SlideShare a Scribd company logo

A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf

Jack Nichelson
Jack Nichelson

All DoD contractors are now be subject to CMMC 2.0 DFARS 252.204-7012 & 7019. This means, that any DoD suppliers looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this presentation, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC 2.0 certification. In addition to answering questions from attendees, this presentation will cover the following topics: • What You Need to Know About CMMC • CMMC 2.0 Proposed Changes • The Crawl – Walk – Run of CMMC • Preliminary Steps for CMMC Success • How to improve your NIST SP 800-171 Self-Assessment SPRS score

Technology
1 of 24
Download to read offline
A Clear Path to NIST & CMMC Compliance Jack Nichelson & Craig Burland Chief Information Security Officers NIST 800-171 & CMMC 2.0 Compliance Update
Jack Nichelson CONFIDENTIAL 2 • Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and Received the CSO50 award for connecting security initiatives to business value. • Adviser for Baldwin Wallace’s, State winner Collegiate Cyber Defense Competition (CCDC) team. • Certs: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP • Prior experience running Infrastructure & Security at multiple Fortune 500’s • 20+ years in IT & IT Security • Board member for FBI InfraGard • Executive MBA from Baldwin-Wallace University
Craig Burland CONFIDENTIAL 3 • Information Security Leader for a Fortune 200 company as Deputy CISO and CISO • Diverse set of IT and Cyber experiences… • Building global cybersecurity programs, level 2 incident response teams, intelligence automation and operations, vulnerability management and patching program • Implementing global identity management, securing operational technology environments • Managing web, collaboration, eCommerce platforms and agile development teams • Establishing an enterprise records management program, project management office • Technical Co-Chair of NEOCC and Customer Advisory Board member of NTT Global Security and Oracle Web Center • 30+ years in IT & Cybersecurity Jack’s +1
4 TruWest Family of Companies Point of Sale (POS) Lifecycle Management Custom cybersecurity solutions IT and AIDC equipment financing Venture debt for SaaS businesses Craft kitchen and taproom
CMMC Fundamentals Recap from CMMC 2021-22 CONFIDENTIAL 5
Introduction to CMMC • The Cybersecurity Maturity Model Certification or CMMC is a unified standard designed to improve cybersecurity across the thousands of companies in the Defense Industrial Base (DIB) • The new model will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Confidential Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC is an evolution of the DFARS 252.204-7012, 7019, 7020 and 7021 regulations requiring compliance with NIST 800-171
Key CMMC Acronyms Defense Federal Acquisition Regulation Supplement (DFARS): DFARS Regulations 252.204-7012, 7019, 7020 and 7021 call for protection of CUI based on NIST 800-171 System Security Plan (SSP): The document that identifies the functions and features of an organization’s compliant system, including all its hardware and the software installed on the system Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171 Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI) Certified Third-Party Assessment Organization (C3PAO): C3PAO is an organization authorized by the CMMC-AB to conduct, and deliver CMMC assessments
CMMC is built on DFARS Crawl DFARS 252.204.7012 Walk DFARS 252.204-7019 & 7020 Run DFARS 252.204-7021 • Crawl: DFARS 252.204-7012, also known as Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires defense contractors to provide adequate security by implementing the 110 security controls in NIST 800-171 and self-attest this has been done. This clause went into effect end of 2017. • Walk : DFARS 252.204-7019 & 7020, are clauses that outline the requirements for contractors to comply with NIST 800-171. It requires contractors to maintain a record of their NIST 800-171 compliance with a System Security Plan (SSP) and registering a CAGE code in the Supplier Performance Risk System (SPRS). This is not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest. These clauses went into effect on November 30, 2020. • Run: DFARS 252.204-7021, also known as “Cybersecurity Maturity Model Certification Requirements”, is a clause that outlines the requirements for contractors to comply with the Cybersecurity Maturity Model Certification (CMMC). This is when CMMC controls, processes, & practices become required elements for doing business with the Department. This clause will go into effect October 2025.
• All members of the DIB are subject to the Defense Federal Acquisition Regulation Supplement (DFARS) rules, which require meeting NIST 800-171 • NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0 • All DoD contractors will have to ensure all subs are CMMC compliant (a.k.a. “Flow Down”) • CMMC compliance will be phased into contracts in 2025 What You Need to Know About CMMC 2.0
Recent Key Events in CMMC’s Timeline Jul 2022: Aerojet Rocketdyne Agrees to pay $9MM Resolve False Claims Act Allegations Jan 2023: DoD releases the Accreditation Body Assessment Guide Mar 2023: DFARS 7024 published, allowing SPRS Assessments to be used for contract decisions Mar 2023: The first C3PAOs are accredited Jul 2023: DoD releases the proposed CMMC rule to OMB CONFIDENTIAL 10
Timeline for CMMC Adoption CONFIDENTIAL 11
Call to Action Enough! It’s time to get shit done! CONFIDENTIAL 12
