All DoD contractors are now be subject to CMMC 2.0 DFARS 252.204-7012 & 7019. This means, that any DoD suppliers looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this presentation, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC 2.0 certification.In addition to answering questions from attendees, this presentation will cover the following topics:• What You Need to Know About CMMC• CMMC 2.0 Proposed Changes• The Crawl – Walk – Run of CMMC• Preliminary Steps for CMMC Success• How to improve your NIST SP 800-171 Self-Assessment SPRS score
Cybersecurity Maturity Model Certification (CMMC)Robert E Jones
CMMC compliance is the key to winning and retaining government contracts. CMMC requirements will soon appear in all Department of Defense (DoD) RFPs, contracts and grants and are expected to materialize in all federal government contracts as already evidenced by GSA's STARS III RFP.
How will this impact your business? CMMC requires all government contractors and subcontractors to be certified to at least Level I (basic cyber hygiene) with increasing levels of certification for CUI/CDI and special or high-risk programs. In fact, Level III certification is required for all contracts involving CUI.
And just like it takes a village to raise a child, it takes a team of professionals to prepare for and maintain CMMC compliance. From government contract compliance to CMMC readiness to implementation of technical solutions, you need a team of professionals to achieve and maintain CMMC compliance.
We recognize that CMMC certification is a process (journey), not a destination, and take a bit-sized approach to a continuous effort on your part. While you must achieve the appropriate level of certification for a specific contract before submitting your bid/proposal, we realize that you will not achieve the goal overnight.
This webinar will help you understand the basic CMMC requirements, certification process, timeline, and roles of your strategic partners.
The Cybersecurity Maturity Model Certification enforces the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared by the U.S. Department of Defense with contractors and subcontractors. Learn more in the ControlCase CMMC Basics Webinar.
ControlCase covers the following:
- What is CMMC?
- Who does CMMC apply to?
What is the accreditation body (CMMC-AB)?
- What is a CMMC Third Party Organization (C3PAO)?
- What does CMMC mean for Cybersecurity?
- What are the CMMC certification levels?
- How often is CMMC needed?
- CMMC and NIST
- What is the CMMC Assessment process?
The new CMMC version 1 was published in January 2020. This presentation was provided to small businesses's that are part of the DoD supply chain. It helps to understand the requirements.
This presentation was developed to accompany the live webinar hosted by Federal Publications Seminars. Guests included Bryan Van Brunt, Founder of Van Brunt Law Firm, P.A, and Max Aulakh, Founder & CEO of Ignyte Assurance Platform and Ignyte Institute, who discussed how to get on board with the emerging Cybersecurity Maturity Model Certification (CMMC) compliance regulations and to be able to continue working with the DoD as a prime or subcontractor after the interim rule comes into effect. It gives you both legal and technical perspectives on how to protect your business and maintain a competitive advantage, explains what tools and manpower are required to become compliant within the optimal period of time and with limited IT resources. Speakers also shared important lessons learned while running NIST and CMMC projects.
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxJack Nichelson
Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify contractors of the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this presentation, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification.In addition to answering questions from attendees, this presentation will cover the following topics:• What You Need to Know About CMMC• CMMC 2.0 Proposed Changes• The Crawl – Walk – Run of CMMC• Preliminary Steps for CMMC Success• How to improve your NIST SP 800-171 Self-Assessment SPRS score
Cybersecurity Maturity Model Certification (CMMC)Robert E Jones
CMMC compliance is the key to winning and retaining government contracts. CMMC requirements will soon appear in all Department of Defense (DoD) RFPs, contracts and grants and are expected to materialize in all federal government contracts as already evidenced by GSA's STARS III RFP.
How will this impact your business? CMMC requires all government contractors and subcontractors to be certified to at least Level I (basic cyber hygiene) with increasing levels of certification for CUI/CDI and special or high-risk programs. In fact, Level III certification is required for all contracts involving CUI.
And just like it takes a village to raise a child, it takes a team of professionals to prepare for and maintain CMMC compliance. From government contract compliance to CMMC readiness to implementation of technical solutions, you need a team of professionals to achieve and maintain CMMC compliance.
We recognize that CMMC certification is a process (journey), not a destination, and take a bit-sized approach to a continuous effort on your part. While you must achieve the appropriate level of certification for a specific contract before submitting your bid/proposal, we realize that you will not achieve the goal overnight.
This webinar will help you understand the basic CMMC requirements, certification process, timeline, and roles of your strategic partners.
The Cybersecurity Maturity Model Certification enforces the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared by the U.S. Department of Defense with contractors and subcontractors. Learn more in the ControlCase CMMC Basics Webinar.
ControlCase covers the following:
- What is CMMC?
- Who does CMMC apply to?
What is the accreditation body (CMMC-AB)?
- What is a CMMC Third Party Organization (C3PAO)?
- What does CMMC mean for Cybersecurity?
- What are the CMMC certification levels?
- How often is CMMC needed?
- CMMC and NIST
- What is the CMMC Assessment process?
The new CMMC version 1 was published in January 2020. This presentation was provided to small businesses's that are part of the DoD supply chain. It helps to understand the requirements.
This presentation was developed to accompany the live webinar hosted by Federal Publications Seminars. Guests included Bryan Van Brunt, Founder of Van Brunt Law Firm, P.A, and Max Aulakh, Founder & CEO of Ignyte Assurance Platform and Ignyte Institute, who discussed how to get on board with the emerging Cybersecurity Maturity Model Certification (CMMC) compliance regulations and to be able to continue working with the DoD as a prime or subcontractor after the interim rule comes into effect. It gives you both legal and technical perspectives on how to protect your business and maintain a competitive advantage, explains what tools and manpower are required to become compliant within the optimal period of time and with limited IT resources. Speakers also shared important lessons learned while running NIST and CMMC projects.
