Aaron McCray is the Chief Operations Officer at Ignyte Platform, Inc. He has over 28 years of experience in business, risk management, and cybersecurity for both the public and private sectors. He holds multiple cybersecurity certifications and has worked for organizations including the US Navy, NSA, and Delta Airlines. McCray presented on how the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) will impact companies. He discussed changes in CMMC 2.0, including the focus on controls versus maturity levels and the scoping guidance for Levels 1 and 2. McCray also covered audit preparation and answered attendee questions.
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business & how to prepare for the audit
1. Aaron William McCray I CISSP, HCISPP, CISA, CRISC, AWS CP
CDR USNR | Chief Operating Officer at Ignyte Platform, Inc.
How the DoD’s Cybersecurity Maturity Model Certification (CMMC) will impact your business
2. Why Ignyte for CMMC?
As an accomplished leader, Aaron brings over 28 years of experience in business and risk management operations.
Aaron McCray serves as a Commander in the United States Navy, with 25 years of experience executing strategic initiatives, organizational management, intelligence, research, and analysis.
Aaron holds a master’s degree in strategic management from Oakland City University and a bachelor’s degree in operational management from Wilberforce University.
Aaron McCray, MBA, CISSP, CISA, CRISC
Chief Operations Officer
Cyber & Technology Industry Credentials
• CISSP
• HCISPP
• CISA
• Digital Defensive Programming
• OWASP
• AWS Certified Cloud Professional
• CRISC
• NIST RMF
• Threat Modeling
Federal & Corporate agency cybersecurity experience
• USN
• USAF
• Navy
• Cyber Command
• NASIC
• NAIC
• NAVIOCOM Georgia
• NSA
• Dept of Treasury
• Delta Airlines
• NCR
• Dollar Bank
3. Agenda
• Health of the Defense Industrial Base (DIB)
• CMMC 2.0
o FCI vs CUI
o Practice vs Maturity Levels
o L1/L2 Scoping
o L1/L2 Assessments
• Audit Preparation
• Q&A
• Important Links
• Contact Information
5. Health of the Defense Industrial Base (DIB)
• Significant issues as reported by the National Defense Industrial Association
• 5 of 8 categories received a “failing” performance grade
• Supply chain issues resulting from the pandemic
• Demand and budget have increased
• Industrial Security remains the weakest area
• Increased strategic competition from China and Russia
• Decline in surge readiness capabilities
• Innovation remains stagnant / Decline in R&D
• Impact of pending National Defense Strategy
6. DIB Condition Overview by Year
NDIA is worried about the health of the defense industrial base.
Condition                               2019  2020  2021  Change 2020-2021
Demand                                    82    88    94   +6
Production Inputs                         66    66    67   +1
Innovation                                69    69    69    0
Supply Chain                              60    71    63   -8
Competition                               92    88    88    0
Industrial Security                       49    49    50   +1
Political & Regulatory                    78    76    72   -4
Productive Capacity & Surge Readiness     80    67    52  -15
Overall Health & Readiness                72    72    69   -4
Factor Score Key (change 2020-2021):
➢ -6 and worse
➢ -1 to -5
➢ No change = 0
➢ +1 to +5
➢ +6 and better
8. Introducing CMMC 2.0
• Brief History
✓ FAR clause 52.204-21 & DFARS clause 252.204-7012
✓ Inspector General Report - 2019
✓ National Defense Authorization Act of 2020
• Supersedes CMMC 1.0
• Collaborative Partnership between the DoD and the DIB
• Enhanced Security for Sensitive, Non-Classified Information
• Heavy Focus on Continuous Monitoring
9. FCI vs CUI
Federal Contract Information (FCI) is essentially “government contract information, that is not intended for public release. It is provided or generated for the Government, under a contract, to develop or deliver a product or service to the Government…”
• Source: 48 CFR § 52.204-21
