SlideShare a Scribd company logo

A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf

Jack Nichelson
Jack Nichelson

All DoD contractors are now be subject to CMMC 2.0 DFARS 252.204-7012 & 7019. This means, that any DoD suppliers looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this presentation, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC 2.0 certification. In addition to answering questions from attendees, this presentation will cover the following topics: • What You Need to Know About CMMC • CMMC 2.0 Proposed Changes • The Crawl – Walk – Run of CMMC • Preliminary Steps for CMMC Success • How to improve your NIST SP 800-171 Self-Assessment SPRS score

Technology
1 of 24
Download to read offline
A Clear Path to NIST & CMMC Compliance Jack Nichelson & Craig Burland Chief Information Security Officers NIST 800-171 & CMMC 2.0 Compliance Update
Jack Nichelson CONFIDENTIAL 2 • Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and Received the CSO50 award for connecting security initiatives to business value. • Adviser for Baldwin Wallace’s, State winner Collegiate Cyber Defense Competition (CCDC) team. • Certs: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP • Prior experience running Infrastructure & Security at multiple Fortune 500’s • 20+ years in IT & IT Security • Board member for FBI InfraGard • Executive MBA from Baldwin-Wallace University
Craig Burland CONFIDENTIAL 3 • Information Security Leader for a Fortune 200 company as Deputy CISO and CISO • Diverse set of IT and Cyber experiences… • Building global cybersecurity programs, level 2 incident response teams, intelligence automation and operations, vulnerability management and patching program • Implementing global identity management, securing operational technology environments • Managing web, collaboration, eCommerce platforms and agile development teams • Establishing an enterprise records management program, project management office • Technical Co-Chair of NEOCC and Customer Advisory Board member of NTT Global Security and Oracle Web Center • 30+ years in IT & Cybersecurity Jack’s +1
4 TruWest Family of Companies Point of Sale (POS) Lifecycle Management Custom cybersecurity solutions IT and AIDC equipment financing Venture debt for SaaS businesses Craft kitchen and taproom
CMMC Fundamentals Recap from CMMC 2021-22 CONFIDENTIAL 5
Introduction to CMMC • The Cybersecurity Maturity Model Certification or CMMC is a unified standard designed to improve cybersecurity across the thousands of companies in the Defense Industrial Base (DIB) • The new model will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Confidential Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC is an evolution of the DFARS 252.204-7012, 7019, 7020 and 7021 regulations requiring compliance with NIST 800-171
Key CMMC Acronyms Defense Federal Acquisition Regulation Supplement (DFARS): DFARS Regulations 252.204-7012, 7019, 7020 and 7021 call for protection of CUI based on NIST 800-171 System Security Plan (SSP): The document that identifies the functions and features of an organization’s compliant system, including all its hardware and the software installed on the system Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171 Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI) Certified Third-Party Assessment Organization (C3PAO): C3PAO is an organization authorized by the CMMC-AB to conduct, and deliver CMMC assessments
CMMC is built on DFARS Crawl DFARS 252.204.7012 Walk DFARS 252.204-7019 & 7020 Run DFARS 252.204-7021 • Crawl: DFARS 252.204-7012, also known as Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires defense contractors to provide adequate security by implementing the 110 security controls in NIST 800-171 and self-attest this has been done. This clause went into effect end of 2017. • Walk : DFARS 252.204-7019 & 7020, are clauses that outline the requirements for contractors to comply with NIST 800-171. It requires contractors to maintain a record of their NIST 800-171 compliance with a System Security Plan (SSP) and registering a CAGE code in the Supplier Performance Risk System (SPRS). This is not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest. These clauses went into effect on November 30, 2020. • Run: DFARS 252.204-7021, also known as “Cybersecurity Maturity Model Certification Requirements”, is a clause that outlines the requirements for contractors to comply with the Cybersecurity Maturity Model Certification (CMMC). This is when CMMC controls, processes, & practices become required elements for doing business with the Department. This clause will go into effect October 2025.
• All members of the DIB are subject to the Defense Federal Acquisition Regulation Supplement (DFARS) rules, which require meeting NIST 800-171 • NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0 • All DoD contractors will have to ensure all subs are CMMC compliant (a.k.a. “Flow Down”) • CMMC compliance will be phased into contracts in 2025 What You Need to Know About CMMC 2.0
Recent Key Events in CMMC’s Timeline Jul 2022: Aerojet Rocketdyne Agrees to pay $9MM Resolve False Claims Act Allegations Jan 2023: DoD releases the Accreditation Body Assessment Guide Mar 2023: DFARS 7024 published, allowing SPRS Assessments to be used for contract decisions Mar 2023: The first C3PAOs are accredited Jul 2023: DoD releases the proposed CMMC rule to OMB CONFIDENTIAL 10
Timeline for CMMC Adoption CONFIDENTIAL 11
Call to Action Enough! It’s time to get shit done! CONFIDENTIAL 12
