FED GOV CON
Webinar
Wednesdays
2020 Series
JSchaus & Associates
Washington DC
+1-202-365-0598
About Our Webinars:
- Every Wednesday;
- Complimentary;
- Recorded;
- YouTube & our Website;
- No Questions
About Us:
Professional Services for
Federal Contractors
- GSA Sched;
- SBA 8(a);
- Proposal Writing;
- Pricing;
- Contract Administration;
- Business Development
Upcoming Events:
FEB 10
5.30-7.30pm
Meet With STATE DPT
and
150 Federal Contractors
Sponsorships Available
Advertise In Our Newsletter:
Reach 16,600+ Subscribers!
Includes Government &
Government Contractors
Hello@JenniferSchaus.com
About Our Speaker:
David Dempsey
Dempsey Fontana, PLLC
www.deftlaw.com
The Dawn Of CMMC
Wednesday,
January 15, 2020
BACKGROUND TO "CYBERSECURITY"
Federal Information Security Management Act (2002) and Federal Information Security Modernization Act (2014)
NARA establishes a "uniform" program for CUI (32 C.F.R. Part 2002; 81 Fed. Reg. 63336, Sept. 14, 2016) ("CUI Basic," "CUI Specified," "CUI Registry")
Information Security Oversight Office (ISOO) revised the NISP directive on May 7, 2018 (insider threat, FOCI, access to classified information)
FISMA to NARA to ISOO to NIST SP 800-171 to CMMC (v0.7)
© January 2020 All Rights Reserved. No part of this information may be reproduced without the prior written approval of the author.
2020 – Fed Gov Con Webinar Series - Washington DC
JSchaus & Associates
FEDERAL CYBERSECURITY AND SUPPLY CHAIN REQUIREMENTS
ISOO'S CUI REGULATION INCORPORATES:
NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations (updated through Jan. 2015)*
NIST SP 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (updated through June 2018)**
* Rev. 5 in final review
** Rev. 2 (final public draft) and draft SP 800-171B (enhanced security requirements) in review
DAWN OF CMMC
BACKGROUND TO “SUPPLY CHAIN REQUIREMENTS”
2013 NDAA: § 806
2014 NDAA: §§ 325, 811, 391, 942, 3113
2015 NDAA: §§ 834, 1628, 1632
2016 NDAA: §§ 238, 346
2017 NDAA: §§ 1641, 1650, 1841-44
2018 NDAA: §§ 807 (enhanced supply chain scrutiny), 1631-1649, 1656, 1659, 1696
2019 NDAA: §§ 880, 881 (permanent supply chain risk management authority), 889 (prohibition on certain telecommunications and video surveillance equipment and services)
2020 NDAA: § 881 (technical assistance for SBIR and STTR programs)
SECURE Technology Act, Pub. L. 115-390 (Dec. 2018)
§ 101(a): DHS to "report security vulnerabilities" (US-CERT weekly vulnerability summaries have been available for years; see us-cert.gov, us-cert.gov/security-publications, us-cert.gov/resources, us-cert.gov/resources/smb, etc.)
► Cyber Resilience Review at us-cert.gov/resources
§ 201, "Federal Acquisition Supply Chain Security Act of 2018" (authority to review and designate items / services that federal procurement personnel cannot purchase)
20+ DoD memoranda (including Feb. 2019 DCMA guidance on Contractor Purchasing System Reviews (CPSR), now at a $50 million threshold)
Culminating in the 2020 bridge to CMMC implementation
Nov. 14, 2019 OUSD Memorandum on "Assessing Contractor Implementation of Cybersecurity Requirements" – guidance for 2020
► NIST SP 800-171, Rev. 1 DoD Assessment Methodology, Version 1.0
► Levels of assessment (Basic, Medium, High)
● Annex A – NIST SP 800-171, Rev. 1 DoD Assessment Scoring Template covering the 110 NIST SP 800-171, Rev. 1 security requirements
● Annex B – Basic (Contractor Self-Assessment) NIST SP 800-171, Rev. 1 DoD Assessment Results Format
"Annex A" is the final version of the April 24, 2018 "DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171, Rev. 1 Security Requirements Not Yet Implemented (Draft)"
July 2019: DoD's CMMC initiative: Cybersecurity Maturity Model Certification
► https://www.acq.osd.mil/cmmc/
August – December 2019: CMMC drafts v0.4 (58 pages), v0.6 and v0.7 (190 pages), seeking a "unified cybersecurity standard" for DoD by mapping cybersecurity standards from NARA, NIST, ISO/IEC 27001:2013, CERT and "best practices" from the Defense Industrial Base community (e.g., Center for Internet Security (cisecurity.org), NDIA, AIA National Aerospace Standards)
CMMC:
♦ measures the maturity of a company's cybersecurity practices and processes
♦ uses "CUI" and "CDI" as defined in DFARS 252.204-7012 (safeguarding and cyber incident reporting clause)
♦ the contracting officer identifies the required CMMC level for each contract in RFP §§ L and M
♦ all businesses dealing with DoD (including subcontractors) must be certified by an accredited third-party assessor regardless …
♦ role of DCMA and DCSA (formerly DSS) in assessments still uncertain
♦ CMMC v1.0 to be released to support training; by June 2020 CMMC requirements may appear in RFIs, and in RFP §§ L and M by September 2020
CMMC objective: cost-effective cybersecurity for large and small companies, organized as:
17 "domains" comprised of capabilities (e.g., processes and controls in domains such as Access Control, Awareness and Training, Identification and Authentication, Media Protection, Asset Management, Risk Management, Security Assessment) (NIST SP 800-171 has 14 requirement families)
Resulting in 5 maturity levels:
Level 1 – Basic Cyber Hygiene (FAR 52.204-21)
Level 2 – Intermediate Cyber Hygiene
Level 3 – Good Cyber Hygiene (DFARS 252.204-7012)
Level 4 – Proactive
Level 5 – Advanced
► CMMC Level 1, Basic Cyber Hygiene (17 practices): FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems" (June 2016), identifies specific responsibilities for those receiving or possessing "Federal Contract Information" (FCI)
► Per 52.204-21(b)(1), the Contractor shall apply the following basic safeguarding requirements and procedures:
♦ Limit information system access to authorized users, and to the types of transactions and functions that authorized users are permitted to execute (NIST 3.1.1, 3.1.2)
♦ Verify and control/limit connections to and use of external information systems (NIST 3.1.20)
♦ Control information posted or processed on publicly accessible information systems (NIST 3.1.22)
♦ Identify information system users, processes acting on behalf of users, or devices (NIST 3.5.1)
♦ Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access (NIST 3.5.2)
♦ Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse (NIST 3.8.3)
♦ Limit physical access to authorized individuals; escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices (NIST 3.10.1, 3.10.3, 3.10.4, 3.10.5)
♦ Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems (NIST 3.13.1)
♦ Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks (NIST 3.13.5)
♦ Identify, report, and correct information system flaws in a timely manner (NIST 3.14.1)
♦ Provide protection from malicious code at appropriate locations within the information systems (NIST 3.14.2)
♦ Update malicious code protection mechanisms when new releases are available (NIST 3.14.4)
♦ Perform periodic scans of the information system and real-time scans of files from external sources as they are downloaded, opened, or executed (NIST 3.14.5)
Source: OUSD Memorandum on "Assessing Contractor Implementation of Cybersecurity Requirements," Annex A (assessment scoring template for NIST SP 800-171, Rev. 1)
CMMC Level 2, Intermediate Cyber Hygiene (72 practices): demonstrate documented processes for each practice in accordance with the contractor's cybersecurity program
For example:
♦ least privilege (NIST 3.1.5; UK NCSC Cyber Essentials)
♦ audit logging (NIST 3.3.1, 3.3.7)
♦ awareness and training (NIST 3.2.1, 3.2.2; CERT RMM* v1.2)
♦ password management (NIST 3.5.7, 3.5.8, 3.5.9, 3.5.10; UK NCSC Cyber Essentials)
♦ vulnerability scanning and remediation (NIST 3.11.2, 3.11.3)
♦ control of user-installed software (NIST 3.4.9)
♦ monitoring and control of remote access (NIST 3.1.12)
* CERT Resilience Management Model, v1.2
CMMC Level 3, Good Cyber Hygiene (DFARS 252.204-7012)
131 practices to safeguard CUI and Covered Defense Information (CDI)
Demonstrate managed processes for each practice, with adequate resources, and review adherence to policies and procedures
For example:
♦ control connection of, and encrypt CUI on, mobile devices (NIST 3.1.18, 3.1.19; UK NCSC Cyber Essentials)
♦ multi-factor authentication (NIST 3.5.3; Australian ACSC Essential Eight)
♦ encryption, FIPS-validated (NIST 3.1.13, 3.1.17, 3.1.19, 3.8.6, 3.13.8, 3.13.10, 3.13.11)
♦ off-site, off-line backups (CIS* v7.1 10.1, 10.2 and 10.5)
♦ email protection (CIS v7.1 7.10; CMMC)
* Center for Internet Security, Critical Security Controls, v7.1 (July 2019)
In addition to CMMC Level 1, 2 or 3 requirements, contractors are subject to:
DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (Oct 2016) (by submission of its offer, the offeror represents that it will implement NIST SP 800-171, Rev. 1 …)
DFARS 252.204-7012: (a) have a System Security Plan (NIST 3.12.4) and a Plan of Action & Milestones (NIST 3.12.2); (b) applies to CDI, which is marked by the contracting officer; (c) report cyber incidents to DoD within 72 hours of discovery using a DoD-approved medium assurance certificate; (d) flow the clause down throughout the supply chain (no exceptions)
DFARS 252.239-7018, Supply Chain Risk (Feb 2019) (the contractor shall mitigate supply chain risk, and the government can exclude a source perceived to be a supply chain risk)
Prepare for the CMMC third-party assessment to obtain certification:
In the context of NIST SP 800-171, Rev. 1:
♦ review your current cybersecurity status (i.e., VPN, password policy, anti-malware software, access control, etc.) in your operating environment / network (describe and illustrate it) and conduct an IT inventory (workstations, laptops, handhelds, iPads, smart phones, printers, etc.)
♦ conduct a vulnerability assessment of your network
♦ establish a System Security Plan and a Plan of Action & Milestones based on https://csrc.nist.gov/publications/sp, us-cert.gov/resources and OUSD's "Assessing Contractor Implementation of Cybersecurity Requirements"
♦ implement the controls for Level 3, because contracting officers are likely to require this level by late 2020, and DFARS 252.204-7012 has been in effect since October 2016
THANK YOU!
JSchaus & Associates
Washington DC
hello@JenniferSchaus.com
www.JenniferSchaus.com
+1-202-365-0598
David B. Dempsey
ddempsey@deftlaw.com
(703) 880-9171
Milton Keynes Hospital Charity - A guide to leaving a gift in your Will
fundraising4
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
Cuyahoga County Planning Commission
 
IEA World Energy Investment June 2024- Statistics
IEA World Energy Investment June 2024- StatisticsIEA World Energy Investment June 2024- Statistics
IEA World Energy Investment June 2024- Statistics
Energy for One World
 
Item #s 8&9 -- Demolition Code Amendment
Item #s 8&9 -- Demolition Code AmendmentItem #s 8&9 -- Demolition Code Amendment
Item #s 8&9 -- Demolition Code Amendment
ahcitycouncil
 
Bangladesh studies presentation on Liberation War 1971 Indepence-of-Banglades...
Bangladesh studies presentation on Liberation War 1971 Indepence-of-Banglades...Bangladesh studies presentation on Liberation War 1971 Indepence-of-Banglades...
Bangladesh studies presentation on Liberation War 1971 Indepence-of-Banglades...
ssuser05e8f3
 
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHOMonitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Christina Parmionova
 
CFYT Rolling Ads Dawson City Yukon Canada
CFYT Rolling Ads Dawson City Yukon CanadaCFYT Rolling Ads Dawson City Yukon Canada
CFYT Rolling Ads Dawson City Yukon Canada
pmenzies
 
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC Charlotte
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC CharlotteA Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC Charlotte
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC Charlotte
Cori Faklaris
 
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
9d5c8i83
 

Recently uploaded (20)

PAS PSDF Mop Up Workshop Presentation 2024 .pptx
PAS PSDF Mop Up Workshop Presentation 2024 .pptxPAS PSDF Mop Up Workshop Presentation 2024 .pptx
PAS PSDF Mop Up Workshop Presentation 2024 .pptx
 
快速办理(UVM毕业证书)佛蒙特大学毕业证学位证一模一样
快速办理(UVM毕业证书)佛蒙特大学毕业证学位证一模一样快速办理(UVM毕业证书)佛蒙特大学毕业证学位证一模一样
快速办理(UVM毕业证书)佛蒙特大学毕业证学位证一模一样
 
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
 
Contributi dei parlamentari del PD - Contributi L. 3/2019
Contributi dei parlamentari del PD - Contributi L. 3/2019Contributi dei parlamentari del PD - Contributi L. 3/2019
Contributi dei parlamentari del PD - Contributi L. 3/2019
 
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
 
Practical guide for the celebration of World Environment Day on june 5th.
Practical guide for the  celebration of World Environment Day on  june 5th.Practical guide for the  celebration of World Environment Day on  june 5th.
Practical guide for the celebration of World Environment Day on june 5th.
 
Abiy Berehe - Texas Commission on Environmental Quality Updates
Abiy Berehe - Texas Commission on Environmental Quality UpdatesAbiy Berehe - Texas Commission on Environmental Quality Updates
Abiy Berehe - Texas Commission on Environmental Quality Updates
 
United Nations World Oceans Day 2024; June 8th " Awaken new dephts".
United Nations World Oceans Day 2024; June 8th " Awaken new dephts".United Nations World Oceans Day 2024; June 8th " Awaken new dephts".
United Nations World Oceans Day 2024; June 8th " Awaken new dephts".
 
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
 
A guide to the International day of Potatoes 2024 - May 30th
A guide to the International day of Potatoes 2024 - May 30thA guide to the International day of Potatoes 2024 - May 30th
A guide to the International day of Potatoes 2024 - May 30th
 
Antyodaya saral portal haryana govt schemes
Antyodaya saral portal haryana govt schemesAntyodaya saral portal haryana govt schemes
Antyodaya saral portal haryana govt schemes
 
Milton Keynes Hospital Charity - A guide to leaving a gift in your Will
Milton Keynes Hospital Charity - A guide to leaving a gift in your WillMilton Keynes Hospital Charity - A guide to leaving a gift in your Will
Milton Keynes Hospital Charity - A guide to leaving a gift in your Will
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
 
IEA World Energy Investment June 2024- Statistics
IEA World Energy Investment June 2024- StatisticsIEA World Energy Investment June 2024- Statistics
IEA World Energy Investment June 2024- Statistics
 
Item #s 8&9 -- Demolition Code Amendment
Item #s 8&9 -- Demolition Code AmendmentItem #s 8&9 -- Demolition Code Amendment
Item #s 8&9 -- Demolition Code Amendment
 
Bangladesh studies presentation on Liberation War 1971 Indepence-of-Banglades...
Bangladesh studies presentation on Liberation War 1971 Indepence-of-Banglades...Bangladesh studies presentation on Liberation War 1971 Indepence-of-Banglades...
Bangladesh studies presentation on Liberation War 1971 Indepence-of-Banglades...
 
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHOMonitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
 
CFYT Rolling Ads Dawson City Yukon Canada
CFYT Rolling Ads Dawson City Yukon CanadaCFYT Rolling Ads Dawson City Yukon Canada
CFYT Rolling Ads Dawson City Yukon Canada
 
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC Charlotte
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC CharlotteA Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC Charlotte
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC Charlotte
 
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
 

Government Contracting- The Dawn of the CMMC - Win Federal Contracts

  • 10. BACKGROUND TO “SUPPLY CHAIN REQUIREMENTS”
    2013 NDAA: § 806
    2014 NDAA: §§ 325, 811, 391, 942, 3113
    2015 NDAA: §§ 834, 1628, 1632
    2016 NDAA: §§ 238, 346
    2017 NDAA: §§ 1641, 1650, 1841-44
    2018 NDAA: §§ 807 (Enhanced Supply Chain Scrutiny), 1631-1649, 1656, 1659, 1696
    2019 NDAA: §§ 880, 881, 889 (permanent authority on supply chain risk)
    2020 NDAA: § 881 (technical assistance for SBIR and STTR programs)
  • 11. Secure Technology Act – Pub. L. 115-390
    § 101(a) – DHS to “report security vulnerabilities” (US-CERT weekly vulnerability summaries have been available for years; see us-cert.gov, us-cert.gov/security-publications, us-cert.gov/resources, us-cert.gov/resources/smb, etc.)
    ► Cyber resilience review at us-cert.gov/resources
    § 201 “Federal Acquisition Supply Chain Security Act of 2018” (authority to review and designate items / services that federal procurement personnel cannot purchase)
    20+ DoD Memoranda (including Feb. 2019 DCMA guidance on CPSR – now at $50 million threshold)
    Culminating in the 2020 bridge to CMMC implementation
  • 12. Nov. 14, 2019 OUSD Memorandum on “Assessing Contractor Implementation of Cybersecurity Requirements” – guidance for 2020
    ► NIST SP 800-171, Rev. 1 DoD Assessment Methodology, Version 1.0
    ♥ Levels of Assessment (Basic, Medium, High)
    ● Annex A – NIST SP 800-171, Rev. 1 DoD Assessment Scoring Template regarding the 110 NIST SP 800-171, Rev. 1 elements
    ● Annex B – Basic (Contractor Self-Assessment) NIST SP 800-171, Rev. 1 DoD Assessment Results Format
    “Annex A” is the final version of the April 24, 2018 “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171, Rev. 1 Security Requirements Not Yet Implemented (Draft)”
  • 13. July 2019: DoD’s CMMC Initiative: Cybersecurity Maturity Model Certification ► https://www.acq.osd.mil/cmmc/
    August – December 2019: CMMC Draft v.0.4 (58 pages), 0.6 and 0.7 (190 pages), seeking a “unified cybersecurity standard” for DoD by mapping cybersecurity standards from NARA, NIST, ISO 27001:2013, CERT and “best practices” from the Defense Industrial Base community (e.g., Center for Internet Security (cisecurity.org), NDIA, AIA National Aerospace Standards)
  • 14. CMMC:
    ♦ measures maturity of a company’s cybersecurity practices/processes
    ♦ uses “CUI” and “CDI” as in DFARS 252.204-7012 (safeguard and reporting clause)
    ♦ CO identifies the CMMC Level for each contract in §§ L and M
    ♦ all businesses dealing with DoD (including subcontractors) must be certified by an accredited third-party auditor regardless …
    ♦ role of DCMA and DCSA (formerly DSS) uncertain for audits
    ♦ CMMC v.1 to facilitate training; by June 2020, CMMC requirements may appear in RFIs, and in RFP §§ L and M by September 2020
  • 15. CMMC objective: cost effective cybersecurity for large and small companies per:
    17 “domains” comprised of capabilities (e.g., processes and controls regarding such “domains” as access control, training, ID/authentication, media protection, asset inventory, risk assessment, security assessment) (NIST has 14 domains)
    Resulting in 5 Maturity Levels:
    Level 1 – Basic Cyber Hygiene (FAR 52.204-21)
    Level 2 – Intermediate Cyber Hygiene
    Level 3 – Good Cyber Hygiene (DFARS 252.204-7012)
    Level 4 – Proactive
    Level 5 – Advanced
  • 16. ► CMMC Level 1, Basic Cyber Hygiene (17 technical controls): FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems” (June 2016) identifies specific responsibilities for those receiving or possessing “Federal Contract Information” or “FCI”
    ► Per 52.204-21(b)(1), the Contractor shall apply the following basic safeguarding requirements and procedures:
    ♦ Limit information system access to authorized users; (NIST 3.1.1, 3.1.2)
    ♦ Verify and control/limit connections to and use of information systems; (NIST 3.1.20)
    ♦ Control information posted or processed on publicly accessible information systems; (NIST 3.1.22)
    ♦ Identify information system users, processes acting on behalf of users, or devices; (NIST 3.5.1)
    ♦ Verify the identities of those users as a prerequisite to allowing access; (NIST 3.5.2)
  • 17. ♦ Sanitize or destroy information system media containing Federal Contract Information before disposal or reuse; (NIST 3.8.3)
    ♦ Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices; (NIST 3.10.1, 3.10.3, 3.10.4, 3.10.5)
    ♦ Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems; (NIST 3.13.1)
    ♦ Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks; (NIST 3.13.1)
    ♦ Timely identify, report, and correct system flaws; (NIST 3.14.1)
    ♦ Provide protection from malicious code; (NIST 3.14.2)
    ♦ Update malicious code protection mechanisms; (NIST 3.14.4)
    ♦ Perform periodic scans of the information system (NIST 3.14.5)
    Source: OUSD Memorandum on “Assessing Contractor Implementation of Cybersecurity Requirements,” Annex A (assessment template for NIST SP 800-171, Rev. 1)
  • 18. CMMC Level 2 Intermediate Cyber Hygiene (72 technical controls)
    Demonstrate documented processes for each control IAW contractor’s cybersecurity program. For example:
    ♦ least privilege (NIST 3.1.5; UK NCSC Cyber Essentials)
    ♦ audit logging (NIST 3.3.7)
    ♦ awareness and training (NIST 3.2.1, 3.2.2; CERT RMM* v1.2)
    ♦ password (NIST 3.5.7, 3.5.8, 3.5.9, 3.5.10; UK NCSC Cyber Essentials)
    ♦ vulnerability scanning / remediate (NIST 3.11.2, 3.11.3)
    ♦ control user-installed software (NIST 3.4.9)
    ♦ monitor and control remote access (NIST 3.1.12)
    * CERT Resilience Management Model, v. 1.2
  • 19. CMMC Level 3 Good Cyber Hygiene (DFARS 252.204-7012)
    131 technical controls to safeguard CUI and Covered Defense Information (CDI)
    Demonstrate managed processes for each control with adequate resources, and review adherence to policies and procedures. For example:
    ♦ control connection and encrypt CUI on mobile devices (NIST 3.1.18, 3.1.19; UK NCSC Cyber Essentials)
    ♦ multi-factor authentication (NIST 3.5.3; Australian ACSC Essential Eight)
    ♦ encryption (FIPS) (NIST 3.1.11, 3.1.13, 3.1.17, 3.1.19, 3.13.8, 3.13.10, 3.8.6)
    ♦ off-site, off-line backup (CIS* v.7.1 10.1, 10.2 and 10.5)
    ♦ email protection (CIS v.7.1 17.10; CMMC)
    * Center for Internet Security, Critical Security Controls, v. 7.1 (July 2019)
  • 20. In addition to CMMC Level 1, 2 or 3 requirements, contractors are subject to:
    DFARS 252.204-7008, COMPLIANCE WITH SAFEGUARDING COVERED DEFENSE INFORMATION CONTROLS (OCT 2016) (by submission of this offer, the offeror certifies it will implement NIST SP 800-171, Rev. 1 …)
    DFARS 252.204-7012: (a) have an SSP (NIST 3.12.4) and a POA&M (NIST 3.12.2); (b) applies to CDI, which is marked by the CO; (c) report cyber incidents within 72 hours with a medium assurance certificate; (d) flow down the clause throughout the supply chain (no exceptions)
    DFARS 252.239-7018, SUPPLY CHAIN RISK (FEB 2019) (the contractor shall mitigate supply chain risk, and the government can exclude a source perceived to be a supply chain risk)
  • 21. Prepare for CMMC third party audit to obtain certification. In the context of NIST SP 800-171, Rev. 1:
    ♦ review current cybersecurity status (i.e., VPN, password, anti-malware software, access, etc.) in your operating environment / network (describe and illustrate)
    ♦ conduct an IT inventory (workstations, laptops, handhelds, iPads, smart phones, printers, etc.)
    ♦ conduct a network vulnerability assessment on your network
    ♦ establish a System Security Plan and a Plan of Action & Milestones based on: https://csrc.nist.gov/publications/sp and us-cert.gov/resources and OUSD’s “Assessing Contractor Implementation of Cybersecurity Requirements”
    ♦ implement the controls for Level 3, because contracting officers by late 2020 are likely to require this level, given that DFARS 252.204-7012 has been in effect since October 2016
  • 22. THANK YOU!
    JSchaus & Associates, Washington DC
    hello@JenniferSchaus.com
    www.JenniferSchaus.com
    + 1 – 2 0 2 – 3 6 5 – 0 5 9 8
    David B. Dempsey
    ddempsey@deftlaw.com
    (703) 880-9171
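The deck's slides 16-17 list the FAR 52.204-21(b)(1) safeguards with their NIST SP 800-171 control numbers, slide 20 requires an SSP, a POA&M and incident reports within 72 hours, and slide 21 tells contractors to self-assess and build the POA&M before the audit. The script below is an added example written for this page (it is not the speaker's material and not a DoD or NIST tool): it records a contractor's self-assessment in a constructed `control=status` format, turns every safeguard whose mapped control is not fully implemented into a POA&M entry, reports whether the Level 1 safeguard set is met, and computes the 72-hour reporting deadline from a discovery time. The control mapping is the one printed on the slides; the slide's "3.14.21" is taken as a typo for 3.14.2. Sample data, function names and the file format are assumptions of the example.

```python
"""Self-assessment / POA&M helper for the FAR 52.204-21 safeguards (added example,
not from the webinar). Record format and sample data are constructed here."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# FAR 52.204-21(b)(1) safeguard -> NIST SP 800-171 Rev. 1 control IDs, as mapped on
# slides 16-17 of the deck (the slide's "3.14.21" is read as 3.14.2; 3.13.1 appears
# under two safeguards exactly as the slide lists it).
FAR_52_204_21_SAFEGUARDS: dict[str, tuple[str, ...]] = {
    "Limit system access to authorized users": ("3.1.1", "3.1.2"),
    "Verify and control/limit external connections": ("3.1.20",),
    "Control information on publicly accessible systems": ("3.1.22",),
    "Identify users, processes and devices": ("3.5.1",),
    "Authenticate users before allowing access": ("3.5.2",),
    "Sanitize or destroy media holding FCI before disposal/reuse": ("3.8.3",),
    "Escort visitors; log and control physical access": ("3.10.1", "3.10.3", "3.10.4", "3.10.5"),
    "Monitor and protect communications at boundaries": ("3.13.1",),
    "Separate subnetworks for publicly accessible components": ("3.13.1",),
    "Timely identify, report and correct system flaws": ("3.14.1",),
    "Provide protection from malicious code": ("3.14.2",),
    "Update malicious code protection mechanisms": ("3.14.4",),
    "Perform periodic system scans": ("3.14.5",),
}

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


@dataclass
class PoamEntry:
    """One Plan of Action & Milestones line: a safeguard not yet fully met."""
    safeguard: str
    nist_control: str
    status: str


def parse_assessment(text: str) -> dict[str, str]:
    """Parse constructed 'control=status' lines; '#' comments and blank lines are ignored."""
    result: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected control=status, got {raw!r}")
        control, status = (part.strip() for part in line.split("=", 1))
        if status not in VALID_STATUSES:
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        result[control] = status
    return result


def build_poam(assessment: dict[str, str]) -> list[PoamEntry]:
    """Every safeguard whose mapped control is not 'implemented' becomes a POA&M entry.
    A control absent from the assessment counts as not implemented: silence is not evidence."""
    entries: list[PoamEntry] = []
    for safeguard, controls in FAR_52_204_21_SAFEGUARDS.items():
        for control in controls:
            status = assessment.get(control, "not_implemented")
            if status != "implemented":
                entries.append(PoamEntry(safeguard, control, status))
    return entries


def level1_ready(assessment: dict[str, str]) -> bool:
    """True only when the POA&M for the FAR 52.204-21 safeguards is empty."""
    return not build_poam(assessment)


def incident_report_deadline(discovered_iso: str) -> str:
    """DFARS 252.204-7012 (slide 20): report within 72 hours of discovery.
    Requires a timezone-aware ISO 8601 timestamp so the deadline is unambiguous."""
    discovered = datetime.fromisoformat(discovered_iso)
    if discovered.tzinfo is None:
        raise ValueError("discovery time must carry a UTC offset")
    return (discovered + timedelta(hours=72)).isoformat()


# Constructed self-assessment for the example; not real contractor data.
SAMPLE_ASSESSMENT = """
# one NIST SP 800-171 control per line
3.1.1=implemented
3.1.2=implemented
3.1.20=implemented
3.1.22=implemented
3.5.1=implemented
3.5.2=implemented
3.8.3=implemented
3.10.1=implemented
3.10.3=partial
3.10.4=implemented
3.10.5=implemented
3.13.1=implemented
3.14.1=implemented
3.14.2=implemented
3.14.4=implemented
# 3.14.5 deliberately absent: unrecorded controls land on the POA&M
"""

if __name__ == "__main__":
    assessment = parse_assessment(SAMPLE_ASSESSMENT)
    for entry in build_poam(assessment):
        print(f"POA&M: {entry.nist_control:<7} {entry.status:<16} {entry.safeguard}")
    print("Level 1 safeguards met:", level1_ready(assessment))
    print("72h report deadline:", incident_report_deadline("2020-01-15T09:00:00+00:00"))
```

Two design choices matter for an assessment this is meant to support: an unrecorded control is treated as not implemented rather than silently passing, and a naive discovery timestamp is rejected so the 72-hour clock cannot be misread across time zones.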