CMMC (Cybersecurity Maturity Model Certification) brings together a standard for the implementation of cybersecurity for those companies doing, or wanting to do, business with the Department of Defense (DoD). The framework includes comprehensive and scalable certification elements to verify your implementation of the processes and practices associated with the cybersecurity maturity level your organization needs to achieve to win proposals. This on-demand webinar presentation, featuring Andrew Geiser, a senior manager on Rea & Associates' manufacturing and distribution team, and Ty Whittenburg, a senior information systems analyst on the firm's cybersecurity and data protection team, will explain how CMMC will impact manufacturing companies. The duo will also go through the various levels associated with CMMC and explain how to know which CMMC level you need based on your company's business model.
This presentation is co-sponsored by Rea & Associates and the Southeast Ohio MEP and is designed to provide insight on CMMC standards for your manufacturing organization.
During this free webinar, you will hear how CMMC compliance aligns with NIST 800-171 and NIST 800-53, and whether your organization needs to comply with specific CMMC levels, including CMMC Level 3.
For more information, contact Andrew or Ty directly or visit https://www.reacpa.com for more.
#CMMC #DepartmentOfDefense #cybersecurity
[ON-DEMAND RECORDING] Deep Impact: Is Your Manufacturing Company On A Collision Course With CMMC?
2. Presenters
01 | Senior Manager, Rea & Associates – Millersburg, Ohio
02 | 8+ years of Manufacturing experience
03 | Consulting – Product Costing, Profitability, Inventory, & Operations
04 | Tax Planning and Advisory
05 | Rea Manufacturing & Distribution
● Andrew Geiser, CPA
3. Presenters
01 | Sr. Information Assurance Manager, Rea & Associates
02 | 10+ years of Information Technology experience
03 | Consulting – CMMC, Governance | Risk | Compliance
04 | FBI InfraGard Member
05 | Rea Cyberservices Division
● Tyrone Whittenburg, RP
4. What is your biggest issue right now?
Labor
What effects are we seeing?
● Higher costs – wages & benefits
● Unfilled positions
5. How are you going to grow?
Consider these questions:
● How many open positions do you currently have, and how long have you been trying to fill them?
● How many MORE positions would you need to fill to support your current growth objectives?
● Is that realistic? What do you do?
9. If your organization …
● Currently holds, bids on, or reviews federal contract information;
● Has ever logged into the Procurement Integrated Enterprise Environment (PIEE) or the Supplier Performance Risk System (SPRS);
● Produces specific materials for a government contract or for a company that currently holds, bids on, or reviews government contracts;
● Plans to bid on government work at any point in the future; or
● Has a current or future need to review federal contract information
… you have a CMMC requirement.
10. Overview
The "Cybersecurity Maturity Model Certification" is unifying the implementation of cybersecurity across the Defense Industrial Base (DIB).
14. CMMC objective
The DoD is a policy creation organization. Oversight is not their area of expertise. An independent Accreditation Body was created to authorize and accredit 3rd-party assessors and practitioners.
16. The foundation
The regulations and frameworks that address physical and electronic controls for safeguarding Covered Defense Information and Cyber Incident Reporting:
● Federal Acquisition Regulation 52.204-21
● Defense Federal Acquisition Regulation Supplement 252.204-7012
● NIST SP 800-171
17. Methodical 5-year roll-out
2021 – 1,500 certified
● 899 at ML1
● 149 at ML2
● 452 at ML3
2022 – 7,500 certified
● 44900 at ML1
● 749 at ML2
● 2,245 at ML3
● 8 at ML4 & ML5
2023 – 25,000 certified
● 14,981 at ML1
● 2,497 at ML2
● 7,490 at ML3
● 16 at ML4 & ML5
2024 – 47,905 certified
Organizations Seeking Certification (OSCs) and recertification will be taking place.
2025 – 47,905 certified
New OSCs and OSCs seeking recertification.
18. Rollout will allow for development of practices and processes.
● ML 1 – Basic Cyber Hygiene – 17 practices
● ML 2 – Intermediate Hygiene – 72 practices
● ML 3 – Good Cyber Hygiene – 130 practices
● ML 4 – Proactive Cyber – 156 practices
● ML 5 – Progressive Hygiene – 171 practices
99.9%: the majority of organizations will need to be at Maturity Levels 1-3.
.1%: Maturity Levels 4-5; this will primarily be your Primary Contractors.
19. Proposed solution
The Organization Seeking Certification (OSC) needs to make its Self-Assessment available, scope its system boundaries, and request the maturity level sought.
20. Process
01 – Self-Assessment: conduct an internal assessment or hire an RPO to conduct a gap analysis.
02 – Close POA&M: the plan of action and milestones must be achieved before the Maturity Level Assessment.
03 – Hire a C3PAO to assess: the C3PAO assigns a Certified Assessor as Lead Assessor. That Lead Assessor reviews the preparatory information and makes a go/no-go decision based on the OE (objective evidence) provided.
Editor's Notes
Defending the information and intellectual property of the DoD is getting increasingly harder, and Self-Assessments were not effective. The CMMC is intended to serve as a verification mechanism to ensure that companies implement the appropriate measures.
Federal Contract Information: information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as that necessary to process payments. Maturity Level 1 focuses purely on safeguarding this information.
Unclassified information associated with a law, regulation, or government-wide policy and identified as needing safeguarding is considered CUI.
• DoD CUI replaces all references to CDI
• The authorized holder is responsible for determining whether information in a document or material falls into a CUI category, and for applying CUI markings and dissemination instructions accordingly
• At minimum, CUI markings for DoD CUI documents will include the acronym "CUI" in the banner and footer of the document (FOUO is not valid for new documents)
FAR 52.204-21 established 17 baseline controls that orgs (contractors) need to achieve to conduct business with the govt. The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
Here's a portion of the controls.
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
The Department of Defense (DoD) issued an interim rule on Sept. 29, 2020 to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) framework. This interim rule includes new DFARS clause 252.204-7021, which specifies CMMC requirements and enables the department to verify.
The DFARS interim rule became effective on November 30, 2020. The public review and comment period for DFARS Case 2019-D041 ended on November 30, 2020. Due to its designation as a major rule change, the interim rule must also complete a Congressional Review.
Unlike NIST SP 800-171, the CMMC model possesses five levels. The model is cumulative: each level consists of its own practices and processes as well as those specified in the lower levels. The CMMC Model includes additional cybersecurity practices in addition to the security requirements specified in NIST SP 800-171.
• Engaging a C3PAO
  ○ OSC registers with the CMMC-AB
  ○ OSC requests CMMC certification, and timing
  ○ CMMC-AB puts the OSC in contact with available C3PAOs
    § Those who need certification are prioritized (provisional)
• Selecting a C3PAO
  ○ Select
  ○ Make available read-ahead info, to include:
    § Pre/Self-Assessment results
    § Scope boundaries
    § Recent certification results (e.g. ISO, etc.)
    § Maturity Level sought
  ○ C3PAO assigns a Certified Assessor as Lead Assessor
  ○ Lead Assessor reviews the info
  ○ Go/no-go decision is rendered based on the info provided
  ○ Assuming a GO decision:
    § Lead Assessor and OSC determine/confirm scope
      □ Staffing
      □ Dates/duration
      □ Pricing
Each practice must be satisfied based on at least 2 forms of objective evidence:
• Interviews
• Evidence review (demonstration is preferred)
• Testing
Findings are categorized as:
• Pass – addresses the CMMC practice
• Fail – a failure to address some aspect of the CMMC requirement
• Not Applicable