
CMMC DFARS/NIST SP 800-171

The DoD released v1.2 of the CMMC on March 18, 2020. Walk through the slides to understand:
1. CMMC/DFARS/NIST SP 800-171
2. CMMC Framework
3. CMMC Levels & Requirements
4. The CMMC effort builds upon existing regulation
5. CMMC – Asset Management
6. CMMC Practices Across Domains per Maturity Levels
7. NIST 800-171 to CMMC Gaps
8. Certification & Accreditation Details
9. CMMC Training
10. Challenges being solved by Ignyte | Training
11. Challenges being solved by Ignyte | Automation
12. What is included within the Full CMMC Accreditation Package?
13. CMMC Accreditation Process Automated


CMMC DFARS/NIST SP 800-171

  1. IGNYTE ASSURANCE PLATFORM: Cybersecurity Maturity Model Certification (CMMC), April 2020. ©️ 2020 IGNYTE | All Rights Reserved
  2. AGENDA
     • Introductions
     • CMMC/DFARS/NIST SP 800-171
     • CMMC Framework
     • CMMC Levels & Requirements
     • The CMMC effort builds upon existing regulation
     • CMMC – Asset Management
     • CMMC Practices Across Domains per Maturity Levels
     • NIST 800-171 to CMMC Gaps
     • Certification & Accreditation Details
     • CMMC Training
     • Challenges being solved by Ignyte | Training
     • Challenges being solved by Ignyte | Automation
     • What is included within the Full CMMC Accreditation Package?
     • CMMC Accreditation Process Automated
  3. MAX AULAKH, MBA, CISSP, PMP, ITIL-F, General Partner | Ignyte Platform (Ignyte Assurance Platform; Defense Cyber Security Professional; US Military Top Secret Clearance)
     Experience:
     • Enterprise Risk Leader: 15 years of business and security technology leadership experience
     • Corporate security experience: WorldPay, NCR, IBM, Dell, Credit Union, GDRTA, etc.
     • Federal agency cyber experience: USAF, Army, Navy, DOS, NRO, NGA, CIA, NSA, NASIC and other units, for system accreditations
     Formal Education & Credentials:
     • Wright State University – MBA (2014)
     • American Military University – B.S. Information Security, Computer Science (2009)
     • Community College of the Air Force – Criminal Justice (2009)
     • Cyber & technology industry credentials: CISSP, PMP, Linux+, Security+, Network+, ITIL-F, Certified Scrum Master
     • Cigital Defensive Programming, OWASP, Threat Modeling, etc.
     • Cyber regulatory frameworks: NIST, HIPAA, HITRUST, SOC 1/2, CIS, FFIEC, ISO 27K, FISMA
     • Formal military physical security training: Counter Terrorism, HAZMAT, Explosive Ordnance, Customs, Use of Force, LOAC, Force Protection, Combat Leadership, Ground Defense Command, SERE, Bloodborne Pathogens
     • Formalized weapon systems training: M9, M4, M2, M249 & M240B
     US Military Operational, Security-Focused Global Tours of Duty:
     • 2007-2009: Iraq – Security Forces Member
     • 2006-2007: Afghanistan – Security Forces Member/Linguist
     • 2005-2006: Iraq – Security Forces/Classified Systems Member
     • 2003-2005: Turkey – US Nuclear Weapons Systems Administrator & Security Member
  4. CMMC/DFARS/NIST SP 800-171
     Defense Federal Acquisition Regulation Supplement (DFARS)
     • Signed into law on November 4, 2010
     • This was the government's effort to protect the U.S. defense supply chain.
     • Mandates that private DoD contractors adopt cybersecurity standards that follow NIST 800-171
     • DFARS lets contracting companies "self-attest" to their contract requirements after they have already won the contract
     NIST SP 800-171
     • The National Institute of Standards and Technology (NIST) 800-171 governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations
     • Was developed after the Federal Information Security Act (FISMA), which is the law that was passed in 2003.
