Core Business Solutions, Inc.
Cybersecurity Maturity Model Certification (CMMC)
October 2020
Today’s Presenters
• Scott Dawson, President and Co-Founder, Core Business Solutions, Inc.
• Robert Jones, President & Principal GovCon Accounting Advisor, Left Brain Professionals
• Andrew Streetman, President and CEO, Vysion Technology Solutions
Today’s Agenda
• Where Did CMMC Come From?
• How Does CMMC Apply to Me?
• CMMC Level 1
• CMMC Level 3
• CMMC Timeline
• CMMC Costs
Where Did CMMC Come From?
Existing Cybersecurity Regulations

FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”
• Applies to: all government contractors
• Requirements: 17 basic cyber practices to protect Federal Contract Information (FCI)

DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”
• Applies to: all defense contractors
• Requirements: 110 cyber practices (the NIST SP 800-171 controls) to provide “adequate security” for Controlled Unclassified Information (CUI), plus cyber incident reporting

Contractors agree to comply by signing a government contract; the clauses are part of the contract, not a separate opt-in.
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
https://www.acquisition.gov/far/52.204-21
Federal Contract Information (FCI)
• “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
• In other words, any non-public information you receive from, or create for, the Government while performing a contract.
• This is the focus of CMMC Level 1
Controlled Unclassified Information (CUI)
• “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
• The CUI Registry can be found at https://www.archives.gov/cui
• This is the focus of CMMC Level 3
Diagram: CUI flows in both directions. It can be produced by DoD and received by the prime/sub, or produced by the prime/sub and received by DoD; both are in scope.
New DFARS Regulations - effective Nov 30, 2020

Short term: NIST SP 800-171 DoD Assessment
• DFARS 252.204-7019
• DFARS 252.204-7020
• A self-assessment score must be submitted to DoD SPRS (Supplier Performance Risk System) to be awarded any contracts and/or options.

Long term: CMMC Certification
• DFARS 252.204-7021
• A current CMMC certificate at the appropriate level is required to be awarded a DoD prime/sub contract that requires CMMC.
Assessment Requirements
• Complete self-assessment using DoD scoring
• Develop written System Security Plan (SSP)
• Complete POAM (Plan of Action and Milestones)
• Submit to SPRS:
  • Date of assessment
  • Summary level score
  • Scope of assessment
  • Plan of action completion date
Be aware that DCMA is conducting its own assessments to verify compliance.
Tips to Get Started Now on DoD Assessment
1. Download the DoD Assessment Methodology:
  • https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
2. Review assessment criteria
3. Make a list of gaps in your current IT or business practices
How Does CMMC Apply to Me?
Understand CMMC Certification Basics
• Focus on cybersecurity practices
  • Technical
  • Management/organizational
• 3-year certification (no annual surveillance audits)
• Requires involvement of
  • Management team
  • Technology resources
  • Employees
Who Does CMMC Apply To?
• All DoD prime contractors and ALL subcontractors
• Regardless of products and/or services sold (the interim rule’s one carve-out is contracts solely for commercially available off-the-shelf (COTS) items)
Diagram: the required certification level scales with the sensitivity of the information handled. Less sensitive information means a lower-level certification; more sensitive information means a higher-level certification.
CMMC Certification Levels
• CMMC Level 1: 17 Practices
• CMMC Level 2: 72 Practices (includes Level 1 practices)
• CMMC Level 3: 130 Practices (includes Level 2 practices)
• CMMC Level 4: 156 Practices (includes Level 3 practices)
• CMMC Level 5: 171 Practices (includes Level 4 practices)
“Do I receive any payments from any customer that is related to a defense contract?” If yes, CMMC applies to you.
CMMC Level 1
What ALL DoD Contractors/Subcontractors Have to Do
CMMC Level 1 Practices
• You may currently meet or nearly meet the 17 CMMC L1 requirements.
• Conduct a gap assessment to determine readiness.
The 17 practices, grouped by topic (count in parentheses):
• User accounts and passwords (4)
• Network connections and firewalls (2)
• Employee policies (1)
• Media and device protection (1)
• Visitors and secure facility access (4)
• Wi-Fi settings (1)
• Device maintenance and antivirus (4)
Tips to Get Started Now on CMMC L1
1. Download the CMMC model
  • https://www.acq.osd.mil/cmmc/draft.html
2. Review the 17 requirements with company management and your IT resource (internal or external)
  • Marked Level 1 on pp. 12-22 in the CMMC Model
3. Make a list of gaps in your current IT or business practices
CMMC Level 3
Required if You Handle CUI
CMMC Level 3 Domains
• Total of 130 practices
• 110 are the NIST SP 800-171 requirements; the remaining 20 are additional CMMC practices not found in 800-171
Two Types of Security Practices in CMMC L3

