Securing the DoD Supply Chain
Cybersecurity Maturity Model Certification
Ms. Katie Arrington
Chief Information Security Officer for Acquisition
UNCLASSIFIED

CMMC Model Structure
17 Capability Domains (v1.0)
Capabilities are assessed for Practice and Process Maturity
DISTRIBUTION A. Approved for public release

CMMC Practice Progression

LEVEL 1: BASIC CYBER HYGIENE (17 PRACTICES)
• Demonstrate compliance with Federal Acquisition Regulation (FAR) 48 CFR 52.204-21

LEVEL 2: INTERMEDIATE CYBER HYGIENE (72 PRACTICES)
• Comply with the FAR
• Encompasses a select subset of 48 practices from the NIST SP 800-171
• Perform an additional 7 practices to support intermediate cyber hygiene

LEVEL 3: GOOD CYBER HYGIENE (130 PRACTICES)
• Comply with the FAR
• Encompasses all practices from the NIST SP 800-171
• Perform an additional 20 practices to support good cyber hygiene

LEVEL 4: PROACTIVE (156 PRACTICES)
• Comply with the FAR
• Encompasses all practices from NIST SP 800-171 plus 20 additional practices
• Includes a select subset of 11 practices from Draft NIST SP 800-171B
• Perform an additional 15 practices to demonstrate a proactive cybersecurity program

LEVEL 5: ADVANCED / PROGRESSIVE (171 PRACTICES)
• Comply with the FAR
• Encompasses all practices from the NIST SP 800-171 plus 20 additional practices
• Includes a select subset of 15 practices from Draft NIST SP 800-171B
• Includes an additional 26 practices to demonstrate an advanced cybersecurity program

Further reduces risk of advanced threats

CMMC Maturity Process Progression

LEVEL 1: PERFORMED (0 PROCESSES)
• Select practices are documented where required

LEVEL 2: DOCUMENTED (2 PROCESSES)
• Each practice is documented, including Level 1 practices
• A policy exists that includes all activities

LEVEL 3: MANAGED (3 PROCESSES)
• Each practice is documented
• A policy exists that includes all activities
• Adherence is verified through Examine or Test
• A plan exists, is maintained, and resourced that includes all activities (includes mission, goals, project plan, resourcing, training needed, and involvement of relevant stakeholders)

LEVEL 4: REVIEWED (4 PROCESSES)
• Each practice is documented
• A policy exists that includes all activities
• Adherence is verified through Examine or Test
• A plan exists that includes all activities
• Activities are reviewed and measured for effectiveness (results of the review are shared with higher level management and for issue resolution)

LEVEL 5: OPTIMIZING (5 PROCESSES)
• Each practice is documented
• A policy exists that includes all activities
• Adherence is verified through Examine or Test
• A plan exists that includes all activities
• Activities are reviewed and measured for effectiveness
• There is a standardized, documented approach across all applicable organizational units

CMMC Model Evolution
v0.4 to v0.5 to v0.6 to v0.7 to v1.0

Version   Practices   Capabilities   Processes
v0.4      380         85             9
v0.5      316         59             9
v0.6      219         44             9
v0.7      173         43             9
v1.0      171         43             5

Practices by Level
Version   Level 1   Level 2   Level 3   Level 4   Level 5
v0.4      35        115       92        96        42
v0.5      33        78        83        85        37
v0.6      17        58        56        62        26
v0.7      17        55        59        26        16
v1.0      17        55        58        26        15

Practices by Domain
Domain   V0.4   V0.5   V0.6   V0.7   V1.0
AC       40     39     34     26     26
AM       19     17     5      3      2
AA       26     20     15     14     14
AT       16     16     5      5      5
CM       21     18     15     11     11
CG       21     7      0      0      0
IDA      17     16     16     11     11
IR       41     30     18     14     13
MA       9      9      7      6      6
MP       13     10     9      8      8
PS       5      3      4      2      2
PP       17     12     6      6      6
RE       8      8      4      4      4
RM       36     27     15     12     12
SAS      16     16     11     8      8
SA       17     16     5      3      3
SCP      45     40     35     27     27
SII      13     12     15     13     13

CMMC Model v1.0: Source Counts
• CMMC Model leverages multiple sources and references
– CMMC Level 1 only includes the basic safeguarding requirements from FAR Clause 52.204-21
– CMMC Levels 4 and 5 include 15 enhanced security requirements from Draft NIST SP 800-171B