     Cybersecurity Maturity Model Certification (CMMC)
     • The DoD released v1.2 of the CMMC on March 18, 2020
     • The DoD created CMMC in response to the continued exfiltration of controlled unclassified information (CUI) from its supply chain.
     • Does not allow POA&Ms, unlike the current DFARS requirement.
     • CMMC will serve as the unified standard for cybersecurity and will be incorporated as a "go/no-go" requirement for DoD acquisitions.
     • The DoD will require certified Third-Party Assessment Organizations (C3PAOs) to conduct audits on all DoD contractors.
     • CMMC requirements are expected to appear in RFPs in September 2020.
  5. CMMC FRAMEWORK
     • The Cybersecurity Maturity Model Certification (CMMC) framework consists of maturity processes and cybersecurity best practices from multiple security standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB)
     • The purpose of the CMMC is to measure the level of cybersecurity maturity of prime contractors and their supply chain that work with the DoD to protect Controlled Unclassified Information (CUI)
     • CMMC encompasses the security requirements for CUI specified in NIST 800-171 for DFARS clause 252.204-7012 as well as basic safeguarding requirements for federal contract information (FCI) specified in FAR clause 52.204-22
     • The model framework (below) organizes these processes and practices into a set of domains and maps them across five levels.
     • In order to provide additional structure, the framework aligns the practices to a set of capabilities within each domain
     • The framework further divides the practices into 17 domains, with most practices contained in six domains:
       • Access Control (AC)
       • Audit and Accountability (AU)
       • Incident Response (IR)
       • Risk Management (RM)
       • Systems and Communications Protection (SC)
       • System and Information Integrity (SI)
     • The remaining 11 domains have most of their practices required for higher levels of certification
     [Model diagram: Model → Domains → Processes, Capabilities, Practices. The model encompasses multiple domains; for a given domain, there are processes, capabilities and practices that each span a subset of the 5 levels.]
  6. CMMC LEVELS & REQUIREMENTS
     Level 1 (Performed): 17 controls, Basic Cyber Hygiene
     • Consists of the safeguarding requirements specified in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
     Level 2 (Documented): 72 controls (includes Level 1 controls), Intermediate Cyber Hygiene
     • Includes a subset of 48 controls from NIST 800-171 (CUI)
     • Includes an additional 7 controls to support intermediate cyber hygiene
     Level 3 (Managed): 130 controls (includes Level 2 controls), Good Cyber Hygiene
     • Encompasses ALL controls from 800-171
     • Includes an additional 20 controls to support good cyber hygiene
     Level 4 (Reviewed): 156 controls (includes Level 3 controls), Proactive
     • Encompasses ALL controls from 800-171
     • Includes a select subset of 11 controls from DRAFT 800-171B
     • Includes an additional 15 controls to demonstrate a proactive cybersecurity program
     Level 5 (Optimized): 171 controls (includes Level 4 controls), Advanced
     • Encompasses ALL controls from 800-171
     • Includes a select subset of 4 controls from DRAFT 800-171B
     • Includes an additional 11 controls to demonstrate a proactive cybersecurity program
     Focus:
     • Level 1: Safeguard Federal Contract Information (FCI)
     • Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI
     • Level 3: Protect CUI
     • Levels 4-5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
  7. THE CMMC EFFORT BUILDS UPON EXISTING REGULATIONS
     Specific existing regulations:
     • 48 Code of Federal Regulations (CFR) 52.204-21
     • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
     • NIST SP 800-171 rev 1
     • NIST SP 800-171B (Draft)
     • NIST SP 800-53
     • ISO 27001
     • ISO 27032
     • AIA NAS9933
     • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
     • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.
     NIST and CMMC
     • NIST 800-171 is a separate special publication from NIST 800-53, and many of its controls can be mapped back to an equivalent SP 800-53 control.
     • CMMC combines the controls from 800-171, 800-171B, 800-53 and ISO, amongst other sources.