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxJack Nichelson
Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify contractors of the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this presentation, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification.In addition to answering questions from attendees, this presentation will cover the following topics:• What You Need to Know About CMMC• CMMC 2.0 Proposed Changes• The Crawl – Walk – Run of CMMC• Preliminary Steps for CMMC Success• How to improve your NIST SP 800-171 Self-Assessment SPRS score
The importance of a robust cybersecurity strategy cannot be overstated. Learning on the effective measures to be taken and tools needed to navigate the evolving cybersecurity landscape successfully is essential.
Amongst others, the webinar covers:
• ISO/IEC 27002 and ISO/IEC 27032 and their key components
• Key Components of a Resilient Cybersecurity Strategy
• CMMC Frameworks
Presenters:
Dr. Oz Erdem
Governance, Risk and Compliance (GRC) consultant, trainer, auditor, and speaker
Dr. Erdem has over 25 years of experience in information security, trade compliance, data privacy, and risk management. He took leadership roles in governance and compliance at various Fortune 100-500 companies and SMBs, including Siemens Corporation, Siemens Industry, Linqs, Texas Instruments, Rtrust, ICEsoft Technologies, NATO C3A, and BILGEM. In addition, successfully managed software development (i.e., embedded, cloud, and SaaS) and digital product projects involving information security, mobile networks, and IoT networks. Further, Dr. Erdem led several non-profit organizations, such as National Association of District Export Councils (NADEC), Government Contractors Council (GovConCouncil), and Central-North Florida District Export Council as the Chairman of the Board.
Peter Geelen
Peter Geelen is the director and managing consultant at CyberMinute and Owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture, Identity & Access management, but also privacy, information & data protection, cyber- and cloud security. Last few years, the focus is on ISO/IEC 27001 and other ISO certification mechanisms. Peter is accredited Lead Auditor for ISO/IEC 27001, ISO 9001, PECB Trainer and Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates as certified ISO/IEC 27701 lead implementer and lead auditor, ISO/IEC 27001 Master, Sr. Lead Cybersecurity Manager, ISO/IEC 27002 lead manager, ISO/IEC 27701 Lead Implementer, cDPO, Risk management, Lead Incident Mgr., Disaster Recovery, and many more.
George Usi - CEO of Omnistruct
An internet pioneer and award-winning leader in internet governance with over 25 years of experience, George Usi knows that getting hacked is not a matter of ‘if’ but, ‘when’ and the fiscal and reputational effects that has on a business, the executives, and the board. George is the Co-Founder of Omnistruct, a cyber risk company. Omnistruct protects and expands revenue creation, reputation, and customer retention through cyber risk transference, governance, and compliance. We ensure that security and privacy programs work.
Date: January 24, 2024
YouTube Video: https://youtu.be/9i5p5WFExT4
Website: https://bit.ly/3SjovIP
In January 2020, the Department of Defense released the initial version of Cybersecurity Maturity Model Certification (CMMC) standard. Certifications will begin for new and existing defense contractors this year. As you are preparing for the CMMC now by becoming NIST 800-171 compliant, it is critical to ensure you can continue bidding on RFPs. Any type of cybersecurity audit takes time and getting compliant to NIST 800-171 ahead of an audit is no different.
Whether your organization’s security and compliance are 80% of the way there, or you think your infrastructure needs a complete overhaul, get tips and insights to get you closer to compliance.
We Share:
- An overview of the compliance requirements,
- Tips for analyzing current cyber security measures and processes,
- How the Microsoft 365 Cloud helps ensure compliance
- Measures you can put in place to help you meet NIST 800-171 compliance
As a Texas-based defense prime or subcontractor, you’ve probably taken steps towards protecting your Controlled Unclassified Information (CUI), preparing for Cybersecurity Maturity Model Certification (CMMC), or even documenting your NIST 800-171 compliance.
But how can you ensure that those steps will prepare your business for a successful audit in light of the latest changes to the CMMC 2.0 release?
TMAC hosted an educational webinar together with Max Aulakh – CEO at Ignyte Platform, on April 5th, to discuss what changed in the CMMC 2.0 audit assurance process:
- What should SMBs be aware of in the process of preparing for the CMMC audit?
- How CMMC 2.0 changes impact your business?
- What parts of CMMC 1.0 can your business reuse to maintain your compliance efforts?
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowPECB
The CMMC, NIST 800-171, and ISO/IEC 27001 frameworks include the application of a structured approach to cybersecurity and a formal risk assessment process, and the implementation of customized security controls. However, each of them has a distinct scope.
The webinar covers
• US legislative overview, impacts and update in NIST adoption
• Weaving together NIST PF and NIST 800-171
• Quick definitions for CMMC / 27001 / 800-171
• Common scope elements between CMMC / 27001 / 800-171
• Differences in scope between CMMC / 27001 / 800-171
• When to implement each of the three
• How these three can support each other
• The link between these three and cyber insurance
• How each of these is used to measure and implement compliance
Presenters:
Anthony English
One of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
George Usi
George Usi is the CEO of Omnistruct Inc, a GaaS (cyber Governance as a Service) company with a vision to be the safety airbag of cyber risk and compliance.
