This webinar will discuss how CMMC auditors recommend defending organizations and navigating CMMC compliance. Carahsoft is a government technology provider that offers various solutions, including Google Cloud and Workspace, to help contractors meet CMMC requirements. The webinar will provide an overview of CMMC and expectations for suppliers, explore how Google Cloud can help achieve compliance, and allow time for Q&A.
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2023.pptx
1. Webinar
Discover How CMMC Auditors Recommend You Defend Your Organization
Wednesday, March 22; 2:00pm ET; 11:00am PT
Q&A in Chat
In partnership with:
2. Navigating Google Meet
Closed Captioning: located on the bottom, middle of your screen
Live Chat for Questions: located on the bottom, middle of your screen
Audio options: listen through computer speakers or click the three dots and select “use a phone for audio”
Activities: access the poll feature and Q&A to ask questions and answer polls
3. About Carahsoft Technology Corp.
Carahsoft Technology Corp. is a government-focused technology provider delivering information technology products, services, and training to Federal, State, Local and Education customers on behalf of a select group of top-tier manufacturers.
Specialized Government teams focused on:
Google Solutions
VMware Solutions
F5 Solutions
Adobe Solutions
Open Source Solutions
Intelligence Solutions
HR/Workforce Automation Solutions
4. Cybersecurity Maturity Model Certification (CMMC)
What is CMMC?
• The Department of Defense’s effort to increase the overall cybersecurity posture of the defense industrial base and supply chain.
• A cybersecurity framework concerned with how a contractor controls information on its IT systems
• Tiered Model
• Cumulative maturity model, builds additional practices at each successive level
• Assessment Requirements:
• Self-Assessments
• Third-Party Assessments
• Government Assessments
• Implemented through Contracts
What does this mean for contractors?
• CMMC compliance will be critical to winning business with the Pentagon
• It will be a unified cybersecurity standard for DoD contractors
• The initial implementation of CMMC will only affect DoD contracts; however, civilian agencies are evaluating use of CMMC
Confidential and Proprietary
Carahsoft Confidential
Source: https://www.acq.osd.mil/cmmc/model.html
5. Carahsoft is the trusted CMMC distributor
• We partner with great companies that address every CMMC maturity level and capability domain
• Our CMMC subject matter experts can identify the right technology for your unique environment
• We connect organizations with service providers and consultants that help them prepare for a CMMC audit
• We provide news, educational material, events, and other resources to help organizations gather information and make decisions
• Please visit our website at carahsoft.com/CMMC
7. Understand solutions by CMMC Control Family
carah.io/CMMC
8. Explore Vendor solutions by CMMC domain
carah.io/CMMC
9. Acknowledgement & Disclaimer
These materials were prepared by the Ignyte Institute. These materials present general information about the law and are
not intended to provide legal advice about any particular set of circumstances. Legal advice may be given and relied upon
only on the basis of specific facts presented by a client to an attorney. Ignyte Institute and the authors of these materials
hereby disclaim any liability which may result from reliance on the information contained in these materials.
10. Meet Our Speakers
Greg Butler | Google
o Partner Solutions Evangelist
o Greg is a partner engineer with a background in infrastructure, networking, security and cloud workload mobility.
o Has experience architecting private and public clouds around civilian and DoD compliance frameworks.
o Tasked with technical enablement of Google’s distributors and partners.
Max Aulakh | Ignyte Founder & CEO
o Ignyte Assurance Platform™: AI-enabled risk management software designed to help Chief Security Officers manage cyber and regulatory risk.
o Serves as CEO for multiple small businesses to help them manage technology and cyber risk.
o After leaving the USAF, he drove the Information Assurance (IA) programs for multiple Department of Defense (DoD) agencies.
o Started his career as a security specialist in the United States Air Force.