Technical Controls (about 60%)
• Handled by IT (internal or external)
• Requires experienced IT/MSP
• Technical training is recommended

Organizational Controls (about 40%)
• Handled by management
• Requires top management involvement
• Management training is recommended
CMMC Process Maturity
• “How well” practices are effectively integrated into your business.
• Greater demands for “institutionalizing” CMMC practices at higher levels.
• You can’t wait ‘til the last minute!
Tips to Get Started Now on CMMC L3
1. Identify professional resources
  • Training/consultation
  • IT resources (internal or external)
2. Conduct gap assessment
  • Technical gaps
  • Organizational gaps
3. Complete training
  • IT/Technical training
  • Management training
4. Develop written plan (SSP and POAM) and budget
Keep working on NIST SP 800-171 compliance.
CMMC Timeline
CMMC Timeline
• Jan 2020: CMMC Model published
• Mar 2020: CMMC-AB stood up
• Sept-Dec 2020: Provisional training for Assessors (YOU ARE HERE, as of this October 2020 presentation)
• Nov 30, 2020: New DFARS Interim Rule takes effect
• Dec 2020: DoD Self-Assessment required for all contracts
• Jan 2021: CMMC Assessments begin
• 2021-2026: CMMC rollout through new contracts
CMMC Preparation Steps
1. Learn the requirements and conduct an assessment
  • Technology/Infrastructure
  • IT and Management Training
  • SSP & POAM
  • Technical Roadmap and Budget
2. Implementation and Remediation
  • Incident Response
  • Risk Assessment
  • Asset Management
  • Change Management
  • Management Reviews
  • Policies and Procedures
  • Employee Awareness and Safe Practices
  • Technology Upgrades
3. Third-Party Certification
  • Readiness Assessment
  • Final Preparation
  • Third-Party Audit
  • Corrective Action
  • Certification
Level 1: Allow 2-3 Months
Level 3: Allow 6-9 Months
NIST/CMMC Implementation Team
Diagram: the team around the Client consists of a Project Lead, a Technical Lead, a Management Consultant, a Technical Consultant and a Strategic Business Advisor, staffed across CORE Business Solutions, Vysion Technology Solutions and Left Brain Professionals.
Questions & Answers
CMMC Costs
So, How Much?
Factors Affecting Cost of CMMC
(Situation/Factor: what increases cost / what reduces cost)
• CMMC Level: Level 3 / Level 1
• CUI volume and workflow: many CUI documents and many users need access / few CUI documents and few users need access
• IT support resource: internal IT resources only / external IT resources (e.g. MSP)
• Current IT resources and capability: little experience with cybersecurity standards and solutions / high degree of experience with cybersecurity standards and solutions
• Size and complexity of network: large number of devices and complex network / few devices and simple network
• Age of network equipment: older equipment / newer equipment
• Capability of network equipment: consumer-grade equipment / enterprise-grade equipment
• Number of facilities: multiple sites / single site
• Use of cloud apps: significant use of cloud apps / little or no use of cloud apps
Note on cloud apps: under DFARS 252.204-7012, any cloud service that stores, processes or transmits CUI must meet the FedRAMP Moderate baseline or equivalent, which limits the choice of providers and is a common source of remediation cost. Scoping the CUI environment tightly (fewer documents, fewer users, fewer systems) is the single biggest lever on every row above.
CMMC Program Contacts

Scott Dawson
President, Core Business Solutions, Inc.
866.354.0300 ext 1001
scott.dawson@thecoresolution.com

