WEBINAR: DFARS, SPRS, NIST 800-171, CMMC EXPLAINER FOR DIB CONTRACTORS
YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST
Agenda
© ControlCase. All Rights Reserved. 2
1. ControlCase Introduction
2. How Do the Acronyms Interplay?
3. What is DFARS?
4. What is NIST 800-171?
5. What is an SPRS Score?
6. What is CMMC?
7. What Do You Need to Do Now?
8. Why ControlCase?
1. CONTROLCASE INTRODUCTION
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically cut the time, cost and burden of becoming certified and maintaining IT compliance:
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies: do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner
1,000+ clients | 10,000+ IT security certifications | 275+ security experts
Solution
Certification and Continuous Compliance Services
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
Certifications covered: CMMC RPO, FedRAMP, NIST 800-171, SPRS, HIPAA, HITRUST, PCI DSS, GDPR, PCI PIN, ISO 27001-2, SOC 1, 2, 3 & Cybersecurity, PCI 3DS
One Audit™: Assess Once. Comply to Many.
Certification Services
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant
2. HOW DO DFARS, SPRS, NIST 800-171, AND CMMC INTERPLAY?
• DFARS is the overall set of regulations.
• NIST 800-171 is the control framework that DFARS relies on.
• The SPRS score is the methodology for scoring NIST 800-171 compliance.
• CMMC is the future framework that brings this all together.
3. WHAT IS DFARS?
Defense Federal Acquisition Regulation Supplement (DFARS)
The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR.
DFARS was established in December of 2015 to protect the confidentiality of Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB).
To be awarded new DoD contracts, a contractor or supplier must comply with this set of cybersecurity regulations, also known as the Defense Federal Acquisition Regulation Supplement or DFARS.
4. WHAT IS NIST 800-171?
NIST SP 800-171
NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
Specifically, NIST 800-171 outlines how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI).
The NIST 800-171 Assessment is a self-assessment conducted following the NIST 800-171 DoD Assessment Methodology.
As of November 30, 2020, all DoD contractors must conduct a NIST 800-171 Assessment and submit their score to the Supplier Performance Risk System (SPRS).
NIST 800-171 Control Domains
110 security requirements broken down into 14 control families taken from FIPS 200 and NIST 800-53:
• Access Control
• Awareness & Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System & Communications Protection
• Systems & Information Integrity
5. WHAT IS A SPRS SCORE?
SPRS Score
The Supplier Performance Risk System (SPRS) is a Department of Defense (DoD) application that gathers, processes, and displays data about suppliers’ performance.
SPRS is a “self-certification” score which is the result of a NIST SP 800-171 DoD Assessment and provides contracting officials a score for the overall assessment of supplier performance and supplier risk.
Once you’ve generated your score, the new DFARS rules require your organization to maintain a current score in SPRS, meaning the DoD self-assessment can be no more than three years old.
6. WHAT IS CMMC?
Cybersecurity Maturity Model Certification (CMMC)
CMMC is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).
CMMC 1.0 was released by the US Department of Defense (DoD) and became effective in November 2020. CMMC 2.0 was released in November 2021.
CMMC ensures that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
Who Does CMMC Apply To?
• You have FCI only: Defense Industrial Base (DIB) contractors whose unclassified networks possess Federal Contract Information (FCI). This maps to CMMC Level 1.
• You have CUI (in addition to FCI): Defense Industrial Base (DIB) contractors whose unclassified networks possess, store, or transmit Controlled Unclassified Information (CUI). This maps to CMMC Level 2 or 3.
What CMMC Level Are You and Next Steps?
WHAT YOU NEED TO DO
• Level 1: Self Assessment (optionally assisted by ControlCase).
• Level 2a: The information that you manage is not critical to national security. Self Assessment (optionally assisted by ControlCase).
• Level 2b: The information that you manage is critical to national security. C3PAO assessment (once every three years).
• Level 3: The information you manage involves the highest priority, most critical defense programs. Government conducts an audit (once every three years).
ControlCase CMMC Assessment Process
CONTROLCASE CMMC LEVEL 1 ASSESSMENT PROCESS
1. Deploy Compliance Hub with NIST 800-171 controls covering 17 practices
2. Complete Scoping
3. Complete 50% Evidence Review
4. Complete 100% Evidence Review
5. *Publish Level 1 Self Assessment Report
CONTROLCASE CMMC LEVEL 2A ASSESSMENT PROCESS
A. Deploy Compliance Hub with NIST 800-171 controls covering 110 practices
B. Complete Scoping
C. Complete 50% Evidence Review
D. Complete 100% Evidence Review
E. *Publish Level 2 Self Assessment Report
7. WHAT DO YOU NEED TO DO NOW?
What You Need to Do
First, generate your SPRS score here: https://www.sprs.csd.disa.mil/
CMMC Current Status (and what you can do now)
• The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Until the rulemaking happens, DoD will not approve inclusion of a CMMC requirement under any DoD solicitation.
• DoD has provided resources to companies in the meantime. It’s called Project Spectrum, at https://www.projectspectrum.io/
• Companies can take this time to implement NIST 800-171 controls and prepare the accompanying documents, such as the System Security Plan (SSP).
8. WHY CONTROLCASE?
ControlCase Compliance Hub®
• Automated Compliance Engine (ACE): collect evidence such as configurations remotely.
• ControlCase Data Discovery (CDD): scan end user workstations for PII.
• Vulnerability Assessment & Penetration Testing (VAPT): perform remote vulnerability scans and penetration tests.
• Automated Log Analysis (LOGS): review log settings and identify missing logs remotely.
Continuous Compliance Services
ControlCase addresses common non-compliant situations that may leave you vulnerable:
• In-scope assets not reporting logs
• In-scope assets missed from vulnerability scans
• Critical, overlooked vulnerabilities due to volume
• Risky firewall rule sets go undetected
• Non-compliant user access scenarios not flagged

FEATURE                                                        | Package 1 - With Cybersecurity Services* | Package 2 - Without Cybersecurity Services*
Quarterly Review of 15 to 25 Compliance Questions              | ✓                                        | ✓
Quarterly Review of Scope                                      | ✓                                        | ✓
Collecting & Analyzing Data through connectors from client systems | —                                    | ✓
Vulnerability Assessment                                       | ✓                                        | —
Penetration Testing                                            | ✓                                        | —
Sensitive Data Discovery                                       | ✓                                        | —
Firewall Ruleset Review                                        | ✓                                        | —
Security Awareness Training                                    | ✓                                        | —
Logging & Automated Alerting                                   | ✓                                        | —
* Hybrid package can be selected.
Summary – Why ControlCase
“They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
— Dir. of Compliance, SaaS company
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
contact@controlcase.com
Download CMMC Compliance Checklist
CMMC Compliance Blog
Schedule CMMC Compliance Discussion