[ON-DEMAND RECORDING] Deep Impact: Is Your Manufacturing Company On A Collision Course With CMMC?
•Download as PPTX, PDF•
0 likes•42 views
CMMC (Cybersecurity Maturity Model Certification) brings together a standard for the implementation of cybersecurity for those companies doing or wanting to do business with the Department of Defense (DoD). The framework includes comprehensive, and scalable certification elements to verify your implementation of process and practices associated with the cybersecurity maturity level your organization needs to achieve to win proposals. This on-demand webinar presentation featuring Andrew Geiser, a senior manager on Rea & Associates' manufacturing and distribution team, and Ty Whittenburg, a senior information systems analyst on the firm's cybersecurity and data protection, will explain how will CMMC impact manufacturing companies. The duo will also go through the various levels associated with CMMC and explain how to know which CMMC level you need based on your company's business model. This presentation is co-sponsored by Rea & Associates and the Southeast Ohio MEP and is designed to provide insight on CMMC standards for your Manufacturing organization. During this free webinar, you will hear how CMMC compliance aligns with NIST 800-171, NIST 800-53, and whether your organization need to comply with specific CMMC levels, including CMMC level 3. For more information, contact Andrew or Ty directly or visit https:www.reacpa.com for more. #CMMC #DepartmentOfDefense #cybersecurity
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Similar to [ON-DEMAND RECORDING] Deep Impact: Is Your Manufacturing Company On A Collision Course With CMMC?
Similar to [ON-DEMAND RECORDING] Deep Impact: Is Your Manufacturing Company On A Collision Course With CMMC? (20)
More from Rea & Associates
More from Rea & Associates (20)
Recently uploaded
Recently uploaded (20)
[ON-DEMAND RECORDING] Deep Impact: Is Your Manufacturing Company On A Collision Course With CMMC?
- 2. Presenters 01 | Senior Manager, Rea & Associates – Millersburg, Ohio 02 | 8+ years of Manufacturing experience 03 | Consulting – Product Costing, Profitability, Inventory, & Operations 04 | Tax Planning and Advisory 05 | Rea Manufacturing & Distribution ● Andrew Geiser, CPA
- 3. Presenters 01 | Sr. InformationAssurance Manager, Rea & Associates 02 | 10+ years of Information Technology experience 03 | Consulting – CMMC, Governance| Risk | Compliance 04 | FBI InfraGard Member 05 | Rea Cyberservices Division ● Tyrone Whittenburg, RP
- 4. What is your biggest issue right now? Labor What effects are we seeing? Higher Costs – wages & benefits Unfilled positions
- 5. How are you going to grow? Consider these questions How many open positions do you currently have, and how long have you been trying to fill them? How many MORE positions would you need to fill to support your current growth objectives? Is that realistic? What do you do?
- 6. Automation Robotics Industry 4.0 Robotic Process Automation (RPA) 3D Printing Additive Manufacturing Smart Factories The cost/benefit is changing …
- 7. Automation means connectivity What does this mean for your security?
- 9. If your organization … ● Currently holds, bids, or reviews federal contract information; ● Has ever logged into the Procurement Integrated Enterprise Environment (PIEE) or the Supplier Performance Risk System (SPRS); ● Produces specific materials for a government contract or for company that currently holds, bids, or reviews government contracts; ● Plans to bid on government work at any point in the future; or ● Has a current or future need to review federal contract information You have a CMMC requirement.
- 10. Overview The “cybersecurity maturity model certification” is unifying the implementation of cybersecurity across the Defense Industrial Base (DIB).
- 14. CMMC objective The DoD is a policy creation organization. Oversight is not their area of expertise. An Independent Accreditation Body was created to authorize and accredit 3rd party assessors and practitioners.
