Setting up your compliance program at the corporate level. Conducting Rapid - Low Fidelity Assessment for generating SPRS Scores. Developing a completed SSP (System Security Plan). How and why to create a POA&M (Plan of Actions & Milestones)

1. WEBINAR SERIES. Part 3 7 April 2021 10:30 AM EST
Hosted by CATALYST CONNECTION
Max Aulakh
Founder & CEO
CORPORATE CYBER PROGRAM

2. Who’s driving this webinar?
Max Aulakh
Founder & CEO
About our Speaker
C-SUITE DEFENSE & ASSURANCE LEADER
S
P
E
C
I
A
L
G
U
E
S
T
As a Data Security and Compliance Leader, he delivers DoD-tested security strategies and
compliance that safeguard mission-critical IT operations. Having trained and excelled in The
United States Air Force, he maintained and tested the InfoSec and ComSec functions of network
hardware, software, and IT infrastructure for global networks — both classified and unclassified.
He drove the Information Assurance (IA) programs for the U.S. Department of Defense (DoD).
Facilitated by
Connie Palucka
Vice President, Consulting at Catalyst Connection
Connie joined Catalyst Connection in 2005 and brings over 25 years
of global sales, business development, and product development
experience to her role as the Managing Director of Regional
Initiatives. She leads a team that secures and executes grants
initiatives to support manufacturers and build the region’s
vibrancy. She also works with regional academic institutions,
economic development organizations and regional manufacturers
to build new capabilities and help make Southwestern Pennsylvania
a model for the nation.

3. • Webinar 1: Laying the Foundation – The Need for Cybersecurity in U.S.
Manufacturing
• Webinar 2: DFARS & CMMC Overview
• Webinar 3: Corporate Program Setup
• Webinar 4: Real Company Examples
• Webinar 5: CMMC Breakdown
• Session 6: Risk Mitigation
6-Part Webinar Series: CYBER RESILIENCY FOR DEFENSE
CONTRACTORS

4. Business Case for Cybersecurity
Cybersecurity specific DFAR Rules,
CMMC Basic Levels
Controlled Unclassified Information
(CUI), Data Classification and
Information Protection Scheme
What we covered so far
1
2
3

5. Session 3: Corporate Program Setup
1. Setting up your compliance program at the corporate level.
2. Conducting Rapid - Low Fidelity Assessment for generating SPRS Scores.
3.Developing a completed SSP (System Security Plan).
4.How and why to create a POA&M (Plan of Actions & Milestones).

6. Corporate Security Program

7. Corporate Security Program Development
Driving to a Common Understanding
Business
Language: Existing
Business Model
Knowledge Gap:
Software & Technology
Alignment
Common Understanding
of Business Model
Common Understanding
of Technology
Common Understanding
of Risks & Rewards of
Technology
Technology Risk
Partners
Language: Servers, IP
Addresses, Routers
(Technology)
Knowledge Gap:
Customer’s Needs &
Business Model

8. Corporate Security Program
• Developing alignment starts with
understanding of your business and
external influences.
○ Primes and how they may behave
• DFARs is part of the over all federal
legislation scheme
• Internal policies require alignment with
total expectations of the business
○ Cyber Security requires early top
management input
• Start with a board resolution to setup a
corporate security program.
• Setup a basic governing committee on key
decision and “grey” area decisions
○ Helps in developing consensus &
direction.

9. SPRS System Overview

10. Supplier Performance Risk System & Reports
• Cyber Score Submission Required
• Scores are based on NIST 800-171 Assessment
• SPRS Data is used for Source Selection
• Accessible By:
o Government Personnel with Need to Know
o Contractors (your own data only)
• Not Releasable Under Freedom of Information Act (FOIA)