After more than twenty-five years in internet open standards, networking, and security, George recognized that getting hacked in an Internet-delivered world was a matter of when. He also recognized that cyber laws with the potential of steep fines for business leaders who neglect to illustrate cyber security diligence would evolve with more aggressive sanctions in arrears of hacker success. So, he ideated a goal to eliminate cyber risk and set a mission for Omnistruct to be the “safety airbag” of cyber compliance. With a continuous audit and documentation approach, business owners can protect consumer privacy rights when they ideate, illustrate, and continuously measure their cyber posture using a new US guideline in cyber risk developed by NIST.
George attended California State University Chico, is a graduate of California State University Sacramento and a graduate of the Stanford Latino Executive Initiative (SLEI-ed) and Latino Business Action Network (LBAN) Graduate School of Business certificate program.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
In this deck ControlCase will discuss the following:
What is CMMC 2.0?
Who does CMMC 2.0 apply to?
What is the accreditation body (CMMC-AB)?
What is a CMMC Third Party Organization (C3PAO)?
What does CMMC mean for Cybersecurity?
What are the CMMC certification levels?
How often is CMMC needed?
CMMC and NIST
What is the CMMC Assessment process?
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...Ignyte Assurance Platform
The emerging CMMC model applies to one of the most diverse industries in the world, known as the Defense Industrial Base (DIBs), which includes businesses of all sizes, in every sector that the U.S. government works with, including healthcare, financial services, insurance, manufacturing, and traditional defense contractors. The CMMC aims to become the de facto cross-industry cybersecurity certification to provide a minimal level of assurance for organizations of all sizes. CMMC has the potential to replace all other information security certifications such as SOC 2, ISO 27001, HITRUST, etc.
Local security and business leaders from all industries are invited to learn the essential and most critical elements of the CMMC framework that go beyond traditional security frameworks. This presentation will share vital information such as entity level or business level scope of certification, technical scope, controlled unclassified information (CUI), and most importantly, how to professionally prepare for an audit.
Ignyte Assurance team has worked with 70+ businesses across the United States that are considered critical to the U.S. DoD Supply Chain to implement this framework. In addition, Ignyte is currently going through a complete top-down audit being performed by the Defense Contractor Management Agency (DCMA) to formally be recognized as one of the few Certified Third-Party Assessor Organizations (C3PAO) in our region. This presentation will help our local businesses understand the impact of the emerging certification requirements imposed by the Department of Defense, known as the Cybersecurity Maturity Model Certification (CMMC).
Why does DFARS exist?
Current requirements for companies with Controlled Unclassified Information (CUI) or DoD Covered Defense Information (CDI)
What is CMMC?
CompTIA cysa+ certification changes: Everything you need to knowInfosec
Join Patrick Lane, Director of Products at CompTIA, to learn everything you need to know about the latest CySA+ certification and exam (CS0-002) updates, including:
Evolving security analyst job skills
Common job roles for CySA+ holders
Tips to pass the updated CySA+ exam
Plus CySA+ questions from live viewers
The DoD released v1.2 of the CMMC on March 18, 2020, Walkthrough the slides to understand
1. CMMC/DFARS/NIST SP 800-171
2. CMMC Framework
3. CMMC Levels & Requirements
4. The CMMC effort builds upon existing regulation
5. CMMC – Asset Management
6. CMMC Practices Across Domains per Maturity Levels
7. NIST 800-171 to CMMC Gaps
8. Certification & Accreditation Details
9. CMMC Training
10. Challenges being solved by Ignyte | Training
11. Challenges being solved by Ignyte | Automation
12. What is included within the Full CMMC Accreditation Package?
13. CMMC Accreditation Process Automated
Government Webinar: Preparing for CMMC Compliance Roundtable SolarWinds
In this webinar, Adam Rosenbaum, who leads our Federal System Integrator program here at SolarWinds, was joined by Jason Spezzano, Senior Director of Cybersecurity, and Dave Gray, Senior Cybersecurity Analyst, both of CyberDefenses, Inc., for a panel discussion about preparing for CMMC Compliance and what can be done now to get ready.
During this interactive webinar, attendees learned from this panel:
How to leverage NIST 800-171 compliance reports to track progress or support audits
How to use tools like SolarWinds’ solutions to maintain IT hygiene
How to leverage configuration and patch management tools to satisfy security controls or help implement and manage controls
How to use configuration and log management to verify controls are implemented correctly[SWL1]
How to navigate the process of obtaining certification
How an assessment, from security services firms like CyberDefenses, can make the process more efficient
A Clear Path to NIST & CMMC Compliance_ISSA.pptxJack Nichelson
Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify contractors of the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this webinar, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification.
In addition to answering questions from attendees, this webinar will cover the following topics:
• What You Need to Know About CMMC
• The Crawl – Walk – Run of CMMC
• Preliminary Steps for CMMC Success
CMMC for Contractors and Manufacturers – What to Know for 2023Withum
Manufacturers, contractors, and suppliers who are members of (and/or affiliated with) the U.S. Defense Industrial Base (DIB) must prepare now to ensure assessment readiness. Fears of a near-term enormous bureaucratic traffic jam are arising as tens of thousands of SMBs scramble to become CMMC compliant to avoid administrative exclusion from the DOD bidding process.
A Summit to advance BAS cybersecurity
For the second year, the New Deal for Buildings is organizing a Cybersecurity Summit at AHR Expo. The event is designed to gather BAS leaders and facility practitioners to discuss and chart the way forward for the adoption of comprehensive cybersecurity policies, practices, and technologies in the BAS industry. Sponsors of this event are made up of the leading companies and organizations advocating for better cybersecurity in building automation systems.