Controlled Unclassified Information (CUI) is defined as “information that requires safeguarding or dissemination controls, consistent with laws, regulations, and government-wide policies, excluding information that is classified under EO 13526 – Classified National Security Information…”
• Source: NIST SP 800-171 rev 2
• Refer to the DoD CUI Registry 19AUG2021 for further classification of CUI
10. Practice vs Maturity Level
• Practice = Control Objectives
✓ Based on NIST
• Maturity = Effectiveness of Controls
✓ Based on CMMI
13. L1 Scoping Guidance for FCI
• FCI Assets = Process, Store, or Transmit FCI
✓ Are assessed against all applicable CMMC practices
• Additional Considerations: Areas that Process, Store, or Transmit FCI
✓ People
✓ Technology
✓ Facilities
✓ External Service Providers (ESPs)
14. L2 Scoping Guidance for CUI
L2 Assets: mapped into one of 5 categories
✓ CUI – part of CMMC assessment
✓ Security Protection Assets – part of CMMC assessment
✓ Contractor Risk Managed Assets – not part of CMMC assessment*
✓ Specialized Assets – not part of CMMC assessment*
✓ Same additional considerations as L1 apply for L2 Scoping
* Include in Asset Inventory and System Security Plan (SSP)
15. L2 Scoping Guidance – Scope Reduction & Use Cases
o Scope Reduction
✓ Logical Separation (e.g., Firewalls, VLANs, SDNs)
✓ Physical Separation (e.g., Gates, Locks, Badge Access, Guards)
o Use Cases
✓ FCI and CUI within the same assessment scope
• Single scope vs Dual scope
• Certification is at the highest certification level (e.g., L2)
• External Service Providers are Considered (e.g., responsibility matrix, SLAs, Contracts, etc.)
17. Focus of L1 and L2 Self-Assessments
Level 1 – Protection of Federal Contract Information (FCI)
• Government contract information
• Not intended for public use
• Annual assessment and requires senior company official’s signature
Level 2 – Protection of Controlled Unclassified Information (CUI)
• Requires safeguarding
• Requires dissemination controls
• Excludes information that is classified (EO 13526)
• Annual assessment and requires senior company official’s signature
18. Assessment Criteria and Methodology
Applicable to either an L1 or L2 Self-Assessment:
✓ Leverage the assessment procedures found in NIST 800-171A (section 2.1)
✓ Each procedure contains an assessment object and potential assessment methods
✓ Assessment objects contain determination statements regarding:
* specifications, mechanisms, activities, and individuals
✓ Assessment Methods define the nature and extent of your actions (three types):
* examining, interviewing, and testing
✓ Organizations can choose which assessment objects and methods they will use, based on level of effort (LOE) and cost effectiveness
19. Primary Outcome of a L1 or L2 Assessment
• Self-Assessment Report
✓ Contains the findings from the assessment
✓ Captures the results of each practice (control) assessed
• Finding Types
✓ Met – fully compliant
✓ Not Met – include statements as to why not
✓ Not Applicable – does not apply to in-scope assets
* maintain artifacts & evidence to support your findings for each
• L2 is bifurcated – may require an independent assessment by a CMMC Third-Party Assessment Organization (C3PAO)*
20. Audit Preparation
• Ignyte is Going Through the Audit Process
✓ One of the first in line to complete the accreditation
✓ Utilized our expertise to perform hundreds of pre-assessments
• What We’ve Learned
✓ Establish a Program vs Tech Only Approach
✓ Ensure Separation of Duties with MSPs/MSSPs
✓ Leverage Institutional Knowledge for Protection of FCI/CUI
✓ Ensure Inclusion of FAR & DFARS Requirements
✓ Executives Must Have a High-Level Understanding of FCI/CUI
22. Important Resources
▪ Understanding NIST and CMMC Control Structure
▪ Cybersecurity Maturity Model Certification (CMMC)
▪ CMMC 2.0 v2 Control Mapping
▪ CMMC 2.0 Glossary of Terms
▪ Scoping Guidance L1 version 2.0 Final
▪ Scoping Guidance L2 version 2.0 Final
▪ Assessment Guidance L1 version 2.0 Final
▪ Assessment Guidance L2 version 2.0 Final
▪ FAR Clause 52.204-21
▪ DFARS Clause 252.204-7012