A Simple Framework Plan: Establish objectives and goals • This stage focuses on identifying the problem or opportunity for improvement, setting specific targets, and planning how to achieve them. Do: Implement the planned actions • This stage involves carrying out the planned activities, starting with a pilot project or small-scale test. • It's a hands-on phase where you put your plan into action. Check: Assess and monitor the results • Compare the actual outcomes to the expected outcomes and gather data to evaluate the effectiveness of the changes. Act: Make decisions and take actions • If the results align with your objectives and goals, you standardize the improvements, update processes, and continue monitoring. • If the results fall short, you adjust your plan, make necessary changes, and repeat the PDCA cycle. Plan Do Check Act
A Clear Path to Getting CMMC Compliant PDCA Plan Do Check Act CMMC Identify Remediate Verify Assess KEYS NIST 800-171 POA&Ms SSP C3PAO CONFIDENTIAL 14
Framework for Getting CMMC Compliant Identify (Plan): • Identify the problem = 3rd party NIST 800-171 Risk & Security Assessment • Set specific targets = Determine your current exposure and desired CMMC level • Plan how to achieve them = High-level design. Estimated costs. Business buy-in. Remediate (Do): • Plan how to achieve them (again) = Develop Plans of Action & Milestones (POA&Ms) • Carry out the planned activities = Execute the POA&Ms and Build Your NIST Security Program Verify (Check): • Compare the actual to expected outcomes = Build the System Security Plan (SSP) • Gather data to evaluate the effectiveness of the changes = Perform a follow-up assessment and regenerate SPAR Score Assess (Act): • Evaluate = Assessment by a certified 3CPAO Auditor • Standardize the improvements, and update processes = Monitor compliance Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
Identify (Plan) • Determine your current exposure • DFARS is effective now • Is it mentioned in existing contracts? • Where is your CUI today? Who uses it? • Who are your customers? Suppliers? • Commit to required CMMC level • Based on current and desired business • Sets your overall objective • Conduct NIST 800-171 Risk & Security Assessment • Not a simple risk or gap assessment. Use a certified practitioner. • Identify the specified categories of CUI received/developed • Map CUI data flow through all Users, Systems, Software and Cloud services • Understand initial CMMC compliance report and SPAR score • Check the business’ appetite • Build a high-level design • Estimate costs • Socialize with stakeholders CMMC is about CUI. NIST is about IP. Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
Critical, Common Areas of Control CONFIDENTIAL 17 Assess Risks: ABA – Always Be Assessing Authorized Users: Know your people CUI Enclave & Environment: Build a safe home for CUI Encrypt CUI: Wherever it is Monitor Assets: Always watching Manage Media: Just say no Physical Access: It’s a closed-door policy Consider People, Process, and Technology for IT and the Business Estimate the Total Cost of Compliance
Remediate (Do) • Align your security program with NIST • NIST-based policies • CUI-specific training • Identify authorized people (e.g., US Citizens) • Governance, Risk, & Compliance Committee • Develop Plans of Action & Milestones (POA&Ms) • POA&Ms outline the steps to address and remediate security vulnerabilities, weaknesses, or deficiencies • They define the who, what, when, and how • Execute the POA&Ms • Executing POA&Ms will take focus, time, and effort • POA&Ms should be realistic • POA&Ms can be iterative NIST-Based Security Program is key Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
Big Remediation Challenges No business buy-in. No contract awareness. Understanding how CUI flows through an organization Inadequate policies, procedures & compliance-related documentation. High-level System Security Plan (SSP) Poor (or missing) Plans of Action and Milestones (POA&M) Limited security monitoring & incident response capabilities FIPS-Compliant vs. FIPS-Validated Encryption FedRAMP-Equivalent vs. FedRAMP- authorized Cloud Services
Verify (Check) • Perform a DoD Self-Assessment by a 3rd party • DoD self-assessment helps validate controls and generate the SPAR score • Use of an objective, trained, experienced 3rd party is key to avoid internal bias and bring an auditor’s perspective • Build the System Security Plan (SSP) • An SSP serves as a comprehensive document that outlines the security controls and safeguards implemented in your environment • The SSP is the key element of your application for CMMC compliance – auditors will start with the SSP • Establish and maintain sufficient evidence for your score • Regenerate SPAR Score • Update Supplier Performance Risk System (SPRS) score • If not 110, return to Identify Identify (Plan) Remediate (Do) Verify (Check) Assess (Act) Evidence, evidence, evidence
Assess (Act) • Select and Schedule C3PAO • This is an important partner in your journey • Spend the time to find a good fit • Expect a queue for C3PAOs, especially as the deadline approaches • Get the C3PAO Assessment • Showtime! • The assess will be a detailed review of SSP and Evidence • Monitor and prepare for reassessment • It’s critical to understand and communicate that CMMC compliance is not a one-and-done effort • Monitoring controls, tracking risks, etc. is a critical element of compliance Expect long wait times for C3PAOs! Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
In conclusion… CONFIDENTIAL 22 “Everyone Has A Will To Win But Very Few Have The Will To Prepare To Win.” — Vince Lombardi
CMMC 2023 Summary CMMC builds on DFARS and NIST 800-171 -- Rules that you should already be following The government continues to ramp up regulations and enforcement – CMMC is real and coming Closing gaps will require investment in people, process, and technology Passing the assessment gauntlet will require strong evidence of people, process, and technology Think about cycles of improvement – it’s not about getting to 110 immediately Companies that finish early will have an opportunity to win business from those that don’t CONFIDENTIAL 23 Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
THANK YOU Jack Nichelson and Craig Burland Chief Information Security Officers