The Summit comes at the heels of the release of BACnet/SC, a critical component to securing BAS networks.
Office 365 Security - Its 2am do you know whos in your office 365Jack Nichelson
You’ve entrusted all of your company’s data to Microsoft’s cloud…what could go wrong? In 2018 you’ve either moved your data to Office365, you’re thinking about it, or you’ve locked your entire business into Lotus Notes. As cloud providers eat away traditional infrastructure, IT and Security teams must either adapt to this brave new world, or be left behind. In this talk we will provide real-world examples and how to apply both traditional and new security controls/tools to secure Office 365 & Azure. We will give specific, actionable recommendations you can make to your Microsoft Office 365 and Azure tenants. Recommendations like how to prevent external threats like account takeovers, internal threats like Shadow cloud Apps, effective monitoring and processes to follow to minimize the likelihood that your company becomes the Next Big Breach. The new perimeter is identities in the cloud, so learn to protect them with Azure Active Directory.
The importance of a robust cybersecurity strategy cannot be overstated. Learning on the effective measures to be taken and tools needed to navigate the evolving cybersecurity landscape successfully is essential.
Amongst others, the webinar covers:
• ISO/IEC 27002 and ISO/IEC 27032 and their key components
• Key Components of a Resilient Cybersecurity Strategy
• CMMC Frameworks
Presenters:
Dr. Oz Erdem
Governance, Risk and Compliance (GRC) consultant, trainer, auditor, and speaker
Dr. Erdem has over 25 years of experience in information security, trade compliance, data privacy, and risk management. He took leadership roles in governance and compliance at various Fortune 100-500 companies and SMBs, including Siemens Corporation, Siemens Industry, Linqs, Texas Instruments, Rtrust, ICEsoft Technologies, NATO C3A, and BILGEM. In addition, successfully managed software development (i.e., embedded, cloud, and SaaS) and digital product projects involving information security, mobile networks, and IoT networks. Further, Dr. Erdem led several non-profit organizations, such as National Association of District Export Councils (NADEC), Government Contractors Council (GovConCouncil), and Central-North Florida District Export Council as the Chairman of the Board.
Peter Geelen
Peter Geelen is the director and managing consultant at CyberMinute and Owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture, Identity & Access management, but also privacy, information & data protection, cyber- and cloud security. Last few years, the focus is on ISO/IEC 27001 and other ISO certification mechanisms. Peter is accredited Lead Auditor for ISO/IEC 27001, ISO 9001, PECB Trainer and Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates as certified ISO/IEC 27701 lead implementer and lead auditor, ISO/IEC 27001 Master, Sr. Lead Cybersecurity Manager, ISO/IEC 27002 lead manager, ISO/IEC 27701 Lead Implementer, cDPO, Risk management, Lead Incident Mgr., Disaster Recovery, and many more.
George Usi - CEO of Omnistruct
An internet pioneer and award-winning leader in internet governance with over 25 years of experience, George Usi knows that getting hacked is not a matter of ‘if’ but, ‘when’ and the fiscal and reputational effects that has on a business, the executives, and the board. George is the Co-Founder of Omnistruct, a cyber risk company. Omnistruct protects and expands revenue creation, reputation, and customer retention through cyber risk transference, governance, and compliance. We ensure that security and privacy programs work.
Date: January 24, 2024
YouTube Video: https://youtu.be/9i5p5WFExT4
Website: https://bit.ly/3SjovIP
In January 2020, the Department of Defense released the initial version of Cybersecurity Maturity Model Certification (CMMC) standard. Certifications will begin for new and existing defense contractors this year. As you are preparing for the CMMC now by becoming NIST 800-171 compliant, it is critical to ensure you can continue bidding on RFPs. Any type of cybersecurity audit takes time and getting compliant to NIST 800-171 ahead of an audit is no different.
Whether your organization’s security and compliance are 80% of the way there, or you think your infrastructure needs a complete overhaul, get tips and insights to get you closer to compliance.
We Share:
- An overview of the compliance requirements,
- Tips for analyzing current cyber security measures and processes,
- How the Microsoft 365 Cloud helps ensure compliance
- Measures you can put in place to help you meet NIST 800-171 compliance
As a Texas-based defense prime or subcontractor, you’ve probably taken steps towards protecting your Controlled Unclassified Information (CUI), preparing for Cybersecurity Maturity Model Certification (CMMC), or even documenting your NIST 800-171 compliance.
But how can you ensure that those steps will prepare your business for a successful audit in light of the latest changes to the CMMC 2.0 release?
TMAC hosted an educational webinar together with Max Aulakh – CEO at Ignyte Platform, on April 5th, to discuss what changed in the CMMC 2.0 audit assurance process:
- What should SMBs be aware of in the process of preparing for the CMMC audit?
- How CMMC 2.0 changes impact your business?
- What parts of CMMC 1.0 can your business reuse to maintain your compliance efforts?
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowPECB
The CMMC, NIST 800-171, and ISO/IEC 27001 frameworks include the application of a structured approach to cybersecurity and a formal risk assessment process, and the implementation of customized security controls. However, each of them has a distinct scope.