A Simple Framework Plan: Establish objectives and goals • This stage focuses on identifying the problem or opportunity for improvement, setting specific targets, and planning how to achieve them. Do: Implement the planned actions • This stage involves carrying out the planned activities, starting with a pilot project or small-scale test. • It's a hands-on phase where you put your plan into action. Check: Assess and monitor the results • Compare the actual outcomes to the expected outcomes and gather data to evaluate the effectiveness of the changes. Act: Make decisions and take actions • If the results align with your objectives and goals, you standardize the improvements, update processes, and continue monitoring. • If the results fall short, you adjust your plan, make necessary changes, and repeat the PDCA cycle. Plan Do Check Act
A Clear Path to Getting CMMC Compliant PDCA Plan Do Check Act CMMC Identify Remediate Verify Assess KEYS NIST 800-171 POA&Ms SSP C3PAO CONFIDENTIAL 14
Framework for Getting CMMC Compliant Identify (Plan): • Identify the problem = 3rd party NIST 800-171 Risk & Security Assessment • Set specific targets = Determine your current exposure and desired CMMC level • Plan how to achieve them = High-level design. Estimated costs. Business buy-in. Remediate (Do): • Plan how to achieve them (again) = Develop Plans of Action & Milestones (POA&Ms) • Carry out the planned activities = Execute the POA&Ms and Build Your NIST Security Program Verify (Check): • Compare the actual to expected outcomes = Build the System Security Plan (SSP) • Gather data to evaluate the effectiveness of the changes = Perform a follow-up assessment and regenerate SPAR Score Assess (Act): • Evaluate = Assessment by a certified 3CPAO Auditor • Standardize the improvements, and update processes = Monitor compliance Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
Identify (Plan) • Determine your current exposure • DFARS is effective now • Is it mentioned in existing contracts? • Where is your CUI today? Who uses it? • Who are your customers? Suppliers? • Commit to required CMMC level • Based on current and desired business • Sets your overall objective • Conduct NIST 800-171 Risk & Security Assessment • Not a simple risk or gap assessment. Use a certified practitioner. • Identify the specified categories of CUI received/developed • Map CUI data flow through all Users, Systems, Software and Cloud services • Understand initial CMMC compliance report and SPAR score • Check the business’ appetite • Build a high-level design • Estimate costs • Socialize with stakeholders CMMC is about CUI. NIST is about IP. Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
Critical, Common Areas of Control CONFIDENTIAL 17 Assess Risks: ABA – Always Be Assessing Authorized Users: Know your people CUI Enclave & Environment: Build a safe home for CUI Encrypt CUI: Wherever it is Monitor Assets: Always watching Manage Media: Just say no Physical Access: It’s a closed-door policy Consider People, Process, and Technology for IT and the Business Estimate the Total Cost of Compliance
Remediate (Do) • Align your security program with NIST • NIST-based policies • CUI-specific training • Identify authorized people (e.g., US Citizens) • Governance, Risk, & Compliance Committee • Develop Plans of Action & Milestones (POA&Ms) • POA&Ms outline the steps to address and remediate security vulnerabilities, weaknesses, or deficiencies • They define the who, what, when, and how • Execute the POA&Ms • Executing POA&Ms will take focus, time, and effort • POA&Ms should be realistic • POA&Ms can be iterative NIST-Based Security Program is key Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
Big Remediation Challenges No business buy-in. No contract awareness. Understanding how CUI flows through an organization Inadequate policies, procedures & compliance-related documentation. High-level System Security Plan (SSP) Poor (or missing) Plans of Action and Milestones (POA&M) Limited security monitoring & incident response capabilities FIPS-Compliant vs. FIPS-Validated Encryption FedRAMP-Equivalent vs. FedRAMP- authorized Cloud Services
Verify (Check) • Perform a DoD Self-Assessment by a 3rd party • DoD self-assessment helps validate controls and generate the SPAR score • Use of an objective, trained, experienced 3rd party is key to avoid internal bias and bring an auditor’s perspective • Build the System Security Plan (SSP) • An SSP serves as a comprehensive document that outlines the security controls and safeguards implemented in your environment • The SSP is the key element of your application for CMMC compliance – auditors will start with the SSP • Establish and maintain sufficient evidence for your score • Regenerate SPAR Score • Update Supplier Performance Risk System (SPRS) score • If not 110, return to Identify Identify (Plan) Remediate (Do) Verify (Check) Assess (Act) Evidence, evidence, evidence
Assess (Act) • Select and Schedule C3PAO • This is an important partner in your journey • Spend the time to find a good fit • Expect a queue for C3PAOs, especially as the deadline approaches • Get the C3PAO Assessment • Showtime! • The assess will be a detailed review of SSP and Evidence • Monitor and prepare for reassessment • It’s critical to understand and communicate that CMMC compliance is not a one-and-done effort • Monitoring controls, tracking risks, etc. is a critical element of compliance Expect long wait times for C3PAOs! Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
In conclusion… CONFIDENTIAL 22 “Everyone Has A Will To Win But Very Few Have The Will To Prepare To Win.” — Vince Lombardi
CMMC 2023 Summary CMMC builds on DFARS and NIST 800-171 -- Rules that you should already be following The government continues to ramp up regulations and enforcement – CMMC is real and coming Closing gaps will require investment in people, process, and technology Passing the assessment gauntlet will require strong evidence of people, process, and technology Think about cycles of improvement – it’s not about getting to 110 immediately Companies that finish early will have an opportunity to win business from those that don’t CONFIDENTIAL 23 Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
THANK YOU Jack Nichelson and Craig Burland Chief Information Security Officers

