3/4/2020
1
What Subcontractors Need to Know About the Cybersecurity Maturity Model Certification (CMMC)
March 6, 2020
To Receive CPE Credit
• Individuals
  • Participate in entire webinar
  • Answer polls when they are provided
• Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete group attendance form
  • Group leader signs bottom of form
  • Submit group attendance form to [email protected] within 24 hours of webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar
Cybersecurity Maturity Model Certification (CMMC)
Introducing
Rick Lucy, Ph.D., CISA®
Director, IT Risk
[email protected]
Learning Objectives
Upon completion of this program, participants will have a basic understanding of the following:
• What are DFARS, CUI & NIST SP 800-171?
• What is the new Cybersecurity Maturity Model Certification (CMMC) requirement?
• What are CMMC domains, capabilities & practices?
• What is the expected process for conducting CMMC assessments?
• What is the approximate timeline DoD has set for developing & implementing the CMMC?
• How will you manage certification?
Background
Background – DFARS
The Defense Federal Acquisition Regulation Supplement (DFARS), through clause 252.204-7012, requires defense contractors that handle Controlled Unclassified Information (CUI) to implement NIST Special Publication (SP) 800-171, the standard for protecting the confidentiality of CUI in nonfederal systems
Contractors that handle CUI must, at minimum, have a system security plan (SSP) with a plan of action & milestones (POA&M) for any unimplemented requirements; the DFARS deadline for implementing NIST SP 800-171 was December 31, 2017. The CUI program itself was established by Executive Order 13556, “Controlled Unclassified Information,” issued in November 2010
Contractors are also required to “flow down” DFARS requirements to all subcontracts where subcontract performance will involve CUI
Failure to comply with DFARS can result in penalties up to & including contract termination
Background – CUI
CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls
CUI Registry provides information on the specific categories & subcategories of information that the executive branch protects
CUI Registry can be found at: https://www.archives.gov/cui
Resources, including online training to better understand CUI can be found on National Archives’ website at: https://www.archives.gov/cui/training.html
Background – NIST SP 800-171
NIST SP 800-171 provides federal agencies with recommended security requirements for protecting the confidentiality of CUI:
• When the information is resident in nonfederal systems & organizations;
• When the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; &
• Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation or governmentwide policy for the CUI category listed in the CUI Registry
What Is the New Cybersecurity Maturity Model Certification (CMMC)?
CMMC
The DoD issued a new standard, the Cybersecurity Maturity Model Certification (CMMC) Model v1.0, in January 2020
CMMC builds on NIST SP 800-171 & is expected to appear in DoD RFIs & RFPs beginning in mid-2020, replacing self-attested NIST SP 800-171 compliance as the cybersecurity requirement
In prior years, contracting authorities & prime contractors would request a system security plan (SSP) & plan of action & milestones (POA&M) “post award”
In contrast, CMMC certification will be assessed “pre-award,” before a contract is bid on
CMMC
The CMMC contains five levels, ranging from basic cyber hygiene to advanced/proactive practices aimed at advanced persistent threats (APTs)
Unlike NIST SP 800-171 compliance under DFARS, CMMC has no self-attestation component. Every organization that does business with the DoD will be required to undergo an assessment by an accredited third-party assessment organization before bidding on a contract or subcontracting to a prime
According to the Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function
DoD has also indicated that future RFPs may require a CMMC level even where the contractor handles no CUI (Level 1 covers the basic safeguarding of federal contract information (FCI) only)
CMMC
[Figure (not reproduced in this extract): CMMC model overview, from Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020]
CMMC
[Figure (not reproduced in this extract): the five CMMC levels & their focus]
• Level 1 – Basic Safeguarding of FCI
• Level 2 – Transition to Protecting CUI
• Level 3 – Safeguarding of CUI
• Levels 4 & 5 – Reducing Risk of APTs
Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020
CMMC – Level 1
Processes: Performed
• Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner & may or may not rely on documentation, process maturity is not assessed for Level 1
Practices: Basic Cyber Hygiene
• Level 1 focuses on the protection of FCI & consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”)
Examples of Level 1 Practices
• Limit logical access
• Control connections to outside systems
• Identify “proxy” users or processes
• Control publicly posted or processed information
• Sanitize or destroy media containing FCI
• Limit physical access
• Use segmentation
• Regularly updated anti-virus
• Network scanning
• Inbound content scanning/filtering
CMMC – Level 2
Processes: Documented
• Level 2 requires that an organization establish & document practices & policies to guide the implementation of their CMMC efforts
Practices: Intermediate Cyber Hygiene
• Level 2 serves as a progression from Level 1 to Level 3 & consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards & references
Examples of Level 2 Practices
• Risk management
• Security awareness & training
• Backups & security continuity
CMMC – Level 3
Processes: Managed
• Level 3 requires that an organization establish, maintain & resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training & involvement of relevant stakeholders
Practices: Good Cyber Hygiene
• Level 3 focuses on the protection of CUI & encompasses all of the security requirements specified in NIST SP 800-171. DFARS also specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting
Examples of Level 3 Practices
• All NIST SP 800-171 requirements are met
• Multifactor authentication
• Information security continuity plan
• Threat information is communicated to key stakeholders in a timely manner
CMMC – Level 4
Processes: Reviewed
• Level 4 requires that an organization review & measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary & inform higher level management of status or issues on a recurring basis
Practices: Proactive
• Level 4 focuses on the protection of CUI from APTs & encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices
Examples of Level 4 Practices
• Consideration of supply chain risk
• Threat hunting
• Out-of-band administration
• Data loss prevention (DLP)
• Detonation chambers
• Inclusion of mobile devices
• Network segmentation
CMMC – Level 5
Processes: Optimizing
• Level 5 requires an organization to standardize & optimize process implementation across the organization
Practices: Advanced/Proactive
• Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth & sophistication of cybersecurity capabilities
Examples of Level 5 Practices
• Deployment of custom cybersecurity solutions
• Cyber maneuver operations
• Hardware root of trust for boot
• Real-time asset tracking
• 24x7 SOC
• Content-aware access control
• Device authentication
CMMC Level 4 & 5 are targeted toward a small subset of contractors that support DoD critical programs & technologies
CMMC Domains, Capabilities & Practices
CMMC – Domains, Capabilities & Practices
Domain / Capabilities
Access Control (AC)
• Establish system access requirements
• Control internal system access
• Control remote system access
• Limit data access to authorized users & processes
Identification and Authentication (IA)
• Grant access to authenticated entities
System and Communications Protection (SC)
• Define security requirements for systems & communications
• Control communications at system boundaries
Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020
CMMC – Domains, Capabilities & Practices
[Table (not reproduced in this extract): number of practices per domain & level, from CMMC Model v1.0]
*Note: 15 safeguarding requirements from FAR clause 52.204-21 correspond to 17 security requirements from NIST SP 800-171r1 &, in turn, 17 practices in CMMC
**Note: 18 enhanced security requirements from Draft NIST SP 800-171B have been excluded from CMMC Model v1.0
[Figure (not reproduced in this extract): domains, capabilities & practices, from CMMC Model v1.0]
Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020
What Is the Expected Process for Conducting CMMC Assessments?
Recommended Process for Assessments
Step: Perform Evaluation
Inputs: • CMMC self-evaluation • Policies & procedures • Understanding of cybersecurity program (SSP)
Activities: • Conduct & document structured interviews
Outputs: • Self-evaluation report

Step: Analyze Identified Gaps
Inputs: • CMMC self-evaluation report • Organizational objectives • Impact to critical infrastructure
Activities: • Analyze gaps in practices • Evaluate risk of gaps • Determine which gaps need attention
Outputs: • Gap analysis

Step: Prioritize & Plan
Inputs: • List of gaps & consequences • Organizational constraints
Activities: • Identify actions to address gaps • Prioritize actions • Develop a prioritized plan for remediation
Outputs: • Prioritized implementation plan

Step: Implement Plans
Inputs: • Prioritized implementation plan (POA&M)
Activities: • Track progress to remediation • Re-evaluate plan periodically or in response to a major change
Outputs: • Project tracking data
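As an added example (not from the slides, & not DoD or CMMC-AB tooling), the script below carries a self-evaluation through the gap-analysis, prioritization & re-evaluation steps above. It assumes two CMMC v1.0 rules: a level is certifiable only when every practice at that level & every level below it is fully met (a partial practice or an open POA&M item earns no credit), & process maturity is judged per domain at the level being sought. The practice identifiers, descriptions & statuses are constructed sample data modelled on the slides' Level 1–3 examples, not official CMMC practice numbers.

```python
"""CMMC v1.0-style gap analysis over a self-evaluation (added illustration)."""
from dataclasses import dataclass, replace

# Process maturity names from the CMMC level descriptions.
PROCESS_NAMES = {1: "Performed", 2: "Documented", 3: "Managed",
                 4: "Reviewed", 5: "Optimizing"}


@dataclass(frozen=True)
class Practice:
    pid: str          # constructed identifier, NOT an official CMMC practice number
    domain: str       # CMMC domain abbreviation
    level: int        # CMMC level that introduces the practice
    description: str
    status: str       # "met" | "partial" | "not_met"


@dataclass(frozen=True)
class Gap:
    level: int        # lowest CMMC level this gap blocks
    domain: str
    item: str         # practice id, or "process" for a process-maturity gap
    finding: str


# Constructed self-evaluation, modelled on the practice examples in the slides.
SELF_EVALUATION = [
    Practice("AC-L1-01", "AC", 1, "Limit logical access to authorized users", "met"),
    Practice("AC-L1-02", "AC", 1, "Control connections to outside systems", "met"),
    Practice("MP-L1-01", "MP", 1, "Sanitize or destroy media containing FCI", "met"),
    Practice("SI-L1-01", "SI", 1, "Regularly updated anti-virus", "met"),
    Practice("AT-L2-01", "AT", 2, "Security awareness & training", "partial"),
    Practice("RE-L2-01", "RE", 2, "Backups & security continuity", "met"),
    Practice("IA-L3-01", "IA", 3, "Multifactor authentication", "not_met"),
    Practice("IR-L3-01", "IR", 3, "Threat information shared with stakeholders", "met"),
]

# Constructed process maturity achieved per domain (1 = Performed ... 5 = Optimizing).
PROCESS_MATURITY = {"AC": 3, "MP": 3, "SI": 3, "AT": 2, "RE": 3, "IA": 3, "IR": 3}


def practice_level(practices, target):
    """Highest level N <= target such that every practice at levels 1..N is met.
    Levels are cumulative, so the first level with any unmet practice caps the result."""
    achieved = 0
    for level in range(1, target + 1):
        at_level = [p for p in practices if p.level == level]
        if not at_level or any(p.status != "met" for p in at_level):
            break
        achieved = level
    return achieved


def process_level(practices, maturity):
    """Process maturity is assessed per domain; the weakest domain caps the result.
    Level 1 does not assess process maturity, so an unlisted domain counts as 1."""
    domains = {p.domain for p in practices}
    return min(maturity.get(d, 1) for d in domains) if domains else 0


def certifiable_level(practices, maturity, target):
    """The level an assessor could certify: practices and processes must both hold."""
    return min(practice_level(practices, target), process_level(practices, maturity))


def gap_analysis(practices, maturity, target):
    """Step 2 (analyze gaps) and step 3 (prioritize): every item blocking certification
    at `target`, ordered so the gap that caps the lowest level comes first."""
    gaps = []
    for p in practices:
        if p.level <= target and p.status != "met":
            gaps.append(Gap(p.level, p.domain, p.pid, f"{p.description}: {p.status}"))
    for d in sorted({p.domain for p in practices}):
        have = maturity.get(d, 1)
        if have < target:
            gaps.append(Gap(have + 1, d, "process",
                            f"process maturity is {PROCESS_NAMES[have]}; "
                            f"Level {target} requires {PROCESS_NAMES[target]}"))
    return sorted(gaps, key=lambda g: (g.level, g.domain, g.item))


def with_status(practices, pid, status):
    """Step 4 (re-evaluate): a new evaluation with one practice's status changed."""
    return [replace(p, status=status) if p.pid == pid else p for p in practices]


if __name__ == "__main__":
    target = 3
    print("certifiable level:", certifiable_level(SELF_EVALUATION, PROCESS_MATURITY, target))
    for rank, g in enumerate(gap_analysis(SELF_EVALUATION, PROCESS_MATURITY, target), 1):
        print(f"{rank}. [blocks Level {g.level}] {g.domain} {g.item}: {g.finding}")
```

Run against the sample data with a Level 3 target, the evaluation is certifiable only at Level 1: the partial Level 2 training practice stops the practice chain, & even after it & the missing MFA practice are closed, the Access Control domain's “Documented” process maturity still caps the result at Level 2 until that domain reaches “Managed.” The ordering matters for the prioritized plan: a single unmet Level 1 practice blocks every level, so it is always remediated first.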
Example Reporting – Domain View
[Figures (not reproduced in this extract, two slides): example domain-view assessment reports, from Department of Energy & Department of Homeland Security, Cybersecurity Capability Maturity Model (C2M2), Facilitator Guide, Version 1.1a, February 2017]
Example Reporting – Objective View
[Figure (not reproduced in this extract): example objective-view assessment report, from the same C2M2 Facilitator Guide, Version 1.1a, February 2017]
What Is the Approximate Timeline DoD Has Set for Developing & Implementing the CMMC?
[Figure (not reproduced in this extract): DoD's CMMC development & implementation timeline, from Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020]
How Will You Manage Certification?
Certification
How will my organization become certified?
Your organization will coordinate directly with an accredited & independent third-party commercial certification organization to schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities & organizational maturity to the satisfaction of the assessor & certifier
Certification
Are the results of my assessment public? Does the DoD see my results?
Your certification level will be made public; however, details regarding specific findings will not be publicly accessible
Certification
If my organization is certified CMMC & I am compromised, do I lose my certification?
You will not lose your certification. However, depending on the circumstances of the compromise & the direction of the government program manager, you may be required to be recertified
Certification
What if my organization cannot afford to be certified? Does that mean my organization can no longer work on DoD contracts?
The cost of certification will be considered an allowable, reimbursable cost & will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified
Certification
My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes (Level 1 covers only the basic safeguarding of FCI)
Certification
How will I know what CMMC level is required for a contract?
The government will determine the appropriate level for the contracts it administers; not every contract requires the highest level. The required CMMC level will be stated in sections L & M of the request for proposals (RFP), & DoD has indicated that the cost of meeting it will be an “allowable cost” in DoD contracts
Certification
How often does my organization need to be reassessed?
The duration of certification has not been determined by DoD
Questions?
Continuing Professional Education (CPE) Credit
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org
The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered
CPE Credit
• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]