This presentation was developed to accompany the live webinar hosted by Federal Publications Seminars. Guests included Bryan Van Brunt, Founder of Van Brunt Law Firm, P.A., and Max Aulakh, Founder & CEO of Ignyte Assurance Platform and Ignyte Institute, who discussed how to get on board with the emerging Cybersecurity Maturity Model Certification (CMMC) compliance regulations and how to continue working with the DoD as a prime or subcontractor after the interim rule comes into effect. It gives both legal and technical perspectives on how to protect your business and maintain a competitive advantage, and explains what tools and manpower are required to become compliant in the optimal period of time with limited IT resources. The speakers also shared important lessons learned while running NIST and CMMC projects.
1. LIVE WEBINAR
How I Woke Up from
the CMMC Compliance Nightmare
12 Jan 2021 1 PM EST
Hosted by Federal Publications Seminars
Bryan Van Brunt
Founder
Max Aulakh
Founder & CEO
2. Acknowledgement & Disclaimer
These materials were prepared by the attorneys at the law firm of Van Brunt Law Firm, P. A. These materials present
general information about the law and are not intended to provide legal advice about any particular set of circumstances.
Legal advice may be given and relied upon only on the basis of specific facts presented by a client to an attorney.
Van Brunt Law Firm, P. A. and the authors of these materials hereby disclaim any liability which may result from reliance
on the information contained in these materials.
3. Topics to Cover Today
• Overview of Cybersecurity Maturity Model Certification (CMMC)
• Understanding DFARS NIST 800-171 and CMMC relationship
• Factors involved in determining the right level of CMMC
• Resources and efforts required to obtain the appropriate level of CMMC
• Consequences of non-compliance after the rule comes into effect
• Lessons learned in CMMC/NIST implementations
4. Meet Our Speakers
Max Aulakh
Founder & CEO
o Ignyte Assurance Platform™ AI enabled risk management software designed
to help Chief Security Officers in managing cyber & regulatory risk.
o Serves as CxO for multiple small businesses to help them manage technology
& cyber risk.
o After leaving the USAF, he drove the Information Assurance (IA) programs for
multiple Department of Defense (DoD) Agencies.
o Started his career as a security specialist in the United States Air Force.
Bryan Van Brunt
Founder
o Van Brunt Law Firm, P.A. serves clients in the areas of Government Contracts,
General Business Law, and Commercial Transactions.
o Bryan serves as a General Counsel and COO for small and medium sized
businesses in the defense industry.
o Served as the Deputy General Counsel at General Dynamics for over 13 years
focused on government contracts and general business law.
o Started his legal career as an attorney (JAG) in the United States Air Force.
6. Cybersecurity Maturity Model Certification. Closer Look
• On September 29, 2020, the Department of Defense (DoD) issued an interim rule to amend DFARS to
implement the Cybersecurity Maturity Model Certification (CMMC) framework.
• So far, four draft versions of CMMC have been publicly released, including the most recent, CMMC 1.02. The
CMMC Accreditation Body members are working to produce additional guidance to support the certification
path.
• Built upon the NIST SP 800-171 DoD Assessment Methodology, the CMMC framework adds a
comprehensive and scalable certification element to verify the implementation of processes and practices
associated with the achievement of a cybersecurity maturity level.
• CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect
sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified
Information (CUI) at a level commensurate with the risk, accounting for information flow down to its
subcontractors in a multi-tier supply chain.
7. CMMC Development Timeline
*Diagram is taken from presentation by Ms. Katie Arrington Chief Information Security Officer for Acquisition. Distribution A. Approved for Public Release
8. Understanding DFARS NIST 800-171 and CMMC Relationship
Who needs to be DFARS compliant?
All DoD contractors that process, store or transmit Controlled Unclassified Information (CUI)
must meet DFARS minimum security standards or risk losing their DoD contracts. Based on
NIST Special Publication 800-171, manufacturers must implement these security controls
through all levels of their supply chain.
Where is DFARS included?
DFARS clause 252.204-7012 is included in all solicitations and contracts, including those
using Federal Acquisition Regulation (FAR) part 12 commercial item procedures, except for
acquisitions solely for commercially available off-the-shelf (COTS) items. The clause
requires contractors to apply the security requirements of NIST SP 800-171 to “covered
contractor information systems,” as defined in the clause, that are not part of an IT service
or system operated on behalf of the Government.
How do NIST controls overlap with the emerging CMMC framework?
NIST 800-171 is the backbone of the CMMC framework and it is required by all CMMC
levels. For example, NIST domains cover 110 controls out of 130 required for Level 3 of
CMMC.
Would CMMC potentially replace NIST?
The CMMC is an advanced step in the DoD’s efforts to properly secure the Defense
Industrial Base (DIB). It complements and enforces NIST 800-171 as part of its
requirements.
Note: The CMMC was released by the DoD on 31 January 2020. The CMMC Accreditation Body members
are working to produce additional guidance to support the certification path. For now, Ignyte recommends
implementing NIST 800-171.
[Diagram: NIST SP 800-171r1 sits at the core. CMMC requirements add 20 additional practices and 51 maturity processes on top of it; DFARS requirements add FedRAMP Moderate, paragraphs C-G of the clause, and the 72-hour incident report.]