Recommended

Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)Robert E Jones
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfAmyPoblete3
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceWilliam McBorrough
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationCybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationMurray Security Services
 
How I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareHow I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareIgnyte Assurance Platform
 
CMMC Breakdown
CMMC BreakdownCMMC Breakdown
CMMC BreakdownIgnyte Assurance Platform
 
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxA Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxJack Nichelson
 

Recommended

Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)Robert E Jones
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfAmyPoblete3
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceWilliam McBorrough
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationCybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationMurray Security Services
 
How I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareHow I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareIgnyte Assurance Platform
 
CMMC Breakdown
CMMC BreakdownCMMC Breakdown
CMMC BreakdownIgnyte Assurance Platform
 
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxA Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxJack Nichelson
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdftoncik
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingLaying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingIgnyte Assurance Platform
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWithum
 
CMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBsCMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBsIgnyte Assurance Platform
 
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowCMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowPECB
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxControlCase
 
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...Ignyte Assurance Platform
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview Ignyte Assurance Platform
 
CompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowCompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowInfosec
 
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal ContractorsArnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal ContractorsJSchaus & Associates
 
CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 Ignyte Assurance Platform
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicCloudHesive
 
Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable SolarWinds
 
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxA Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxJack Nichelson
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...John Gilligan
 
CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023Withum
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCimetrics Inc
 
Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Jack Nichelson
 
Creating a results oriented culture
Creating a results oriented cultureCreating a results oriented culture
Creating a results oriented cultureJack Nichelson
 

More Related Content

Similar to A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf

ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdftoncik
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingLaying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingIgnyte Assurance Platform
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWithum
 