The webinar covers
• US legislative overview, impacts and update in NIST adoption
• Weaving together NIST PF and NIST 800-171
• Quick definitions for CMMC / 27001 / 800-171
• Common scope elements between CMMC / 27001 / 800-171
• Differences in scope between CMMC / 27001 / 800-171
• When to implement each of the three
• How these three can support each other
• The link between these three and cyber insurance
• How each of these is used to measure and implement compliance
Presenters:
Anthony English
One of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
George Usi
George Usi is the CEO of Omnistruct Inc, a GaaS (cyber Governance as a Service) company with a vision to be the safety airbag of cyber risk and compliance.
After more than twenty-five years in internet open standards, networking, and security, George recognized that getting hacked in an Internet-delivered world was a matter of when. He also recognized that cyber laws with the potential of steep fines for business leaders who neglect to illustrate cyber security diligence would evolve with more aggressive sanctions in arrears of hacker success. So, he ideated a goal to eliminate cyber risk and set a mission for Omnistruct to be the “safety airbag” of cyber compliance. With a continuous audit and documentation approach, business owners can protect consumer privacy rights when they ideate, illustrate, and continuously measure their cyber posture using a new US guideline in cyber risk developed by NIST.
George attended California State University Chico, is a graduate of California State University Sacramento and a graduate of the Stanford Latino Executive Initiative (SLEI-ed) and Latino Business Action Network (LBAN) Graduate School of Business certificate program.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
In this deck ControlCase will discuss the following:
What is CMMC 2.0?
Who does CMMC 2.0 apply to?
What is the accreditation body (CMMC-AB)?
What is a CMMC Third Party Organization (C3PAO)?
What does CMMC mean for Cybersecurity?
What are the CMMC certification levels?
How often is CMMC needed?
CMMC and NIST
What is the CMMC Assessment process?
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...Ignyte Assurance Platform
The emerging CMMC model applies to one of the most diverse industries in the world, known as the Defense Industrial Base (DIBs), which includes businesses of all sizes, in every sector that the U.S. government works with, including healthcare, financial services, insurance, manufacturing, and traditional defense contractors. The CMMC aims to become the de facto cross-industry cybersecurity certification to provide a minimal level of assurance for organizations of all sizes. CMMC has the potential to replace all other information security certifications such as SOC 2, ISO 27001, HITRUST, etc.
Local security and business leaders from all industries are invited to learn the essential and most critical elements of the CMMC framework that go beyond traditional security frameworks. This presentation will share vital information such as entity level or business level scope of certification, technical scope, controlled unclassified information (CUI), and most importantly, how to professionally prepare for an audit.
Ignyte Assurance team has worked with 70+ businesses across the United States that are considered critical to the U.S. DoD Supply Chain to implement this framework. In addition, Ignyte is currently going through a complete top-down audit being performed by the Defense Contractor Management Agency (DCMA) to formally be recognized as one of the few Certified Third-Party Assessor Organizations (C3PAO) in our region. This presentation will help our local businesses understand the impact of the emerging certification requirements imposed by the Department of Defense, known as the Cybersecurity Maturity Model Certification (CMMC).
Why does DFARS exist?
Current requirements for companies with Controlled Unclassified Information (CUI) or DoD Covered Defense Information (CDI)
What is CMMC?
CompTIA cysa+ certification changes: Everything you need to knowInfosec
Join Patrick Lane, Director of Products at CompTIA, to learn everything you need to know about the latest CySA+ certification and exam (CS0-002) updates, including:
Evolving security analyst job skills
Common job roles for CySA+ holders
Tips to pass the updated CySA+ exam
Plus CySA+ questions from live viewers
The DoD released v1.2 of the CMMC on March 18, 2020, Walkthrough the slides to understand
1. CMMC/DFARS/NIST SP 800-171
2. CMMC Framework
3. CMMC Levels & Requirements
4. The CMMC effort builds upon existing regulation
5. CMMC – Asset Management
6. CMMC Practices Across Domains per Maturity Levels
7. NIST 800-171 to CMMC Gaps
8. Certification & Accreditation Details
9. CMMC Training
10. Challenges being solved by Ignyte | Training
11. Challenges being solved by Ignyte | Automation
12. What is included within the Full CMMC Accreditation Package?
13. CMMC Accreditation Process Automated
Government Webinar: Preparing for CMMC Compliance Roundtable SolarWinds
In this webinar, Adam Rosenbaum, who leads our Federal System Integrator program here at SolarWinds, was joined by Jason Spezzano, Senior Director of Cybersecurity, and Dave Gray, Senior Cybersecurity Analyst, both of CyberDefenses, Inc., for a panel discussion about preparing for CMMC Compliance and what can be done now to get ready.
During this interactive webinar, attendees learned from this panel:
How to leverage NIST 800-171 compliance reports to track progress or support audits
How to use tools like SolarWinds’ solutions to maintain IT hygiene
How to leverage configuration and patch management tools to satisfy security controls or help implement and manage controls
How to use configuration and log management to verify controls are implemented correctly[SWL1]
How to navigate the process of obtaining certification
How an assessment, from security services firms like CyberDefenses, can make the process more efficient
A Clear Path to NIST & CMMC Compliance_ISSA.pptxJack Nichelson
Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify contractors of the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this webinar, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification.
In addition to answering questions from attendees, this webinar will cover the following topics:
• What You Need to Know About CMMC
• The Crawl – Walk – Run of CMMC
• Preliminary Steps for CMMC Success
CMMC for Contractors and Manufacturers – What to Know for 2023Withum
Manufacturers, contractors, and suppliers who are members of (and/or affiliated with) the U.S. Defense Industrial Base (DIB) must prepare now to ensure assessment readiness. Fears of a near-term enormous bureaucratic traffic jam are arising as tens of thousands of SMBs scramble to become CMMC compliant to avoid administrative exclusion from the DOD bidding process.