Robert Jones
President, Left Brain Professionals
614.556.4415
www.LeftBrainPro.com
Support@LeftBrainPro.com
Resources
• New DFARS Regulation: https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf
• Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/draft.html
• OUSD(A&S) CMMC website: https://www.acq.osd.mil/cmmc/
• CMMC-AB website: https://www.cmmcab.org/
• NIST Special Publication (SP) 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
• SPRS Homepage: https://www.sprs.csd.disa.mil/default.htm
• CMMC-AB LinkedIn Page: https://www.linkedin.com/company/cybersecurity-maturity-model-certification-accrediation-body-cmmc-ab/
• CMMC AB National Conversation Series - An Overview with Board Chairman, Ty Schieber: https://youtu.be/lwqd4IOHXuk

More Related Content

What's hot

CISA Domain 3 - Information Systems Acquisition, Development and Implementation
CISA Domain 3 - Information Systems Acquisition, Development and ImplementationCISA Domain 3 - Information Systems Acquisition, Development and Implementation
CISA Domain 3 - Information Systems Acquisition, Development and ImplementationInfosecTrain
 
BMC Remedy ITSM 8.0 What's New
BMC Remedy ITSM 8.0 What's NewBMC Remedy ITSM 8.0 What's New
BMC Remedy ITSM 8.0 What's NewBMC Software
 
Security & Segregation of Duties for PeopleSoft
Security & Segregation of Duties for PeopleSoftSecurity & Segregation of Duties for PeopleSoft
Security & Segregation of Duties for PeopleSoftSmart ERP Solutions, Inc.
 
Spring Cleaning: Getting the most out of your UC/CC System
Spring Cleaning: Getting the most out of your UC/CC SystemSpring Cleaning: Getting the most out of your UC/CC System
Spring Cleaning: Getting the most out of your UC/CC SystemArrow Systems Integration
 
Software Asset Management
Software Asset ManagementSoftware Asset Management
Software Asset Managementsleterrier
 
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...Eucalyptus Systems, Inc.
 
Automating PeopleSoft Segregation of Duties: Financials/HCM/Campus Solutions
Automating PeopleSoft Segregation of Duties: Financials/HCM/Campus SolutionsAutomating PeopleSoft Segregation of Duties: Financials/HCM/Campus Solutions
Automating PeopleSoft Segregation of Duties: Financials/HCM/Campus SolutionsSmart ERP Solutions, Inc.
 
App store and SAM strategy
App store and SAM strategyApp store and SAM strategy
App store and SAM strategyRMayo22
 
CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07Thomas Danford
 
The business case for software analysis & measurement
The business case for software analysis & measurementThe business case for software analysis & measurement
The business case for software analysis & measurementCAST
 

What's hot (10)

CISA Domain 3 - Information Systems Acquisition, Development and Implementation
CISA Domain 3 - Information Systems Acquisition, Development and ImplementationCISA Domain 3 - Information Systems Acquisition, Development and Implementation
CISA Domain 3 - Information Systems Acquisition, Development and Implementation
 
BMC Remedy ITSM 8.0 What's New
BMC Remedy ITSM 8.0 What's NewBMC Remedy ITSM 8.0 What's New
BMC Remedy ITSM 8.0 What's New
 
Security & Segregation of Duties for PeopleSoft
Security & Segregation of Duties for PeopleSoftSecurity & Segregation of Duties for PeopleSoft
Security & Segregation of Duties for PeopleSoft
 
Spring Cleaning: Getting the most out of your UC/CC System
Spring Cleaning: Getting the most out of your UC/CC SystemSpring Cleaning: Getting the most out of your UC/CC System
Spring Cleaning: Getting the most out of your UC/CC System
 
Software Asset Management
Software Asset ManagementSoftware Asset Management
Software Asset Management
 
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
 
Automating PeopleSoft Segregation of Duties: Financials/HCM/Campus Solutions
Automating PeopleSoft Segregation of Duties: Financials/HCM/Campus SolutionsAutomating PeopleSoft Segregation of Duties: Financials/HCM/Campus Solutions
Automating PeopleSoft Segregation of Duties: Financials/HCM/Campus Solutions
 
App store and SAM strategy
App store and SAM strategyApp store and SAM strategy
App store and SAM strategy
 
CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07
 
The business case for software analysis & measurement
The business case for software analysis & measurementThe business case for software analysis & measurement
The business case for software analysis & measurement
 

