WEBINAR SERIES. Part 5 21 April 2021 10:30 AM EST
Hosted by CATALYST CONNECTION
Max Aulakh
Founder & CEO
CMMC Breakdown
Who’s driving this webinar?
Max Aulakh
Founder & CEO
About our Speaker
C-SUITE DEFENSE & ASSURANCE LEADER
SPECIAL GUEST
As a Data Security and Compliance Leader, he delivers DoD-tested security strategies and
compliance that safeguard mission-critical IT operations. Having trained and excelled in The
United States Air Force, he maintained and tested the InfoSec and ComSec functions of network
hardware, software, and IT infrastructure for global networks — both classified and unclassified.
He drove the Information Assurance (IA) programs for the U.S. Department of Defense (DoD).
Facilitated by
Connie Palucka
Vice President, Consulting at Catalyst Connection
Connie joined Catalyst Connection in 2005 and brings over 25 years
of global sales, business development, and product development
experience to her role as the Managing Director of Regional
Initiatives. She leads a team that secures and executes grants
initiatives to support manufacturers and build the region’s
vibrancy. She also works with regional academic institutions,
economic development organizations and regional manufacturers
to build new capabilities and help make Southwestern Pennsylvania
a model for the nation.
6-Part Webinar Series: CYBER RESILIENCY FOR DEFENSE CONTRACTORS
• Webinar 1: Laying the Foundation – The Need for Cybersecurity in U.S. Manufacturing
• Webinar 2: DFARS & CMMC Overview
• Webinar 3: Corporate Program Setup
• Webinar 4: Real Company Examples
• Webinar 5: CMMC Breakdown
• Session 6: Risk Mitigation
Today we’ll learn:
1. NIST Families & CMMC Capability Domains
2. The Auditor’s Perspective
3. Examples from manufacturers of what works - and what doesn't.
NIST FAMILIES & CMMC CAPABILITY DOMAINS
NIST SECURITY CONTROL IDENTIFIERS AND FAMILY NAMES
These are used within several NIST-based documents, such as:
- NIST 800-171
- NIST 800-53
- Many information security textbooks used in almost all information security education
- Items within each family are formally known as “requirements” in NIST 800-171 and as “controls” in NIST 800-53
CMMC Capability Domains
CMMC refers to a “NIST Family” as a “Capability Domain”, and to “Requirements” as “Practices”.
- The change in language has caused some confusion in the market.
- It also adds documentation translation work for small and large businesses (reusability of services is needed).
- Small changes in terminology and text can have significant consequences for businesses.
NIST 800-171 versus CMMC Level 3
Key Areas & Order
1. Requirements can be displayed in alphabetical order and numbered
   a. The order in which requirements are executed matters
   b. Prioritization comes from your customer and business needs (e.g. SPRS first)
2. Recommended Domain Prioritization
   1. Awareness & Training
   2. Risk Management
   3. Security Assessment
   4. Physical Security
   5. Asset Management
   6. Incident Response
   7. Others based on business maturity, speed and timing, and alignment with your normal technology lifecycle (purchasing)
Awareness & Training
AT.2.056 Security Risk Awareness
Ensure that managers, system administrators, and users of organizational systems are made aware of the
security risks associated with their activities and of the applicable policies, standards, and procedures related
to the security of those systems.
AT.3.058 Insider Threat Awareness Training
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
AT.2.057 Personnel Security Duties Training
Ensure that personnel are trained to carry out their assigned information security-related duties and
responsibilities.
Risk Management
RM.2.141 Assess Risk of CUI Transmission
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation),
organizational assets, and individuals, resulting from the operation of organizational systems and the
associated processing, storage, or transmission of CUI.
RM.2.142 System Vulnerability Scans
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities
affecting those systems and applications are identified.
RM.2.143 Vulnerability Remediation
Remediate vulnerabilities in accordance with risk assessments.
Security Assessment
CA.2.157 System Security Plan (SSP) Maintenance
Develop, document, and periodically update system security plans that describe system boundaries, system
environments of operation, how security requirements are implemented, and the relationships with or connections
to other systems.
CA.2.159 Vulnerability Mitigation Plan
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in
organizational systems.
CA.3.161 Monitor Security Controls
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
CA.3.162 Enterprise Software Security Assessment
Employ a security assessment of enterprise software that has been developed internally, for internal use, and that
has been organizationally defined as an area of risk.
AUDITOR’s PERSPECTIVE
Audit Staff
• Audit firms are expected to have many years of audit experience
• Becoming an audit firm (C3PAO) requires multiple corporate assessments such as:
▪ ISO 17020 - Inspection Body Quality Certification
▪ Foreign Control Ownership Checks by DoD
▪ Corporate audit conducted directly by Defense Contractor Manufacturing Agency (DCMA)
• Pass/Fail or Go/No-Go Audit - Auditor’s system must have zero findings
▪ Auditor firms are expected to lead the industry and hold up to much higher scrutiny
• Audits will be conducted by highly trained, neutral assessors
• Becoming an auditor:
▪ Must have prior experience, knowledge and skills that are far outside of traditional MEP network
▪ Multiple certifications: CISSP, CISA, PMP, etc
▪ Many years of prior education: Computer Science, MBA, Accountants, Legal
▪ A proven track record
AUDITOR’s RULES
• Auditor Code of Ethics
• Impartiality & knowledgeable
▪ Inspector witness plan
▪ Quality control on how the audit is conducted and by whom
▪ Not-Consultants
▪ Must stick to the audit plan and/or audit standard
▪ Going outside of scope of an audit can be detrimental to the audit firm
You can push back!
Auditor’s Playbook | Audit Preparation & Development
● Official test cases for CMMC were recently released to the industry
○ NIST-171A is the formal requirements document for testing
○ Provisional auditors have been trained on NIST-171A
● Level 3 Test Cases were released. Levels 2, 4 & 5 are still work in progress.
○ https://www.acq.osd.mil/cmmc/docs/CMMC_AG_Lvl3_20201208_editable.pdf
TEST PLANNING
Each CMMC & NIST-171 requirement and/or practice has the following assessment procedures:
● 1 or more assessment objectives
● 1 or more assessment methods & objects
○ Examination
○ Interview
○ Technical Testing
● An auditable response is required per assessment objective
● The SSP functions at a requirement/practice level
How to Manage Audit & Internal Compliance Content
• NIST 800-171, 800-171A, CMMC and supplementary content
− Over 500 pages of documentation
− 5 to 6 individual workbooks and/or separate spreadsheets
− Audit Management Planning & Automation is important
− Audit shops that leverage automation are going to be the most cost effective in their work
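The two slides above describe the shape of the audit content: each practice has one or more assessment objectives, each objective is checked by one or more methods (examine, interview, test), and every objective needs an auditable response. The following script is an added example (not from the webinar or from Ignyte/Catalyst Connection) that models that structure for an internal readiness check. It reads a small assessment workbook in CSV form, validates the method column against the three NIST SP 800-171A methods, and rolls the results up to practice level under the pass/fail rule the deck describes: one objective without evidence is a finding, and a finding means the practice is not met. The practice IDs are those listed on the slides; the objective suffixes `[a]`/`[b]`, the evidence strings and the CSV layout are constructed placeholders, not real assessment data or any official template.

```python
import csv
import io
from collections import defaultdict

# The three assessment methods named on the slides (the NIST SP 800-171A method set).
METHODS = ("Examine", "Interview", "Test")

# Constructed sample workbook, not real assessment data. The practice IDs are the ones
# listed on the slides; the objective suffixes [a]/[b] and every evidence string are
# placeholders. One row per (objective, method) the internal assessor checked.
SAMPLE_WORKBOOK = """\
practice,objective,method,evidence
RM.2.142,RM.2.142[a],Examine,Vulnerability scanning procedure v2.1 and scan schedule
RM.2.142,RM.2.142[a],Test,Scan report 2021-04-12 covering every in-scope subnet
RM.2.142,RM.2.142[b],Interview,Sysadmin described re-scans after new vulnerability advisories
RM.2.143,RM.2.143[a],Examine,Remediation deadlines tied to risk ratings in the risk register
RM.2.143,RM.2.143[b],Test,
CA.2.159,CA.2.159[a],Examine,POA&M spreadsheet with owners and due dates
CA.2.159,CA.2.159[a],Interview,ISSO walked through the monthly POA&M review
"""


def load_workbook(text):
    """Parse the CSV workbook into rows, rejecting any method outside the 800-171A set."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        method = row["method"].strip()
        if method not in METHODS:
            raise ValueError(f"line {line_no}: unknown assessment method {method!r}")
        rows.append({
            "practice": row["practice"].strip(),
            "objective": row["objective"].strip(),
            "method": method,
            "evidence": (row["evidence"] or "").strip(),
        })
    return rows


def assess(rows):
    """Roll the rows up to practice level.

    Every objective needs at least one auditable response (a row with evidence).
    Mirroring the pass/fail rule on the slides, one unsupported objective is a
    finding, and a finding makes the whole practice NOT MET.
    Returns {practice: {"status": ..., "gaps": [objectives], "methods": {objective: [...]}}}.
    """
    by_practice = defaultdict(lambda: defaultdict(set))
    for r in rows:
        # Touching the inner dict registers the objective even when it has no evidence yet.
        methods_with_evidence = by_practice[r["practice"]][r["objective"]]
        if r["evidence"]:
            methods_with_evidence.add(r["method"])
    result = {}
    for practice, objectives in by_practice.items():
        gaps = sorted(obj for obj, methods in objectives.items() if not methods)
        result[practice] = {
            "status": "NOT MET" if gaps else "MET",
            "gaps": gaps,
            "methods": {obj: sorted(m) for obj, m in objectives.items()},
        }
    return result


def summary(results):
    """Return (met, not_met) practice counts: the headline number for leadership."""
    met = sum(1 for r in results.values() if r["status"] == "MET")
    return met, len(results) - met


def report_lines(results):
    """Human-readable readiness report, one line per practice plus its open gaps."""
    lines = []
    for practice in sorted(results):
        r = results[practice]
        lines.append(f"{practice}: {r['status']}")
        for obj in r["gaps"]:
            lines.append(f"  finding: no auditable response for objective {obj}")
    return lines


if __name__ == "__main__":
    results = assess(load_workbook(SAMPLE_WORKBOOK))
    print("\n".join(report_lines(results)))
    met, not_met = summary(results)
    print(f"{met} practice(s) met, {not_met} not met")
```

Run as a script it prints one line per practice and a finding line for each objective without evidence. The roll-up is deliberately strict: a method column without evidence is not counted, so an interview that was scheduled but never documented leaves its objective open, which is exactly the gap an assessor would record. Replacing `SAMPLE_WORKBOOK` with the contents of a real assessment spreadsheet, exported as CSV with the same four columns, is the only change needed to use it on an actual readiness review.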
SAMPLE INTERNAL AUDIT READINESS
Step 1: A formalized plan is required prior to conducting the audit. This plan will document all of the
requirements we plan on testing. This document is sometimes referred to as a Security Assessment
Plan (SAP). This document will be provided in the next 2 weeks to your leadership for approval by
SRC Committee.
Step 2: The assessment is conducted formally.
Step 3: The output of the assessment is the results, sometimes known as the Security Assessment Results (SAR).
Industry is still waiting for SAP and SAR templates and guidance for auditors.
MANUFACTURER POINT OF VIEW & LESSONS LEARNED
CMMC Benefits
• CMMC provides a benchmark that level sets the playing field
• CMMC could benefit smaller businesses more in an acquisition culture that has tended to
favor the Lowest Price Technically Acceptable (LPTA) model (FAR 15.101-2).
• A company that implements fewer security controls incurs less overhead cost & will likely have lower rates than another company that implements a greater number of and more advanced controls, even though both are technically acceptable under 800-171 self-attestation. CMMC eliminates the trade-off between security and cost, schedule, or performance in proposal evaluations.
~ Katie Arrington, CISO for OUSD A&S
New competitors will be created and smaller more nimble companies will emerge.
Operational Technology | Machines
The US federal government has the most diverse set of suppliers in the world, ranging from social services to weapons builders.
• Phase 1 of CMMC (next few years)
○ No Operational Technology is in scope
○ Segregate your machine environment from normal
computing operations
• DoD refers to machines & devices as “Platform IT” or “PIT”
Systems:
○ Medical devices
○ Connected weapon systems
○ Robotics
• Industry refers to these items as:
○ Industry 4.0
○ SCADA - Supervisory control and data acquisition
Expect a separate type of security guidance from the US government, such as guidance on critical components and on the acquisition of certain types of equipment from manufacturers classified as trusted.
Separation of Duties & Flow Down Management
Small businesses rely on outsourced IT companies:
• IT firms will need to become CMMC certified, as they ultimately manage 60-70% of the technology for the Defense Industrial Base today. Auditors will inspect control ownership and control responsibilities.
• IT firms offering CMMC services should have prior corporate
certification such as ISO 27001 and/or similar corporate level
certification.
• Seek out cyber insurance coverage and also good contract
language that provides you with basic contractual
requirements.
• Separation of duties for small businesses will be a challenge.
SUMMARY
1. NIST Families & CMMC Capability Domains
2. The Auditor’s Perspective
3. Examples from manufacturers of what works - and what doesn't.
Next Week
Session 6: Risk Mitigation
Basics of Risk Mitigations Development
Open Topics & Questions
Questions?
Thank you!
Point of Contact
Connie Palucka
Vice President, Consulting
Max Aulakh, MBA, CISSP, PMP
Founder & CEO
Point of Contact
info@ignyteplatform.com cpalucka@catalystconnection.org