A Summit to advance BAS cybersecurity
For the second year, the New Deal for Buildings is organizing a Cybersecurity Summit at AHR Expo. The event is designed to gather BAS leaders and facility practitioners to discuss and chart the way forward for the adoption of comprehensive cybersecurity policies, practices, and technologies in the BAS industry. Sponsors of this event are made up of the leading companies and organizations advocating for better cybersecurity in building automation systems.
The Summit comes at the heels of the release of BACnet/SC, a critical component to securing BAS networks.
Similar to A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf (20)
Office 365 Security - Its 2am do you know whos in your office 365Jack Nichelson
You’ve entrusted all of your company’s data to Microsoft’s cloud…what could go wrong? In 2018 you’ve either moved your data to Office365, you’re thinking about it, or you’ve locked your entire business into Lotus Notes. As cloud providers eat away traditional infrastructure, IT and Security teams must either adapt to this brave new world, or be left behind. In this talk we will provide real-world examples and how to apply both traditional and new security controls/tools to secure Office 365 & Azure. We will give specific, actionable recommendations you can make to your Microsoft Office 365 and Azure tenants. Recommendations like how to prevent external threats like account takeovers, internal threats like Shadow cloud Apps, effective monitoring and processes to follow to minimize the likelihood that your company becomes the Next Big Breach. The new perimeter is identities in the cloud, so learn to protect them with Azure Active Directory.
The kickstarter to measuring what matters Evanta CISO 2017Jack Nichelson
Does counting the number of intrusions a firewall blocked in a month really justify the capital spend on security projects? What kind of operational data demonstrates cybersecurity leaders’ long-term budgetary needs for their programs and at the same time shows the progress they’ve made over the years? Learn how a duo of cybersecurity professionals used thought leadership and a goals-based approach to build the case for past capital and future spend — a system that won them both dollars and trust with peers and their boards.
Be Proactive – Focus on what you can influence
Begin with the end in mind – Define practical outcomes
Create a Problem Statement – A goal without a plan is just a wish
Put first thing first – Plan weekly, act daily
Chart Performance & Adjust – Shine a light on the problem
You're the newly-minted CISO in your organization, charged with the (un)enviable task of improving security. Unfortunately, your superiors and peers aren't quite sure what good security looks like, what they expect to see from you, or how you should go about doing it. All the execs know for sure is that if a security breach happens, it’s definitely your fault...and if a breach never comes, they question the need for security’s budget.
It falls to you to chart your own path, and help define what good security looks like within your organization. In this session we will provide real-world examples of how the three speakers have faced this challenge in multiple organizations, what metrics were chosen to show progress, and how the speakers have gone about gathering them. You will leave this session not with abstract ivory-tower ideas on measurement, but with actionable tactics you can put in place within your own program today. This session will address:
• How to show security progress
• Presenting security to senior leadership
• Real-world security metrics
• Identifying and using easily collected data
• Aligning with existing organizational metrics
10 Critical Habits of Effective Security ManagersJack Nichelson
How to Secure Things & Influence People:
10 Critical Habits of Effective Security Managers
Have you ever felt that the security problems you're faced with would be so simple to solve if only your colleagues had your perspective on them? Are you frustrated that security does not have a more prominent seat at the table?
Often times identifying security problems and developing the appropriate controls is the easiest part of the security job. Getting our peers and superiors to buy-in to those solutions and understand the risk decisions they're making is an under-appreciated but arguably much more important part of our jobs in security.
Chris and Jack will share techniques that help to turn your employees into an army of human security sensors, to get security done regardless of where it sits on the org chart, and to earn major security victories even with a meager budget and a small team. Along the way you’ll learn about the “10 Critical Habits” which we have observed effective security leaders using to achieve their goals.
Information Security Metrics - Practical Security MetricsJack Nichelson
So exactly how do you integrate information security metrics into action in an organization and actually achieve value from the effort. Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program.
Information Security - Back to Basics - Own Your VulnerabilitiesJack Nichelson
When a security program isn't as good as it should be it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.
This Talk is for - Security Managers looking to better focus on the real vulnerabilities and more effectively communicate your progress
The Goals of this talk – Find the real problems, create a formal plan, build support for the plan, and report the progress
Protecting the Crown Jewels – Enlist the BeefeatersJack Nichelson
Protecting the Crown Jewels – Enlist the Beefeaters
In the wake of a constant stream of high-profile breaches, data is not only becoming a highly valued commodity, it’s becoming an organization’s crown jewels. Who better to protect your crown jewels than the Beefeaters? Tapping into the iconic London Guard’s reputation, Jack Nichelson, with the support of the FBI and PwC, has developed an elite force to defend his organization’s most valuable assets from even trusted insiders. Providing insights into his companies data identification, classification and security initiative, sharing best practices for creating consensus, and engaging and aligning multiple business units to better protect the organization's crown jewels.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Essentials of Automations: Optimizing FME Workflows with Parameters
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
1. A Clear Path to NIST & CMMC Compliance
Jack Nichelson & Craig Burland
Chief Information Security Officers
NIST 800-171 & CMMC 2.0 Compliance Update
2. Jack Nichelson
CONFIDENTIAL 2
• Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and
Received the CSO50 award for connecting security initiatives to business value.
• Adviser for Baldwin Wallace’s, State winner Collegiate Cyber Defense Competition (CCDC) team.