Similar to Cybersecurity Maturity Model Certification (CMMC)

A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfA Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfJack Nichelson
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicCloudHesive
 
How I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareHow I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareIgnyte Assurance Platform
 
Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationCybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationMurray Security Services
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceWilliam McBorrough
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?Unanet
 
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Unanet
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWithum
 
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and SubcontractorsFull Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and SubcontractorsIgnyte Assurance Platform
 
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...Ignyte Assurance Platform
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation:  The Need for  Cybersecurity in  U.S. ManufacturingLaying the Foundation:  The Need for  Cybersecurity in  U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. ManufacturingIgnyte Assurance Platform
 
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...Ignyte Assurance Platform
 
Cyber review-guide
Cyber review-guideCyber review-guide
Cyber review-guideaqazad
 
BUSINESS CASE2BUSINESS CASE2Business CaseCon.docx
BUSINESS CASE2BUSINESS CASE2Business CaseCon.docxBUSINESS CASE2BUSINESS CASE2Business CaseCon.docx
BUSINESS CASE2BUSINESS CASE2Business CaseCon.docxjasoninnes20
 
How Nationwide Insurance Transformed and Accelerated its Small_1.3.1
How Nationwide Insurance Transformed and Accelerated its Small_1.3.1How Nationwide Insurance Transformed and Accelerated its Small_1.3.1
How Nationwide Insurance Transformed and Accelerated its Small_1.3.1ptulachan
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfControlCase
 

Similar to Cybersecurity Maturity Model Certification (CMMC) (20)

A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfA Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
 
CMMC Breakdown
CMMC BreakdownCMMC Breakdown
CMMC Breakdown
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo Logic
 
How I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance NightmareHow I Woke Up from the CMMC Compliance Nightmare
How I Woke Up from the CMMC Compliance Nightmare
 
Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model CertificationCybersecurity Maturity Model Certification
Cybersecurity Maturity Model Certification
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance Service
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
CMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained:  Impact for SMBsCMMC 2.0 Explained:  Impact for SMBs
CMMC 2.0 Explained: Impact for SMBs
 
The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?
 
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST Compliance
 
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and SubcontractorsFull Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
 
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation:  The Need for  Cybersecurity in  U.S. ManufacturingLaying the Foundation:  The Need for  Cybersecurity in  U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
 
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
 
Cyber review-guide
Cyber review-guideCyber review-guide
Cyber review-guide
 
BUSINESS CASE2BUSINESS CASE2Business CaseCon.docx
BUSINESS CASE2BUSINESS CASE2Business CaseCon.docxBUSINESS CASE2BUSINESS CASE2Business CaseCon.docx
BUSINESS CASE2BUSINESS CASE2Business CaseCon.docx
 
How Nationwide Insurance Transformed and Accelerated its Small_1.3.1
How Nationwide Insurance Transformed and Accelerated its Small_1.3.1How Nationwide Insurance Transformed and Accelerated its Small_1.3.1
How Nationwide Insurance Transformed and Accelerated its Small_1.3.1
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Corporate Cyber Program
Corporate Cyber ProgramCorporate Cyber Program
Corporate Cyber Program
 

Recently uploaded

Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadAyesha Khan
 
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiFULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiMalviyaNagarCallGirl
 
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc.../:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...lizamodels9
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...lizamodels9
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCRsoniya singh
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedLean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedKaiNexus
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...Paul Menig
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...lizamodels9
 

Recently uploaded (20)

Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiFULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
 
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc.../:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...

Cybersecurity Maturity Model Certification (CMMC)

