Present-day in our galaxy, right here … The US Department of Defense (DoD) recently developed and established the Cybersecurity Maturity Model Certification (CMMC) as the new standard for the Defense Industrial Base (DIB). More plainly, it’s a certification process that provides assurance to the DoD that a required entity is equipped to protect unclassified information, including any data that transfers between its vendors and partners. That’s a simplified definition of what a CMMC and CMMC compliance is and it already sounds complicated. It doesn’t have to be, though. Etactics and Rea & Associates have joined forces to break down every facet of this new certification into a comprehensive webinar series entitled Security Wars. The first webinar in our Security Wars series serves as a necessary introduction to CMMC. Join Matt Moneypenny, senior marketing and sales analyst at Etactics, and Ty Whittenburg, senior information assurance manager at Rea & Associates, as they unpack the DoD’s newest standard by starting with its three maturity levels and their implications on data protection. #SecurityWarsSeries #CMMC #Cybersecurity Learn more about Rea & Associates at https://www.reacpa.com Discover how Etactics can help your business at https://etactics.com/

2. Introducing...
Ty Whittenburg
Sr. Information Assurance Manager
Rea & Associates
As a Senior Information Assurance Manager and
CMMC- Registered Practitioner on Rea’s Cybersecurity
team, Ty can be found ensuring organizations
technology and networks drive business objectives by
identifying potential loss events, reducing their
frequency, and loss magnitude. With more than 10
years of industry experience, he is involved with the
Central Ohio ISSA, the Greater Ohio FAIR chapter, the
Ohio River Valley Cloud Security Alliance, and InfraGard
Columbus.

3. J.P. Cervo
Regional Sales Manager
Etactics
Introducing...
Since receiving a B.A. in English from Kent State
University, J.P
. has accumulated over 10 years of
project management and sales experience within the
healthcare space. Currently, he is a regional sales
manager for Etactics, Inc. and has lead multiple
product development efforts including Etactics’ K2
Compliance™ cloud-based governance, risk, and
compliance management solution.

4. J.P. Cervo
Regional Sales Manager
Etactics
Introducing...
Since receiving a B.A. in English from Kent State
University, J.P
. has accumulated over 10 years of
project management and sales experience within the
healthcare space. Currently, he is a regional sales
manager for Etactics, Inc. and has lead multiple
product development efforts including Etactics’ K2
Compliance™ cloud-based governance, risk, and
compliance management solution.
R
E
C
A
S
T

5. Matt Moneypenny
Senior Marketing & Sales Analyst
Etactics
Introducing...
Matt Moneypenny is the lead Marketing and Sales
Analyst at Etactics, a revenue cycle technology
company located in Northeast Ohio. Previously, he
served as the Senior Content Strategist at an online
news source for Amazon’s Twitch Interactive, for
three years while attending The University of Akron in
pursuit of a Bachelor’s of Business Administration in
Marketing Management.

6. Poll Time!
Q: What do you expect to get out of this webinar?

7. Understanding CMMC
If you look at the DOD’s website that explains CMMC...

8. CMMC In a Nutshell
● Officially published on January 31, 2020
● It’s a new, unified certification process that provides assurance to the DOD that a
required entity is equipped to protect unclassified information, including any data
that transfers between its vendors and partners.

9. Who’s Affected by CMMC?
● Over 300,000 DoD suppliers who deal with Controlled Unclassified Information (CUI)
must obtain a certification
Small Subcontractors Big Prime

10. CMMC Important Dates
January 2020
DoD introduces Version
1.0 of the CMMC
June 2020
Opens registration for C3PAOs
and third-party assessors
July 2020
DoD to creates and
publishes a CMMC training
September 2020
Implement CMMC into the
DFARS regulation
November 2020
Incorporate requirements
in Requests for Proposals
2021 - 2026
Implementation of the CMMC
through a phased rollout
2026
CMMC certification
becomes a requirement

11. Don’t Delay
All new DoD
contracts will
contain CMMC
requirement
starting in
FY2026

12. Poll Time!
Q: Have you begun preparation for CMMC?

13. CMMC Timeline

15. Step 1
Identify desired maturity level
you want to be audited for and
complete a self-assessment

17. Step 2
Start drafting a budget for CMMC compliance to include
costs for enhancing security requirements, updating
policies, leveraging applications, contracting a
Registered Provider Organization , and any additional

19. Step 3
Configure your existing security environment to align to:
● FAR 50. 204-21
● DFARS 252.204-7012
● NIST 800-171
Contractors that implement all controls should be able
to achieve CMMC Level 3

21. Step 4
Build a Plan of Action & Milestones (POA&M) to ensure
compliance will be achieved in a defined time period.

23. Step 5
Find an available RPO or
C3PAO who will schedule
the assessment with the
certified independent
assessor

25. Step 6
“6 month waiting period
between application and
certification”
Culture takes time

26. Estimated Costs of CMMC

27. CMMC Levels of Maturity
1
2
3
4
5

28. CMMC Levels of Maturity
DoD contractors who wish to pass an audit at this
level must implement 17 practices of FAR 52.204-21
Level 1
Demonstrates
“Basic Cyber Hygiene”

29. CMMC Levels of Maturity
1
2
3
4
5

30. CMMC Levels of Maturity
Here, DoD contractors must implement another 55
practices (72 total). Complying w/ FAR & including a
select subset of 48 practices from NIST 800-171
rev1 plus seven new practices to support
intermediate cyber hygiene.
Level 2
Demonstrates
“Intermediate Cyber Hygiene”

31. CMMC Levels of Maturity
1
2
3
4
5

32. CMMC Levels of Maturity
To achieve level 3 certification, the final 58 practices
of NIST 800-171 Rev1 plus 20 additional practices
to support good cyber hygiene.
Level 3
Demonstrates
“Good Cyber Hygiene”

33. CMMC Levels of Maturity
1
2
3
4
5

34. CMMC Levels of Maturity
In addition to the controls in levels 1 through 3, 11
more controls of NIST 800-171 Rev1 plus 22 new
practices must be implemented.
Level 4
Demonstrates
“Proactive Cybersecurity”

35. CMMC Levels of Maturity
1
2
3
4
5

36. CMMC Levels of Maturity
To achieve this highest level, DoD contractors must
implement the final fifteen practices
Level 5
Demonstrates
“Advanced Cybersecurity”

37. Poll Time!
Q: What Maturity level do you need to achieve?

38. Any Further Questions?