CMMC 2.0 Explained:
Impact for Small & Midsize Businesses
Max Aulakh, MBA, CISSP, PMP, ITIL-F
Ignyte Assurance Platform
Darold Tippey
TMAC
Speaker
Max Aulakh is the managing director at Ignyte Assurance Platform. He started his
career in the US Air Force and spent the majority of his enlistment in the Middle East.
He brings 15+ years of hands-on experience from global enterprises automating
risk management and cyber security frameworks. Prior to working with the commercial
sector, he focused on automating traditional assessment and authorization (A&A)
packages under the DITSCAP and DIACAP frameworks. His team was responsible for
executing 100+ ATOs on various types of classified and unclassified government
networks.
His work currently focuses on automating the risk management framework through
the use of language analysis for commercial enterprises struggling with cloud and
FedRAMP compliance. His experience is formally supplemented by graduate-level
education in business and an undergraduate degree in systems security and computer
science from American Military University. Max enjoys cloud engineering and helping
compliance professionals adapt to modern agile compliance principles. When he is
not working, Max enjoys spending time with his wife Farah and three kids in Ohio.
Max Aulakh, MBA, CISSP, PMP, ITIL-F
Ignyte Assurance Platform
Cyber & Technology Industry Credentials
• CISSP
• PMP
• Linux+
• Certified Scrum Master
• Digital Defensive Programming
• OWASP
• Threat Modeling
• Security+
• Network+
• ITIL-F
Federal & Corporate agency cybersecurity experience
• USAF
• Army
• Navy
• CIA
• NSA
• NASIC
• DOS
• NRO
• NGA
• Dell
• IBM
• UFCU
Today, we’ll talk about…
• What has changed?
• What should small businesses be aware of?
• How does this change impact your business?
• And what parts of your CMMC 1.0 work can be reused to maintain and update the status of your compliance efforts?
Agenda
• Health of the Defense Industrial Base (DIB)
• CMMC 2.0
o FCI vs CUI
o Practice vs Maturity Levels
o L1/L2 Scoping
o L1/L2 Assessments
• Audit Preparation
• Q&A
• Important Links
• Contact Information
Health of the Defense Industrial Base (DIB)
• Significant issues as reported by the National Defense Industrial Association (NDIA)
• 5 of 8 categories received a "failing" performance grade
• Supply chain issues resulting from the pandemic
• Demand and budget have increased
• Industrial security remains the weakest area
• Increased strategic competition from China and Russia
• Surge readiness capabilities are declining
• Innovation remains stagnant, with a decline in R&D
• Impact of the pending National Defense Strategy
DIB Condition Overview by Year
NDIA is worried about the health of the defense industrial base.

Condition                              2019  2020  2021  Change 2020-2021
Demand                                   82    88    94   +6
Production Inputs                        66    66    67   +1
Innovation                               69    69    69    0
Supply Chain                             60    71    63   -8
Competition                              92    88    88    0
Industrial Security                      49    49    50   +1
Political & Regulatory                   78    76    72   -4
Productive Capacity & Surge Readiness    80    67    52  -15
Overall Health & Readiness               72    72    69   -4

Factor Score Key (change 2020-2021): -6 and worse | -1 to -5 | no change (0) | +1 to +5 | +6 and better
CMMC 2.0
Introducing CMMC 2.0
• Brief History
 FAR clause 52.204-21 (basic safeguarding of FCI) & DFARS clause 252.204-7012 (safeguarding CDI, NIST SP 800-171)
 DoD Inspector General report (2019) on contractor compliance with those clauses
 National Defense Authorization Act for FY2020
• Supersedes CMMC 1.0
• Collaborative Partnership between the DoD and the DIB
• Enhanced Security for Sensitive, Non-Classified Information
• Heavy Focus on Continuous Monitoring
FCI vs CUI
Federal Contract Information (FCI) is, in essence, "government contract
information, that is not intended for public release. It is provided or generated for the
Government, under a contract, to develop or deliver a product or service to the Government…"
• Source: 48 CFR § 52.204-21
Controlled Unclassified Information (CUI) is defined as "information that requires
safeguarding or dissemination controls, consistent with laws, regulations, and
government-wide policies, excluding information that is classified under EO 13526 –
Classified National Security Information…"
• Source: NIST SP 800-171 rev 2
• Refer to the DoD CUI Registry (19 AUG 2021) for the categories of CUI
Practice vs Maturity Level
• Practice = control objective (what must be in place)
 Based on NIST SP 800-171 (L2) and FAR 52.204-21 (L1)
• Maturity = effectiveness and institutionalization of the controls
 Based on CMMI
• CMMC 1.0 assessed both; CMMC 2.0 removed the separate maturity-process requirements, so L1 and L2 are assessed on practices only, with effectiveness judged through the NIST SP 800-171A assessment methods
CMMC 2.0 Tiered Levels & Assessments
L1 Scoping Guidance for FCI
• FCI assets = assets that process, store, or transmit FCI
 Assessed against all applicable CMMC L1 practices
• Additional considerations: everything that processes, stores, or transmits FCI
 People
 Technology
 Facilities
 External Service Providers (ESPs)
L2 Scoping Guidance for CUI
L2 assets are mapped into one of five categories:
 CUI Assets – part of the CMMC assessment
 Security Protection Assets – part of the CMMC assessment
 Contractor Risk Managed Assets – not part of the CMMC assessment*
 Specialized Assets – not part of the CMMC assessment*
 Out-of-Scope Assets – not part of the CMMC assessment; cannot process, store, or transmit CUI
 The same additional considerations as L1 (people, technology, facilities, ESPs) apply to L2 scoping
* Must still be included in the asset inventory and System Security Plan (SSP)
L2 Scoping Guidance – Scope Reduction & Use Cases
o Scope Reduction
 Logical separation (e.g., firewalls, VLANs, SDN) between CUI assets and the rest of the environment
 Physical separation (e.g., gates, locks, badge access, guards)
 Only assets that are separated and do not process, store, or transmit CUI fall out of scope; the separation itself must be documented and demonstrable
o Use Cases
 FCI and CUI within the same assessment scope
• Single scope (one boundary holding both FCI and CUI) vs dual scope (separate L1 and L2 boundaries)
• A single scope is certified at the highest level required by the data in it (e.g., L2 when any CUI is present)
• External Service Providers are part of the scope and must be covered (e.g., responsibility matrix, SLAs, contracts)
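The scoping rules above are easy to state and easy to get wrong in a real inventory. The following is an added example, written for this page rather than taken from the presentation or from Ignyte, that applies them to a constructed asset list: it splits assets into the five L2 categories, separates what is assessed from what is only documented, collects the ESPs that need a responsibility matrix, and flags the classic mistakes (an "out of scope" asset that still touches CUI, an out-of-scope asset sitting inside a zone that holds CUI, a documented-only asset missing from the SSP). Category names, zone names and the inventory are the author's assumptions.

```python
"""CMMC 2.0 Level 2 scoping check (added example, not from the deck)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# The five L2 asset categories from the Level 2 scoping guide (names assumed).
ASSESSED = {"CUI", "Security Protection"}                   # assessed against all L2 practices
DOCUMENT_ONLY = {"Contractor Risk Managed", "Specialized"}  # inventory + SSP only, not assessed
OUT_OF_SCOPE = {"Out-of-Scope"}                             # must not touch CUI at all
CATEGORIES = ASSESSED | DOCUMENT_ONLY | OUT_OF_SCOPE


@dataclass
class Asset:
    name: str
    category: str
    handles: FrozenSet[str] = frozenset()   # which of {"FCI", "CUI"} it processes/stores/transmits
    zone: str = "corp"                      # network or physical zone: VLAN, enclave, building
    esp: Optional[str] = None               # external service provider operating it, if any
    in_ssp: bool = False                    # listed in the asset inventory and SSP?


def scope(assets):
    """Return (assessed, document_only, esps, findings, level) for an inventory."""
    findings = []
    # Every zone that holds a CUI-handling asset is inside the CUI boundary; logical or
    # physical separation from these zones is what keeps other assets out of scope.
    cui_zones = {a.zone for a in assets if "CUI" in a.handles}
    assessed, document_only, esps = [], [], set()
    for a in assets:
        if a.category not in CATEGORIES:
            findings.append(f"{a.name}: unknown category '{a.category}'")
            continue
        if a.category in OUT_OF_SCOPE and "CUI" in a.handles:
            findings.append(f"{a.name}: handles CUI, so it cannot be out of scope")
        elif a.category in OUT_OF_SCOPE and a.zone in cui_zones:
            findings.append(f"{a.name}: marked out of scope but sits in CUI zone '{a.zone}' (no separation)")
        if a.category in DOCUMENT_ONLY and not a.in_ssp:
            findings.append(f"{a.name}: {a.category} asset missing from asset inventory/SSP")
        if a.category in ASSESSED:
            assessed.append(a.name)
            if a.esp:
                esps.add(a.esp)  # needs a responsibility matrix, SLA or contract in the package
        elif a.category in DOCUMENT_ONLY:
            document_only.append(a.name)
    data_types = set().union(*(a.handles for a in assets))
    # A single scope is certified at the highest level its data requires.
    level = "L2" if "CUI" in data_types else ("L1" if "FCI" in data_types else None)
    return sorted(assessed), sorted(document_only), sorted(esps), findings, level


# Constructed inventory for a small shop; not real systems.
INVENTORY = [
    Asset("fs01-file-server", "CUI", frozenset({"CUI", "FCI"}), zone="cui-enclave"),
    Asset("siem", "Security Protection", zone="cui-enclave", esp="Acme MSSP"),
    Asset("fw-edge", "Security Protection", zone="cui-enclave"),
    Asset("cnc-mill", "Specialized", frozenset({"CUI"}), zone="shop-floor", in_ssp=True),
    Asset("hr-laptop", "Contractor Risk Managed", frozenset({"FCI"}), zone="corp"),   # not in SSP
    Asset("www-marketing", "Out-of-Scope", zone="dmz"),
    Asset("legacy-nas", "Out-of-Scope", frozenset({"CUI"}), zone="corp"),             # misclassified
    Asset("print-server", "Out-of-Scope", zone="cui-enclave"),                        # inside the enclave
]

if __name__ == "__main__":
    assessed, document_only, esps, findings, level = scope(INVENTORY)
    print("level:", level)
    print("assessed:", assessed)
    print("document only:", document_only)
    print("ESPs needing a responsibility matrix:", esps)
    for f in findings:
        print("FINDING:", f)
```

The point of the zone check is that scope reduction is a property of the boundary, not of a label in a spreadsheet: an asset only leaves scope when it is actually separated from every zone that holds CUI and never handles CUI itself.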
Audit Preparation
Focus of L1 and L2 Self-Assessments
Level 1 – Protection of Federal Contract Information (FCI)
• Government contract information
• Not intended for public release
• Annual self-assessment, with an affirmation signed by a senior company official
Level 2 – Protection of Controlled Unclassified Information (CUI)
• Requires safeguarding
• Requires dissemination controls
• Excludes information that is classified (EO 13526)
• Annual self-assessment (where permitted), with an affirmation signed by a senior company official
Assessment Criteria and Methodology
Applicable to either an L1 or L2 self-assessment:
 Leverage the assessment procedures found in NIST SP 800-171A (section 2.1)
 Each procedure has an assessment objective plus potential assessment methods and assessment objects
 The assessment objective is a set of determination statements; the assessment objects they are applied to are:
* specifications, mechanisms, activities, and individuals
 Assessment methods define the nature and extent of your actions (three types):
* examining, interviewing, and testing
 Organizations can choose which assessment objects and methods to use for each practice, balancing level of effort (LOE) against cost effectiveness, as long as every determination statement is satisfied
Primary Outcome of an L1 or L2 Assessment
• Self-Assessment Report
 Contains the findings from the assessment
 Captures the result for each practice (control) assessed
• Finding Types
 Met – fully compliant
 Not Met – include a statement of why not
 Not Applicable – does not apply to any in-scope asset (state why)
* Maintain artifacts and evidence supporting the finding for every practice
• L2 is bifurcated: some programs allow an annual self-assessment, while prioritized acquisitions involving critical national security information require a triennial independent assessment by a CMMC Third-Party Assessment Organization (C3PAO)
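A self-assessment report is only defensible if every finding carries the rationale and evidence the slide calls for. The following added example, written for this page and not taken from the presentation or from Ignyte, checks a constructed set of findings against those rules: the status must be Met, Not Met or Not Applicable; anything other than Met needs a statement of why; every finding needs at least one piece of evidence gathered by examining, interviewing or testing against one of the four NIST SP 800-171A assessment objects; and the report must cover every practice expected at the level. Practice identifiers follow the CMMC "DOMAIN.Lx-3.y.z" style, the expected Level 1 list is the author's reading of the 17 practices derived from FAR 52.204-21 (verify against the Level 1 assessment guide), and the findings and artifacts are made up.

```python
"""CMMC self-assessment report check (added example, not from the deck)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List

STATUSES = {"Met", "Not Met", "Not Applicable"}
METHODS = {"examine", "interview", "test"}                          # NIST SP 800-171A methods
OBJECTS = {"specification", "mechanism", "activity", "individual"}  # NIST SP 800-171A objects


@dataclass
class Evidence:
    method: str             # examine | interview | test
    assessment_object: str  # specification | mechanism | activity | individual
    artifact: str           # what was examined, who was interviewed, what was tested


@dataclass
class Finding:
    practice: str
    status: str
    rationale: str = ""
    evidence: List[Evidence] = field(default_factory=list)


def validate(findings, expected_practices):
    """Return (status counts, problems, missing practices); empty problems and
    missing lists mean the report is complete enough to sign."""
    problems, seen = [], set()
    for f in findings:
        if f.practice in seen:
            problems.append(f"{f.practice}: duplicate entry")
        seen.add(f.practice)
        if f.status not in STATUSES:
            problems.append(f"{f.practice}: status '{f.status}' is not Met/Not Met/Not Applicable")
            continue
        if f.status != "Met" and not f.rationale.strip():
            problems.append(f"{f.practice}: '{f.status}' requires a statement of why")
        if not f.evidence:
            problems.append(f"{f.practice}: no artifact or evidence recorded")
        for e in f.evidence:
            if e.method not in METHODS:
                problems.append(f"{f.practice}: method '{e.method}' is not examine/interview/test")
            if e.assessment_object not in OBJECTS:
                problems.append(f"{f.practice}: object '{e.assessment_object}' is not a 800-171A object")
    summary = Counter(f.status for f in findings if f.status in STATUSES)
    missing = sorted(set(expected_practices) - seen)
    return summary, problems, missing


# Author's list of the 17 Level 1 practices (assumption; check the L1 assessment guide).
EXPECTED_L1 = [
    "AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22",
    "IA.L1-3.5.1", "IA.L1-3.5.2", "MP.L1-3.8.3",
    "PE.L1-3.10.1", "PE.L1-3.10.3", "PE.L1-3.10.4", "PE.L1-3.10.5",
    "SC.L1-3.13.1", "SC.L1-3.13.5",
    "SI.L1-3.14.1", "SI.L1-3.14.2", "SI.L1-3.14.4", "SI.L1-3.14.5",
]

# Constructed findings for a partial Level 1 report; none of this is real data.
FINDINGS = [
    Finding("AC.L1-3.1.1", "Met", evidence=[
        Evidence("examine", "mechanism", "AD group membership export, 2022-03-01"),
        Evidence("interview", "individual", "IT administrator on account provisioning"),
    ]),
    Finding("AC.L1-3.1.2", "Not Met", rationale="", evidence=[          # missing the why
        Evidence("test", "mechanism", "All staff can write to the contracts share"),
    ]),
    Finding("PE.L1-3.10.5", "Not Applicable",
            rationale="No on-premises facility; all in-scope FCI systems are cloud hosted",
            evidence=[Evidence("examine", "specification", "Lease termination and hosting contract")]),
    Finding("IA.L1-3.5.2", "Partially Met"),                              # not a valid finding type
]

if __name__ == "__main__":
    summary, problems, missing = validate(FINDINGS, EXPECTED_L1)
    print("summary:", dict(summary))
    for p in problems:
        print("PROBLEM:", p)
    print("practices not yet assessed:", missing)
```

"Partially Met" is the status that creeps into spreadsheets during a gap analysis; it is not a CMMC finding type, which is why the check rejects it outright rather than counting it as Met or Not Met.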
Audit Preparation
• Ignyte is going through the audit process
 One of the first in line to complete the accreditation
 Our expertise has been used to perform hundreds of pre-assessments
• What we've learned
 Establish a program rather than a technology-only approach
 Ensure separation of duties with MSPs/MSSPs
 Leverage institutional knowledge for the protection of FCI/CUI
 Ensure inclusion of FAR and DFARS requirements
 Executives must have a high-level understanding of FCI/CUI
Q&A Session
Important Resources
▪ Understanding NIST and CMMC Control Structure
▪ Cybersecurity Maturity Model Certification (CMMC)
▪ CMMC 2.0 v2 Control Mapping
▪ CMMC 2.0 Glossary of Terms
▪ Scoping Guidance L1 version 2.0 Final
▪ Scoping Guidance L2 version 2.0 Final
▪ Assessment Guidance L1 version 2.0 Final
▪ Assessment Guidance L2 version 2.0 Final
▪ FAR Clause 52.204-21
▪ DFARS Clause 252.204-7012
Contact us
www.ignyteplatform.com
info@ignyteplatform.com
1.833.IGNYTE1
714 E Monument Ave.
Dayton OH 45402
If you have comments or questions
about the new levels in CMMC 2.0,
please don’t hesitate to reach out.
Editor's Notes

  • #3 Case study approach, lessons learned, and inviting component language into the DoD way of thinking
  • #11 Covered Defense Information (CDI): a term used to identify information that requires protection under DFARS clause 252.204-7012. Unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies and is:
    • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; OR
    • Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.
    Source: DFARS clause 252.204-7012
  • #22 We at Ignyte have performed pre-assessments in preparation for CMMC for many customers. Here is what we guide our customers to do; we're going through the audit right now, and these are the things we are doing. Work with an organization that has been through this, is working toward C3PAO status, or is the one CRADA from DoD for the DIB for CMMC, the only company that has been able to do this! Data vs revenue: apply reasonableness to your decision-making process.