9. 4 Main DFARS Rules
● DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
● DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
● DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
● DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
11. CMMC Levels
Level 1: Consists of the 15 basic safeguarding requirements from FAR clause 52.204-21.
Level 2: Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3.
Level 3: Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.
Level 4: Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.
Level 5: Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
12. Which CMMC level is right for your business?
CMMC Level 1
● Meeting the basic requirements to protect Federal Contract Information (FCI):
○ up-to-date antivirus software,
○ strong passwords,
○ protection against unauthorized third parties.
● FCI is not intended for public release.
● Minimal efforts required to strengthen the cybersecurity defenses.
CMMC Level 2
● Introducing Controlled Unclassified Information (CUI)
● Standard cybersecurity practices, policies, and strategic plans.
● Major subset of the security requirements specified in NIST SP 800-171.
● 55 new practices, for a total of 72 practices.
CMMC Level 3
● Good cyber hygiene and controls necessary to protect CUI.
● Continuous review of all activities based on their cybersecurity policy.
● All requirements specified in NIST SP 800-171 and other similar standards.
● 130 required security controls, grouped into 17 domains.
CMMC Level 4 and Level 5
● Addressing the changing tactics, techniques, and procedures used by Advanced
Persistent Threats (APTs).
● Proactive cybersecurity program and standardized processes to achieve
consistency across the entire organization.
● 171 security controls, which are grouped into 17 domains.
14. PROGRAM RESOURCES
● Resources are aligned with various stages of managing the CMMC program for small business.
[Diagram: program stages shown as Training, Guided Assessment, SSP & POA&M Deliverables, and Program Metrics & Management.]
Program Deliverables
● DoD Training Website - https://securityhub.usalearning.gov/content/story.html
● Ignyte Institute Practitioner Level & Top Management Training - https://www.ignyteinstitute.org/
● CMMC System Security Plan Development - https://www.dfars-nist-800-171.com/
● NIST 171 Documentation - https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
● SSP & Other Plan of Action & Milestones (POA&M) - https://www.dfars-nist-800-171.com/
15. CMMC Education & Training
● Ignyte Institute Courses
○ Senior Management Course (20 Mins)
○ Practitioner Level Course (1 hour)
○ www.ignyteinstitute.org
● DoD Issued CUI Training
○ What is CUI and how to recognize it
○ https://securityhub.usalearning.gov/content/story.html
17. COST OF COMPLIANCE
● COST MANAGEMENT FACTORS
○ Program Development & Management
○ Technology & Engineering Implementation
○ Audit & Certification
● Pricing can range from $20K to $200K depending on several factors.
● Market pricing for 100% of CMMC requirements is not completely understood due to changing
requirements and/or interpretation of requirements.
https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
18. Small Businesses Expected Costs
CMMC Level | Yearly Non-Recurring Engineering | Yearly Recurring Engineering Costs | Yearly Assessment Costs++ | Total Yearly Costs
Level 1 | $0 | $0 | $1,000 | $1,000
Level 2 | $407 | $20,154 | $7,489 | $28,050
Level 3 | $1,311 | $41,666 | $17,032 | $60,009
Level 4 | $46,917 | $301,514 | $23,355 | $371,786
Level 5 | $61,511 | $384,666 | $36,697 | $482,874
Cost depends on technology and level of internal maturity.
20. POTENTIAL SMB IMPACTS
3 Major SMB Impacts
● Inadequate security controls leading to internal breach of CUI and FCI.
○ Engineering data & drawings
○ Internal data theft
○ Report cyber incidents to DoD at http://dibnet.dod.mil within 72 hours.
● Increasing cost of both technology & compliance.
○ Decreased quality and effectiveness of current technology implementations.
● Potential issues with the Prime for not following the contract flow-down requirement.
○ Loss of business revenue.
22. Lessons Learned
● Implementation is multi-discipline (Not just an IT obligation)
○ IT and IT security
○ HR (training)
○ Physical security
○ Compliance/legal
○ Business leadership – implementation impacts operations
○ Employees
23. Lessons Learned. Continued
● Implementation requires a “Quarterback” and a program team
○ IT teams are not set up to project-manage a cross-functional
implementation
○ Dedicating a PM is imperative
24. Lessons Learned. Continued
● Vendors are all new at this
○ Even established firms lack expertise in CMMC compliance
○ Every system and set of processes is unique and requires new learning
● Implementation must be viewed as a change in company paradigm
○ People – Changing to a security mindset - It’s not virus protection and IT
○ Processes – Implementation of verifiable and auditable procedures (“show me, don’t just
tell me”)
○ Technology – Implementation of technology that will require more steps and verification
• e.g. sensitivity tagging, data categorization, multi-step access, new approvals
25. Lessons Learned. Continued
● Research solutions to ensure they are compatible and
actually have the functionality your business needs.
○ Certified vendors with prior schemes
○ Certified Technology
● This is not going away. It may change, but it exists to fight a
real war going on right now.
26. SUMMARY
● Develop a leadership & management agenda
○ Involve business leadership, legal and IT
● NIST 800-171 & CMMC Levels
● Total Cost of Ownership
○ Program Management
○ Technology
○ Audit
● Apply Lessons Learned