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowCMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowPECB
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxControlCase
 
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...Ignyte Assurance Platform
 
CompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowCompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowInfosec
 
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal ContractorsArnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal ContractorsJSchaus & Associates
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicCloudHesive
 
Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable SolarWinds
 
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxA Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxJack Nichelson
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...John Gilligan
 
CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023Withum
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCimetrics Inc
 

Similar to A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf (20)

ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdf
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingLaying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST Compliance
 
CMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBsCMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBs
 
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowCMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
 
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview
 
CompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowCompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to know
 
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal ContractorsArnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
 
CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo Logic
 
Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable
 
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxA Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
 
CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide Deck
 

More from Jack Nichelson

Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Jack Nichelson
 
Creating a results oriented culture
Creating a results oriented cultureCreating a results oriented culture
Creating a results oriented cultureJack Nichelson
 
The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017Jack Nichelson
 
Creating a Results Oriented Culture
Creating a Results Oriented CultureCreating a Results Oriented Culture
Creating a Results Oriented CultureJack Nichelson
 
Moving Mountains Through Measurement
Moving Mountains Through MeasurementMoving Mountains Through Measurement
Moving Mountains Through MeasurementJack Nichelson
 
10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security ManagersJack Nichelson
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesJack Nichelson
 
Protecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersProtecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersJack Nichelson
 

More from Jack Nichelson (9)

Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365
 
Creating a results oriented culture
Creating a results oriented cultureCreating a results oriented culture
Creating a results oriented culture
 
The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017
 
Creating a Results Oriented Culture
Creating a Results Oriented CultureCreating a Results Oriented Culture
Creating a Results Oriented Culture
 
Moving Mountains Through Measurement
Moving Mountains Through MeasurementMoving Mountains Through Measurement
Moving Mountains Through Measurement
 
10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
 
Protecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersProtecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the Beefeaters
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 