  • 1. Core Business Solutions, Inc. Cybersecurity Maturity Model Certification (CMMC). October, 2020
  • 2. Today’s Presenters
    • Scott Dawson, Core Business Solutions, Inc., President and Co-Founder
    • Robert Jones, Left Brain Professionals, President & Principal GovCon Accounting Advisor
    • Andrew Streetman, Vysion Technology Solutions, President and CEO
  • 3. Today’s Agenda
    • Where Did CMMC Come From?
    • How Does CMMC Apply to Me?
    • CMMC Level 1
    • CMMC Level 3
    • CMMC Timeline
    • CMMC Costs
  • 4. Where Did CMMC Come From?
  • 5. Existing Cybersecurity Regulations
    • FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”: applies to all govt contractors; includes 17 basic cyber practices to protect Federal Contract Information (FCI)
    • DFARS 252.204-7012, “Safeguarding Covered Defense Information And Cyber Incident Reporting”: applies to all defense contractors; includes 110 cyber practices to provide “adequate security” to protect Controlled Unclassified Information (CUI)
    • Contractors agree to comply by signing a government contract.
    • https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
    • https://www.acquisition.gov/far/52.204-21
  • 6. Federal Contract Information (FCI)
    • “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
    • In other words, information that is not available publicly.
    • This is the focus of CMMC Level 1
  • 7. Controlled Unclassified Information (CUI)
    • “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
    • The CUI Registry can be found at https://www.archives.gov/cui
    • This is the focus of CMMC Level 3
    • Diagram: CUI produced by DoD and received by the prime/sub; CUI produced by the prime/sub and received by DoD
  • 8. New DFARS Regulations - effective Nov 30, 2020
    • Short Term: NIST SP 800-171 DoD Assessment (DFARS 252.204-7019, DFARS 252.204-7020). Self-assessment score must be submitted to DoD SPRS to be awarded any contracts and/or options.
    • Long Term: CMMC Certification (DFARS 252.204-7021). Current CMMC Certificate at the appropriate level required to be awarded DoD prime/sub contract requiring CMMC.
  • 9. Assessment Requirements
    • Complete self-assessment using DoD scoring
    • Develop written System Security Plan (SSP)
    • Complete POAM (Plan of Actions and Milestones)
    • Submit to SPRS: date of assessment; summary level score; scope of assessment; plan of action completion date
    • Be aware that DCMA is conducting its own assessments to verify compliance.
  • 10. Tips to Get Started Now on DoD Assessment
    1. Download the DoD Assessment Methodology: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
    2. Review assessment criteria
    3. Make a list of gaps in your current IT or business practices
  • 11. How Does CMMC Apply to Me?
  • 12. Understand CMMC Certification Basics
    • Focus on cybersecurity practices: technical; management/organizational
    • 3-year certification (no annual surveillance audits)
    • Requires involvement: management team; technology resources; employees
  • 13. Who Does CMMC Apply To?
    • All DoD prime contractors and ALL subcontractors, regardless of products and/or services sold
    • Less sensitive information: Lower Level Certification. More sensitive information: Higher Level Certification.
  • 14. CMMC Certification Levels
    • CMMC Level 1: 17 Practices
    • CMMC Level 2: 72 Practices (includes Level 1 practices)
    • CMMC Level 3: 130 Practices (includes Level 2 practices)
    • CMMC Level 4: 156 Practices (includes Level 3 practices)
    • CMMC Level 5: 171 Practices (includes Level 4 practices)
    • “Do I receive any payments from any customer that is related to a defense contract?” If yes, CMMC applies to you.
  • 15. CMMC Level 1: What ALL DoD Contractors/Subcontractors Have to Do
  • 16. CMMC Level 1 Practices
    • You may currently meet or nearly meet the 17 CMMC L1 requirements.
    • Conduct gap assessment to determine readiness.
    • Practice areas (number of practices): User accounts and passwords (4); Network connections and firewalls (2); Employee policies (1); Media and device protection (1); Visitors and secure facility access (4); Wi-Fi settings (1); Device maintenance and antivirus (4)
  • 17. Tips to Get Started Now on CMMC L1
    1. Download the CMMC model: https://www.acq.osd.mil/cmmc/draft.html
