CMMC
• CMMC 2.0 Proposed Changes
• The Crawl – Walk – Run of CMMC
• Preliminary Steps for CMMC Success
• How to improve your NIST SP 800-171 Self-Assessment SPRS score
  2. https://www.pratum.com/blog/484-10-questions-with-a-cmmc-registered-practitioner In 2019, the DoD began a lengthy process for beefing up security for every company in its supply chain via the Cybersecurity Maturity Model Certification (CMMC) standard. In all, about 300,000 companies face new cybersecurity compliance rules if they want to keep winning contracts from the Pentagon and its prime contractors. But, as you might expect from a massive new government program, confusion and controversy have dogged CMMC’s rollout. The private sector pushed back heavily on the regulatory burden imposed by CMMC’s complexity. The new release makes the whole program simpler and, frankly, leaves a lot of lingering questions about how much will ever be required for DoD contractors. The DoD is making flexible implementation a key factor in the CMMC revisions. In the latest move, CMMC 2.0 arrived in November with numerous adjustments handed down by the CMMC Accreditation Body (CMMC-AB).
  3. Let’s start with timeline. How soon do companies need to comply with CMMC? No one really knows at this point, but no deadlines are looming. The DoD originally said some level of CMMC requirement would appear in all of its contracts by 2025. But with the release of CMMC 2.0, all of that is up in the air again. The DoD is diving into an open-ended “rulemaking process” and has dropped plans to include CMMC requirements in upcoming contracts. One thing we’re hearing is that the DoD may offer incentives to companies that voluntarily adopt CMMC guidelines, which sounds like an effort to motivate some early adopters.
  5. CMMC 1.0 included five levels that a vendor could be required to meet under any given DoD contract. CMMC 2.0 cuts the original five levels down to just three. This chart from the official federal CMMC site shows how the new levels compare to the old ones: Does CMMC 2.0 still require a third-party certification of security practices? A: That’s one of the biggest changes in the new release. Under CMMC 1.0, every level required assessment by an approved third-party. But CMMC 2.0 dramatically reduces the requirements for third-party assessments. Companies pursuing contracts with a Level 1 requirement can now submit a self-assessment. At Level 2, some contracts will require third-party assessment. These moves are clearly designed to address industry complaints about increasing compliance regulations. At Level 3, the DoD intends for government assessors to review the security standards of contractors handling the most sensitive information. CMMC 1.0 included a significant number of CMMC-specific requirements. Those are gone in version 2.0. Level 2 now mirrors the widely used NIST SP 800-171, and Level 3 will be based on a subset of NIST SP 800-172. The bottom line is that companies following industry standards should be able to achieve CMMC compliance without adopting other proprietary controls. Does the new approach allow remediation plans? A: Yes. In another concession meant to ease the compliance burden on companies, CMMC 2.0 lets companies achieve certification while still pursuing a Plan of Action and Milestones (POA&Ms) to fix any shortcomings. This eliminates the pass/fail nature of CMMC 1.0. In some circumstances, the DoD says it will even let companies apply for CMMC waivers.
  6. 60% of the Defense Industrial Base will need to be compliant with CMMC Level 1; 30% will need to be compliant with CMMC Level 3; less than 2% need to be compliant with CMMC Levels 4 and 5.
  7. You should already be at Level 1. Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. These 17 controls are all basic cyber hygiene and represent the minimum any contractor should have already deployed.
  9. Trick Question. NIST 800-171 sets standards for safeguarding sensitive information on federal contractors' IT systems and networks. By requiring best-practice cybersecurity processes from government contractors, the resilience of the whole federal supply chain is strengthened.
  11. So the government will mostly take companies at their word regarding their security programs? A: You can still plan on some oversight, even when self-assessment is allowed. Companies that knowingly falsify their reporting may, for example, face false claims lawsuits from the Department of Justice. How have the actual controls changed? A: CMMC 1.0 included a significant number of CMMC-specific requirements. Those are gone in version 2.0. Level 2 now mirrors the widely used NIST SP 800-171, and Level 3 will be based on a subset of NIST SP 800-172. The bottom line is that companies following industry standards should be able to achieve CMMC compliance without adopting other proprietary controls.
  12. Please note that the 7 steps are just the minimum requirements needed to establish an effective compliance program. There are 14 control families and a total of 110 controls. Each control objective (security requirement) must be supported by policy, standards, and evidence. Each security requirement must have a strong balance of control types, classes, and implementations.
  13. There is a widely-held misconception that a Level 1 OSC is going to be limited to small “mom and pop” companies, but that is an inaccurate assumption. An organization is designated a Level 1 when it only stores, transmits and/or processes FCI, not CUI. It is possible to have a Fortune 500 organization be a Level 1 OSC with a robust, well-staffed and mature security program. It is equally possible to have a small company with less than a handful of employees be a Level 3 OSC, even though it has no formal IT infrastructure or IT staff - just a completely virtual/remote workforce business model.