Webinar: CMMC Basics

Presented by:
Erik Winkler, Partner, Federal, ControlCase
Shamala Boyd, Chief Risk Officer, ControlCase

Presenters:
ERIK WINKLER, Partner, Federal, ControlCase
SHAMALA BOYD, Chief Risk Officer, ControlCase

© ControlCase. All Rights Reserved.
Agenda
01 ControlCase Intro
02 DFARS, NIST 800-171, SPRS, CMMC Overview
03 What is DFARS?
04 What is NIST 800-171?
05 What is an SPRS Score?
06 What is CMMC?
07 Status of CMMC 2.0 Rule
08 CMMC Next Steps
ControlCase Introduction
ControlCase Overview

Best-in-Class Compliance Platform
• ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements.
• Proprietary software, including appliance and SaaS solutions, that enables CaaS (GRC and Data Discovery).
• Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform.
• One Audit(TM) enables our clientele to Assess Once, Comply to Many.
• Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains.
• Serving over 1,000 customers.
• Global footprint with offices in the U.S., LATAM, UK, India, and Canada.
• Leverages an offshore delivery infrastructure for competitive advantage.
• IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom.

Global Vision & Solutions Enhancement
Provider of Compliance as a Service (CaaS) subscription-based offering bundling proprietary GRC software and managed services.
• Founded in 2004
• Headquartered in Fairfax, VA
• Offices in U.S., Canada, LATAM, UK, India
• 300+ employees
ControlCase Snapshot

CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified:
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Free up your internal resources to focus on other priorities
• Offload much of the compliance burden to a trusted compliance partner
• Improve efficiencies by doing more with fewer resources and gain compliance peace of mind

1,000+ CLIENTS | 10,000+ IT SECURITY CERTIFICATIONS | 300+ SECURITY EXPERTS
ControlCase Snapshot – Solution

Certification and Continuous Compliance Services:
Compliance HUB + Partnership Approach = IT Certification Services & Continuous Compliance Services

Certification Services: One Audit. Assess Once. Comply to Many.
PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HIPAA, MARS-E, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI SSF/SLC, CSA STAR, HITRUST CSF
DFARS, NIST 800-171, SPRS, CMMC Overview

• DFARS are the overall regulations.
• NIST 800-171 is the control framework that DFARS relies on.
• The SPRS score is the methodology for scoring NIST 800-171.
• CMMC is the framework that brings this all together.
What is DFARS?

Defense Federal Acquisition Regulation Supplement (DFARS)
The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR.

DFARS was established in December of 2015 to protect the confidentiality of Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB).

In order to be awarded new DoD contracts, a contractor or supplier must be in compliance with this set of cybersecurity regulations, also known as the Defense Federal Acquisition Regulation Supplement or DFARS.
What is NIST 800-171?

NIST SP 800-171
NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.

Specifically, NIST 800-171 dictates how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI).

The NIST 800-171 Basic Assessment is a low-confidence self-assessment conducted following the NIST 800-171 DoD Assessment Methodology.

As of November 30, 2020, all DoD contractors must conduct a NIST 800-171 Basic Assessment and submit their score to the Supplier Performance Risk System (SPRS).
NIST 800-171 Control Domains
110 security requirements broken down into 14 control domains taken from FIPS 200 and NIST 800-53:
• Access Control
• Audit & Accountability
• Awareness & Training
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical Protection
• Personnel Security
• Risk Assessment
• Security Assessment
• System & Communications Protection
• Systems & Information Integrity
What is an SPRS Score?

SPRS Score
The Supplier Performance Risk System (SPRS) is a Department of Defense (DoD) application that gathers, processes, and displays data about suppliers’ performance.

SPRS is a “self-certification” score which is the result of a NIST SP 800-171 DoD Assessment and provides contracting officials a score for the overall assessment of the supplier performance and supplier risk.

Once you’ve generated your score, the new DFARS rules require your organization to maintain your current score in the SPRS, meaning the Basic DoD self-assessment can be no more than three years old.
What is CMMC?

Cybersecurity Maturity Model Certification (CMMC)
CMMC is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).

CMMC 1.0 was released by the US Department of Defense (DoD) and became effective in November 2020. CMMC 2.0 was released in November 2021.

CMMC ensures that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
Who Does CMMC Apply To?

• Defense Industrial Base (DIB) contractors whose unclassified networks process Federal Contract Information (FCI).
• Defense Industrial Base (DIB) contractors whose unclassified networks process, store, or transmit Controlled Unclassified Information (CUI).

You have FCI only: Level 1
You have CUI (in addition to FCI): Level 2 or 3
What CMMC Level Are You and Next Steps?

WHAT YOU NEED TO DO
• Level 1: Self Assessment (optionally assisted by ControlCase)
• Level 2a: The information that you manage is not critical to national security. Self Assessment (optionally assisted by ControlCase)
• Level 2b: The information that you manage is critical to national security. C3PAO assessment (once every three years)
• Level 3: The information you manage involves the highest priority, most critical defense programs. Government conducts an audit (once every three years)
Next Steps for CMMC

What You Need to Do
First, submit your SPRS score here: https://www.sprs.csd.disa.mil/
CMMC Assessment (What you must do NOW!)
• DFARS 7019 – As of June 2022, requires compliance to NIST 800-171 controls and the submission of your NIST 800-171 Score and Report to the Supplier Performance Risk System (SPRS).
• For entities with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks, you must:
  ⎻ Document your CMMC/NIST 800-171 System Security Plan (SSP).
  ⎻ Perform an assessment of all NIST 800-171 controls as documented in your CMMC/NIST 800-171 System Security Plan, including formal evidence collection and reporting.
  ⎻ Calculate your NIST 800-171 score as required by DFARS 7019.
  ⎻ Document any deficiencies with remediation steps in a Plan of Action and Milestones (POA&M) document.
  ⎻ Complete affirmation using the Supplier Performance Risk System (SPRS): https://www.sprs.csd.disa.mil
  ⎻ Maintain evidence of your NIST 800-171 compliance to avoid DoJ False Claims Act investigations.
ControlCase CMMC Assessment Process

CONTROLCASE CMMC LEVEL 1 ASSESSMENT PROCESS
1. Deploy Compliance Hub with NIST 800-171 controls covering 17 practices
2. Complete Scoping
3. Complete 50% Evidence Review
4. Complete 100% Evidence Review
5. *Publish Level 1 Self-Assessment Report

CONTROLCASE CMMC LEVEL 2A ASSESSMENT PROCESS
A. Deploy Compliance Hub with NIST 800-171 controls covering 110 practices
B. Complete Scoping
C. Complete 50% Evidence Review
D. Complete 100% Evidence Review
E. *Publish Level 2 Self-Assessment Report
Status of CMMC 2.0 Rule

• November 2023 – OIRA completes review of 9 CMMC model documents, clearing the way for rule publication.
• December 2023 – CMMC proposed rule published in the Federal Register; 60-day public comment period begins.
• Q1 2024 – Public comment period expected to be closed. DoD starts the process to review all comments and finalize the rule.
• Q1 2025 – CMMC final rule is published and goes into effect. A 3-year “phased roll-out” into all DoD contracts begins.
Q&A
• Please type your questions in the questions window.
• Any unanswered questions will be addressed via email following the presentation.

THANK YOU
contact@controlcase.com
www.ControlCase.com

ControlCase CMMC Basics Deck Final.pdf