Recommended

Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)
Robert E Jones
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdf
AmyPoblete3
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance Service
William McBorrough
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
ControlCase
 
Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationCybersecurity Maturity Model Certification
Cybersecurity Maturity Model Certification
Murray Security Services
 
How I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareHow I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance Nightmare
Ignyte Assurance Platform
 
CMMC Breakdown
CMMC BreakdownCMMC Breakdown
CMMC Breakdown
Ignyte Assurance Platform
 
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxA Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
Jack Nichelson
 

Recommended

Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)
Robert E Jones
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdf
AmyPoblete3
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance Service
William McBorrough
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
ControlCase
 
Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationCybersecurity Maturity Model Certification
Cybersecurity Maturity Model Certification
Murray Security Services
 
How I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareHow I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance Nightmare
Ignyte Assurance Platform
 
CMMC Breakdown
CMMC BreakdownCMMC Breakdown
CMMC Breakdown
Ignyte Assurance Platform
 
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxA Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
Jack Nichelson
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
PECB
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdf
toncik
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingLaying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Ignyte Assurance Platform
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST Compliance
Withum
 
CMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBsCMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBs
Ignyte Assurance Platform
 
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowCMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
PECB
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
ControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
ControlCase
 
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
Ignyte Assurance Platform
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview
Ignyte Assurance Platform
 
CompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowCompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to know
Infosec
 
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal ContractorsArnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
JSchaus & Associates
 
CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171
Ignyte Assurance Platform
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo Logic
CloudHesive
 
Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable
SolarWinds
 
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxA Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
Jack Nichelson
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
John Gilligan
 
CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023
Withum
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide Deck
Cimetrics Inc
 
Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365
Jack Nichelson
 
Creating a results oriented culture
Creating a results oriented cultureCreating a results oriented culture
Creating a results oriented culture
Jack Nichelson
 

More Related Content

Similar to A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf

ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
PECB
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdf
toncik
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingLaying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Ignyte Assurance Platform
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST Compliance
Withum
 
CMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBsCMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBs
Ignyte Assurance Platform
 