    2. Review the 17 requirements with company management and your IT resource (internal or external); they are marked Level 1 on pp. 12-22 in the CMMC Model
    3. Make a list of gaps in your current IT or business practices
  • 18. CMMC Level 3: Required if You Handle CUI
  • 19. CMMC Level 3 Domains. Total of 130 practices; 110 are from NIST SP 800-171
  • 20. Two Types of Security Practices in CMMC L3
    • Technical Controls (60%): handled by IT (internal or external); requires experienced IT/MSP; technical training is recommended
    • Organizational Controls (40%): handled by management; requires top management involvement; management training is recommended
  • 21. CMMC Process Maturity
    • “How well” practices are effectively integrated into your business.
    • Greater demands for “institutionalizing” CMMC practices with higher levels.
    • You can’t wait ‘til the last minute!
  • 22. Tips to Get Started Now on CMMC L3
    1. Identify professional resources: training/consultation; IT resources (internal or external)
    2. Conduct gap assessment: technical gaps; organizational gaps
    3. Complete training: IT/technical training; management training
    4. Develop written plan (SSP and POAM) and budget
    Keep working on NIST SP 800-171 compliance.
  • 23. CMMC Timeline
  • 24. CMMC Timeline
    • Jan 2020: CMMC Model published
    • Mar 2020: CMMC-AB stood up
    • Sept-Dec 2020: Provisional training for Assessors
    • Nov 30, 2020: New DFARS Interim Rule takes effect
    • Dec 2020: DoD Self-Assessment required for all contracts
    • Jan 2021: CMMC Assessments begin
    • 2021-2026: CMMC rollout through new contracts
    • YOU ARE HERE
  • 25. CMMC Preparation Steps
    1. Learn the requirements and conduct an assessment: technology/infrastructure; IT and management training; SSP & POAM; technical roadmap and budget
    2. Implementation and remediation: incident response; risk assessment; asset management; change management; management reviews; policies and procedures; employee awareness and safe practices; technology upgrades
    3. Third-party certification: readiness assessment; final preparation; third-party audit; corrective action; certification
    Level 1: Allow 2-3 Months. Level 3: Allow 6-9 Months.
  • 26. NIST/CMMC Implementation Team. Diagram of roles (Project Lead, Technical Lead, Management Consultant, Technical Consultant, Strategic Business Advisor) spread across the Client, CORE Business Solutions, Vysion Technology Solutions and Left Brain Professionals.
  • 27. Questions & Answers
  • 28. CMMC Costs: So, How Much?
  • 29. Factors Affecting Cost of CMMC (situation/factor: increases cost / reduces cost)
    • CMMC Level: Level 3 / Level 1
    • CUI volume and workflow: many CUI documents and many users need access / few CUI documents and few users need access
    • IT Support Resource: internal IT resources only / external IT resources (e.g. MSP)
    • Current IT resources and capability: little experience with cybersecurity standards and solutions / high degree of cybersecurity standards and solutions
    • Size and complexity of network: large number of devices and complex network / few devices and simple network
    • Age of network equipment: older equipment / newer equipment
    • Capability of network equipment: consumer-grade equipment / enterprise-grade equipment
    • Number of facilities: multiple sites / single site
    • Use of cloud apps: significant use of cloud apps / little or no use of cloud apps
  • 30. CMMC Program Contacts
    • Scott Dawson, President, Core Business Solutions, Inc. 866.354.0300 ext 1001, scott.dawson@thecoresolution.com
    • Robert Jones, President, Left Brain Professionals. 614.556.4415, www.LeftBrainPro.com, Support@LeftBrainPro.com
  • 31. Resources
    • New DFARS Regulation: https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf
    • Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/draft.html
    • OUSD(A&S) CMMC website: https://www.acq.osd.mil/cmmc/
    • CMMC-AB website: https://www.cmmcab.org/
    • NIST Special Publication (SP) 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
    • SPRS Homepage: https://www.sprs.csd.disa.mil/default.htm
    • CMMC-AB LinkedIn Page: https://www.linkedin.com/company/cybersecurity-maturity-model-certification-accrediation-body-cmmc-ab/
    • CMMC AB National Conversation Series - An Overview with Board Chairman, Ty Schieber: https://youtu.be/lwqd4IOHXuk