• Certs: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP
• Prior experience running Infrastructure & Security at multiple Fortune 500’s
• 20+ years in IT & IT Security
• Board member for FBI InfraGard
• Executive MBA from Baldwin-Wallace University
3. Craig Burland
CONFIDENTIAL 3
• Information Security Leader for a Fortune 200 company as Deputy
CISO and CISO
• Diverse set of IT and Cyber experiences…
• Building global cybersecurity programs, level 2 incident response
teams, intelligence automation and operations, vulnerability
management and patching program
• Implementing global identity management, securing operational
technology environments
• Managing web, collaboration, eCommerce platforms and agile
development teams
• Establishing an enterprise records management program, project
management office
• Technical Co-Chair of NEOCC and Customer Advisory Board
member of NTT Global Security and Oracle Web Center
• 30+ years in IT & Cybersecurity
Jack’s +1
4. 4
TruWest Family of Companies
Point of Sale (POS)
Lifecycle Management
Custom cybersecurity
solutions
IT and AIDC equipment
financing
Venture debt for
SaaS businesses
Craft kitchen
and taproom
6. Introduction to CMMC
• The Cybersecurity Maturity Model Certification or
CMMC is a unified standard designed to improve
cybersecurity across the thousands of companies in the
Defense Industrial Base (DIB)
• The new model will verify that DoD contractors have
sufficient controls to safeguard sensitive data,
including Confidential Unclassified Information (CUI)
and Federal Contract Information (FCI).
CMMC is an evolution of the DFARS 252.204-7012, 7019, 7020 and
7021 regulations requiring compliance with NIST 800-171
7. Key CMMC Acronyms
Defense Federal Acquisition
Regulation Supplement (DFARS):
DFARS Regulations 252.204-7012,
7019, 7020 and 7021 call for
protection of CUI based on NIST
800-171
System Security Plan (SSP):
The document that identifies the
functions and features of an
organization’s compliant system,
including all its hardware and the
software installed on the system
Cybersecurity Maturity Model
Certification 2.0 (CMMC):
CMMC is the US Government's
solution to fix low rates of
compliance associated with NIST
SP 800-171
Federal Contract Information
(FCI):
FCI is information provided by or
generated for the Government
under contract not intended for
public release
Controlled Unclassified
Information (CUI):
CUI is an umbrella term that
encompasses all Covered Defense
Information (CDI) and Controlled
Technical Information (CTI)
Certified Third-Party Assessment
Organization (C3PAO):
C3PAO is an organization
authorized by the CMMC-AB to
conduct, and deliver CMMC
assessments
8. CMMC is built on DFARS
Crawl
DFARS 252.204.7012
Walk
DFARS 252.204-7019 &
7020
Run
DFARS 252.204-7021
• Crawl: DFARS 252.204-7012, also known as Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires defense
contractors to provide adequate security by implementing the 110 security controls in NIST 800-171 and self-attest this has been done.
This clause went into effect end of 2017.
• Walk : DFARS 252.204-7019 & 7020, are clauses that outline the requirements for contractors to comply with NIST 800-171. It requires
contractors to maintain a record of their NIST 800-171 compliance with a System Security Plan (SSP) and registering a CAGE code in the
Supplier Performance Risk System (SPRS). This is not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA)
litigation if not done in earnest. These clauses went into effect on November 30, 2020.
• Run: DFARS 252.204-7021, also known as “Cybersecurity Maturity Model Certification Requirements”, is a clause that outlines the
requirements for contractors to comply with the Cybersecurity Maturity Model Certification (CMMC). This is when CMMC controls,
processes, & practices become required elements for doing business with the Department. This clause will go into effect October 2025.
9. • All members of the DIB are subject to the
Defense Federal Acquisition Regulation
Supplement (DFARS) rules, which require
meeting NIST 800-171
• NIST SP 800-171 is completely aligned
with Level 2 of CMMC 2.0
• All DoD contractors will have to ensure all
subs are CMMC compliant (a.k.a. “Flow
Down”)
• CMMC compliance will be phased into
contracts in 2025
What You Need to Know About CMMC 2.0
10. Recent Key Events in CMMC’s Timeline
Jul 2022: Aerojet
Rocketdyne
Agrees to pay
$9MM Resolve
False Claims Act
Allegations
Jan 2023: DoD
releases the
Accreditation
Body Assessment
Guide
Mar 2023: DFARS
7024 published,
allowing SPRS
Assessments to
be used for
contract
decisions
Mar 2023: The
first C3PAOs are
accredited
Jul 2023: DoD
releases the
proposed CMMC
rule to OMB
CONFIDENTIAL 10
13. A Simple Framework
Plan: Establish objectives and goals
• This stage focuses on identifying the problem or opportunity
for improvement, setting specific targets, and planning how
to achieve them.
Do: Implement the planned actions
• This stage involves carrying out the planned activities,
starting with a pilot project or small-scale test.
• It's a hands-on phase where you put your plan into action.
Check: Assess and monitor the results
• Compare the actual outcomes to the expected outcomes and
gather data to evaluate the effectiveness of the changes.
Act: Make decisions and take actions
• If the results align with your objectives and goals, you
standardize the improvements, update processes, and
continue monitoring.
• If the results fall short, you adjust your plan, make necessary
changes, and repeat the PDCA cycle.
