Cybersecurity Resiliency For Defense Contractors Webinar Series . - IMEC

Transcription

11/5/2020

Cybersecurity Resiliency for Defense Contractors Webinar Series: CMMC Breakdown
November 5, 2020
Jana White

Today's Topics
- What is Cybersecurity Maturity Model Certification (CMMC)?
- Levels of the CMMC framework and how to determine the required level of compliance

Service-Disabled Veteran Owned Small Business (SDVOSB)
Areas of Focus:
- Cybersecurity Training
- Penetration Testing
- Vulnerability Assessments
- CISO-as-a-Service
- Cybersecurity Strategy
- DFARS 252.204-7012 & CMMC
Based in the Greater St. Louis Area

What is Cybersecurity Maturity Model Certification (CMMC)?
The CMMC is a maturity model that measures an organization's cybersecurity maturity on five levels. It aligns a set of processes (organized by security domain) and practices (organized by capability) with the type and sensitivity of the information to be protected (CUI), the range of threats to that information, and the resulting risk to the organization as a whole.

What is a maturity model?
A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline (best practices and standards).
A maturity model provides a benchmark for an organization to evaluate the current level of capability of its processes, practices, and methods, and to set goals and priorities for improvement.

CMMC: Securing the supply chain
Malicious cyber actors have targeted and continue to target the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD).
The DIB sector consists of over 300,000 companies that support United States military efforts and contribute to the research, engineering, development, acquisition, production, delivery, sustainment, and operation of DoD systems, networks, installations, capabilities, and services.

Supply chain cybersecurity risks you need to watch out for
- Third-party suppliers (contracted to larger companies and often targeted because they are more vulnerable)
- Tier 2 suppliers (your suppliers' suppliers)
- Software solution providers
- Social engineering (lack of security awareness training)

Why is the DoD mandating CMMC certification?
CMMC is designed to provide increased assurance to the DoD that a Defense Industrial Base contractor can adequately protect Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

The Cybersecurity Maturity Model Certification (CMMC) Framework
[slide: framework diagram]

The 17 domains of the CMMC
[slide: domain list; the 17 domains in CMMC v1.02 are Access Control, Asset Management, Audit and Accountability, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Recovery, Risk Management, Security Assessment, Situational Awareness, System and Communications Protection, and System and Information Integrity]

Capabilities
Each domain consists of a set of processes and capabilities (and, in turn, practices) across the five levels. Table 1 in the CMMC v1.02 document itemizes the 43 capabilities associated with the 17 domains in the CMMC model.

Processes
Within the context of the CMMC model, process institutionalization provides additional assurance that the practices associated with each level are implemented effectively.
- Organizations perform practices at Level 1, but process maturity is not assessed for Maturity Level 1 (ML 1).

Practices
The CMMC model measures not only process maturity but also the implementation of practices. The model consists of 171 practices that are mapped across the five levels for all capabilities and domains.

Levels of the CMMC framework
In order for an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels.

You must have both the processes and the practices in place!
An organization must demonstrate both the requisite institutionalization of processes and the implementation of practices for a specific CMMC level and the preceding lower levels in order to achieve that level.
If an organization demonstrates different achievements with respect to process institutionalization and practice implementation, it will be certified at the lower of the two levels. (For example, all 130 Level 3 practices in place but only Level 2 process maturity yields a Level 2 certification.)

CMMC Level Focus
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI
- Level 3: Protect Controlled Unclassified Information (CUI)
- Levels 4-5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)

Level 1 - Basic Cyber Hygiene (17 practices)
Processes: Performed
- Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene
- Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").

Level 2 - Intermediate Cyber Hygiene (72 practices)
Processes: Documented
- Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. Documenting practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
Practices: Intermediate Cyber Hygiene
- Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, only a subset of its practices reference the protection of CUI.

Level 3 - Good Cyber Hygiene (130 practices)
Processes: Managed
- Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders. (SSP, POAM)
Practices: Good Cyber Hygiene
- Level 3 focuses on the protection of CUI and encompasses all 110 security requirements specified in NIST SP 800-171 as well as 20 additional practices from other standards and references to mitigate threats.
- Note that DFARS clause 252.204-7012 ("Safeguarding of Covered Defense Information and Cyber Incident Reporting") [5] specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting. (IRP)

Level 4 - Proactive (156 practices)
Processes: Reviewed
- Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.
Practices: Proactive
- Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

Level 5 - Advanced/Progressive (171 practices)
Processes: Optimizing
- Level 5 requires an organization to standardize and optimize process implementation across the organization.
Practices: Advanced/Progressive
- Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

Where do I have to implement CMMC within my network?
When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.
Reducing the footprint of your CUI Information System (IS), i.e. the enclave where CUI is stored and processed, is a fantastic way to better control and secure your CUI and to reduce the resources needed to implement DFARS and CMMC controls!

How to determine your required level of compliance
For now, look at your contracts and analyze your data:
- Vendors that only have contracts (FCI) with the DoD or with a vendor in the supply chain, but do not build components and do not have or use diagrams/schematics/drawings (or pieces of these documents), may only need Level 1 (examples: a lawn care service for a Boeing building, a payment processor for a supply chain vendor).
- If you handle anything else (CUI), work towards Level 3!

How to leverage my existing SSP and POAM to determine my compliance level
- Review your SSP and POAM and look at the NIST SP 800-171 controls you believe you have fully implemented.
  - Use NIST SP 800-171A to dive deeper (its assessment objectives break each control into individually testable pieces).
- Check off the 110 NIST SP 800-171 controls in your CMMC spreadsheet.
- Identify your gaps and add the missing CMMC controls to your existing POAM.
- Implement the missing controls.

C3PAOs - These are the assessors you are looking for
- CMMC 3rd Party Assessor Organizations
- https://www.cmmcab.org/marketplace
- This process is still under development, check back often!!!

How long will my certification be valid?
The certification must be in place prior to contract award (rather than at the time of proposal submission or after award), and will be valid for three years.

CMMC dos and don'ts
- Do get ready for certification now and get your assessment as soon as you can (220,000 vendors in line!)
- Don't tell anyone your certification level unless it is needed for a contract/DoD

When will I have to be CMMC compliant?
- DFARS interim rule clauses 252.204-7019 through 252.204-7021 go into effect November 30, 2020
- The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD [A&S]) must approve use of the clause on new acquisitions until October 2025
- After October 2025 CMMC is required for all contracts (above the micro-purchase threshold [$10K]), excluding COTS
- Primes will have to ensure subs are certified prior to awarding subcontracts

What should I do to begin my CMMC journey?
1. Conduct your DoD-required Basic Assessment of the NIST SP 800-171 controls (submit your score to SPRS by Nov. 30, 2020)
2. Make sure your organization has an SSP, POAM, and IRP
3. Begin implementing any NIST SP 800-171 controls not yet implemented (POAM)
4. Review the CMMC Level 3 control requirements and add any gaps or missing controls to your current POAM (20 controls beyond NIST SP 800-171)
5. Use NIST SP 800-171A to ensure you are implementing both processes and practices for the 800-171 controls

Other Helpful Resources (Freebies!)
- OUSD A&S page for CMMC: https://www.acq.osd.mil/cmmc/draft.html
- CMMC Model version 1.02: https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
- CMMC Version 1.02 Audit Spreadsheet
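An added example, not code from the webinar or from IMEC or Alpine Security, of how steps 1 to 4 fit together in practice: it scores a NIST SP 800-171 Basic Assessment the way the DoD Assessment Methodology does (start at 110, subtract a 1-, 3- or 5-point weight for every requirement not fully implemented, with partial credit only for 3.5.3 and 3.13.11, and a floor of -203) and turns the gaps into rows merged into an existing POAM. The weight table is a short excerpt written from memory and the self-assessment is constructed for the demo; both are assumptions to replace with the official Annex A weights and your own SSP before submitting anything to SPRS.

```python
"""Added example: SPRS Basic Assessment scorer and POAM gap list.
Not code from the webinar or from IMEC/Alpine Security."""
from __future__ import annotations

BASE_SCORE = 110   # one point per NIST SP 800-171 requirement before deductions
MIN_SCORE = -203   # floor defined by the DoD Assessment Methodology

IMPLEMENTED = "implemented"
NOT_IMPLEMENTED = "not_implemented"
PARTIAL = "partial"

# Weight (1, 3 or 5 points) per requirement. SAMPLE EXCERPT written from memory
# of Annex A of the methodology: verify each value against the official table
# and extend it to all 110 requirements before relying on the score.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.13.11": 5, "3.14.2": 5,
}

# Only two requirements earn partial credit: 3.5.3 (MFA deployed for remote and
# privileged users but not general users) and 3.13.11 (encryption in use but not
# FIPS-validated) deduct 3 instead of 5. Any other "partial" counts as not implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def deduction(req_id: str, status: str) -> int:
    """Points subtracted for one requirement given its self-assessed status."""
    if status == IMPLEMENTED:
        return 0
    if req_id not in WEIGHTS:
        raise ValueError(f"no weight on file for {req_id}; extend WEIGHTS")
    if status == PARTIAL and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    if status in (PARTIAL, NOT_IMPLEMENTED):
        return WEIGHTS[req_id]
    raise ValueError(f"unknown status {status!r} for {req_id}")


def sprs_score(statuses: dict[str, str]) -> int:
    """Basic Assessment score. Requirements absent from `statuses` are treated
    as implemented, so the caller must list every gap explicitly."""
    total = BASE_SCORE - sum(deduction(r, s) for r, s in statuses.items())
    return max(MIN_SCORE, total)


def poam_entries(statuses: dict[str, str]) -> list[dict]:
    """One POAM row per requirement that is not fully implemented, highest
    weight first so the 5-point items get remediated before the 1-point ones."""
    rows = [
        {"id": r, "source": "NIST SP 800-171", "status": s, "points": deduction(r, s)}
        for r, s in statuses.items() if s != IMPLEMENTED
    ]
    return sorted(rows, key=lambda row: (-row["points"], row["id"]))


def merge_into_poam(existing: list[dict], new_rows: list[dict]) -> list[dict]:
    """Add gaps to an existing POAM without duplicating rows already tracked."""
    tracked = {row["id"] for row in existing}
    return existing + [row for row in new_rows if row["id"] not in tracked]


# Constructed self-assessment for the demo (not real data): four gaps, the
# remaining requirements assumed fully implemented.
SAMPLE_STATUSES = {
    "3.1.3": NOT_IMPLEMENTED,   # CUI flow control: -1
    "3.5.3": PARTIAL,           # MFA for remote/privileged only: -3
    "3.13.11": PARTIAL,         # TLS in use but not FIPS-validated: -3
    "3.14.2": NOT_IMPLEMENTED,  # malicious code protection: -5
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_STATUSES))   # 98
    existing_poam = [{"id": "3.14.2", "source": "NIST SP 800-171",
                      "status": NOT_IMPLEMENTED, "points": 5}]
    for row in merge_into_poam(existing_poam, poam_entries(SAMPLE_STATUSES)):
        print(row)
```

The same `merge_into_poam` step is where the 20 Level 3 practices beyond NIST SP 800-171 (step 4) would be appended from your CMMC spreadsheet; they carry no SPRS weight, so they belong in the POAM but not in the score. Note the deliberate edge case: a "partial" on any requirement other than 3.5.3 or 3.13.11 deducts the full weight, which is what the methodology requires and what many self-assessments get wrong.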

What We Covered Today
- What is Cybersecurity Maturity Model Certification (CMMC)?
- Levels of the CMMC framework and how to determine the required level of compliance

Jana White
ty.com
info@alpinesecurity.com
(844) 925-7463