11. Product Data Reporting and Evaluation
Program (PDREP)
automated
manual
Air Force Contracting
Database Information System
(J018)
- EDA
- WAWF
- MOCAS
- USN/USMC
- USAF
- Army
- DCMA
- DLA
- GIDEP
- USAF
- NAVAIR
- USMC Aviation
Joint Discrepancy Reporting System
(JDRS)
Contractor Performance Assessment
Reporting System (CPARS)
- PPIRS-RC
- FAPIIS
Other (ad hoc)
- DLA
Contract Data
- Award, Delivery, Pricing
Quality Data
- PQDRs, GIDEP, MIRs, Bulletins, SDRs
- Surveys, Lab Reports
Material Data
- NSNs, application and safety criticality
Contract Data
- Award, Delivery
Quality Data
- PQDRs
DCMA Supplier Risk System (SRS)
Supplier Risk Data
- Corrective Action Requests (CARs)
- Corrective Action Plans (CAPs)
- Program Assessment Reports (PARs)
Bureau of Labor
Statistics
Contract Data
- Award, Delivery
System for Award Mgt
(SAM)
DLA
- eProcurement
- EBS
- eProcurement
- EBS
Price Risk Data
- PPI (inflation)
Company Data
- CAGE codes
- Exclusion/debarment
- DUNS & MPIN
Item Risk Data
- DMSMS
Supplier Risk Data
- performance ratings, testimonials
SPRS
Supplier Performance Risk System Data Flow
DLA

12. SPRS Scoring Methodology

13. NIST Point System Methodology
110 NIST 800-171 Controls are weighted and are subtracted from the starting score of 110
A perfect score is 110
A negative score is possible
● Controls are worth 5 points, some 3, and some 1.
● There are 42 controls worth 5 points each, which include:
○ The 17 basic safeguards required of all Federal contractors’ IT systems, as outlined in the FAR Clause 52.204-21, and
○ Other controls that “would allow for exploitation of the network and its information.”
● There are 14 controls worth 3 points each, which if not implemented “have a specific and confined effect on the security of the
network and its data”
● The remaining 54 controls are worth 1 point.
● Two of the controls, 3.5.3 (multi-factor authentication) and 3.13.11 (FIPS-validated cryptography), are worth either 5 or 3 points,
depending on the level on non-compliance
● If the organization does not have an SSP, no score is possible - negative 110. A score can be generated without an SSP but 110
points are deducted from the start.

14. Model & Structure

15. SPRS Scores & Domains

16. SSP Development & POA&Ms

17. System Security Plan
Formal document that provides an overview of the security requirements
for an information system and describes the security controls in place or
planned for meeting those requirements.
info@Ignyteplatform.com for template requests

18. System Security Plan Components
Plan or System Name
Identifier
CMMC Level (System Categorization)
System Owner
Other Contacts (IT Management, Audit Firm, etc..)
Assignment of Security Responsibilities
Information Type (CUI Data)
General Description/System Purpose
System Environment
System Interconnections
Laws, Regulations and Policies Impacting Systems
Control Section
Minimum Security Controls
• Control Name, ID
• Control Owner
• Control Response
• Current Status
info@Ignyteplatform.com for template requests

19. Plan of Action & Milestones (POA&M)
A document that identifies tasks needing to be accomplished. It details
resources required to accomplish the elements of the plan, any milestones
in meeting the tasks, and scheduled completion dates for the milestones.
info@Ignyteplatform.com for template requests

20. Plan of Actions & Milestones Components
POAM ID
Related Control(s)
Weakness Name
Weakness Description
Weakness Source Detection
Asset Identification
Point of Contact
Resources Required
Remediation Plan
Scheduled Completion Date
Planned Milestones
Vendor Dependencies
Current Status
Risk Rating
Comments
info@Ignyteplatform.com for template requests

21. Summary
• Corporate Security Program - Start with business leadership first
• SPRS Assessment - Conduct a rapid assessment (low fidelity) update your
scores often or during major changes
• SSPs & POA&Ms - Two primary planning documents, formal documentation that
is expected to be provided to auditors for purpose of certification.

22. Summary

23. Questions?
Thank you!
Point of Contact
Connie Palucka
Vice President, Consulting
Max Aulakh, MBA, CISSP, PMP
Founder & CEO
Point of Contact
info@ignyteplatform.com cpalucka@catalystconnection.org