Plan
Do
Check
Act
14. A Clear Path to Getting CMMC Compliant
PDCA
Plan
Do
Check
Act
CMMC
Identify
Remediate
Verify
Assess
KEYS
NIST 800-171
POA&Ms
SSP
C3PAO
CONFIDENTIAL 14
15. Framework for Getting CMMC Compliant
Identify (Plan):
• Identify the problem = 3rd party NIST 800-171 Risk & Security Assessment
• Set specific targets = Determine your current exposure and desired CMMC level
• Plan how to achieve them = High-level design. Estimated costs. Business buy-in.
Remediate (Do):
• Plan how to achieve them (again) = Develop Plans of Action & Milestones (POA&Ms)
• Carry out the planned activities = Execute the POA&Ms and Build Your NIST Security Program
Verify (Check):
• Compare the actual to expected outcomes = Build the System Security Plan (SSP)
• Gather data to evaluate the effectiveness of the changes = Perform a follow-up assessment
and regenerate SPAR Score
Assess (Act):
• Evaluate = Assessment by a certified 3CPAO Auditor
• Standardize the improvements, and update processes = Monitor compliance
Identify
(Plan)
Remediate
(Do)
Verify
(Check)
Assess (Act)
16. Identify (Plan)
• Determine your current exposure
• DFARS is effective now
• Is it mentioned in existing contracts?
• Where is your CUI today? Who uses it?
• Who are your customers? Suppliers?
• Commit to required CMMC level
• Based on current and desired business
• Sets your overall objective
• Conduct NIST 800-171 Risk & Security Assessment
• Not a simple risk or gap assessment. Use a certified practitioner.
• Identify the specified categories of CUI received/developed
• Map CUI data flow through all Users, Systems, Software and Cloud
services
• Understand initial CMMC compliance report and SPAR score
• Check the business’ appetite
• Build a high-level design
• Estimate costs
• Socialize with stakeholders
CMMC is about CUI. NIST is about IP.
Identify
(Plan)
Remediate
(Do)
Verify
(Check)
Assess (Act)
17. Critical, Common Areas of Control
CONFIDENTIAL 17
Assess Risks: ABA – Always Be Assessing
Authorized Users: Know your people
CUI Enclave & Environment: Build a safe home for CUI
Encrypt CUI: Wherever it is
Monitor Assets: Always watching
Manage Media: Just say no
Physical Access: It’s a closed-door policy
Consider People,
Process, and
Technology for IT
and the Business
Estimate the Total
Cost of Compliance
18. Remediate (Do)
• Align your security program with NIST
• NIST-based policies
• CUI-specific training
• Identify authorized people (e.g., US Citizens)
• Governance, Risk, & Compliance Committee
• Develop Plans of Action & Milestones (POA&Ms)
• POA&Ms outline the steps to address and remediate
security vulnerabilities, weaknesses, or deficiencies
• They define the who, what, when, and how
• Execute the POA&Ms
• Executing POA&Ms will take focus, time, and effort
• POA&Ms should be realistic
• POA&Ms can be iterative
NIST-Based Security Program is key
Identify
(Plan)
Remediate
(Do)
Verify
(Check)
Assess (Act)
19. Big Remediation Challenges
No business buy-in.
No contract
awareness.
Understanding how
CUI flows through an
organization
Inadequate policies,
procedures &
compliance-related
documentation.
High-level System
Security Plan (SSP)
Poor (or missing) Plans
of Action and
Milestones (POA&M)
Limited security
monitoring & incident
response capabilities
FIPS-Compliant vs.
FIPS-Validated
Encryption
FedRAMP-Equivalent
vs. FedRAMP-
authorized Cloud
Services
20. Verify (Check)
• Perform a DoD Self-Assessment by a 3rd party
• DoD self-assessment helps validate controls and generate
the SPAR score
• Use of an objective, trained, experienced 3rd party is key to
avoid internal bias and bring an auditor’s perspective
• Build the System Security Plan (SSP)
• An SSP serves as a comprehensive document that outlines
the security controls and safeguards implemented in your
environment
• The SSP is the key element of your application for CMMC
compliance – auditors will start with the SSP
• Establish and maintain sufficient evidence for your score
• Regenerate SPAR Score
• Update Supplier Performance Risk System (SPRS) score
• If not 110, return to Identify
Identify
(Plan)
Remediate
(Do)
Verify
(Check)
Assess (Act)
Evidence, evidence, evidence
21. Assess (Act)
• Select and Schedule C3PAO
• This is an important partner in your journey
• Spend the time to find a good fit
• Expect a queue for C3PAOs, especially as the deadline
approaches
• Get the C3PAO Assessment
• Showtime!
• The assess will be a detailed review of SSP and Evidence
• Monitor and prepare for reassessment
• It’s critical to understand and communicate that CMMC
compliance is not a one-and-done effort
• Monitoring controls, tracking risks, etc. is a critical
element of compliance
Expect long wait times for C3PAOs!
Identify
(Plan)
Remediate
(Do)
Verify
(Check)
Assess (Act)
23. CMMC 2023 Summary
CMMC builds on DFARS
and NIST 800-171 --
Rules that you should
already be following
The government
continues to ramp up
regulations and
enforcement – CMMC is
real and coming
Closing gaps will require
investment in people,
process, and
technology
Passing the assessment
gauntlet will require
strong evidence of
people, process, and
technology
Think about cycles of
improvement – it’s not
about getting to 110
immediately
Companies that finish
early will have an
opportunity to win
business from those
that don’t
CONFIDENTIAL 23
Identify (Plan)
Remediate
(Do)
Verify (Check)
Assess (Act)