     • These controls can be mapped back to CMMC maturity levels within the Ignyte mapping engine.
  8. CMMC – ASSET MANAGEMENT
     • One of the new control families CMMC has added is the Asset Management family.
     • One of the biggest obstacles for organizations is having complete visibility of what is currently in their environment
     • With Ignyte's Asset Management Module, organizations will be able to:
       • Identify and document assets
       • Manage asset inventory
       • Manage asset vulnerabilities
       • Provide automated documentation to auditors/assessors
  9. CMMC PRACTICES ACROSS DOMAINS PER MATURITY LEVELS
     Practices per domain at each maturity level (reconstructed from the slide's bar chart; the per-level totals of 17, 55, 58, 26 and 15 new practices agree with the cumulative counts of 17, 72, 130, 156 and 171 on slide 6):

     Domain                                        L1  L2  L3  L4  L5
     Access Control (AC)                            4  10   8   3   1
     Asset Management (AM)                          0   0   1   1   0
     Audit and Accountability (AU)                  0   4   7   2   1
     Awareness and Training (AT)                    0   2   1   2   0
     Configuration Management (CM)                  0   6   3   1   1
     Identification and Authentication (IA)         2   5   4   0   0
     Incident Response (IR)                         0   5   2   2   4
     Maintenance (MA)                               0   4   2   0   0
     Media Protection (MP)                          1   3   4   0   0
     Personnel Security (PS)                        0   2   0   0   0
     Physical and Environmental Protection (PE)     4   1   1   0   0
     Recovery (RE)                                  0   2   1   0   1
     Risk Management (RM)                           0   3   3   4   2
     Security Assessment (CA)                       0   3   2   3   0
     Situational Awareness (SA)                     0   0   1   2   0
     System and Communication Protection (SC)       2   2  15   5   3
     System and Information Integrity (SI)          4   3   3   1   2
     Total                                         17  55  58  26  15
  10. NIST 800-171 TO CMMC GAPS
     • Change Management: especially change logs and true baseline configurations of an environment.
     • Controlled Unclassified Information (CUI) Data Flow Diagrams: where CUI exists in the environment and how CUI moves through the organization.
     • Risk Management and Mitigation Plans: ensure the organization is managing risk effectively and has a plan of action and milestones in place for its current vulnerabilities.
     • Audit Logging & Retention: utilize a centralized SIEM-based solution.
     • Blacklisting and Whitelisting of Software: this is currently not being accomplished in most organizations, especially smaller companies that have limited IT budgets and staffing.
     • Configuration and Management of User-Installed Software: most organizations are trying to first secure the server locations (on-prem/cloud) that hold CUI; however, the user workstations haven't been configured at this point.
  11. CERTIFICATION & ACCREDITATION DETAILS
     • The accreditation process is being finalized
     • CMMC v1.2 provides useful guidance for the CMMC Accreditation Body to finalize requirements for auditors, and for companies that need to start preparing for their CMMC accreditation.
     • A key driver for contractors is that all practices for the required CMMC level must be met before accreditation will occur.
     • Accreditation must occur before contracts will be eligible to be awarded.
     What's involved with CMMC Certification?
     • The certification will measure Defense Industrial Base (DIB) sector organizations' ability to protect Federal Contract Information (FCI) and CUI
     • It is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect CUI that resides on the Department's industry partners' networks.
     How will your organization become certified?
     • Your organization will coordinate directly with an accredited and independent certified third-party assessment organization (C3PAO) to request and schedule your CMMC assessment
     • Your organization will specify the level of certification requested based on your specific business requirements.