CMMC Model v1.0: Number of Practices per Source
              Total Number Practices       Source
CMMC Level    Introduced per CMMC Level    48 CFR 52.204-21   NIST SP 800-171   Draft NIST SP 800-171B   Other
Level 1       17                           15 *               17                -                        -
Level 2       55                           -                  48                -                        7
Level 3       58                           -                  45                -                        13
Level 4       26                           -                  -                 11                       15
Level 5       15                           -                  -                 4                        11
Total         171                          -                  110               15                       46
* Note: QTY 15 safeguarding requirements from FAR clause 52.204-21 correspond to QTY 17 security requirements from NIST SP 800-171, and in turn, QTY 17 practices in CMMC

Draft CMMC Schedule
Updated on 20 Jul 2020
Timeline: Q3FY20 (Apr, May, Jun), Q4FY20 (Jul, Aug, Sep), Q1FY21 (Oct, Nov, Dec), Q2FY21 (Jan, Feb, Mar)

CMMC Pathfinders (PF)
• Existing Contracts
• Acquisition Table Top Exercises (TTXs)
• Mock Training
• Mock Assessments (Non-Punitive, Non-Attribution)
• CMMC Accreditation Body (AB) Processes

CMMC Pilots
• New Contracts
• CMMC Requirement Flow Down
• CUI Tracking
• Mock Assessments (Non-Punitive, Non-Attribution)
• CMMC eMASS MVP version
• CMMC-AB Processes

CMMC Phased Rollout
• CMMC-AB Accreditation of CMMC Third Party Assessment Organizations (C3PAOs)
• CMMC Assessments

Milestones plotted on the timeline:
• PF1 Kickoff
• PF1 Mock Assessments (Level 1, 3)
• PF1 Senior Leader Outbrief
• PF1 Virtual TTXs
• PF2 Kickoff
• PF2 Mock Assessments
• PF2 Outbrief
• Initial RFIs with CMMC L3 & L1 Requirement
• L1 - L3 Provisional Assessments
• L1 - L3 Baseline Assessments
• Select Pilot Contracts
• Services & Agencies Nominate Pilot Contracts
• CMMC-AB Provisional Training of Candidate Assessors
• CMMC-AB Registration for Candidate C3PAOs
• CMMC-AB Training of Mock C3PAO
• RFIs for Pilot Contracts
• RFPs for Pilot Contracts
• Contract Award for Pilot Contracts
• PF2 CUI TTX

Projected CMMC Roll-Out

Total Number of Prime Contractors and Sub-Contractors with CMMC Requirement
          FY21    FY22    FY23     FY24     FY25
Level 1   895     4,490   14,981   28,714   28,709
Level 2   149     748     2,497    4,786    4,785
Level 3   448     2,245   7,490    14,357   14,355
Level 4   4       8       16       24       28
Level 5   4       8       16       24       28
Total     1,500   7,500   25,000   47,905   47,905

Total Number of Contracts with CMMC Requirement
FY21   FY22   FY23   FY24   FY25
15     75     250    479    479

• OUSD(A&S) will work with Services and Agencies to identify candidate programs that will have the CMMC requirement during FY21-FY25 phased roll-out
• All new DoD contracts will contain the CMMC requirement starting in FY26

DFARS
• Background:
– DoD released draft versions (v0.4, v0.6, v0.7) of the CMMC Model to the public in CY2019 to obtain comments and feedback prior to releasing v1.0 in January 2020
– Before a proposed rule is published in the Federal Register for public comment *
– The Office of Information and Regulatory Affairs (OIRA) analyzes draft proposed rules when they are “significant” due to economic effects or because they raise important policy issues *
• DoD is seeking clearance from OMB/OIRA to publish and seek public comment on a proposed DFARS rule that implements CMMC in a phased rollout
* Source: “A Guide to the Rulemaking Process.” federalregister.gov

https://www.acq.osd.mil/cmmc/index.html

Backups

CMMC Implementation Flow
[Flow diagram; parties shown: CMMC Gov’t, Gov’t PM, Accreditation Body, Certifier, Company]

CMMC Accreditation Body Activities

Accreditation Body (AB) Manager
• Coordinate w/ CMMC PMO and CMMC Advisory Council
• Dispute resolution
• Capture metrics
• Integrate and coordinate functional areas

Training
• Train Individuals
• Train Organizations
• Train Instructors

Accreditation
• Grant C3PAO accreditations
• Audit C3PAO
• Process Complaints

Credentialing
• Grant Individual credentials
• Certifiers
• Accredited Certifiers

Infrastructure (Support Systems)
• Knowledge Store
• Market Place
• Artifact Store
• Records Mgmt.

Assessment Operations
• Technical Appeals
• Quality Control
• Manage Assessment Tool
• Publish CMMC Certificates

CMMC Database
Populated and accessible by DoD systems

Cmmc overview arrington_20200903