A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf

  • 1. A Clear Path to NIST & CMMC Compliance Jack Nichelson & Craig Burland Chief Information Security Officers NIST 800-171 & CMMC 2.0 Compliance Update
  • 2. Jack Nichelson CONFIDENTIAL 2 • Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and Received the CSO50 award for connecting security initiatives to business value. • Adviser for Baldwin Wallace’s, State winner Collegiate Cyber Defense Competition (CCDC) team. • Certs: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP • Prior experience running Infrastructure & Security at multiple Fortune 500’s • 20+ years in IT & IT Security • Board member for FBI InfraGard • Executive MBA from Baldwin-Wallace University
  • 3. Craig Burland CONFIDENTIAL 3 • Information Security Leader for a Fortune 200 company as Deputy CISO and CISO • Diverse set of IT and Cyber experiences… • Building global cybersecurity programs, level 2 incident response teams, intelligence automation and operations, vulnerability management and patching program • Implementing global identity management, securing operational technology environments • Managing web, collaboration, eCommerce platforms and agile development teams • Establishing an enterprise records management program, project management office • Technical Co-Chair of NEOCC and Customer Advisory Board member of NTT Global Security and Oracle Web Center • 30+ years in IT & Cybersecurity Jack’s +1
  • 4. 4 TruWest Family of Companies Point of Sale (POS) Lifecycle Management Custom cybersecurity solutions IT and AIDC equipment financing Venture debt for SaaS businesses Craft kitchen and taproom
  • 5. CMMC Fundamentals Recap from CMMC 2021-22 CONFIDENTIAL 5
  • 6. Introduction to CMMC • The Cybersecurity Maturity Model Certification or CMMC is a unified standard designed to improve cybersecurity across the thousands of companies in the Defense Industrial Base (DIB) • The new model will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Confidential Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC is an evolution of the DFARS 252.204-7012, 7019, 7020 and 7021 regulations requiring compliance with NIST 800-171
  • 7. Key CMMC Acronyms Defense Federal Acquisition Regulation Supplement (DFARS): DFARS Regulations 252.204-7012, 7019, 7020 and 7021 call for protection of CUI based on NIST 800-171 System Security Plan (SSP): The document that identifies the functions and features of an organization’s compliant system, including all its hardware and the software installed on the system Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171 Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI) Certified Third-Party Assessment Organization (C3PAO): C3PAO is an organization authorized by the CMMC-AB to conduct, and deliver CMMC assessments
  • 8. CMMC is built on DFARS Crawl DFARS 252.204.7012 Walk DFARS 252.204-7019 & 7020 Run DFARS 252.204-7021 • Crawl: DFARS 252.204-7012, also known as Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires defense contractors to provide adequate security by implementing the 110 security controls in NIST 800-171 and self-attest this has been done. This clause went into effect end of 2017. • Walk : DFARS 252.204-7019 & 7020, are clauses that outline the requirements for contractors to comply with NIST 800-171. It requires contractors to maintain a record of their NIST 800-171 compliance with a System Security Plan (SSP) and registering a CAGE code in the Supplier Performance Risk System (SPRS). This is not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest. These clauses went into effect on November 30, 2020. • Run: DFARS 252.204-7021, also known as “Cybersecurity Maturity Model Certification Requirements”, is a clause that outlines the requirements for contractors to comply with the Cybersecurity Maturity Model Certification (CMMC). This is when CMMC controls, processes, & practices become required elements for doing business with the Department. This clause will go into effect October 2025.
  • 9. • All members of the DIB are subject to the Defense Federal Acquisition Regulation Supplement (DFARS) rules, which require meeting NIST 800-171 • NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0 • All DoD contractors will have to ensure all subs are CMMC compliant (a.k.a. “Flow Down”) • CMMC compliance will be phased into contracts in 2025 What You Need to Know About CMMC 2.0
  • 10. Recent Key Events in CMMC’s Timeline Jul 2022: Aerojet Rocketdyne Agrees to pay $9MM Resolve False Claims Act Allegations Jan 2023: DoD releases the Accreditation Body Assessment Guide Mar 2023: DFARS 7024 published, allowing SPRS Assessments to be used for contract decisions Mar 2023: The first C3PAOs are accredited Jul 2023: DoD releases the proposed CMMC rule to OMB CONFIDENTIAL 10
  • 11. Timeline for CMMC Adoption CONFIDENTIAL 11
  • 12. Call to Action Enough! It’s time to get shit done! CONFIDENTIAL 12
  • 13. A Simple Framework Plan: Establish objectives and goals • This stage focuses on identifying the problem or opportunity for improvement, setting specific targets, and planning how to achieve them. Do: Implement the planned actions • This stage involves carrying out the planned activities, starting with a pilot project or small-scale test. • It's a hands-on phase where you put your plan into action. Check: Assess and monitor the results • Compare the actual outcomes to the expected outcomes and gather data to evaluate the effectiveness of the changes. Act: Make decisions and take actions • If the results align with your objectives and goals, you standardize the improvements, update processes, and continue monitoring. • If the results fall short, you adjust your plan, make necessary changes, and repeat the PDCA cycle. Plan Do Check Act