Editor's Notes

  1. Run Polls 1 & 2 Zane – tell us about your experience with MEPs and NIST
  2. What’s behind CMMC? The threat to the nation, our military and our economy.
  3. The push toward cybersecurity throughout the defense industry began in the Obama presidency. CMMC builds on previous and current contractual regulations by introducing a formal 3rd-party certification.
     o FAR 52.204-21 is a current regulation for all govt contractors and includes the 17 practices of CMMC Level 1.
     o DFARS 252.204-7012 is a current regulation for all defense contractors and includes 110 practices (including those from Level 1) of the 130 required by CMMC Level 3.
     Following a number of high profile cyber incidents involving defense programs, the DoD IG conducted a series of contractor audits and concluded that some DoD contractors were not consistently implementing mandated system security requirements or advancing their POA&Ms to achieve full compliance with all 110 security controls.
  4. The 17 practices in Level 1 serve the purpose of protecting Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” In other words, all of the documentation or information that is received or generated as part of a defense contract that is not available publicly (like beta.sam.gov).
  5. If you receive, generate or handle any technical or otherwise sensitive information as part of a DoD contract (or subcontract), you should treat it as CUI. Or, if in doubt, you can simply protect ALL documentation related to any unclassified defense contract as if it is CUI (better to be safe than sorry). Classified programs have much more rigorous cybersecurity requirements and are not relevant to CMMC. CUI may currently be marked as CTI, CDI, FOUO, ITAR or another indication. The government is in the process of establishing rules for the marking of all CUI as CUI, but that’s down the road. Another way to confirm whether a current DoD contract will require CMMC Level 3 in the future is to look for the clause DFARS 252.204-7012 in the current contract. If it is present, then CMMC Level 3 will apply to future similar contracts.
  6. Supplier Performance Risk System (SPRS). This clause is required in all DoD solicitations except for those solely for the acquisition of commercially available off-the-shelf (COTS) items. These regulations apply to ALL suppliers in the Defense Industrial Base (DIB).
  7. Starting this year, the DoD (and potentially other sectors of the federal government) will begin adding CMMC certification requirements to RFIs and RFPs. In addition, the DFARS contractual regulation will be revised later in 2020 to include CMMC certification as well. It is expected to take 5 years to incorporate CMMC into all DoD contracts affecting over 300,000 suppliers in the defense industrial base (DIB), through 2026.
     • Eventually, every DoD contractor and all subcontractors will be required to have a CMMC certification in order to be awarded a DoD-related contract or subcontract. Current contracts will NOT be affected. This change only applies to NEW contracts.
  8. The certification process will work in a similar way to an ISO 9001 certification, but focused on cybersecurity, with a 3-year re-certification period but no annual surveillance audits. CMMC requirements are a mix of technical security practices and management/organizational practices. It requires involvement of your management team, technology resources and employees.
  9. Regardless of the type of products or services you sell to the DoD or to one of its contractors, your company will be required to have a CMMC certification. However, depending upon your contract and the type of DoD information you handle, your certification may be at a Lower Level or Higher Level of cybersecurity.
  10. There are 5 “maturity levels” available for CMMC certification.
     • EVERYONE must at least meet Level 1 CMMC certification requirements. Level 1 is just the basics with 17 specific requirements (called “practices”). No matter the size of your company or what you produce or supply to meet a DoD requirement, Level 1 will apply to you. And, remember, Level 1 controls are currently in FAR 52.204-21 contractual regulations for all government contracts. If you sell to the federal government, these requirements should already be in place.
     • The other CMMC levels build upon the 17 practices in Level 1:
       o CMMC Level 1: 17 Practices.
       o CMMC Level 2: 72 Practices (includes Level 1 practices)
       o CMMC Level 3: 130 Practices (includes Level 2 practices)
       o CMMC Level 4: 156 Practices (includes Level 3 practices)
       o CMMC Level 5: 171 Practices (includes Level 4 practices)
     • So, to answer the question “Does CMMC Level 1 apply to me?”, you simply need to ask “Do I receive any payments from any customer that is related to a defense contract?” This simply means “follow the money.”
     • If your defense-related customer(s) haven’t (yet) notified you to expect this requirement in future contracts, they will. Customers will be obligated to “flow down” the appropriate CMMC requirements to all of their suppliers, once the DFARS regulation is modified and CMMC requirements appear in defense contracts.
     • Do you have at least 1 defense-related customer contract (or plan to)? Then stay with us for the remainder of this program for further details. If not, today’s session is not for you.
  11. It is likely that your company already meets or nearly meets many of the CMMC L1 requirements. It would require a careful review using the CMMC Model as a guide to complete a gap assessment. There are no requirements for formal documentation like policies or procedures with CMMC Level 1.
