CMMC compliance is the key to winning and retaining government contracts. CMMC requirements will soon appear in all Department of Defense (DoD) RFPs, contracts and grants and are expected to materialize in all federal government contracts as already evidenced by GSA's STARS III RFP.
How will this impact your business? CMMC requires all government contractors and subcontractors to be certified to at least Level I (basic cyber hygiene) with increasing levels of certification for CUI/CDI and special or high-risk programs. In fact, Level III certification is required for all contracts involving CUI.
And just like it takes a village to raise a child, it takes a team of professionals to prepare for and maintain CMMC compliance. From government contract compliance to CMMC readiness to implementation of technical solutions, you need a team of professionals to achieve and maintain CMMC compliance.
We recognize that CMMC certification is a process (a journey), not a destination, and take a bite-sized approach to what is a continuous effort on your part. While you must achieve the appropriate level of certification for a specific contract before submitting your bid/proposal, we realize that you will not achieve the goal overnight.
This webinar will help you understand the basic CMMC requirements, certification process, timeline, and roles of your strategic partners.
1. Core Business Solutions, Inc.
Cybersecurity Maturity Model Certification (CMMC)
October, 2020
2. Today’s Presenters
Scott Dawson, Core Business Solutions, Inc., President and Co-Founder
Robert Jones, Left Brain Professionals, President & Principal GovCon Accounting Advisor
Andrew Streetman, Vysion Technology Solutions, President and CEO
3. Today’s Agenda
• Where Did CMMC Come From?
• How Does CMMC Apply to Me?
• CMMC Level 1
• CMMC Level 3
• CMMC Timeline
• CMMC Costs
5. Existing Cybersecurity Regulations
FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”
• Applies to: All govt contractors
• Requirements: Includes 17 basic cyber practices to protect Federal Contract Information (FCI)
DFARS 252.204-7012, “Safeguarding Covered Defense Information And Cyber Incident Reporting”
• Applies to: All defense contractors
• Requirements: Includes 110 cyber practices to provide “adequate security” to protect Controlled Unclassified Information (CUI)
Contractors agree to comply by signing a government contract.
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
https://www.acquisition.gov/far/52.204-21-07
6. Federal Contract Information (FCI)
• “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
• In other words, information that is not available publicly.
• This is the focus of CMMC Level 1
7. Controlled Unclassified Information (CUI)
• “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
• The CUI Registry can be found at https://www.archives.gov/cui
• This is the focus of CMMC Level 3
(Diagram: CUI flows in both directions, produced by DoD and received by the prime/sub, and produced by the prime/sub and received by DoD.)
8. New DFARS Regulations - effective Nov 30, 2020
Short Term: NIST SP 800-171 DoD Assessment
• DFARS 252.204-7019
• DFARS 252.204-7020
• Self-assessment score must be submitted to DoD SPRS to be awarded any contracts and/or options.
Long Term: CMMC Certification
• DFARS 252.204-7021
• Current CMMC Certificate at the appropriate level required to be awarded DoD prime/sub contract requiring CMMC.
9. Assessment Requirements
• Complete self-assessment using DoD scoring
• Develop written System Security Plan (SSP)
• Complete POAM (Plan of Actions and Milestones)
• Submit to SPRS:
  • Date of assessment
  • Summary level score
  • Scope of assessment
  • Plan of action completion date
Be aware that DCMA is conducting its own assessments to verify compliance.
10. Tips to Get Started Now on DoD Assessment
1. Download the DoD Assessment Methodology:
  • https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
2. Review assessment criteria
3. Make a list of gaps in your current IT or business practices
12. Understand CMMC Certification Basics
• Focus on cybersecurity practices
  • Technical
  • Management/organizational
• 3-year certification (no annual surveillance audits)
• Requires involvement
  • Management team
  • Technology resources
  • Employees
13. Who Does CMMC Apply To?
• All DoD prime contractors and ALL subcontractors
• Regardless of products and/or services sold
(Diagram: less sensitive information requires a lower level certification; more sensitive information requires a higher level certification.)
14. CMMC Certification Levels
• CMMC Level 1: 17 Practices
• CMMC Level 2: 72 Practices (includes Level 1 practices)
• CMMC Level 3: 130 Practices (includes Level 2 practices)
• CMMC Level 4: 156 Practices (includes Level 3 practices)
• CMMC Level 5: 171 Practices (includes Level 4 practices)
“Do I receive any payments from any customer that is related to a defense contract?” If yes, CMMC applies to you.
15. CMMC Level 1
What ALL DoD Contractors/Subcontractors Have to Do
16. CMMC Level 1 Practices
• You may currently meet or nearly meet the 17 CMMC L1 requirements.