- 16. The foundation The regulations and frameworks to address physical and electronic controls for safeguarding Covered Defense Information and Cyber Incident Reporting. Federal Acquistion Regulation 52.204-21 Defense Federal Acquistion Supplement 252.204-7012 NIST 800 -171
- 17. Methodical 5 year roll-out 2021 1,500 Certified ● 899@ML1 ● 149@ML2 ● 452@ML3 2022 7,500 Certified ● 44900@ML1 ● 749@ML2 ● 2245@ML3 ● 8 @ML4 &5 2023 25,000 Certified ● 14981@ML1 ● 2497@ML@ ● 7,490 @ML# ● 16@ML4r & % 2024 47,905 Certified Organizations Seeking Certification and Recertification will be taking place 2025 47,905 Certified New OSC and OSCs seeing recertification.
- 18. Rollout will allow for development of practices and processes. ML 1 99.9% Majority of organizations will be need to be at Maturity Levels 1-3. ML 4 .1% This will primarily be your Primary Contractors. ML 2 ML 3 ML 5 Basic Cyber Hygiene 17 Practices Intermediate Hygiene 72 Practices Good Cyber Hygiene 130 Practices Proactive Cyber 156Practices Progressive Hygiene 17 1 Practices
- 19. Proposed solution The Organization Seek Certification needs to make Self-Assessment available, scope their systems boundaries, and request maturity level sought.
- 20. Process 0 1 Self Assessment Conduct internal assessment or hire RPO to conduct GAP Analysis 0 2 Close POAM Plan of action milestones must be achieved before Maturity Level Assessment 0 3 Hire C3PAO to Assess C3PAO assigns Certified Assessor as Lead Assessor. That Lead Assessor reviews preparatory information and makes a Go/no-go decision based on OE provided.
Editor's Notes
- Defending the information & intellectual property of the DoD is getting increasingly harder and Self-Assessments were not effective. The CMMC is intended to serve as a verification mechanism to ensure that companies implement the appropriate measures.
- Federal Contract Information: Information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments. Maturity Level 1 focuses purely on safeguarding this information.
- Unclassified information associated with a law, regulation, or government-wide policy and identified as needing safeguarding is considered CUI • DoD CUI replaces all references to CDI • Authorized holder is responsible for determining whether information in a document or material falls into a CUI category, and applying CUI markings and dissemination instructions accordingly • At minimum, CUI markings for DoD CUI documents will include the acronym “CUI” in the banner and footer of the document (FOUO not valid for new documents)
- FAR 52.204-21 established 17 baseline controls that orgs (contractors) need to achieve to conduct business with the govt. The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls: Here’s a portion of the controls. (i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (iii) Verify and control/limit connections to and use of external information systems. (DoD) issued an interim rule on Sept. 29, 2020 to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) framework. This interim rule includes new DFARS clause 252.204-7021, which specifies CMMC requirements and enables the department to verify. DFARS interim rule became effective on November 30, 2020. The public review and comment period for DFARS Case 2019-D041 ended on November 30, 2020. Due to its designation as a major rule change, the interim rule must also complete a Congressional Review. Unlike NIST SP 800-171, the CMMC model possesses five levels. The model is cumulative whereby each level consists of practices and processes as well as those specified in the lower levels. The CMMC Model includes additional cybersecurity practices in addition to the security requirements specified in NIST SP 800-171.
- • Engaging C3PAO ○ OSC registers with CMMC-AB ○ OSC requests CMMC Cert, and timing ○ CMMC-AB puts OSC in contact with available C3PAO's § Those who need Cert are prioritized(provisional) • Selecting C3PAO ○ Select ○ Make available read-ahead info to incd: § Pre/Self-TAssessment results § Scope Boundaries § Recent Certification results (e.g. ISO, Etc) § Maturity Level sought ○ C3PAO assigns Certified Assessor as Lead Assessor ○ Lead Assessor rvws info ○ Go/no-go decision is rendered based on info provided ○ Assuming GO decision § Lead assessor and OSC determine/confirm scope □ Staffing □ Dates/duration □ pricing
- Each practice must be satisfied based on at least 2 forms of objective evidence. Interviews Evidence review (preferred is demonstration) Testing Findings are categorized as Pass – addresses CMMC practice Fail – a failure to address some aspect of CMMC req Not Applicable