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowCMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
PECB
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
ControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
ControlCase
 
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
Ignyte Assurance Platform
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview
Ignyte Assurance Platform
 
CompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowCompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to know
Infosec
 
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal ContractorsArnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
JSchaus & Associates
 
CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171
Ignyte Assurance Platform
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo Logic
CloudHesive
 
Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable
SolarWinds
 
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxA Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
Jack Nichelson
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
John Gilligan
 
CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023
Withum
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide Deck
Cimetrics Inc
 

Similar to A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf (20)

ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdf
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingLaying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST Compliance
 
CMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBsCMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBs
 
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowCMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
 
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview
 
CompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowCompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to know
 
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal ContractorsArnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
 
CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo Logic
 
Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable Government Webinar: Preparing for CMMC Compliance Roundtable
Government Webinar: Preparing for CMMC Compliance Roundtable
 
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxA Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
 
CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023CMMC for Contractors and Manufacturers – What to Know for 2023
CMMC for Contractors and Manufacturers – What to Know for 2023
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide Deck
 

More from Jack Nichelson

Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365
Jack Nichelson
 
Creating a results oriented culture
Creating a results oriented cultureCreating a results oriented culture
Creating a results oriented culture
Jack Nichelson
 
The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017
Jack Nichelson
 
Creating a Results Oriented Culture
Creating a Results Oriented CultureCreating a Results Oriented Culture
Creating a Results Oriented Culture
Jack Nichelson
 
Moving Mountains Through Measurement
Moving Mountains Through MeasurementMoving Mountains Through Measurement
Moving Mountains Through Measurement
Jack Nichelson
 
10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers
Jack Nichelson
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
Jack Nichelson
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
Protecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersProtecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the Beefeaters
Jack Nichelson
 

More from Jack Nichelson (9)

Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365
 
Creating a results oriented culture
Creating a results oriented cultureCreating a results oriented culture
Creating a results oriented culture
 
The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017
 
Creating a Results Oriented Culture
Creating a Results Oriented CultureCreating a Results Oriented Culture
Creating a Results Oriented Culture
 
Moving Mountains Through Measurement
Moving Mountains Through MeasurementMoving Mountains Through Measurement
Moving Mountains Through Measurement
 
10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
 
Protecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersProtecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the Beefeaters
 

Recently uploaded

PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 

Recently uploaded (20)

PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 

A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf

  • 1. A Clear Path to NIST & CMMC Compliance Jack Nichelson & Craig Burland Chief Information Security Officers NIST 800-171 & CMMC 2.0 Compliance Update
  • 2. Jack Nichelson CONFIDENTIAL 2 • Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and Received the CSO50 award for connecting security initiatives to business value. • Adviser for Baldwin Wallace’s, State winner Collegiate Cyber Defense Competition (CCDC) team. • Certs: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP • Prior experience running Infrastructure & Security at multiple Fortune 500’s • 20+ years in IT & IT Security • Board member for FBI InfraGard • Executive MBA from Baldwin-Wallace University
  • 3. Craig Burland CONFIDENTIAL 3 • Information Security Leader for a Fortune 200 company as Deputy CISO and CISO • Diverse set of IT and Cyber experiences… • Building global cybersecurity programs, level 2 incident response teams, intelligence automation and operations, vulnerability management and patching program • Implementing global identity management, securing operational technology environments • Managing web, collaboration, eCommerce platforms and agile development teams • Establishing an enterprise records management program, project management office • Technical Co-Chair of NEOCC and Customer Advisory Board member of NTT Global Security and Oracle Web Center • 30+ years in IT & Cybersecurity Jack’s +1
  • 4. 4 TruWest Family of Companies Point of Sale (POS) Lifecycle Management Custom cybersecurity solutions IT and AIDC equipment financing Venture debt for SaaS businesses Craft kitchen and taproom
  • 5. CMMC Fundamentals Recap from CMMC 2021-22 CONFIDENTIAL 5
  • 6. Introduction to CMMC • The Cybersecurity Maturity Model Certification or CMMC is a unified standard designed to improve cybersecurity across the thousands of companies in the Defense Industrial Base (DIB) • The new model will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Confidential Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC is an evolution of the DFARS 252.204-7012, 7019, 7020 and 7021 regulations requiring compliance with NIST 800-171
  • 7. Key CMMC Acronyms Defense Federal Acquisition Regulation Supplement (DFARS): DFARS Regulations 252.204-7012, 7019, 7020 and 7021 call for protection of CUI based on NIST 800-171 System Security Plan (SSP): The document that identifies the functions and features of an organization’s compliant system, including all its hardware and the software installed on the system Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171 Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI) Certified Third-Party Assessment Organization (C3PAO): C3PAO is an organization authorized by the CMMC-AB to conduct, and deliver CMMC assessments
  • 8. CMMC is built on DFARS Crawl DFARS 252.204.7012 Walk DFARS 252.204-7019 & 7020 Run DFARS 252.204-7021 • Crawl: DFARS 252.204-7012, also known as Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires defense contractors to provide adequate security by implementing the 110 security controls in NIST 800-171 and self-attest this has been done. This clause went into effect end of 2017. • Walk : DFARS 252.204-7019 & 7020, are clauses that outline the requirements for contractors to comply with NIST 800-171. It requires contractors to maintain a record of their NIST 800-171 compliance with a System Security Plan (SSP) and registering a CAGE code in the Supplier Performance Risk System (SPRS). This is not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest. These clauses went into effect on November 30, 2020. • Run: DFARS 252.204-7021, also known as “Cybersecurity Maturity Model Certification Requirements”, is a clause that outlines the requirements for contractors to comply with the Cybersecurity Maturity Model Certification (CMMC). This is when CMMC controls, processes, & practices become required elements for doing business with the Department. This clause will go into effect October 2025.
  • 9. • All members of the DIB are subject to the Defense Federal Acquisition Regulation Supplement (DFARS) rules, which require meeting NIST 800-171 • NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0 • All DoD contractors will have to ensure all subs are CMMC compliant (a.k.a. “Flow Down”) • CMMC compliance will be phased into contracts in 2025 What You Need to Know About CMMC 2.0
  • 10. Recent Key Events in CMMC’s Timeline Jul 2022: Aerojet Rocketdyne Agrees to pay $9MM Resolve False Claims Act Allegations Jan 2023: DoD releases the Accreditation Body Assessment Guide Mar 2023: DFARS 7024 published, allowing SPRS Assessments to be used for contract decisions Mar 2023: The first C3PAOs are accredited Jul 2023: DoD releases the proposed CMMC rule to OMB CONFIDENTIAL 10
  • 11. Timeline for CMMC Adoption CONFIDENTIAL 11
  • 12. Call to Action Enough! It’s time to get shit done! CONFIDENTIAL 12
  • 13. A Simple Framework Plan: Establish objectives and goals • This stage focuses on identifying the problem or opportunity for improvement, setting specific targets, and planning how to achieve them. Do: Implement the planned actions • This stage involves carrying out the planned activities, starting with a pilot project or small-scale test. • It's a hands-on phase where you put your plan into action. Check: Assess and monitor the results • Compare the actual outcomes to the expected outcomes and gather data to evaluate the effectiveness of the changes. Act: Make decisions and take actions • If the results align with your objectives and goals, you standardize the improvements, update processes, and continue monitoring. • If the results fall short, you adjust your plan, make necessary changes, and repeat the PDCA cycle. Plan Do Check Act