11. Agenda
● CMMC - Brief History
● Supplier Risk & Supplier Expectations
● Google Cloud & CMMC
● Next Up
● Q&A
13. Brief CMMC History
• 2007: Government established the Defense Industrial Base (DIB) Cybersecurity Task Force to protect CUI
• 2015: DoD contracts require safeguarding Covered Defense Information (CDI), a type of CUI, and cyber incident reporting under DFARS clause 252.204-7012
• 2016: NIST SP 800-171 Rev 1 released
• 2017: Deadline for contractors to implement DFARS 252.204-7012
• 2019: Development of the CMMC program starts
17. Basic Expectations
● Develop a corporate cybersecurity program
● Document your program
● Leverage cybersecurity enabling technology
● Self Assess your program
● Prepare for 3rd party audit
18. What CMMC Means to Subcontractors
● Primes have a reporting requirement
● Clauses (FAR and DFARS) flow down to small businesses (all subcontractors)
● Primes are motivated to help but not incentivized
19. Implied Expectations
● DoD’s current internal standard of enforcement
● Don’t tell me - show me
○ Practices versus controls
● Don’t just document it but prove it
○ Institutionalize
● Demonstrate that you can control the flow of CUI within your entire organization
○ Unrealistic enclaves, non-operational environments, too much data flowing into the hands of overseas subcontractors, etc.
22. The issue with GovClouds
Constrained: The capacity of GovClouds is limited, constraining elasticity and restricting growth.
Disparate: There is massive feature drift between the commercial and government offerings of cloud service providers.
Expensive: Commodity services cost 20% to 40% more in GovCloud regions because the economies of scale are inhibited.
23. US Public Sector compliance and certifications
Federal
FedRAMP Moderate - 83+ services across 18 worldwide regions (more than any other cloud provider); 21 Workspace products and APIs
FedRAMP High - 27+ GCP services across 7 US regions; 12 Workspace products
NIST 800-171
NIST 800-53 Rev 4
DoD
DoD IL2
DoD IL4 - PA announcement
DoD IL5 - PA announcement
DFARS - A number of Google Cloud products meet NIST 800-171 or FedRAMP requirements that can help customers maintain DFARS compliance
CMMC - In process
State and Local
IRS Pub 1075
FERPA - Pursuant to ISO 27018 controls and contractual terms
CJIS
Other
ITAR - Private preview
Protected B - Canada
Sarbanes-Oxley
HIPAA
FIPS Level 1 validated
FIPS Level 3 physical validation
NIST 800-34 Contingency Planning
ISO 27001, 27017, 27018
SOC 1, 2, 3
Section 508, EN 301 549, WCAG
24. United States Regions
Google Cloud Platform operates in 10 regions and 22 availability zones within the United States. 17 services support regionalized configuration for data localization requirements.
Workspace operates in 7 locations across the US and supports US data regionalization across 10 different services.
US regions shown on the map: South Carolina, N. Virginia, Iowa, Oregon, Los Angeles, Las Vegas, Salt Lake City, Oklahoma, Columbus, Dallas
Map legend: Available data centers; FedRAMP High
25. Workspace Security
● All traffic at Google between the end user and Google’s Edge is encrypted in transit. All data is encrypted at rest on Google’s storage
● Zero-trust architecture - Workspace is secured by Google’s ZTA known as context-aware access
● Workspace users have on average 40% fewer security incidents than users of other cloud-based productivity suites
● VirusTotal, the largest malware database in the world
● 99.9%+ accuracy in blocking spam and email scams
● 10 million spam emails blocked from Gmail users every minute
● Titan security chip - reduced “vendor in the middle” risk
26. Security Investigation
● Search all Gmail activity
● Search Google Drive - Instantly find all files that have been shared outside of the organization
● Manage permissions for files inside of Google Drive quickly
27. Google - CMMC Status
● DoD has not yet completed rulemaking
● Until rulemaking is completed, accreditation cannot be performed by a C3PAO
● A readiness review has been completed by a C3PAO, and both GCP and Workspace are ready for a CMMC accreditation assessment based on current draft rules
● Accreditation assessment anticipated in early 2024, based on the forecasted publication of final rules