  • 14. A Clear Path to Getting CMMC Compliant PDCA Plan Do Check Act CMMC Identify Remediate Verify Assess KEYS NIST 800-171 POA&Ms SSP C3PAO CONFIDENTIAL 14
  • 15. Framework for Getting CMMC Compliant Identify (Plan): • Identify the problem = 3rd party NIST 800-171 Risk & Security Assessment • Set specific targets = Determine your current exposure and desired CMMC level • Plan how to achieve them = High-level design. Estimated costs. Business buy-in. Remediate (Do): • Plan how to achieve them (again) = Develop Plans of Action & Milestones (POA&Ms) • Carry out the planned activities = Execute the POA&Ms and Build Your NIST Security Program Verify (Check): • Compare the actual to expected outcomes = Build the System Security Plan (SSP) • Gather data to evaluate the effectiveness of the changes = Perform a follow-up assessment and regenerate SPAR Score Assess (Act): • Evaluate = Assessment by a certified 3CPAO Auditor • Standardize the improvements, and update processes = Monitor compliance Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 16. Identify (Plan) • Determine your current exposure • DFARS is effective now • Is it mentioned in existing contracts? • Where is your CUI today? Who uses it? • Who are your customers? Suppliers? • Commit to required CMMC level • Based on current and desired business • Sets your overall objective • Conduct NIST 800-171 Risk & Security Assessment • Not a simple risk or gap assessment. Use a certified practitioner. • Identify the specified categories of CUI received/developed • Map CUI data flow through all Users, Systems, Software and Cloud services • Understand initial CMMC compliance report and SPAR score • Check the business’ appetite • Build a high-level design • Estimate costs • Socialize with stakeholders CMMC is about CUI. NIST is about IP. Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 17. Critical, Common Areas of Control CONFIDENTIAL 17 Assess Risks: ABA – Always Be Assessing Authorized Users: Know your people CUI Enclave & Environment: Build a safe home for CUI Encrypt CUI: Wherever it is Monitor Assets: Always watching Manage Media: Just say no Physical Access: It’s a closed-door policy Consider People, Process, and Technology for IT and the Business Estimate the Total Cost of Compliance
  • 18. Remediate (Do) • Align your security program with NIST • NIST-based policies • CUI-specific training • Identify authorized people (e.g., US Citizens) • Governance, Risk, & Compliance Committee • Develop Plans of Action & Milestones (POA&Ms) • POA&Ms outline the steps to address and remediate security vulnerabilities, weaknesses, or deficiencies • They define the who, what, when, and how • Execute the POA&Ms • Executing POA&Ms will take focus, time, and effort • POA&Ms should be realistic • POA&Ms can be iterative NIST-Based Security Program is key Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 19. Big Remediation Challenges No business buy-in. No contract awareness. Understanding how CUI flows through an organization Inadequate policies, procedures & compliance-related documentation. High-level System Security Plan (SSP) Poor (or missing) Plans of Action and Milestones (POA&M) Limited security monitoring & incident response capabilities FIPS-Compliant vs. FIPS-Validated Encryption FedRAMP-Equivalent vs. FedRAMP- authorized Cloud Services
  • 20. Verify (Check) • Perform a DoD Self-Assessment by a 3rd party • DoD self-assessment helps validate controls and generate the SPAR score • Use of an objective, trained, experienced 3rd party is key to avoid internal bias and bring an auditor’s perspective • Build the System Security Plan (SSP) • An SSP serves as a comprehensive document that outlines the security controls and safeguards implemented in your environment • The SSP is the key element of your application for CMMC compliance – auditors will start with the SSP • Establish and maintain sufficient evidence for your score • Regenerate SPAR Score • Update Supplier Performance Risk System (SPRS) score • If not 110, return to Identify Identify (Plan) Remediate (Do) Verify (Check) Assess (Act) Evidence, evidence, evidence
  • 21. Assess (Act) • Select and Schedule C3PAO • This is an important partner in your journey • Spend the time to find a good fit • Expect a queue for C3PAOs, especially as the deadline approaches • Get the C3PAO Assessment • Showtime! • The assess will be a detailed review of SSP and Evidence • Monitor and prepare for reassessment • It’s critical to understand and communicate that CMMC compliance is not a one-and-done effort • Monitoring controls, tracking risks, etc. is a critical element of compliance Expect long wait times for C3PAOs! Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 22. In conclusion… CONFIDENTIAL 22 “Everyone Has A Will To Win But Very Few Have The Will To Prepare To Win.” — Vince Lombardi
  • 23. CMMC 2023 Summary CMMC builds on DFARS and NIST 800-171 -- Rules that you should already be following The government continues to ramp up regulations and enforcement – CMMC is real and coming Closing gaps will require investment in people, process, and technology Passing the assessment gauntlet will require strong evidence of people, process, and technology Think about cycles of improvement – it’s not about getting to 110 immediately Companies that finish early will have an opportunity to win business from those that don’t CONFIDENTIAL 23 Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 24. THANK YOU Jack Nichelson and Craig Burland Chief Information Security Officers