  • 14. A Clear Path to Getting CMMC Compliant PDCA Plan Do Check Act CMMC Identify Remediate Verify Assess KEYS NIST 800-171 POA&Ms SSP C3PAO CONFIDENTIAL 14
  • 15. Framework for Getting CMMC Compliant Identify (Plan): • Identify the problem = 3rd party NIST 800-171 Risk & Security Assessment • Set specific targets = Determine your current exposure and desired CMMC level • Plan how to achieve them = High-level design. Estimated costs. Business buy-in. Remediate (Do): • Plan how to achieve them (again) = Develop Plans of Action & Milestones (POA&Ms) • Carry out the planned activities = Execute the POA&Ms and Build Your NIST Security Program Verify (Check): • Compare the actual to expected outcomes = Build the System Security Plan (SSP) • Gather data to evaluate the effectiveness of the changes = Perform a follow-up assessment and regenerate SPAR Score Assess (Act): • Evaluate = Assessment by a certified 3CPAO Auditor • Standardize the improvements, and update processes = Monitor compliance Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 16. Identify (Plan) • Determine your current exposure • DFARS is effective now • Is it mentioned in existing contracts? • Where is your CUI today? Who uses it? • Who are your customers? Suppliers? • Commit to required CMMC level • Based on current and desired business • Sets your overall objective • Conduct NIST 800-171 Risk & Security Assessment • Not a simple risk or gap assessment. Use a certified practitioner. • Identify the specified categories of CUI received/developed • Map CUI data flow through all Users, Systems, Software and Cloud services • Understand initial CMMC compliance report and SPAR score • Check the business’ appetite • Build a high-level design • Estimate costs • Socialize with stakeholders CMMC is about CUI. NIST is about IP. Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 17. Critical, Common Areas of Control CONFIDENTIAL 17 Assess Risks: ABA – Always Be Assessing Authorized Users: Know your people CUI Enclave & Environment: Build a safe home for CUI Encrypt CUI: Wherever it is Monitor Assets: Always watching Manage Media: Just say no Physical Access: It’s a closed-door policy Consider People, Process, and Technology for IT and the Business Estimate the Total Cost of Compliance
  • 18. Remediate (Do) • Align your security program with NIST • NIST-based policies • CUI-specific training • Identify authorized people (e.g., US Citizens) • Governance, Risk, & Compliance Committee • Develop Plans of Action & Milestones (POA&Ms) • POA&Ms outline the steps to address and remediate security vulnerabilities, weaknesses, or deficiencies • They define the who, what, when, and how • Execute the POA&Ms • Executing POA&Ms will take focus, time, and effort • POA&Ms should be realistic • POA&Ms can be iterative NIST-Based Security Program is key Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 19. Big Remediation Challenges No business buy-in. No contract awareness. Understanding how CUI flows through an organization Inadequate policies, procedures & compliance-related documentation. High-level System Security Plan (SSP) Poor (or missing) Plans of Action and Milestones (POA&M) Limited security monitoring & incident response capabilities FIPS-Compliant vs. FIPS-Validated Encryption FedRAMP-Equivalent vs. FedRAMP- authorized Cloud Services
  • 20. Verify (Check) • Perform a DoD Self-Assessment by a 3rd party • DoD self-assessment helps validate controls and generate the SPAR score • Use of an objective, trained, experienced 3rd party is key to avoid internal bias and bring an auditor’s perspective • Build the System Security Plan (SSP) • An SSP serves as a comprehensive document that outlines the security controls and safeguards implemented in your environment • The SSP is the key element of your application for CMMC compliance – auditors will start with the SSP • Establish and maintain sufficient evidence for your score • Regenerate SPAR Score • Update Supplier Performance Risk System (SPRS) score • If not 110, return to Identify Identify (Plan) Remediate (Do) Verify (Check) Assess (Act) Evidence, evidence, evidence
  • 21. Assess (Act) • Select and Schedule C3PAO • This is an important partner in your journey • Spend the time to find a good fit • Expect a queue for C3PAOs, especially as the deadline approaches • Get the C3PAO Assessment • Showtime! • The assess will be a detailed review of SSP and Evidence • Monitor and prepare for reassessment • It’s critical to understand and communicate that CMMC compliance is not a one-and-done effort • Monitoring controls, tracking risks, etc. is a critical element of compliance Expect long wait times for C3PAOs! Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 22. In conclusion… CONFIDENTIAL 22 “Everyone Has A Will To Win But Very Few Have The Will To Prepare To Win.” — Vince Lombardi
  • 23. CMMC 2023 Summary CMMC builds on DFARS and NIST 800-171 -- Rules that you should already be following The government continues to ramp up regulations and enforcement – CMMC is real and coming Closing gaps will require investment in people, process, and technology Passing the assessment gauntlet will require strong evidence of people, process, and technology Think about cycles of improvement – it’s not about getting to 110 immediately Companies that finish early will have an opportunity to win business from those that don’t CONFIDENTIAL 23 Identify (Plan) Remediate (Do) Verify (Check) Assess (Act)
  • 24. THANK YOU Jack Nichelson and Craig Burland Chief Information Security Officers