A Clear Path to NIST & CMMC Compliance
Jack Nichelson
Chief Information Security Officer
Jack.Nichelson@MRKTech.com
CMMC 2.0 Compliance Update
MRK/TRUWEST
• MRK Technologies
  • Security Services (CISO-for-Hire)
  • Value-Added Technology Reseller
• Technology Recovery Group (TRG)
  • Point-of-Sale Lifecycle Management
• River Capital/River SaaS
  • Equipment Leasing
  • Startup Venture Capital
• Sibling Revelry Brewing
  • Craft Brewery and Tasting Room
• MRK is part of the TruWest family of companies
• 40+ years in business
• International footprint across the US, Canada and Europe
MRK CISO SERVICES
• Run security programs for companies of all sizes, in every vertical, across the globe
• Each Chief Information Security Officer (CISO) has 20+ years' experience, largely in-house running security programs
• Act as an employee of the company, build up their security, respond to incidents, and engage with their regulators and customers
• Keep our customers safe and secure
MRK’s CISO practice works with several government contractors
MRK MANAGED SECURITY
• MRK Managed Security is committed to providing best-in-class results by fully running out an alert – investigating and running to ground every available detail.
• Our differentiator is that we provide actionable alerts with details on remediation, containment and response.
• We provide detailed communication that minimizes an internal team’s effort and provides an expedited path to resolution – no copy-and-paste tickets, no alerts without context.
CISO PROFILE: JACK NICHELSON
• Prior experience running Infrastructure & Security at multiple Fortune 500 companies
• 20+ years in IT & IT Security
• Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value
• Board member for FBI InfraGard
• Executive MBA from Baldwin Wallace University
• Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team
• Certs include: Executive MBA, CISSP, CCNA, GIAC GCIH, GIAC GSLC, CCNP, CCDA, & VCP
INTRODUCTION TO CMMC 2.0
A New Standard in Defending Data
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard designed to implement and improve cybersecurity across the entire DIB, which includes more than 300,000 companies. The new model will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The compliance standard is an evolution of the DFARS 252.204-7012 & NIST 800-171 standards and is meant to protect the nation's sensitive data. All government contractors will have to become CMMC compliant by 2026 in order to continue doing business with the U.S. Government.
It’s critical to start the CMMC process sooner rather than later — whether 5 or 50 percent of your revenue comes from government contracts. Vendors that show strong controls will thrive as the entire DIB transitions to the new model. Every company within the DoD supply chain will be required to get certified to receive new contracts, representing a massive portion of potential business. In fiscal year 2018, the DoD awarded nearly $360 billion in contracts for products, materials and services.
CMMC ACRONYMS
• Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government by 2026.
• Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release. (CMMC 2.0 Level 1)
• Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. (CMMC 2.0 Level 2)
• Defense Federal Acquisition Regulation Supplement (DFARS): Starting in Dec. 2020, all contractors are subject to new clauses in the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012, 7019, 7020 and 7021). This means, starting immediately, that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded to them.
• System Security Plan (SSP): The SSP is a document that identifies the functions and features of a system, including all its hardware and the software installed on the system. It outlines the security requirements of the system and describes the controls in place or planned, and the responsibilities and expected behavior of all individuals who access the system. The SSP has been part of the NIST 800-171 security requirement set forth by DFARS 7012. DFARS 7019 holds the requirements for contractors to maintain their assessments and report them properly, as well as the requirements for contracting authorities to award or withhold award based upon properly reported assessment results.
• Certified Third-Party Assessment Organization (C3PAO): A C3PAO is an organization authorized by the CMMC-AB to conduct and deliver CMMC assessments.
DIFFERENCE BETWEEN FCI & CUI
• Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release: “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
• Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system: “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
Within the construct of the CMMC, know that CUI will require CMMC Level 2 or higher certification, whereas FCI will only require Level 1 self-certification.
THE LONG ROAD TO CMMC
WHAT YOU NEED TO KNOW ABOUT CMMC 2.0
• In November 2021, the Department of Defense (DoD) announced that the CMMC will be undergoing three major changes to help reduce costs, streamline the compliance process, and better align with other federal standards. CMMC 2.0 may not be fully implemented until late 2023.
• By 2026, all DIB contractors will be required to be CMMC certified by a C3PAO before being allowed to bid on government contracts.
• A strong cybersecurity posture will always be a requirement for securing a DoD contract. While the DoD stresses that it will not approve any contracts that include a CMMC requirement prior to CMMC 2.0 implementation, the department strongly encourages the DIB sector to meet the 110 security controls stipulated under NIST SP 800-171.
• This is because NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0. The similarities between the two compliance models make it easier for a NIST SP 800-171-compliant company to achieve compliance with Level 2 standards when CMMC 2.0 becomes law. After all, the DIB is still subject to the Defense Federal Acquisition Regulation Supplement rules, which require meeting NIST 800-171 and DFARS 7012 standards.
• Prime contractors will have to ensure all subs are CMMC compliant: mandatory flow-down of CMMC requirements to over 350,000 DIB companies.
• The DoD estimates that about 150,000 companies will need to meet Level 1, about 80,000 companies will need to comply with CMMC Level 2, and fewer than 500 companies will need to comply with Level 3.
• All contractors could now be subject to DFARS 252.204-7012 & 7019. This means that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded.
THE 3 LEVELS OF CMMC 2.0
• Level 1 (Foundational) only applies to companies that focus on the protection of FCI. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users. The DoD estimates that about 150,000 such companies exist in the DIB.
• Level 2 (Advanced) is for companies working with CUI. Requirements will mirror NIST SP 800-171; all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 control families and 110 security controls developed by NIST to protect CUI. The DoD estimates that about 80,000 companies handle CUI.
• Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. The DoD is still determining the specific security requirements for Level 3 (Expert), but has indicated that requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. The DoD estimates that about 500 companies will need to comply with Level 3.
THE “CRAWL – WALK – RUN” OF CMMC
• Crawl: Notice of NIST 800-171 DoD Assessment Requirements. In the 1st phase of CMMC implementation, contractors must register by CAGE code in SPRS and upload a self-assessment based on their 800-171 controls implementation (not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest).
• Walk: The DoD Assessment Methodology begins to be enforced. A two (2) year effort where inconsequential “audits” by DCMA and the DIB-CAC are part of the process.
• Run: The instantiation of how we’re going to ensure cybersecurity is foundational to all acquisition. This is when CMMC controls, processes, & practices become required elements for doing business with the Department.
NIST 800-171 EXPLAINED
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is the standard developed to protect controlled unclassified information (CUI) in nonfederal systems and organizations
• NIST SP 800-171 came from a combination of the Federal Information Processing Standard (FIPS) 200 and the Moderate baseline of NIST SP 800-53. It contains administrative and technical requirements within 110 controls organized into 14 control families.
• CMMC Level 1 organizations can complete a NIST SP 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS)
• CMMC Level 2 or higher requires a C3PAO to complete an assessment to determine an organization’s maturity level
• The DFARS 7019 clause notifies the contractor that they are required to maintain a record of their NIST 800-171 compliance within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system, which is only accessible to DoD personnel.
NIST 800-171 CONTROLS OVERVIEW
DFARS INTERIM RULE OVERVIEW
• 252.204-7012 (Existing): Created the basis for protecting controlled unclassified information by implementing NIST 800-171 controls
• 252.204-7019 (New as of 11/20/20): Created a self-assessment (Basic) requirement related to 800-171 and publishing the result in SPRS
• 252.204-7020 (New as of 11/20/20): Expands the 800-171 scores to include Moderate and High assurance assessments conducted by the DIBCAC and recorded in SPRS. Flow-down to subs is required, and having a score in 800-171 is required prior to award
• 252.204-7021 (New as of 11/20/20): Creates the basis for CMMC and outlines C3PAOs and the timeline for the rollout.
On September 29, 2020, the DoD issued the interim rule implementing the CMMC program. The rule introduces a new mandatory construct, the DoD Assessment Methodology, to serve as an interim certification process before contractors undergo a full CMMC review. A full description of the interim rule and what it means for DoD contractors follows.
DFARS INTERIM RULE - 5 KEY TAKEAWAYS
1) This new requirement takes effect on December 1, 2020 for all contractors that are subject to the DFARS 252.204-7012 & 7019 clauses based on their handling of Controlled Unclassified Information (CUI)
2) Contractors that handle CUI will need to complete a new NIST 800-171 Self-Assessment based on a new scoring methodology and then post their score in the Supplier Performance Risk System (SPRS) before a contract will be awarded
3) The Self-Assessment must also include the completion of a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of their network and their plan to achieve 100% compliance with the NIST 800-171 requirements
4) Prime Contractors must flow this requirement down to their subcontractors/suppliers that handle CUI as well.
5) DCMA will be conducting random audits to ensure companies have not only completed the self-assessment, but have scored themselves accurately, have an SSP and are working towards completing a realistic POAM.
SPRS Reporting Requirements:
• Your system security plan name
• The CAGE code associated with the plan
• A brief description of the plan architecture
• The date the assessment was completed
• The date that a score of 110 will be achieved
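A worked illustration of the self-assessment score and SPRS fields described in the takeaways above, added here as an example (it is not MRK's tooling and not an official DoD calculator). It assumes the DoD Assessment Methodology's 1/3/5 requirement weights, partial credit only for requirements 3.5.3 and 3.13.11, a constructed six-control inventory, and a five-character alphanumeric CAGE code format.

```python
"""SPRS self-assessment helper (added example; not MRK's or DoD's tooling).

Models the NIST SP 800-171 DoD Assessment Methodology scoring that the
DFARS 7019 self-assessment posts to SPRS: start at 110, subtract the
weight (1, 3 or 5) of every requirement that is not fully implemented,
and report the date a score of 110 will be reached (the latest open
POA&M milestone).  The control inventory below is constructed for
illustration; weights for real controls come from the methodology itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

MAX_SCORE = 110

# Requirements the methodology allows partial credit for: 3.5.3 (MFA in
# place for remote/privileged access only) and 3.13.11 (encryption in use
# but not FIPS-validated).  Each deducts 3 points instead of its full 5.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Assumption: CAGE codes are five alphanumeric characters.
CAGE_RE = re.compile(r"^[A-Z0-9]{5}$")


@dataclass(frozen=True)
class Control:
    req_id: str                      # NIST SP 800-171 requirement, e.g. "3.1.1"
    weight: int                      # 1, 3 or 5 per the DoD methodology
    status: str                      # "implemented", "partial" or "poam"
    milestone: Optional[date] = None  # POA&M completion date for open items


def deduction(c: Control) -> int:
    """Points lost for one requirement.  Items on a POA&M get no credit."""
    if c.weight not in (1, 3, 5):
        raise ValueError(f"{c.req_id}: weight must be 1, 3 or 5")
    if c.status == "implemented":
        return 0
    if c.status == "partial":
        # Only the two named requirements earn partial credit; any other
        # partially implemented requirement scores as not implemented.
        return PARTIAL_CREDIT_DEDUCTION.get(c.req_id, c.weight)
    if c.status == "poam":
        return c.weight
    raise ValueError(f"{c.req_id}: unknown status {c.status!r}")


def sprs_score(controls: Iterable[Control]) -> int:
    """DoD Assessment Methodology score; it can go negative."""
    return MAX_SCORE - sum(deduction(c) for c in controls)


def projected_full_score_date(controls: Iterable[Control], assessed_on: date) -> date:
    """Date a score of 110 is expected: the latest open POA&M milestone."""
    open_items = [c for c in controls if deduction(c) > 0]
    if not open_items:
        return assessed_on
    missing = [c.req_id for c in open_items if c.milestone is None]
    if missing:  # an open item without a milestone is not a realistic POA&M
        raise ValueError(f"no POA&M milestone for: {', '.join(missing)}")
    return max(c.milestone for c in open_items)


def is_valid_cage(code: str) -> bool:
    return CAGE_RE.match(code) is not None


def build_sprs_record(ssp_name: str, cage_code: str, architecture: str,
                      assessed_on: date, controls: list[Control]) -> dict:
    """Assemble the five fields SPRS asks for, plus the computed score."""
    if not is_valid_cage(cage_code):
        raise ValueError(f"invalid CAGE code {cage_code!r}")
    return {
        "ssp_name": ssp_name,
        "cage_code": cage_code,
        "architecture": architecture,
        "assessment_date": assessed_on.isoformat(),
        "score": sprs_score(controls),
        "score_110_date": projected_full_score_date(controls, assessed_on).isoformat(),
    }


# Constructed inventory: six of the 110 requirements; the rest are assumed implemented.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, "implemented"),
    Control("3.1.2", 5, "implemented"),
    Control("3.5.3", 5, "partial", date(2024, 9, 30)),    # MFA for remote/privileged only
    Control("3.13.11", 5, "partial", date(2024, 6, 30)),  # encryption present, not FIPS-validated
    Control("3.3.1", 5, "poam", date(2024, 12, 31)),      # audit logging still on the POA&M
    Control("3.8.4", 1, "poam", date(2024, 3, 31)),       # media marking still on the POA&M
]


def demo_record() -> dict:
    """Record for the constructed inventory: score 98, full score by 2024-12-31."""
    return build_sprs_record("Constructed CUI Enclave SSP v1", "1ABC2",
                             "Segmented CUI enclave", date(2024, 1, 15), SAMPLE_CONTROLS)


if __name__ == "__main__":
    print(demo_record())
```

Note that a requirement sitting on the POA&M still costs its full weight; the score only rises as milestones are actually closed.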
PRELIMINARY STEPS FOR CMMC SUCCESS
Step 1: Identify The Target CMMC Level: In order to start, you have to know what target CMMC certification level your organization needs to attain. The CMMC level is determined entirely by the classification of data:
• If you store, transmit and/or process just FCI, then you are a Level 1
• If you store, transmit and/or process FCI and/or CUI, then you are a Level 2
Step 2: Document FCI/CUI Data/Process Flows: The DoD considers any part of your organization that touches CUI & FCI (i.e., where it’s stored, how it’s processed, and how it’s transmitted) to be “in-scope” when it comes to an official certification assessment. For example, an organization may have other unrelated departments (e.g., marketing, sales, etc.) where CUI & FCI will not be stored, processed, or transmitted. To make compliance as smooth and cost-effective as possible, you’ll want to isolate only the relevant parts of your organization into their own network.
Step 3: Establish an Asset Inventory, Network Diagrams, Policies, Processes, and Plans: The CMMC is all about “Process Maturity.” It’s an organization’s commitment to and consistency in performing specific practices. To do this successfully, you need to establish several governing documents describing what the organization should abide by (policies), how they should be implemented (processes), and how those tasks will be funded and managed (plans).
Step 4: Create a System Security Plan (SSP): The SSP is your organization’s plan to secure its systems. More specifically, it is a collection of documents that paint a picture of your environment, the associated security requirements, the implemented or planned controls, and the expected behaviors of all individuals who access the system. In addition to other documents, you will need to reference your previously established policies, processes, and plans as they relate to each domain. Depending on your organization, your SSP might cover your entire organization, a subset, or multiple subsets of it.
Step 5: Train Personnel On Secure Practices: The common weak link in most organizations is the “people factor”: the individuals required to operate processes. OSCs are required to train their personnel on CUI handling practices, role-specific security training, insider threat awareness and in some cases ITAR/EAR training for export control.
Step 6: Conduct a CMMC Pre-Assessment: The CMMC Pre-Assessment is a necessary internal tool to prepare for the actual certification assessment. It is the only way to know which practices your organization is missing, collect evidence about processes and plans, and build a Plan of Action & Milestones (POA&M) for missing practices, processes, and plans.
Create a POA&M: You will take all of your missing controls and create a formal document that describes the specific steps your organization will take to implement a particular practice fully (actions) and over what period (milestones).
Step 7: Choose a Certified Third-Party Assessor Organization (C3PAO): A Certified Third-Party Assessor Organization (C3PAO) is an official organization certified to provide CMMC certifications by the CMMC Accreditation Body (CMMC-AB). There are currently over 100 C3PAOs that you can work with on the CMMC-AB Marketplace. It would be best if you chose to work with a C3PAO that not only fits your budget but has previous experience with your industry.
Step 8: Get Certified: Your C3PAO and its CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA) will use the CMMC-AB assessment guidelines to conduct a CMMC assessment for your entire organization or a specific CUI Enclave. CCPs and CCAs will collect information and evidence to independently verify that an organization meets the stated assessment objectives for all of the required practices and processes. If the C3PAO can successfully demonstrate that the organization implements all practices and has the appropriate process maturity, they will grant the official certification.
Step 9: Recertification: Your certification will last for three years, which means that you will need to recertify every three years. The recertification process is the same as the initial process.
Step 10: Conclusion: Going from zero to certification involves a well-oiled machine with many moving parts, from scoping your organization, to establishing policies, processes, and plans, to establishing an evidence-driven compliance workflow, to hiring a C3PAO to certify you. While some organizations might be well resourced to undertake this process, others might struggle to get started. It is wise to seek out help from the many accredited organizations on the CMMC-AB Marketplace. MRK is a Registered Practitioner Organization (RPO).
QUESTIONS?
THANK YOU!
• Jack Nichelson (CISO, MRK Technologies)
CMMC AUDIT REMEDIATION PLAN
QUESTIONS?
First, CMMC 2.0 is on hold, with the potential for the rulemaking process to stretch out as late as fall 2023. The DoD has asked all organizations to use this time to implement NIST 800-171 (DFARS 252.204-7012 & 7019) and ensure all subs meet it. The DoD has also indicated that there may be incentives for early adoption and for having improved self-assessment scores posted to the DoD’s Supplier Performance Risk System (SPRS).
A trend appears to be forming among primes: requiring all subcontractors to be certified at CMMC 2.0 Level 2. From the prime’s point of view, this would mean reduced risk of sharing CUI with a subcontractor that is not certified to handle it, because all of their subcontractors are certified. This is why we are seeing this big push by the primes to get their subs to show they are meeting all 110 controls in NIST 800-171 (DFARS 252.204-7012 & 7019) and to prove it by uploading self-assessment scores to the DoD’s Supplier Performance Risk System (SPRS).

A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

A Clear Path to NIST & CMMC Compliance_ISSA.pptx

  • 6. INTRODUCTION TO CMMC 2.0
A New Standard in Defending Data
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard designed to implement and improve cybersecurity across the entire DIB, which includes more than 300,000 companies. The new model will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The compliance standard is an evolution of the DFARS 252.204-7012 and NIST 800-171 standards and is meant to protect the nation's sensitive data. All government contractors will have to become CMMC compliant by 2026 in order to continue doing business with the U.S. Government.
It is critical to start the CMMC process sooner rather than later, whether 5 or 50 percent of your revenue comes from government contracts. Vendors that show strong controls will thrive as the entire DIB transitions to the new model. Every company within the DoD supply chain will be required to get certified to receive new contracts, representing a massive portion of potential business. In fiscal year 2018, the DoD awarded nearly $360 billion in contracts for products, materials and services.
  • 7. CMMC ACRONYMS
 Cybersecurity Maturity Model Certification 2.0 (CMMC): CMMC is the US Government's solution to fix low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government by 2026.
 Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release. (CMMC 2.0 Level 1)
 Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. (CMMC 2.0 Level 2)
 Defense Federal Acquisition Regulation Supplement (DFARS): Starting in Dec. 2020, all contractors are subject to new clauses in the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012, 7019, 7020 and 7021). This means, starting immediately, that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded to them.
 System Security Plan (SSP): The SSP is a document that identifies the functions and features of a system, including all its hardware and the software installed on the system. It outlines the security requirements of the system and describes the controls in place or planned, the responsibilities, and the expected behavior of all individuals who access the system. The SSP has been part of the NIST 800-171 security requirements set forth by DFARS 7012.
 DFARS 7019 holds the requirements for contractors to maintain their assessments and report them properly, as well as the requirements for contracting authorities to award or withhold award based upon properly reported assessment results.
 Certified Third-Party Assessment Organization (C3PAO): A C3PAO is an organization authorized by the CMMC-AB to conduct and deliver CMMC assessments.
  • 8. DIFFERENCE BETWEEN FCI & CUI
 Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release: "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments."
 Controlled Unclassified Information (CUI): CUI is an umbrella term that encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system: "information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended."
Within the construct of the CMMC, know that CUI will require CMMC Level 2 or higher certification, whereas FCI will only require Level 1 self-certification.
  • 9. THE LONG ROAD TO CMMC
  • 10. WHAT YOU NEED TO KNOW ABOUT CMMC 2.0
 In November 2021, the Department of Defense (DoD) announced that the CMMC will be undergoing three major changes to help reduce costs, streamline the compliance process, and be better aligned with other federal standards. CMMC 2.0 may not be fully implemented until late 2023.
 By 2026, all DIB contractors will be required to be CMMC certified by a C3PAO before being allowed to bid on government contracts.
 A strong cybersecurity posture will always be a requirement in securing a DoD contract. While the DoD stresses that it will not approve any contracts that include a CMMC requirement prior to CMMC 2.0 implementation, the department strongly encourages the DIB sector to meet the 110 security controls stipulated under NIST SP 800-171.
 This is because NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0. The similarities between the two compliance models make it easier for a NIST SP 800-171-compliant company to achieve compliance with Level 2 standards when CMMC 2.0 becomes law. After all, the DIB is still subject to the Defense Federal Acquisition Regulation Supplement rules, which require meeting the NIST 800-171 and DFARS 7012 standards.
 Prime contractors will have to ensure all subs are CMMC compliant: mandatory flow-down of CMMC requirements to over 350,000 DIB companies.
 The DoD estimates that about 150,000 companies will need to meet Level 1, about 80,000 companies will need to be compliant with CMMC Level 2, and fewer than 500 companies will need to comply with Level 3.
 All contractors could now be subject to DFARS 252.204-7012 & 7019. This means that any suppliers and DIB members looking to earn new business or up for a renewal will need to complete a new NIST 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS) before a contract is awarded.
  • 11. THE 3 LEVELS OF CMMC 2.0
• Level 1 (Foundational) only applies to companies that focus on the protection of FCI. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focuses on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users. The DoD estimates that about 150,000 such companies exist in the DIB.
• Level 2 (Advanced) is for companies working with CUI. Requirements will mirror NIST SP 800-171, and all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 control families and 110 security controls developed by NIST to protect CUI. The DoD estimates that about 80,000 companies handle CUI.
• Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on the DoD's highest priority programs. The DoD is still determining the specific security requirements for Level 3 (Expert), but has indicated that requirements will be based on NIST SP 800-171's 110 controls plus a subset of NIST SP 800-172 controls. The DoD estimates that about 500 companies will need to comply with Level 3.
  • 12. THE "CRAWL – WALK – RUN" OF CMMC
 CRAWL: Notice of NIST 800-171 DoD Assessment Requirements. In the 1st phase of CMMC implementation, contractors must register by CAGE code in SPRS and upload a self-assessment based on their 800-171 controls implementation (not "graded", but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if not done in earnest).
 WALK: The DoD Assessment Methodology begins to be enforced. A two (2) year effort where inconsequential "audits" by DCMA and the DIB-CAC are part of the process.
 RUN: The instantiation of how we're going to ensure cybersecurity is foundational to all acquisition. This is when CMMC controls, processes, and practices become required elements for doing business with the Department.
  • 13. NIST 800-171 EXPLAINED
 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is the standard developed to protect controlled unclassified information (CUI) in nonfederal systems and organizations.
 NIST SP 800-171 came from a combination of the Federal Information Processing Standard (FIPS) 200 and the Moderate baseline of NIST SP 800-53. It contains administrative and technical requirements within 110 controls organized into 14 control families.
 CMMC Level 1 organizations can complete a NIST SP 800-171 Self-Assessment and upload the results to the Supplier Performance Risk System (SPRS).
 CMMC Level 2 or higher requires a C3PAO to complete an assessment to determine an organization's maturity level.
 The DFARS 7019 clause notifies the contractor that they are required to maintain a record of their NIST 800-171 compliance within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system, which is only accessible to DoD personnel.
  • 15. DFARS INTERIM RULE OVERVIEW
 252.204-7012 (Existing): Created the basis for protecting controlled unclassified information by implementing NIST 800-171 controls.
 252.204-7019 (New as of 11/20/20): Created a self-assessment (Basic) requirement related to 800-171 and publishing the result in SPRS.
 252.204-7020 (New as of 11/20/20): Expands the 800-171 scores to include Moderate and High assurance assessments conducted by the DIBCAC and recorded in SPRS. Flow-down to subs is required, and having an 800-171 score on record is a requirement prior to award.
 252.204-7021 (New as of 11/20/20): Creates the basis for CMMC and outlines C3PAOs and the timeline for the rollout.
On September 29, 2020, the DoD issued the interim rule implementing the CMMC program. The rule introduces a new mandatory construct, the DoD Assessment Methodology, to serve as an interim certification process before contractors undergo a full CMMC review. A full description of the interim rule and what it means for DoD contractors follows.
  • 16. DFARS INTERIM RULE - 5 KEY TAKEAWAYS
1) This new requirement takes effect on December 1, 2020 for all contractors that are subject to the DFARS 252.204-7012 & 7019 clauses based on their handling of Controlled Unclassified Information (CUI).
2) Contractors that handle CUI will need to complete a new NIST 800-171 Self-Assessment based on a new scoring methodology and then post their score in the Supplier Performance Risk System (SPRS) before a contract will be awarded.
3) The Self-Assessment must also include the completion of a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of their network and their plan to achieve 100% compliance with the NIST 800-171 requirements.
4) Prime Contractors must flow this requirement down to their subcontractors/suppliers that handle CUI as well.
5) DCMA will be conducting random audits to ensure companies have not only completed the self-assessment, but have scored themselves accurately, have an SSP and are working towards completing a realistic POAM.
SPRS Reporting Requirements:
• Your system security plan name
• The CAGE code associated with the plan
• A brief description of the plan architecture
• The date the assessment was completed
• The date that a score of 110 will be achieved
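The self-assessment score and the "date a score of 110 will be achieved" that this slide says go into SPRS can be derived from the SSP's POA&M. The following is an added example, not code from the deck or from MRK: the point values and partial-credit rule are those of the NIST SP 800-171 DoD Assessment Methodology (the slide only calls it "a new scoring methodology"), the requirement list is a constructed subset with illustrative point values, and treating the latest open POA&M milestone as the date of a 110 score is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example. Scoring rules are those of the NIST SP 800-171 DoD Assessment
# Methodology: each of the 110 requirements is worth 1, 3 or 5 points, the score
# starts at 110 and every unimplemented requirement subtracts its value.  Two
# requirements may be given partial credit (deduct 3 instead of 5) when partly
# implemented: 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated
# cryptography).  Point values in the sample below are illustrative only; real
# scoring uses the methodology's own value table.
MAX_SCORE = 110
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}


@dataclass
class Requirement:
    req_id: str                       # NIST SP 800-171 requirement number
    value: int                        # 1, 3 or 5 points
    implemented: bool
    partial: bool = False             # partial credit claimed (3.5.3 / 3.13.11 only)
    milestone: Optional[date] = None  # POA&M completion date for an open item


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for a single requirement."""
    if req.value not in (1, 3, 5):
        raise ValueError(f"{req.req_id}: point value must be 1, 3 or 5")
    if req.implemented:
        return 0
    if req.partial and req.req_id in PARTIAL_CREDIT_IDS:
        return 3
    return req.value


def assessment_score(reqs) -> int:
    """Score = 110 minus deductions.  Requirements not in the list are treated
    as implemented; the result can go negative (the methodology's floor is -203)."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def date_score_110(reqs, assessed_on: date) -> date:
    """Date a score of 110 will be achieved: the latest POA&M milestone among open
    items (assumption: the last milestone closes the last gap).  An open item with
    no milestone makes the date unreportable, so it is flagged instead of guessed."""
    open_items = [r for r in reqs if not r.implemented]
    if not open_items:
        return assessed_on
    undated = [r.req_id for r in open_items if r.milestone is None]
    if undated:
        raise ValueError("open POA&M items without a milestone: " + ", ".join(undated))
    return max(r.milestone for r in open_items)


def sprs_record(ssp_name, cage_code, architecture, assessed_on: date, reqs) -> dict:
    """The five fields the slide lists for SPRS, plus the computed score."""
    return {
        "ssp_name": ssp_name,
        "cage_code": cage_code,
        "architecture": architecture,
        "assessment_date": assessed_on.isoformat(),
        "score": assessment_score(reqs),
        "date_score_110": date_score_110(reqs, assessed_on).isoformat(),
    }


# Constructed sample: a subset of the 110 requirements with hypothetical status.
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.1.2", 5, True),
    Requirement("3.3.1", 5, False, milestone=date(2023, 3, 31)),
    Requirement("3.5.3", 5, False, partial=True, milestone=date(2023, 6, 30)),
    Requirement("3.8.7", 1, False, milestone=date(2023, 1, 15)),
    Requirement("3.13.11", 5, False, partial=True, milestone=date(2023, 6, 30)),
    Requirement("3.14.1", 5, True),
    Requirement("3.14.6", 3, False, milestone=date(2023, 4, 30)),
]


def sample_record() -> dict:
    """SPRS record for the constructed sample (placeholder SSP name and CAGE code)."""
    return sprs_record("EXAMPLE-SSP-NAME", "CAGE-PLACEHOLDER",
                       "segmented CUI enclave (constructed description)",
                       date(2022, 12, 1), SAMPLE)


if __name__ == "__main__":
    for field_name, value in sample_record().items():
        print(f"{field_name}: {value}")
```

For the constructed sample the deductions are 5 + 3 + 1 + 3 + 3 = 15, giving a score of 95 and a projected 110 date of 2023-06-30; an open item with no milestone is rejected rather than silently dropped, which is the gap a DCMA audit of a "realistic POAM" would look for.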
  • 17. PRELIMINARY STEPS FOR CMMC SUCCESS
Step 1: Identify the Target CMMC Level: In order to start, you have to know what target CMMC certification level your organization needs to attain. CMMC focuses entirely on the classification of data:
• If you store, transmit and/or process just FCI, then you are a Level 1
• If you store, transmit and/or process FCI and/or CUI, then you are a Level 2
Step 2: Document FCI/CUI Data/Process Flows: The DoD considers any part of your organization that touches CUI & FCI (i.e., where it's stored, how it's processed, and how it's transmitted) to be "in-scope" when it comes to an official certification assessment. For example, an organization may have other unrelated departments (e.g., marketing, sales, etc.) where CUI & FCI will not be stored, processed, or transmitted. To make compliance as smooth and cost-effective as possible, you'll want to isolate only the relevant parts of your organization into its own network.
Step 3: Establish an Asset Inventory, Network Diagrams, Policies, Processes, and Plans: The CMMC is all about "Process Maturity": an organization's commitment to and consistency in performing specific practices. To do this successfully, you need to establish several governing documents describing what the organization should abide by (policies), how they should be implemented (processes), and how those tasks will be funded and managed (plans).
Step 4: Create a System Security Plan (SSP): The SSP is your organization's plan to secure its systems. More specifically, it is a collection of documents that paint a picture of your environment, the associated security requirements, the implemented or planned controls, and the expected behaviors of all individuals who access the system. In addition to other documents, you will need to reference your previously established policies, processes, and plans as they relate to each domain. Depending on your organization, your SSP might include your entire organization, a subset, or multiple subsets of your organization.
Step 5: Train Personnel on Secure Practices: The common weak link in most organizations is the "people factor", the individuals required to operate processes. OSCs are required to train their personnel on CUI handling practices, role-specific security training, insider threat awareness and in some cases ITAR/EAR training for export control.
  • 18. PRELIMINARY STEPS FOR CMMC SUCCESS
Step 6: Conduct a CMMC Pre-Assessment: The CMMC Pre-Assessment is a necessary internal tool to prepare for the actual certification assessment. It is the only way to know which practices your organization is missing, to collect evidence about processes and plans, and to build a Plan of Actions & Milestones (POA&M) for missing practices, processes, and plans. Create a POA&M: You will take all of your missing controls and create a formal document that describes the specific steps your organization will take to implement a particular practice fully (actions) and over what period (milestones).
Step 7: Choose a Certified Third-Party Assessor Organization (C3PAO): A Certified Third-Party Assessor Organization (C3PAO) is an official organization certified to provide CMMC certifications by the CMMC Accreditation Body (CMMC-AB). There are currently over 100 C3PAOs that you can work with on the CMMC-AB Marketplace. It would be best if you chose to work with a C3PAO that not only fits your budget but has previous experience with your industry.
Step 8: Get Certified: Your C3PAO and its CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA) will use the CMMC-AB assessment guidelines to conduct a CMMC assessment for your entire organization or a specific CUI Enclave. CCPs and CCAs will collect information and evidence to independently verify that an organization meets the stated assessment objectives for all of the required practices and processes. If the C3PAO can successfully demonstrate that the organization implements all practices and has the appropriate process maturity, they will grant the official certification.
Step 9: Recertification: Your certification will last for three years, which means that you will need to recertify every three years. The recertification process is the same as the initial process.
Step 10: Conclusion: Going from zero to certification involves a well-oiled machine with many moving parts, from scoping your organization, to establishing policies, processes, and plans, to establishing an evidence-driven compliance workflow, to hiring a C3PAO to certify you. While some organizations might be well resourced to undertake this process, others might struggle to get started. It is wise to seek out help from the many accredited organizations on the CMMC-AB Marketplace. MRK is a Registered Practitioner Organization (RPO).
  • 20. THANK YOU!  Jack Nichelson (CISO, MRK Technologies)
  • 22. QUESTIONS?
First, CMMC 2.0 is on hold, with the potential for the rulemaking process to stretch out as late as fall 2023. The DoD has asked all organizations to use this time implementing NIST 800-171 (DFARS 252.204-7012 & 7019) and ensuring all subs meet it. The DoD has also indicated that there may be incentives for early adoption and for having improved self-assessment scores posted to the DoD's Supplier Performance Risk System (SPRS).
A trend appears to be forming among primes: requiring all subcontractors to be certified at CMMC 2.0 Level 2. From the prime's point of view, this means reduced risk of sharing CUI with a subcontractor that is not certified to handle it, because all of their subcontractors are certified. This is why we are seeing the big push by the primes to get their subs to show they are meeting all 110 controls in NIST 800-171 (DFARS 252.204-7012 & 7019) and to prove it by uploading self-assessment scores to the DoD's Supplier Performance Risk System (SPRS).

Editor's Notes

  1. Title: A Clear Path to CMMC with MRK. Subtitle: What DoD Contractors Need to Know to Get Ready. Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify that contractors of the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DoD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this webinar, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification. In addition to answering questions from attendees, this webinar will cover the following topics: • What You Need to Know About CMMC • The Crawl – Walk – Run of CMMC • Preliminary Steps for CMMC Success
  2. Jason
  3. 60% of the Defense Industrial Base will need to be compliant with CMMC Level 1; 30% will need to be compliant to CMMC Level 3; less than 2% need to be compliant with CMMC Levels 4 and 5
  4. You should already be at Level 1 Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. These 17 controls are all basic cyber hygiene and represent the minimum any contractor should have already deployed.
  5. There is a widely-held misconception that a Level 1 OSC is going to be limited to small “mom and pop” companies, but that is an inaccurate assumption. An organization is designated a Level 1 when it only stores, transmits and/or processes FCI, not CUI. It is possible to have a Fortune 500 organization be a Level 1 OSC with a robust, well-staffed and mature security program. It is equally possible to have a small company with less than a handful of employees be a Level 3 OSC, even though it has no formal IT infrastructure or IT staff - just a completely virtual/remote workforce business model.
  6. There is a widely-held misconception that a Level 1 OSC is going to be limited to small “mom and pop” companies, but that is an inaccurate assumption. An organization is designated a Level 1 when it only stores, transmits and/or processes FCI, not CUI. It is possible to have a Fortune 500 organization be a Level 1 OSC with a robust, well-staffed and mature security program. It is equally possible to have a small company with less than a handful of employees be a Level 3 OSC, even though it has no formal IT infrastructure or IT staff - just a completely virtual/remote workforce business model.
  7. Recommendations: Password Manager MFA
  8. Recommendations: Password Manager MFA