• Conduct gap assessment to determine readiness.
The 17 practices by area (number of practices in parentheses):
• User accounts and passwords (4)
• Network connections and firewalls (2)
• Employee policies (1)
• Media and device protection (1)
• Visitors and secure facility access (4)
• Wi-Fi settings (1)
• Device maintenance and antivirus (4)
17. Tips to Get Started Now on CMMC L1
1. Download the CMMC model
  • https://www.acq.osd.mil/cmmc/draft.html
2. Review the 17 requirements with company management and your IT resource (internal or external)
  • Marked Level 1 on pp. 12-22 in CMMC Model
3. Make a list of gaps in your current IT or business practices
19. CMMC Level 3 Domains
Total of 130 practices, 110 of which are from NIST SP 800-171.
20. Two Types of Security Practices in CMMC L3
Technical Controls (60%), handled by IT (internal or external)
- Requires experienced IT/MSP
- Technical training is recommended
Organizational Controls (40%), handled by Management
- Requires top management involvement
- Management training is recommended
21. CMMC Process Maturity
• “How well” practices are effectively integrated into your business.
• Greater demands for “institutionalizing” CMMC practices with higher levels.
• You can’t wait ‘til the last minute!
22. Tips to Get Started Now on CMMC L3
1. Identify professional resources
  • Training/consultation
  • IT resources (internal or external)
2. Conduct gap assessment
  • Technical gaps
  • Organizational gaps
3. Complete training
  • IT/Technical training
  • Management training
4. Develop written plan (SSP and POAM) and budget
Keep working on NIST SP 800-171 compliance.
24. CMMC Timeline
• Jan 2020: CMMC Model published
• Mar 2020: CMMC-AB stood up
• Sept-Dec 2020: Provisional training for Assessors
• Nov 30, 2020: New DFARS Interim Rule takes effect
• Dec 2020: DoD Self-Assessment required for all contracts
• Jan 2021: CMMC Assessments begin
• 2021-2026: CMMC rollout through new contracts
YOU ARE HERE (October, 2020)
25. CMMC Preparation Steps
1. Learn the requirements and conduct an assessment
  • Technology/Infrastructure
  • IT and Management Training
  • SSP & POAM
  • Technical Roadmap and Budget
2. Implementation and Remediation
  • Incident Response
  • Risk Assessment
  • Asset Management
  • Change Management
  • Management Reviews
  • Policies and Procedures
  • Employee Awareness and Safe Practices
  • Technology Upgrades
3. Third-Party Certification
  • Readiness Assessment
  • Final Preparation
  • Third-Party Audit
  • Corrective Action
  • Certification
Level 1: Allow 2-3 Months
Level 3: Allow 6-9 Months
26. NIST/CMMC Implementation Team
(Diagram: implementation team roles of Project Lead, Technical Lead, Management Consultant, Technical Consultant and Strategic Business Advisor, filled by the Client, CORE Business Solutions, Left Brain Professionals and Vysion Technology Solutions.)
29. Factors Affecting Cost of CMMC
CMMC Level
  • Increases cost: Level 3
  • Reduces cost: Level 1
CUI volume and workflow
  • Increases cost: Many CUI documents and many users need access
  • Reduces cost: Few CUI documents and few users need access
IT Support Resource
  • Increases cost: Internal IT resources only
  • Reduces cost: External IT resources (e.g. MSP)
Current IT resources and capability
  • Increases cost: Little experience with cybersecurity standards and solutions
  • Reduces cost: High degree of experience with cybersecurity standards and solutions
Size and complexity of network
  • Increases cost: Large number of devices and complex network
  • Reduces cost: Few devices and simple network
Age of network equipment
  • Increases cost: Older equipment
  • Reduces cost: Newer equipment
Capability of network equipment
  • Increases cost: Consumer-grade equipment
  • Reduces cost: Enterprise-grade equipment
Number of facilities
  • Increases cost: Multiple sites
  • Reduces cost: Single site
Use of cloud apps
  • Increases cost: Significant use of cloud apps
  • Reduces cost: Little or no use of cloud apps
30. CMMC Program Contacts
Scott Dawson
President
Core Business Solutions, Inc.