  12. As mentioned, there are 130 practices in CMMC Level 3, including the 17 practices from Level 1. Level 3 practices also include the 110 controls in NIST SP 800-171 that are required by the current DFARS clause. So, most of CMMC Level 3 will be familiar to companies that are in compliance with DFARS. These domains (“topics”) each break down into several capabilities (“actions”), which then are detailed in a number of specific practices (“controls”). Not only does the number of practices increase by more than 7x from Level 1, the technical and organizational complexity goes up – as well as the cost.
  13. The technical practices (about 60% of the requirements) generally require a very experienced IT professional or MSP to implement and maintain. But it is also important that your IT resource gets proper training on the CMMC requirements to be sure your company properly interprets and applies each of the requirements in the most effective and affordable manner. If you don’t have an IT resource with cybersecurity experience, you can use external help from a consultant or security professional. The organizational practices (about 40% of the requirements) are owned by top management. Just like an ISO certification assigns certain requirements to top management, so does CMMC. There are policies, training, management oversight, planning and budgeting, among other things requiring management’s involvement and sponsorship. Top management will also need specialized training to understand how the security program needs to be set up and managed for effectiveness.
  14. One other additional CMMC Level 3 requirement deserves special mention – process maturity. Maturity addresses “how well” domains/capabilities/practices are integrated into your company’s business practices, roles and systems. The 5 maturity levels (L1-L5), which specify the practices to be implemented, also require maturity processes that demonstrate increasing levels of effectiveness and “institutionalization”. Process maturity implies that you can’t wait until the last minute to implement CMMC if you expect to be certified. Give enough time for practices to mature.
  15. Identify professional resources: training/consultation; IT resources (internal or external). Conduct gap assessment: technical gaps; organizational gaps. Complete training: IT/technical training; management training. Develop written plan and budget.
  16. So, when does all of this go into effect? We can answer this in two respects: When will the first CMMC certifications go into effect? When will your company need to be certified? So far, there are 2 major milestones completed:
     1. CMMC Model published (Jan, 2020). The CMMC Model contains the requirements for certification. It was first published in January, 2020 by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) and is available here: https://www.acq.osd.mil/cmmc/draft.html There is also an excellent FAQ available from the DOD here: https://www.acq.osd.mil/cmmc/faq.html
     2. CMMC Accreditation Body (CMMC-AB) stood up (Mar, 2020). “The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.” https://www.cmmcab.org/cmmc-standard#:~:text=Mission,Model%20Certification%20(CMMC)%20Program.
  17. How long this will take depends on a few things:
     • What CMMC certification level are you aiming for?
     • What cybersecurity measures do you have in place now?
     • Who is available to work on this initiative?
     • How well do you understand the CMMC requirements and the options available to you to comply?
     • What financial resources do you need? (We’ll drill into costs in a moment.)
  18. Every small business has to get their arms around the costs relating to preparation, certification and maintenance of CMMC. There are several areas of cost to consider:
     • Preparation costs: gap assessment; training; documentation; remediation/implementation
     • Certification costs: certification audit; corrective action
     • Maintenance costs: maintaining and upgrading technology; updates to training and documentation; re-certification audits
     (Explain that the cost of assessment/SSP/POAM/policies is typically $10-$15K; remediation cost; CMMC audit cost), and do this without trying to discourage people from doing business with DoD.
  19. Cost factors:
     • CMMC Level - Level 3 has 130 practices while Level 1 has 17 practices.
     • CUI volume and workflow - If only a few people need to access CUI, it may be possible to set up an isolated enclave system.
     • IT Support Resource - Costs of employment of specialized professionals.
     • Current IT resources and capability - Experience with cybersecurity gives IT professionals an understanding of what solutions may be effective and more affordable.
     • Size and complexity of network - More devices and network complexity can require more expense to meet requirements.
     • Age of network equipment - Older equipment may not be capable of meeting current cybersecurity standards.
     • Capability of network equipment - Consumer-grade equipment often does not have the capability to meet current cybersecurity standards.
     • Number of facilities - Multiple sites can complicate network security.
     • Use of cloud apps - Cloud apps generally do not fully support CMMC requirements at the level of detail required for certification. Typically, only the premium, more expensive, levels of service and capability in cloud apps will come close to meeting CMMC requirements. In addition, local devices and the network still need to meet CMMC requirements in order to access documents and data contained in cloud apps.