Cmmc overview arrington_20200903
1. Securing the DoD Supply Chain
Cybersecurity Maturity Model Certification
Ms. Katie Arrington
Chief Information Security Officer for Acquisition
UNCLASSIFIED
2. CMMC Model Structure
17 Capability Domains (v1.0). Capabilities are assessed for Practice and Process Maturity.
DISTRIBUTION A. Approved for public release
3. CMMC Practice Progression

Level 1: Basic Cyber Hygiene (17 practices)
• Demonstrate compliance with Federal Acquisition Regulation (FAR) 48 CFR 52.204-21

Level 2: Intermediate Cyber Hygiene (72 practices)
• Comply with the FAR
• Encompasses a select subset of 48 practices from the NIST SP 800-171
• Perform an additional 7 practices to support intermediate cyber hygiene

Level 3: Good Cyber Hygiene (130 practices)
• Comply with the FAR
• Encompasses all practices from the NIST SP 800-171
• Perform an additional 20 practices to support good cyber hygiene

Level 4: Proactive (156 practices)
• Comply with the FAR
• Encompasses all practices from NIST SP 800-171 plus 20 additional practices
• Includes a select subset of 11 practices from Draft NIST SP 800-171B
• Perform an additional 15 practices to demonstrate a proactive cybersecurity program

Level 5: Advanced / Progressive (171 practices)
• Comply with the FAR
• Encompasses all practices from the NIST SP 800-171 plus 20 additional practices
• Includes a select subset of 15 practices from Draft NIST SP 800-171B
• Includes an additional 26 practices to demonstrate an advanced cybersecurity program

Further reduces risk of advanced threats
4. CMMC Maturity Process Progression

Level 1: Performed (0 processes)
• Select practices are documented where required

Level 2: Documented (2 processes)
• Each practice is documented, including Level 1 practices
• A policy exists that includes all activities

Level 3: Managed (3 processes)
• Each practice is documented
• A policy exists that includes all activities
• Adherence is verified through Examine or Test
• A plan exists, is maintained, and resourced that includes all activities (includes mission, goals, project plan, resourcing, training needed, and involvement of relevant stakeholders)

Level 4: Reviewed (4 processes)
• Each practice is documented
• A policy exists that includes all activities
• Adherence is verified through Examine or Test
• A plan exists that includes all activities
• Activities are reviewed and measured for effectiveness (results of the review are shared with higher level management and used for issue resolution)

Level 5: Optimizing (5 processes)
• Each practice is documented
• A policy exists that includes all activities
• Adherence is verified through Examine or Test
• A plan exists that includes all activities
• Activities are reviewed and measured for effectiveness
• There is a standardized, documented approach across all applicable organizational units
5. CMMC Model Evolution: v0.4 to v0.5 to v0.6 to v0.7 to v1.0

Practices / Capabilities / Processes by version
Version   Practices   Capabilities   Processes
v0.4         380           85             9
v0.5         316           59             9
v0.6         219           44             9
v0.7         173           43             9
v1.0         171           43             5

Practices by Level
Version   Level 1   Level 2   Level 3   Level 4   Level 5
v0.4         35       115        92        96        42
v0.5         33        78        83        85        37
v0.6         17        58        56        62        26
v0.7         17        55        59        26        16
v1.0         17        55        58        26        15

Practices by Domain
Domain   v0.4   v0.5   v0.6   v0.7   v1.0
AC         40     39     34     26     26
AM         19     17      5      3      2
AA         26     20     15     14     14
AT         16     16      5      5      5
CM         21     18     15     11     11
CG         21      7      0      0      0
IDA        17     16     16     11     11
IR         41     30     18     14     13
MA          9      9      7      6      6
MP         13     10      9      8      8
PS          5      3      4      2      2
PP         17     12      6      6      6
RE          8      8      4      4      4
RM         36     27     15     12     12
SAS        16     16     11      8      8
SA         17     16      5      3      3
SCP        45     40     35     27     27
SII        13     12     15     13     13
6. CMMC Model v1.0: Source Counts
• CMMC Model leverages multiple sources and references
– CMMC Level 1 only includes the basic safeguarding requirements from FAR Clause 52.204-21
– CMMC Levels 4 and 5 include 15 enhanced security requirements from Draft NIST SP 800-171B

CMMC Model v1.0: Number of Practices per Source
(Total number of practices introduced per CMMC level, by source: 48 CFR 52.204-21 / NIST SP 800-171 / Draft NIST SP 800-171B / Other)
Level 1: 17 practices (48 CFR 52.204-21: 15 *; NIST SP 800-171: 17; Draft NIST SP 800-171B: -; Other: -)
Level 2: 55 practices (48 CFR 52.204-21: -; NIST SP 800-171: 48; Draft NIST SP 800-171B: -; Other: 7)
Level 3: 58 practices (48 CFR 52.204-21: -; NIST SP 800-171: 45; Draft NIST SP 800-171B: -; Other: 13)
Level 4: 26 practices (48 CFR 52.204-21: -; NIST SP 800-171: -; Draft NIST SP 800-171B: 11; Other: 15)
Level 5: 15 practices (48 CFR 52.204-21: -; NIST SP 800-171: -; Draft NIST SP 800-171B: 4; Other: 11)
Total: 171 practices (48 CFR 52.204-21: -; NIST SP 800-171: 110; Draft NIST SP 800-171B: 15; Other: 46)
* Note: QTY 15 safeguarding requirements from FAR clause 52.204-21 correspond to QTY 17 security requirements from NIST SP 800-171, and in turn, QTY 17 practices in CMMC
7. Draft CMMC Schedule (updated on 20 Jul 2020)
Timeline: Q3FY20 (Apr, May, Jun), Q4FY20 (Jul, Aug, Sep), Q1FY21 (Oct, Nov, Dec), Q2FY21 (Jan, Feb, Mar)