866.354.0300 ext 1001
scott.dawson@thecoresolution.com
Robert Jones
President
Left Brain Professionals
614.556.4415
www.LeftBrainPro.com
Support@LeftBrainPro.com
31. Resources
• New DFARS Regulation: https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf
• Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/draft.html
• OUSD(A&S) CMMC website: https://www.acq.osd.mil/cmmc/
• CMMC-AB website: https://www.cmmcab.org/
• NIST Special Publication (SP) 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
• SPRS Homepage: https://www.sprs.csd.disa.mil/default.htm
• CMMC-AB LinkedIn Page: https://www.linkedin.com/company/cybersecurity-maturity-model-certification-accrediation-body-cmmc-ab/
• CMMC AB National Conversation Series - An Overview with Board Chairman, Ty Schieber: https://youtu.be/lwqd4IOHXuk
Editor's Notes
Run Polls 1 & 2
Zane – tell us about your experience with MEPs and NIST
What’s behind CMMC?
The threat to the nation, our military and our economy
The push toward cybersecurity throughout the defense industry began in the Obama presidency. CMMC builds on previous and current contractual regulations by introducing a formal 3rd-party certification.
o FAR 52.204-21 is a current regulation for all govt contractors and includes the 17 practices of CMMC Level 1.
o DFARS 252.204-7012 is a current regulation for all defense contractors and includes 110 practices (including those from Level 1) of the 130 required by CMMC Level 3.
Following a number of high profile cyber incidents involving defense programs, the DoD IG conducted a series of contractor audits and concluded that some DoD contractors were not consistently implementing mandated system security requirements or advancing their POA&Ms to achieve full compliance with all 110 security controls.
The 17 practices in Level 1 serve the purpose of protecting Federal Contract Information (FCI).
FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
In other words, all of the documentation or information that is received or generated as part of a defense contract that is not available publicly (like beta.sam.gov).
If you receive, generate or handle any technical or otherwise sensitive information as part of a DoD contract (or subcontract), you should treat it as CUI.
Or, if in doubt, you can simply protect ALL documentation related to any unclassified defense contract as if it is CUI (better to be safe than sorry). Classified programs have much more rigorous cybersecurity requirements and are not relevant to CMMC.
CUI may currently be marked as CTI, CDI, FOUO, ITAR or with some other indication. The government is in the process of establishing rules for the marking of all CUI as CUI, but that’s down the road.
Another way to confirm whether a current DoD contract will require CMMC Level 3 in the future is to look for the clause DFARS 252.204-7012 in the current contract. If so, then CMMC Level 3 will apply to future similar contracts.
Supplier Performance Risk System (SPRS).
This clause is required in all DoD solicitations except for those solely for the acquisition of commercially available off-the-shelf (COTS) items.
These regulations apply to ALL suppliers in the Defense Industrial Base (DIB).
Starting this year, the DoD (and potentially other sectors of the federal government) will begin adding CMMC certification requirements to RFIs and RFPs. In addition, the DFARS contractual regulation will be revised later in 2020 to include CMMC certification as well. It is expected to take 5 years to incorporate CMMC into all DoD contracts affecting over 300,000 suppliers in the defense industrial base (DIB), through 2026.
• Eventually, every DoD contractor and all subcontractors will be required to have a CMMC certification in order to be awarded a DoD-related contract or subcontract. Current contracts will NOT be affected. This change only applies to NEW contracts.
The certification process will work in a similar way to an ISO 9001 certification, but focused on cybersecurity, with a 3 year re-certification period and no annual surveillance audits.
CMMC requirements are a mix of technical security practices and management/organizational practices. It requires involvement of your management team, technology resources and employees.
Regardless of the type of products or services you sell to the DoD or to one of its contractors, your company will be required to have a CMMC certification. However, depending upon your contract and the type of DoD information you handle, your certification may be at a Lower Level or Higher Level of cybersecurity.
There are 5 “maturity levels” available for CMMC certification.
• EVERYONE must at least meet Level 1 CMMC certification requirements. Level one is just the basics with 17 specific requirements (called “practices”). No matter the size of your company or what you produce or supply to meet a DoD requirement, Level 1 will apply to you. And, remember, Level 1 controls are currently in FAR 52.204-21 contractual regulations for all government contracts. If you sell to the federal government, these requirements should already be in place.
• The other CMMC levels build upon the 17 practices in level 1:
o CMMC Level 1: 17 Practices.
o CMMC Level 2: 72 Practices (includes Level 1 practices)
o CMMC Level 3: 130 Practices (includes Level 2 practices)
o CMMC Level 4: 156 Practices (includes Level 3 practices)
o CMMC Level 5: 171 Practices (includes Level 4 practices)
• So, to answer the question “Does CMMC Level 1 apply to me?”, you simply need to ask “Do I receive any payments from any customer that is related to a defense contract?” This simply means “follow the money.”
• If your defense-related customer(s) haven’t (yet) notified you to expect this requirement in future contracts, they will. Customers will be obligated to “flow down” the appropriate CMMC requirements to all of their suppliers, once the DFARS regulation is modified and CMMC requirements appear in defense contracts.