     • Your organization will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier
  12. CHALLENGES SOLVED BY IGNYTE | TRAINING
     • CMMC Certification Training Course
       • 2-day hands-on certification planning
       • Live, Online (Scheduled Time)
       • In Class (Anytime)
       • On Demand (Anytime over the web)
       • Mixed Learning (On Demand in addition to instructor support)
       • Private Team Training (on-site)
     • Results
       • Members will be educated about the CMMC Certification and the system created by the Department of Defense (DoD) to ensure defense contracting organizations have the controls implemented to secure sensitive information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)
       • Members will have knowledge of the CMMC Model Framework
       • Members will be educated on how the CMMC Framework is dependent upon best practices from various cybersecurity regulations, including NIST 800-171, NIST 800-53, ISO 27001, ISO 27032 and AIA NAS9933, amongst others
     • Defense Contractors Can Prepare for CMMC Compliance
       • Ignyte's CMMC on-demand training is a cost-effective learning solution that is applicable to defense contracting/manufacturing organizations to address and manage cybersecurity risks in order to be awarded the DoD contract.
       • Ignyte's CMMC on-demand courses will offer the convenience and flexibility business managers and IT professionals require to complete their training goals.
       • Ignyte's learning solutions offer:
         • 12 months of unlimited access
         • Online mentoring
         • Content equivalent to classroom training
         • Digital courseware
  13. CHALLENGES SOLVED BY IGNYTE | AUTOMATION
     • Ignyte's accreditation solution addresses CMMC & DFARS compliance and risk mitigation requirements, and makes communication between stakeholders efficient through workflow automation, predictive insights and automated monitoring
     • The Ignyte team leverages our proprietary software with auditor staff to:
       • Conduct proper scoping & characterization to control implementation cost
       • Tailor & modify NIST 800-171 controls, making them relevant to the business
       • Defense Contractor Repository System
       • Capture CUI, CDI and FCI data types
       • Automated STIG & CCI based implementation
       • SCAP compliant integrated software
       • Ongoing automated evidence gathering through Robotic Process Automation (RPA)
       • Real-time Plan of Action & Milestones (POA&M)
       • Tailored & real-time System Security Plan (SSP) generation
       • Submission to C3PAO & assessor workflow
       • Authority to Operate (ATO) package builder
       • Collaboration between implementer, assessor, primary contractor, and accreditation body.
     [Workflow diagram: Select Framework/Upload (Mapping Engine, Spreadsheet Data; CMMC, DFARS, NIST 800-171 (CUI), any management framework) → Assign Owners (multiple users: owners, operators, executive management) → Assess Controls → Collect Evidence & Policies (control frequency, policy review frequency, policy workflow, ownership) → Collect & Review Evidence → Ongoing Remediation Management]
  14. WHAT IS INCLUDED WITHIN THE FULL CMMC ACCREDITATION PACKAGE?
     • Ignyte's certification solution includes the following:
       • Entity size determination
       • Solution implementation
       • Onsite meeting
       • Training
       • Assessment
       • System Security Plan (SSP)
       • Plan of Action and Milestones (POA&Ms)
       • Remediation Roadmap
       • CMMC Audit Preparation
       • CMMC Audit Walkthrough
       • Audit Certification
       • Continued assurance & compliance
  15. CMMC ACCREDITATION PROCESS AUTOMATED
     Manage the complete CMMC accreditation process
     • End-to-end commercialized Authorization & Attestation technology
     • Ignyte was built for educated subject matter experts (SMEs) and smart organizations looking to go beyond checklist software
     • Accreditation software means applying a structured approach to mitigating risk by assessing the technical impact on business.
     • Ignyte is:
       • Cost-effective: less than a full-time employee (FTE)
       • Assessor & C3PAO friendly
       • Implementer ready
       • Prime & sub-contractor preferred platform
  16. CONTACT INFORMATION
     MAX AULAKH, Ignyte Assurance Platform
     max@ignyteplatform.com
     937-789-4216
     www.ignyteplatform.com
     https://www.dfars-nist-800-171.com/
  17. WELCOME TO THE NEXT ERA OF CYBER ASSURANCE
     Ignyte is the ultimate risk management engine for simplifying compliance across regulations, standards and guidelines.