CMMC Pathfinders (PF)
• Existing Contracts
• Acquisition Table Top Exercises (TTXs)
• Mock Training
• Mock Assessments (Non-Punitive, Non-Attribution)
• CMMC Accreditation Body (AB) Processes

CMMC Pilots
• New Contracts
• CMMC Requirement Flow Down
• CUI Tracking
• Mock Assessments (Non-Punitive, Non-Attribution)
• CMMC eMASS MVP version
• CMMC-AB Processes

CMMC Phased Rollout
• CMMC-AB Accreditation of CMMC Third Party Assessment Organizations (C3PAOs)
• CMMC Assessments

Schedule milestones (chart labels):
• PF1 Kickoff
• PF1 Mock Assessments (Level 1, 3)
• PF1 Senior Leader Outbrief
• PF1 Virtual TTXs
• PF2 Kickoff
• PF2 Mock Assessments
• PF2 Outbrief
• PF2 CUI TTX
• Initial RFIs with CMMC L3 & L1 Requirement
• L1 - L3 Provisional Assessments
• L1 - L3 Baseline Assessments
• Select Pilot Contracts
• Services & Agencies Nominate Pilot Contracts
• CMMC-AB Provisional Training of Candidate Assessors
• CMMC-AB Registration for Candidate C3PAOs
• CMMC-AB Training of Mock C3PAO
• RFIs for Pilot Contracts
• RFPs for Pilot Contracts
• Contract Award for Pilot Contracts
8. Projected CMMC Roll-Out

Total Number of Prime Contractors and Sub-Contractors with CMMC Requirement
Level      FY21     FY22     FY23     FY24     FY25
Level 1     895    4,490   14,981   28,714   28,709
Level 2     149      748    2,497    4,786    4,785
Level 3     448    2,245    7,490   14,357   14,355
Level 4       4        8       16       24       28
Level 5       4        8       16       24       28
Total     1,500    7,500   25,000   47,905   47,905

Total Number of Contracts with CMMC Requirement
FY21   FY22   FY23   FY24   FY25
  15     75    250    479    479

• OUSD(A&S) will work with Services and Agencies to identify candidate programs that will have the CMMC requirement during the FY21-FY25 phased roll-out
• All new DoD contracts will contain the CMMC requirement starting in FY26
9. DFARS
• Background:
– DoD released draft versions (v0.4, v0.6, v0.7) of the CMMC Model to the public in CY2019 to obtain comments and feedback prior to releasing v1.0 in January 2020
– Before a proposed rule is published in the Federal Register for public comment *
– The Office of Information and Regulatory Affairs (OIRA) analyzes draft proposed rules when they are “significant” due to economic effects or because they raise important policy issues *
• DoD is seeking clearance from OMB/OIRA to publish and seek public comment on a proposed DFARS rule that implements CMMC in a phased rollout
* Source: “A Guide to the Rulemaking Process.” federalregister.gov
12. CMMC Implementation Flow
Flow chart. Swimlanes: CMMC Gov't, Gov't PM, Requiring Activity, Certifier, Company, Accreditation Body, Sr. Advisory Council, Database.
Steps shown on the chart: Develop Model; CMMC Concept; CMMC REQT; Est. PMO Office; Develop Accreditation Body REQT.; Est. MOU Accrd. Body; Accrd. Body IOC; Create Database; Market Place; CMMC Certificate Database; RFI “Level x” & Date; ACQ Review; RFP Award; Self-Evaluate; Find Certifier; Select Certifier; Conduct Certification; Grant Certification; Document Cert; Certificate Update; Internet Accessible Lookup; Verify CMMC Level; Source Selection (Go/No-Go); BID; Begin work; Advance to Level (Options: 1. Internal, 2. SVC Provider, 3. Partner).
13. CMMC Accreditation Body Activities

Accreditation Body (AB) Manager
• Coordinate w/ CMMC PMO and CMMC Advisory Council
• Dispute resolution
• Capture metrics
• Integrate and coordinate functional areas

Training
• Train Individuals
• Train Organizations
• Train Instructors

Accreditation
• Grant C3PAO accreditations
• Audit C3PAO
• Process Complaints

Credentialing
• Grant Individual credentials
– Certifiers
– Accredited Certifiers

Infrastructure (Support Systems)
• Knowledge Store
• Market Place
• Artifact Store
• Records Mgmt.

Assessment Operations
• Technical Appeals
• Quality Control
• Manage Assessment Tool
• Publish CMMC Certificates

CMMC Database
• Populated and accessible by DoD systems