• Do you have at least 1 defense-related customer contract (or plan to)? Then stay with us for the remainder of this program for further details. If not, today’s session is not for you.
It is likely that your company already meets or nearly meets many of the CMMC L1 requirements. Confirming this requires a careful review using the CMMC Model as a guide to complete a gap assessment.
There are no requirements for formal documentation like policies or procedures with CMMC Level 1.
As mentioned, there are 130 practices in CMMC Level 3, including the 17 practices from Level 1. Level 3 practices also include the 110 controls in NIST SP 800-171 that are required by the current DFARS clause. So, most of CMMC Level 3 will be familiar to companies who are in compliance with DFARS.
These domains (“topics”) each break down into several capabilities (“actions”), which are then detailed in a number of specific practices (“controls”). Not only does the number of practices increase by more than 7x from Level 1, the technical and organizational complexity goes up as well, and so does the cost.
The technical practices (about 60% of the requirements) generally require a very experienced IT professional or MSP to implement and maintain. But it is also important that your IT resource gets proper training on the CMMC requirements to be sure your company properly interprets and applies each of the requirements in the most effective and affordable manner. If you don’t have an IT resource with cybersecurity experience, you can use external help from a consultant or security professional.
The organizational practices (about 40% of the requirements) are owned by top management. Just like an ISO certification assigns certain requirements to top management, so does CMMC. There are policies, training, management oversight, planning and budgeting, among other things requiring management’s involvement and sponsorship. Top management will also need specialized training to understand how the security program needs to be set up and managed for effectiveness.
One other additional CMMC Level 3 requirement deserves special mention: process maturity. Maturity addresses “how well” domains/capabilities/practices are integrated into your company’s business practices, roles and systems. The 5 maturity levels (L1-L5), which specify the practices to be implemented, also require maturity processes that demonstrate increasing levels of effectiveness and “institutionalization”.
Process maturity implies that you can’t wait until the last minute to implement CMMC if you expect to be certified. Give enough time for practices to mature.
Identify professional resources
Training/consultation
IT resources (internal or external)
Conduct gap assessment
Technical gaps
Organizational gaps
Complete training
IT/Technical training
Management training
Develop written plan and budget
So, when does all of this go into effect? We can answer this in two respects:
When will the first CMMC certifications go into effect?
When will your company need to be certified?
So far, there are 2 major milestones completed:
1. CMMC Model published (Jan, 2020)
The CMMC Model contains the requirements for certification. It was first published in January, 2020 by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) and is available here:
https://www.acq.osd.mil/cmmc/draft.html
There is also an excellent FAQ available from the DOD here:
https://www.acq.osd.mil/cmmc/faq.html
2. CMMC-Accreditation Body (CMMC-AB) stood up (Mar, 2020)
“The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.”
https://www.cmmcab.org/cmmc-standard#:~:text=Mission,Model%20Certification%20(CMMC)%20Program.
How long this will take depends on a few things:
What CMMC certification level are you aiming for?
What cybersecurity measures do you have in place now?
Who is available to work on this initiative?
How well do you understand the CMMC requirements and the options available to you to comply?
What financial resources do you need? (we’ll drill into costs in a moment)
Every small business has to get their arms around the costs relating to preparation, certification and maintenance of CMMC.
There are several areas of cost to consider:
Preparation costs
Gap assessment
Training
Documentation
Remediation/Implementation
Certification costs
Certification audit
Corrective action
Maintenance costs
Maintaining and upgrading technology
Updates to training and documentation
Re-certification audits
(Explain that the cost of assessment/SSP/PoAM/Policies is typically $10-$15K; remediation cost; CMMC audit cost) - - - - - and do this without trying to discourage people from doing business with DoD.
CMMC Level - Level 3 has 130 practices while Level 1 has 17 practices.
CUI volume and workflow - If only a few people need to access CUI, it may be possible to set up an isolated enclave system.
IT Support Resource - Costs of employment of specialized professionals
Current IT resources and capability - Experience with cybersecurity gives IT professionals an understanding of what solutions may be effective and more affordable
Size and complexity of network - More devices and network complexity can require more expense to meet requirements
Age of network equipment - Older equipment may not be capable of meeting current cybersecurity standards.
Capability of network equipment - Consumer-grade equipment often does not have capability to meet current cybersecurity standards.
Number of facilities - Multiple sites can complicate network security.
Use of cloud apps - Cloud apps generally do not fully support CMMC requirements at a detail level required for certification. Typically, only the premium, more expensive, levels of service and capability in cloud apps will come close to meeting CMMC requirements. In addition, local devices and network still need to meet CMMC requirements in order to access documents and data contained in cloud apps.