Preparing for CMMC
Compliance Roundtable
Government Webinar
October 27, 2020
Agenda
© 2020 SolarWinds Worldwide, LLC. All rights reserved.
• Welcome
• Presenter and company intros
• CMMC level-setting
• Roundtable discussion
• Compliance requirements
• Objective evidence requirements
• DFARS interim rule change
• Assessment methodology
• IT tools best practices
• Q&A – additional resources
Presenters
Adam Rosenbaum
Sr Sales Manager, Federal System Integrator Program,
SolarWinds
Dave Gray
Senior Cybersecurity Analyst,
CyberDefenses, Inc.
Jason Spezzano
Senior Director of Cybersecurity
Grammatech, Inc.
Adam Rosenbaum
Senior Manager – Federal Sales, SolarWinds
Adam Rosenbaum is responsible for leading and managing the SolarWinds
Federal System Integrator line of business for both “sell to” and “sell through”
engagements. He focuses on SolarWinds alignment with Federal requirements to
solve IT problems across government and the Defense Industrial Base customers.
Adam has worked within the Defense Industrial Base since 2010 as a consultant
and sales leader for Supply Chain and Logistics modernization, IoT initiatives, and
IT Operations Management. Prior to this, he was an Active Duty Army Officer and
currently serves as a Lieutenant Colonel in the Army Reserve. Adam is a graduate
of the Virginia Military Institute and Indiana University’s Kelley School of Business
Enterprise Resource Planning Graduate Certificate program in addition to
certification as a SOLE Demonstrated Senior Logistician and a Lean Six Sigma
Green Belt.
Dave Gray
Senior Cybersecurity Analyst, CyberDefenses, Inc.
Dave Gray is a CISSP, CMMC, CAP, Security+ and PMP certified CyberSecurity
Leader skilled in securing information systems to achieve information Confidentiality,
Integrity, and Availability. Dave’s focus is Governance, Risk Management, and
Compliance (GRC) using information security frameworks established by the
National Institute of Standards and Technology (NIST) and the DoD Cybersecurity
Maturity Model Certification (CMMC). Dave specializes in DoD CMMC, NIST 800-
171, NIST 800-53 and CIS CSC 20.
Dave retired in 2011 from the Texas Army National Guard as a Lieutenant Colonel
where he managed Information Security and IT Operations for 5,000 network users
spread across Texas. Dave teaches local community college classes for CISSP,
Security+, and ITIL certifications and volunteers for the ISSA Capitol of Texas
Chapter at Austin. Dave’s certifications include CISSP, CMMC, CAP, PMP, Security+,
ITIL, and CEH. Dave holds an MBA from the Jack Welch Management Institute.
Jason Spezzano
Senior Cybersecurity Consultant, Grammatech, Inc.
Jason Spezzano is an experienced cybersecurity services delivery leader and
cybersecurity consultant with expertise in risk management, compliance, and
cybersecurity operations supporting DoD, Federal, and Intelligence Agencies. He is
skilled in using information security frameworks established by the National Institute of
Standards and Technology (NIST) and the DoD Cybersecurity Maturity Model
Certification (CMMC). Jason specializes in DoD CMMC, NIST 800-171, and NIST 800-
53, and defensive cybersecurity.
Jason is a former Major in the United States Marine Corps where he managed the
design, installation, maintenance, and operation of communication networks and
information systems. Jason is the Senior Director of Cybersecurity at Grammatech, as
well as a Senior Cyber Security Consultant supporting NIST and CMMC initiatives. He is
a volunteer for the Cybersecurity Maturity Model Certification Accreditation Body
(CMMC-AB) and a Fellow with the Cyber Security Forum Initiative (CSFI).
Who We Are
• #1 in Network Management [1]
• #3 in ITOM Performance Analysis [2]
• Leader in Remote Monitoring and Management
• Growing Security Portfolio
• 320,000+ customers in 190 countries [3]
• 499 of Fortune 500®
• Every branch of the DoD, and nearly every civilian and intelligence agency
• 55+ IT management products
• 22,000+ MSPs serving 450,000+ organizations
• 150,000+ registered members of THWACK®, our global IT community
• Founded in 1999
• More than 3,200 employees globally
• Austin, TX headquarters
• 30+ offices globally
1. IDC-defined Network Management Software functional market, IDC’s Worldwide Semiannual Software Tracker, October 15, 2020.
2. Gartner, Market Share Analysis: ITOM Performance Analysis Software, Worldwide, 2019. June 17, 2020. (AIOps/ITIM/Other Monitoring Tools Software Market). SolarWinds term, Systems Management, refers to the AIOps/ITIM/Other Monitoring Tools
Software Market Taxonomy referenced in the Gartner report. All statements in this report attributable to Gartner represent SolarWinds interpretation of data, research opinion, or viewpoints published as part of a syndicated subscription service by
Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this presentation). The opinions expressed in Gartner publications are not representations of fact and
are subject to change without notice.
3. Customers are defined as individuals or entities that have an active subscription for our subscription products or that have purchased one or more of our perpetual license products since our inception under a unique customer identification number.
We may have multiple purchasers of our products within a single organization, each of which may be assigned a unique customer identification number and deemed a separate customer.
CYBERDEFENSES OVERVIEW | WHO WE SERVE
Bringing battle-tested, military-grade Cybersecurity Intelligence Services that support some of our nation’s most critical defense networks to commercial accounts.
• Founded in 2001 by US Military veterans
• 50% of Staff Hold Security Clearances
• Industry Experts in CISO Advisory, Security
Operations, Cyber Intelligence, and Incident
Response
• SOC & HQ in Austin, Texas
• SDVOSB, HUB, GSA MAS and TIPS certified
• An MSSP Alert Top 100 MSSP (Global Ranking)
• SOC 2 Compliant
Who we serve: top enterprise organizations, partners, federal, state, and local government, secretaries of state / elections, institutions in critical industries, and the U.S. Air Force.
CMMC Level-Setting
CMMC Overview
CMMC is a Department of Defense (DoD) certification that measures a Defense
Industrial Base (DIB) sector company’s process maturity used to protect Federal
Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC combines multiple cybersecurity standards and maps practices and
processes to five maturity levels, ranging from basic cyber hygiene to highly
advanced practices.
CMMC will be phased in over 5 years, from FY21 through FY25 (100% in FY26).
CMMC Maturity Levels
ML1 – FCI only (most common)
ML3 – CUI data managed by vendor
ML4 and ML5 – will be introduced in the coming years
CMMC Scope
FCI – Federal Contract Information: FCI is information provided by or generated for
the Government under contract not intended for public release.
CUI – Controlled Unclassified Information: CUI is information that requires
safeguarding or dissemination controls pursuant to and consistent with laws,
regulations, and government-wide policies.
CMMC Scope – CMMC (Cybersecurity Maturity Model Certification) scope covers all information systems that process, store, and/or transmit Federal Contract Information (FCI) / Controlled Unclassified Information (CUI), or that provide protection for such components. Scope extends to the end of the supply chain regardless of location. CUI impact can be minimized via redaction from subcontracts. Where FCI/CUI data is commingled with organizational data, scope extends to all components where such commingling exists.
Preparing for CMMC Compliance
CMMC is a Department of Defense (DoD) certification that measures a Defense
Industrial Base (DIB) sector company’s process maturity used to protect Federal
Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC will be phased in from FY21 through FY25 (100% in FY26).
DFARS Interim Rule 2019-D041 mandates vendors with CUI in existing contracts
conduct a self-assessment via the DoD Assessment Methodology and upload their
score to the Supplier Performance Risk System (SPRS) by November 30, 2020.
DFARS Interim Rule 2019-D041 fills the gap created by CMMC’s phased
implementation over 5 years.
Important versus Urgent
CMMC is important for all DoD vendors.
DFARS Interim Rule 2019-D041 is urgent for vendors that
- Intend to compete for new contracts.
- Have current contracts that include option years.
Phased Rollout

CMMC for new contracts with CUI (prime contractors and sub-contractors):
  FY21    FY22    FY23     FY24     FY25     FY26
  1,500   7,500   25,000   47,905   47,905   100%

DFARS Interim Rule for existing contracts with CUI (prime contractors and sub-contractors):
  FY21    FY22    FY23     FY24     FY25     FY26
  100%    100%    100%     100%     100%     100%
Roundtable Discussion
Compliance – The Critical Path
Self-Assess NIST 800-171 DFARS 2019-D041 Compliance
- DoD Assessment Methodology (110 controls/practices)
Document DFARS 2019-D041 Shortfalls
- Build a POAM to Reach 100% on 110 controls/practices
Establish 100% Compliance with NIST 800-171, 800-171A
Implement CMMC Level 3
- Additional 20 Practices (no POAM allowed)
Schedule CMMC Assessment with C3PAO
CMMC Implementation Steps
Determine CMMC Certification Level Desired
Organizations with FCI minimally require CMMC Level 1
Organizations with CUI minimally require CMMC Level 3
CUI maturity levels 4 and 5 will be implemented in future years
Identify Scope for FCI and CUI environments.
Locate and (preferably) diagram FCI and CUI, including MSP/MSSP
Document System Security Plan (SSP)
Integrate CMMC into Business Practices
Identify Objective Evidence (Artifacts) to satisfy Assessors
Conduct Gap Analysis
Implement CMMC Practices (no POAM allowed)
Schedule Assessment with C3PAO
Objective Evidence (Artifacts)
Three types of evidence: Interview, Examine, and Test.
Minimum of two types of evidence (preferably more) for each practice.
Interview participants must be the person(s) performing the practice.
Evidence/artifacts are cumulative, i.e., the target maturity level determines the
types of artifacts for all assessed practices.
Level 1 – Evidence of “Performance”, e.g., service desk history logs
Level 2 – Evidence of Performance, Procedures, and Policies
Level 3 – Evidence of Performance, Procedures, Policies, and Plans
Evidence must be historical, i.e., not created at the last minute just to pass an
assessment. The assessment expects a culture of secure practices over time.
DFARS Interim Rule Change – Sep 2020
Establishes DoD Assessment Methodology as an additional requirement
As of November 30, 2020, in addition to CMMC:
DFARS Interim Rule Change 2019-D041
- Establishes new reporting requirements
- Applies to vendors with Controlled Unclassified Information (CUI).
- DFARS 252.204-7012 Safeguarding CDI and Cyber Incident Reporting.
- Conducted in parallel with CMMC
Vendor impact on current contracts
- Self-assess and score per the DoD Assessment Methodology.
- Submit “basic” self-assessment score to the SPRS* database by Nov 30.
- Include a POAM completion date where appropriate.
- No SPRS entry = no option year extensions
Vendor impact on future contracts
- No SPRS entry = no consideration for future contracts.
*SPRS – Supplier Performance Risk System, https://www.sprs.csd.disa.mil
New Contract Clauses
The Interim Rule establishes new CUI reporting requirements.
252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements.
252.204-7020
NIST SP 800-171 DoD Assessment Requirements.
252.204-7021
Cybersecurity Maturity Model Certification Requirements.
DoD Assessment Methodology*
New DFARS requirement in addition to CMMC
Applies to vendors with CUI data on current contracts.
Assesses NIST 800-171 compliance using a weighted point system.
Starts with 110 points, one each for the 110 NIST 800-171 controls.
Institutes a 1, 3, or 5 point penalty for each non-compliant control.
Requires an estimated POAM date for full compliance.
Three assessment types
“Basic” – self-assessment per NIST 800-171A conducted by the vendor.
“Moderate” – independent 800-171A SSP assessment conducted by DoD.
“High” – independent 800-171A SSP and controls assessment conducted by DoD.
* https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
Report Basic Assessment Results to SPRS
New DFARS requirement in addition to CMMC
Applies to DoD vendors with Controlled Unclassified Information (CUI)
Enter DoD Assessment Methodology (Basic self-assessment) into SPRS*
Required Information
CAGE code mapped to the specific in-scope System Security Plan (SSP)
Company Supply code, DUNS and MPIN
Date of the assessment
Summary-level score (e.g., 95 out of 110, NOT the individual value for each requirement)
POAM Completion Date – to achieve a score of 110 for the specific SSP
* SPRS – Supplier Performance Risk System, https://www.sprs.csd.disa.mil
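As an added worked example (not code from the deck or from SolarWinds, CyberDefenses, or Grammatech), the following Python script applies the scoring rule stated on the DoD Assessment Methodology slide (110 points, one per control, minus a 1-, 3- or 5-point penalty per unimplemented control) and assembles the summary-level record that this slide says goes into SPRS, refusing a sub-110 score that has no POAM completion date. The per-control weights, the CAGE code, the SSP name and the dates are constructed sample values; the authoritative point value for each control is in the methodology document linked above.

```python
"""Score a NIST SP 800-171 Basic (self) assessment and build the summary
record that goes to SPRS.

Added example, not SolarWinds/CyberDefenses/Grammatech code. Scoring rule as
stated in the deck: start at 110 (one point per control) and subtract a
1-, 3- or 5-point penalty for each control that is not implemented.
The weights below are a CONSTRUCTED sample; use the official table in the
DoD Assessment Methodology for real assessments.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

MAX_SCORE = 110            # one point per NIST SP 800-171 control
VALID_WEIGHTS = {1, 3, 5}  # the only penalty values the methodology uses

# Constructed sample weights keyed by 800-171 requirement ID. Hypothetical
# values chosen to exercise every penalty class; NOT the official table.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.3.1": 5,
    "3.4.2": 1, "3.5.3": 5, "3.8.9": 1, "3.11.2": 5, "3.12.1": 3,
    "3.13.11": 5, "3.14.1": 5,
}

# Constructed sample dates for the stand-alone run and the tests.
SAMPLE_ASSESSMENT_DATE = date(2020, 11, 15)
SAMPLE_POAM_DATE = date(2021, 6, 30)


def score_assessment(not_implemented: Iterable[str],
                     weights: Dict[str, int] = SAMPLE_WEIGHTS) -> int:
    """Return the summary-level score: 110 minus the penalty of every control
    listed as not implemented. Duplicate or unknown control IDs and weights
    outside {1, 3, 5} are rejected so a typo cannot silently change the score."""
    seen = set()
    penalty = 0
    for control in not_implemented:
        if control in seen:
            raise ValueError(f"control {control} listed twice")
        seen.add(control)
        if control not in weights:
            raise ValueError(f"no point value known for control {control}")
        weight = weights[control]
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"weight {weight} for {control} is not 1, 3 or 5")
        penalty += weight
    return MAX_SCORE - penalty


def gaps_by_weight(not_implemented: Iterable[str],
                   weights: Dict[str, int] = SAMPLE_WEIGHTS) -> Dict[int, List[str]]:
    """Group unmet controls by penalty so the POAM closes 5-point gaps first."""
    unmet = list(not_implemented)
    score_assessment(unmet, weights)  # reuse the validation above
    groups: Dict[int, List[str]] = {5: [], 3: [], 1: []}
    for control in unmet:
        groups[weights[control]].append(control)
    return groups


@dataclass(frozen=True)
class SprsRecord:
    """Summary-level fields the deck lists for an SPRS entry (no per-control values)."""
    cage_code: str
    ssp_name: str
    assessment_date: date
    score: int
    poam_completion_date: Optional[date]


def build_sprs_record(cage_code: str, ssp_name: str, assessment_date: date,
                      not_implemented: Iterable[str],
                      poam_completion_date: Optional[date] = None,
                      weights: Dict[str, int] = SAMPLE_WEIGHTS) -> SprsRecord:
    """Assemble the SPRS entry. A POAM completion date (the date the SSP is
    expected to reach 110) is mandatory whenever the score is below 110 and
    must fall after the assessment date."""
    score = score_assessment(list(not_implemented), weights)
    if score < MAX_SCORE:
        if poam_completion_date is None:
            raise ValueError("score below 110 requires a POAM completion date")
        if poam_completion_date <= assessment_date:
            raise ValueError("POAM completion date must be after the assessment date")
    return SprsRecord(cage_code, ssp_name, assessment_date, score, poam_completion_date)


def sample_record() -> SprsRecord:
    """Constructed sample: three controls not yet implemented, placeholder CAGE code."""
    unmet = ["3.1.3", "3.5.3", "3.14.1"]
    return build_sprs_record("PLACEHOLDER-CAGE", "Corporate enclave SSP",
                             SAMPLE_ASSESSMENT_DATE, unmet, SAMPLE_POAM_DATE)


if __name__ == "__main__":
    rec = sample_record()
    print(f"Summary score {rec.score} out of {MAX_SCORE}; POAM due {rec.poam_completion_date}")
    print("Close first (5-point gaps):", gaps_by_weight(["3.1.3", "3.5.3", "3.14.1"])[5])
```

Only the summary score, the assessment date and the POAM date reach SPRS; the per-control grouping from gaps_by_weight stays internal and is there to order the POAM, since one unimplemented 5-point control costs as much as five 1-point controls.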
Q&A – Additional Resources
Q&A –
Is there a self-assessment process?
What does certification cost?
When is compliance required?
When do CMMC assessments start?
What companies can provide CMMC consulting?
What companies can provide assessments leading to certification?
What training is available for staff?
What is the best method to “jumpstart” internal staff training?
What is the best method to ensure long-term CMMC staff expertise?
Is there a self-assessment process?
The CMMC Assessment guide for Assessors is still in draft.
Self-assessment (basic) is required for DFARS Interim Rule.
Independent assessment is required for CMMC certification.
Organizations should focus on the CMMC documents, NIST 800-171, NIST 800-171A, DFARS
252.204-7012, FAR 52.204-21, DFARS 2019-D041 Interim Rule, and the NIST SP 800-171
DoD Assessment Methodology.
What does certification cost?
Cost is driven by scope, preparation, and CUI data location.
Scope can be reduced via security enclaves.
Preparing objective evidence (i.e., artifacts) in advance reduces assessment time.
CUI data confined to a security enclave is advantageous over being commingled everywhere.
When is compliance required?
Two topics drive the compliance process: CMMC and the DFARS Interim Rule
- CMMC certification must be complete before an organization can accept a contract. CMMC will be
phased from FY21 thru FY25. Starting in FY26, all DoD contracts will require CMMC.
- DFARS Interim Rule Basic score must be submitted to SPRS before new contract consideration and
existing contract option years.
When do CMMC assessments start?
Provisional assessors can conduct provisional ML1 assessments immediately.
CMMC C3PAOs require ML3 assessment from DCMA DIBCAC.
DCMA DIBCAC assessors begin assessing C3PAOs in late 2020.
C3PAO ML2 and ML3 assessments begin in early 2021.
The CMMC Assessment guide for Assessors is still in draft.
What companies can provide CMMC consulting?
Registered Provider Organizations (RPO) can provide trained consultants immediately.
RPOs can provide mock assessments as a gap analysis.
RPOs cannot provide assessments leading to CMMC AB certification.
What companies can provide assessments leading to certification?
C3PAOs can assess and consult, but not for the same client.
C3PAOs must first be assessed at ML3 by DCMA DIBCAC.
What training is available for staff?
Provisional assessor training conducted in September, October, and November.
Registered Practitioner (RP) training is available now (online, 8-hour self-paced course).
Certified Professional (CP) training starts in February 2021.
Certified Assessor (CA) training starts in February 2021.
What is the best method to “jumpstart” internal staff training?
Registered Practitioner (RP) training.
What is the best method to ensure long-term CMMC staff expertise?
Certified Professional (CP) or Certified Assessor (CA) training.
Where are additional resources?
DoD CMMC Documentation
https://www.acq.osd.mil/cmmc/draft.html
CMMC Accreditation Body
https://www.cmmcab.org/
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1
https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC
https://www.acq.osd.mil/cmmc/draft.html
DFARS 2019-D041 Interim Rule
https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementa
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
https://acquisition.gov/far/52.204-21-0
NIST Special Publication 800-171
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
NIST Special Publication 800-171A
https://csrc.nist.gov/publications/detail/sp/800-171a/final
NIST Special Publication 800-53 r4
https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
NIST Special Publication 800-53 r5
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
DoD CUI Program
https://www.dodcui.mil/
DoD CUI Marking
https://www.dodcui.mil/Portals/109/Documents/Desktop%20Aid%20Docs/20-S-2093%20cleared%20training%20guide.pdf?ver=asnRYY26VDJkHS7uHgTLUA%3d%3d
NARA Controlled Unclassified Information (CUI)
https://www.archives.gov/cui
NARA CUI Marking Handbook
https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf
Supplier Performance Risk System (SPRS)
https://www.sprs.csd.disa.mil/
SPRS User Guide for Awardees
https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf
How can CyberDefenses help?
www.cyberdefenses.com info@cyberdefenses.com
THANK
YOU
Sign Up for Q1 CMMC Webcast
CMMC Compliance – How
SolarWinds Can Help
January 21, 2020
2:00 p.m. ET
Register here
Topics:
• Leverage configuration and patch
management tools to satisfy security
controls or help implement and
manage controls
• Use configuration and log
management to verify controls have
been implemented correctly
• Employ configuration and
management tools to monitor that
controls are working as expected
• Leverage NIST compliance reports to
track progress or support audits
Contact Us
• Call government sales: 877.946.3751
• Email SolarWinds federal government sales: federalsales@solarwinds.com
• Email SolarWinds state and local government sales:
governmentsales@solarwinds.com
• Email SolarWinds education sales: educationsales@solarwinds.com
• Visit our THWACK® government group: http://thwack.com/government
• Watch a short demo video: http://demo.solarwinds.com/sedemo/
• Download a free trial: http://www.solarwinds.com/downloads/
• Visit our government website: http://www.solarwinds.com/government
• Follow us on LinkedIn®: https://www.linkedin.com/company/solarwinds-government
Let us know how we can help you
The SolarWinds, SolarWinds & Design, Orion, and THWACK
trademarks are the exclusive property of SolarWinds Worldwide,
LLC or its affiliates, are registered with the U.S. Patent and
Trademark Office, and may be registered or pending registration
in other countries. All other SolarWinds trademarks, service
marks, and logos may be common law marks or are registered or
pending registration. All other trademarks mentioned herein are
used for identification purposes only and are trademarks of (and
may be registered trademarks) of their respective companies.

 
Government and Education: Leveraging The SolarWinds Orion Assistance Program ...
Government and Education: Leveraging The SolarWinds Orion Assistance Program ...Government and Education: Leveraging The SolarWinds Orion Assistance Program ...
Government and Education: Leveraging The SolarWinds Orion Assistance Program ...
 
Government and Education Webinar: SQL Server—Advanced Performance Tuning
Government and Education Webinar: SQL Server—Advanced Performance Tuning Government and Education Webinar: SQL Server—Advanced Performance Tuning
Government and Education Webinar: SQL Server—Advanced Performance Tuning
 
Government and Education Webinar: Recovering IP Addresses on Your Network
Government and Education Webinar: Recovering IP Addresses on Your NetworkGovernment and Education Webinar: Recovering IP Addresses on Your Network
Government and Education Webinar: Recovering IP Addresses on Your Network
 
Government and Education Webinar: Optimize Performance With Advanced Host Mon...
Government and Education Webinar: Optimize Performance With Advanced Host Mon...Government and Education Webinar: Optimize Performance With Advanced Host Mon...
Government and Education Webinar: Optimize Performance With Advanced Host Mon...
 
Government and Education Webinar: Conquering Remote Work IT Challenges
Government and Education Webinar: Conquering Remote Work IT Challenges Government and Education Webinar: Conquering Remote Work IT Challenges
Government and Education Webinar: Conquering Remote Work IT Challenges
 
Government and Education Webinar: SQL Server—Indexing for Performance
Government and Education Webinar: SQL Server—Indexing for PerformanceGovernment and Education Webinar: SQL Server—Indexing for Performance
Government and Education Webinar: SQL Server—Indexing for Performance
 
Government Webinar: Monitoring Azure and Deploying SolarWinds on Azure Govern...
Government Webinar: Monitoring Azure and Deploying SolarWinds on Azure Govern...Government Webinar: Monitoring Azure and Deploying SolarWinds on Azure Govern...
Government Webinar: Monitoring Azure and Deploying SolarWinds on Azure Govern...
 
Government and Education Webinar: Cyber Technology to Enable Operator Effecti...
Government and Education Webinar: Cyber Technology to Enable Operator Effecti...Government and Education Webinar: Cyber Technology to Enable Operator Effecti...
Government and Education Webinar: Cyber Technology to Enable Operator Effecti...
 

Último

%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 

Último (20)

Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 

Government Webinar: Preparing for CMMC Compliance Roundtable

  • 6. 6@solarwinds © 2020 SolarWinds Worldwide, LLC. All rights reserved.
    Jason Spezzano
    Senior Cybersecurity Consultant, Grammatech, Inc.
    Jason Spezzano is an experienced cybersecurity services delivery leader and cybersecurity consultant with expertise in risk management, compliance, and cybersecurity operations supporting DoD, Federal, and Intelligence Agencies. He is skilled in using information security frameworks established by the National Institute of Standards and Technology (NIST) and the DoD Cybersecurity Maturity Model Certification (CMMC). Jason specializes in DoD CMMC, NIST 800-171, NIST 800-53, and defensive cybersecurity. Jason is a former Major in the United States Marine Corps where he managed the design, installation, maintenance, and operation of communication networks and information systems. Jason is the Senior Director of Cybersecurity at Grammatech, as well as a Senior Cyber Security Consultant supporting NIST and CMMC initiatives. He is a volunteer for the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) and a Fellow with the Cyber Security Forum Initiative (CSFI).
  • 7. 7@solarwinds Who We Are © 2020 SolarWinds Worldwide, LLC. All rights reserved.
    - #1 in Network Management [1]
    - 320,000+ customers in 190 countries [3]
    - 55+ IT management products
    - 22,000+ MSPs serving 450,000+ organizations
    - Every branch of the DoD, and nearly every civilian and intelligence agency
    - 150,000+ registered members of THWACK®, our global IT community
    - Founded in 1999
    - More than 3,200 employees globally
    - Austin, TX headquarters
    - 30+ offices globally
    - Leader in Remote Monitoring and Management
    - #3 in ITOM Performance Analysis [2]
    - Growing Security Portfolio
    - 499 of Fortune 500®
    1. IDC-defined Network Management Software functional market, IDC’s Worldwide Semiannual Software Tracker, October 15, 2020.
    2. Gartner, Market Share Analysis: ITOM Performance Analysis Software, Worldwide, 2019. June 17, 2020. (AIOps/ITIM/Other Monitoring Tools Software Market). SolarWinds term, Systems Management, refers to the AIOps/ITIM/Other Monitoring Tools Software Market Taxonomy referenced in the Gartner report. All statements in this report attributable to Gartner represent SolarWinds interpretation of data, research opinion, or viewpoints published as part of a syndicated subscription service by Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this presentation). The opinions expressed in Gartner publications are not representations of fact and are subject to change without notice.
    3. Customers are defined as individuals or entities that have an active subscription for our subscription products or that have purchased one or more of our perpetual license products since our inception under a unique customer identification number. We may have multiple purchasers of our products within a single organization, each of which may be assigned a unique customer identification number and deemed a separate customer.
  • 8. 8@solarwinds CYBERDEFENSES OVERVIEW | WHO WE SERVE
    Bringing battle-tested, military-grade Cybersecurity Intelligence Services that support some of our nation’s most critical defense networks to commercial accounts.
    - Founded in 2001 by US Military veterans
    - 50% of Staff Hold Security Clearances
    - Industry Experts in CISO Advisory, Security Operations, Cyber Intelligence, and Incident Response
    - SOC & HQ in Austin, Texas
    - SDVOSB, HUB, GSA MAS and TIPS certified
    - An MSSP Alert Top 100 MSSP (Global Ranking)
    - SOC 2 Compliant
    Who we serve: Top Enterprise Organizations, Partners, Federal, State, and Local Government, Secretaries of State / Elections, Institutions in Critical Industries, U.S. Air Force
  • 10. CMMC Overview
    CMMC is a Department of Defense (DoD) certification that measures a Defense Industrial Base (DIB) sector company’s process maturity used to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
    CMMC combines multiple cybersecurity standards and maps practices and processes to five maturity levels, ranging from basic cyber hygiene to highly advanced practices.
    CMMC will be phased in over 5 years, from FY21 through FY25 (100% in FY26).
    CMMC Maturity Levels
    - ML1 – FCI only (most common)
    - ML3 – CUI data managed by vendor
    - ML4 and ML5 – Will be introduced in the coming years
  • 11. CMMC Scope
    FCI – Federal Contract Information: FCI is information provided by or generated for the Government under contract and not intended for public release.
    CUI – Controlled Unclassified Information: CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies.
    CMMC Scope – CMMC (Cybersecurity Maturity Model Certification) scope covers all information systems that process, store, and/or transmit Federal Contract Information (FCI) / Controlled Unclassified Information (CUI), or that provide protection for such components.
    - Scope extends to the end of the supply chain regardless of location.
    - CUI impact can be minimized via redaction from subcontracts.
    - Where FCI/CUI data is commingled with organizational data, scope extends to all components where such commingling exists.
  • 12. Preparing for CMMC Compliance
    CMMC is a Department of Defense (DoD) certification that measures a Defense Industrial Base (DIB) sector company’s process maturity used to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
    CMMC will be phased in from FY21 through FY25 (100% in FY26).
    DFARS Interim Rule 2019-D041 mandates that vendors with CUI in existing contracts conduct a self-assessment via the DoD Assessment Methodology and upload their score to the Supplier Performance Risk System (SPRS) by November 30, 2020.
    DFARS Interim Rule 2019-D041 fills the gap created by CMMC’s phased implementation over 5 years.
  • 13. Important versus Urgent
    CMMC is important for all DoD vendors.
    DFARS Interim Rule 2019-D041 is urgent for vendors that:
    - Intend to compete for new contracts.
    - Have current contracts that include option years.
  • 14. Phased Rollout
    CMMC for New Contracts with CUI (Prime Contractors and Sub-Contractors)
      FY21     FY22     FY23      FY24      FY25      FY26
      1,500    7,500    25,000    47,905    47,905    100%
    DFARS Interim Rule for Existing Contracts with CUI (Prime Contractors and Sub-Contractors)
      FY21     FY22     FY23      FY24      FY25      FY26
      100%     100%     100%      100%      100%      100%
  • 16. Compliance – The Critical Path
    1. Self-assess NIST 800-171 / DFARS 2019-D041 compliance using the DoD Assessment Methodology (110 controls/practices).
    2. Document DFARS 2019-D041 shortfalls: build a POAM to reach 100% on the 110 controls/practices.
    3. Establish 100% compliance with NIST 800-171 and 800-171A.
    4. Implement CMMC Level 3: an additional 20 practices (no POAM allowed).
    5. Schedule the CMMC assessment with a C3PAO.
  • 17. CMMC Implementation Steps
    1. Determine the CMMC certification level desired.
       - Organizations with FCI minimally require CMMC Level 1.
       - Organizations with CUI minimally require CMMC Level 3.
       - CUI maturity levels 4 and 5 will be implemented in future years.
    2. Identify the scope of the FCI and CUI environments. Locate and (preferably) diagram FCI and CUI, including any MSP/MSSP.
    3. Document the System Security Plan (SSP).
    4. Integrate CMMC into business practices.
    5. Identify objective evidence (artifacts) to satisfy assessors.
    6. Conduct a gap analysis.
    7. Implement CMMC practices (no POAM allowed).
    8. Schedule the assessment with a C3PAO.
  • 18. Objective Evidence (Artifacts)
    Three types of evidence: Interview, Examine, and Test.
    - A minimum of two types of evidence (preferably more) for each practice.
    - Interview participants must be the person(s) performing the practice.
    Evidence/artifacts are cumulative, i.e., the target maturity level determines the types of artifacts for all assessed practices:
    - Level 1 – Evidence of “Performance”, e.g., service desk history logs
    - Level 2 – Evidence of Performance, Procedures, and Policies
    - Level 3 – Evidence of Performance, Procedures, Policies, and Plans
    Evidence must be historical, i.e., not created at the last minute just to pass an assessment. The assessment expects a culture of secure practices over time.
  • 19. DFARS Interim Rule Change – Sep 2020
    Establishes the DoD Assessment Methodology as an additional requirement as of November 30, 2020, in ADDITION to CMMC.
    DFARS Interim Rule Change 2019-D041
    - Establishes new reporting requirements.
    - Applies to vendors with Controlled Unclassified Information (CUI).
    - DFARS 252.204-7012 Safeguarding CDI and Cyber Incident Reporting.
    - Conducted in parallel with CMMC.
    Vendor impact on current contracts
    - Self-assess and score per the DoD Assessment Methodology.
    - Submit the “basic” self-assessment score to the SPRS* database by Nov 30.
    - Include a POAM completion date where appropriate.
    - No SPRS entry = no option year extensions.
    Vendor impact on future contracts
    - No SPRS entry = no consideration for future contracts.
    *SPRS – Supplier Performance Risk System, https://www.sprs.csd.disa.mil
  • 20. New Contract Clauses
    The Interim Rule establishes new CUI reporting requirements.
    - 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements.
    - 252.204-7020 NIST SP 800-171 DoD Assessment Requirements.
    - 252.204-7021 Cybersecurity Maturity Model Certification Requirements.
  • 21. DoD Assessment Methodology*
    New DFARS requirement in addition to CMMC. Applies to vendors with CUI data on current contracts.
    - Assesses NIST 800-171 compliance using a weighted point system.
    - Starts with 110 points, one each for the 110 NIST 800-171 controls.
    - Institutes a 1, 3, or 5 point penalty for each non-compliant control.
    - Requires an estimated POAM date for full compliance.
    Three assessment types
    - “Basic” – self-assessment per NIST 800-171A conducted by the vendor.
    - “Moderate” – independent 800-171A SSP assessment conducted by DoD.
    - “High” – independent 800-171A SSP and controls assessment conducted by DoD.
    * https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
  • 22. Report Basic Assessment Results to SPRS
    New DFARS requirement in addition to CMMC. Applies to DoD vendors with Controlled Unclassified Information (CUI).
    Enter the DoD Assessment Methodology (Basic self-assessment) results into SPRS*.
    Required information
    - CAGE code mapped to the specific in-scope System Security Plan (SSP)
    - Company supply code, DUNS, and MPIN
    - Date of the assessment
    - Summary-level score (e.g., 95 out of 110, NOT the individual value for each requirement)
    - POAM completion date – to achieve a score of 110 for the specific SSP
    * SPRS – Supplier Performance Risk System, https://www.sprs.csd.disa.mil
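The score arithmetic on slide 21 and the SPRS summary record on slide 22, worked through as an added example (not code from the webinar, SolarWinds, or CyberDefenses): start at 110, deduct each unmet requirement's 1/3/5 weight once, and refuse a below-110 record that has no future POAM completion date. The weight table, CAGE code, SSP name and dates are constructed placeholders, not the methodology's published weights.

```python
"""
Added example: NIST SP 800-171 DoD Assessment Methodology "Basic" summary score
(slide 21) and the SPRS summary-level record it feeds (slide 22).

Assumptions: per-requirement weights come from a table; SAMPLE_WEIGHTS below is a
short constructed sample, not the methodology's published weight table, and the
methodology's partial-credit cases are not modelled.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Mapping, Optional

MAX_SCORE = 110            # one point for each of the 110 NIST SP 800-171 requirements
TOTAL_REQUIREMENTS = 110
VALID_WEIGHTS = {1, 3, 5}  # penalty deducted for each requirement not implemented

# Constructed sample weights keyed by NIST SP 800-171 requirement number.
# A real assessment must use the weights published in the methodology.
SAMPLE_WEIGHTS: Mapping[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5,
    "3.5.3": 5, "3.12.1": 3, "3.13.11": 5, "3.14.2": 5,
}


def validate_weight_table(weights: Mapping[str, int], expect_full: bool = False) -> None:
    """Reject weights outside {1, 3, 5}; optionally insist on all 110 requirements."""
    bad = {r: w for r, w in weights.items() if w not in VALID_WEIGHTS}
    if bad:
        raise ValueError(f"weights must be 1, 3 or 5: {bad}")
    if expect_full and len(weights) != TOTAL_REQUIREMENTS:
        raise ValueError(f"expected {TOTAL_REQUIREMENTS} requirements, got {len(weights)}")


def basic_score(weights: Mapping[str, int], not_implemented: Iterable[str]) -> int:
    """Start at 110 and subtract each unmet requirement's weight once.

    A requirement listed twice is counted once; an unknown ID is an error so a
    typo in the self-assessment cannot silently change the score.
    """
    validate_weight_table(weights)
    unmet = set(not_implemented)
    unknown = unmet - set(weights)
    if unknown:
        raise ValueError(f"not in weight table: {sorted(unknown)}")
    return MAX_SCORE - sum(weights[r] for r in unmet)   # may go below zero


@dataclass(frozen=True)
class SprsSummary:
    """Summary-level entry per slide 22: one score, not per-requirement values."""
    cage_code: str               # CAGE code mapped to one specific in-scope SSP
    ssp_name: str
    assessment_date: date
    summary_score: int
    poam_completion_date: Optional[date]   # date the SSP is expected to reach 110


def build_sprs_summary(cage_code: str, ssp_name: str, assessment_date: date,
                       weights: Mapping[str, int], not_implemented: Iterable[str],
                       poam_completion_date: Optional[date] = None) -> SprsSummary:
    """Compute the score and apply the POAM rule before anything is submitted."""
    if len(cage_code) != 5 or not cage_code.isalnum():
        raise ValueError("CAGE code must be five alphanumeric characters")
    score = basic_score(weights, not_implemented)
    if score < MAX_SCORE:
        # Anything below 110 needs a dated plan to close the shortfall.
        if poam_completion_date is None or poam_completion_date <= assessment_date:
            raise ValueError("score below 110 requires a future POAM completion date")
    else:
        poam_completion_date = None   # nothing left to remediate
    return SprsSummary(cage_code, ssp_name, assessment_date, score, poam_completion_date)


if __name__ == "__main__":
    # Constructed self-assessment: three requirements from the sample table unmet.
    summary = build_sprs_summary(
        cage_code="1ABC2", ssp_name="Corporate CUI enclave SSP",   # placeholders
        assessment_date=date(2020, 11, 16), weights=SAMPLE_WEIGHTS,
        not_implemented=["3.1.20", "3.12.1", "3.14.2"],
        poam_completion_date=date(2021, 6, 30))
    print(summary)   # summary_score=101 (110 - 1 - 3 - 5)
```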
  • 24. Q&A
    - Is there a self-assessment process?
    - What does certification cost?
    - When is compliance required?
    - When do CMMC assessments start?
    - What companies can provide CMMC consulting?
    - What companies can provide assessments leading to certification?
    - What training is available for staff?
    - What is the best method to “jumpstart” internal staff training?
    - What is the best method to ensure long-term CMMC staff expertise?
  • 25. Q&A
    Is there a self-assessment process?
    - The CMMC Assessment Guide for Assessors is still in draft.
    - Self-assessment (basic) is required for the DFARS Interim Rule.
    - Independent assessment is required for CMMC certification.
    - Organizations should focus on the CMMC documents, NIST 800-171, NIST 800-171A, DFARS 252.204-7012, FAR 52.204-21, the DFARS 2019-D041 Interim Rule, and the NIST SP 800-171 DoD Assessment Methodology.
    What does certification cost?
    - Cost is driven by scope, preparation, and CUI data location.
    - Scope can be reduced via security enclaves.
    - Preparing objective evidence (i.e., artifacts) in advance reduces assessment time.
    - CUI data confined to a security enclave is advantageous over being commingled everywhere.
  • 26. Q&A
    When is compliance required? Two topics drive the compliance process: CMMC and the DFARS Interim Rule.
    - CMMC certification must be complete before an organization can accept a contract. CMMC will be phased in from FY21 through FY25. Starting in FY26, all DoD contracts will require CMMC.
    - The DFARS Interim Rule Basic score must be submitted to SPRS before new contract consideration and existing contract option years.
    When do CMMC assessments start?
    - Provisional assessors can conduct provisional ML1 assessments immediately.
    - CMMC C3PAOs require an ML3 assessment from DCMA DIBCAC.
    - DCMA DIBCAC assessors begin assessing C3PAOs in late 2020.
    - C3PAO ML2 and ML3 assessments begin in early 2021.
    - The CMMC Assessment Guide for Assessors is still in draft.
  • 27. Q&A
    What companies can provide CMMC consulting?
    - Registered Provider Organizations (RPOs) can provide trained consultants immediately.
    - RPOs can provide mock assessments as a gap analysis.
    - RPOs cannot provide assessments leading to CMMC-AB certification.
    What companies can provide assessments leading to certification?
    - C3PAOs can assess and consult, but not for the same client.
    - C3PAOs must first be assessed at ML3 by DCMA DIBCAC.
  • 28. Q&A
    What training is available for staff?
    - Provisional assessor training conducted in September, October, and November.
    - Registered Practitioner (RP) training is available now (online, 8-hour self-paced course).
    - Certified Professional (CP) training starts in February 2021.
    - Certified Assessor (CA) training starts in February 2021.
    What is the best method to “jumpstart” internal staff training?
    - Registered Practitioner (RP) training.
    What is the best method to ensure long-term CMMC staff expertise?
    - Certified Professional (CP) or Certified Assessor (CA) training.
  • 29. Where are additional resources?
    - DoD CMMC Documentation: https://www.acq.osd.mil/cmmc/draft.html
    - CMMC Accreditation Body: https://www.cmmcab.org/
    - NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
    - Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC: https://www.acq.osd.mil/cmmc/draft.html
  • 30. Where are additional resources?
    - DFARS 2019-D041 Interim Rule: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementa
    - DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
    - FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems: https://acquisition.gov/far/52.204-21-0
  • 31. Where are additional resources?
    - NIST Special Publication 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
    - NIST Special Publication 800-171A: https://csrc.nist.gov/publications/detail/sp/800-171a/final
    - NIST Special Publication 800-53 r4: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
    - NIST Special Publication 800-53 r5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • 32. Where are additional resources?
    - DoD CUI Program: https://www.dodcui.mil/
    - DoD CUI Marking: https://www.dodcui.mil/Portals/109/Documents/Desktop%20Aid%20Docs/20-S-2093%20cleared%20training%20guide.pdf?ver=asnRYY26VDJkHS7uHgTLUA%3d%3d
    - NARA Controlled Unclassified Information (CUI): https://www.archives.gov/cui
    - NARA CUI Marking Handbook: https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf
  • 33. Where are additional resources?
    - Supplier Performance Risk System (SPRS): https://www.sprs.csd.disa.mil/
    - SPRS User Guide for Awardees: https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf
  • 34. How can CyberDefenses help?
    www.cyberdefenses.com
    info@cyberdefenses.com
  • 35. 35@solarwinds THANK YOU © 2020 SolarWinds Worldwide, LLC. All rights reserved.
  • 36. 36@solarwinds Sign Up for Q1 CMMC Webcast © 2020 SolarWinds Worldwide, LLC. All rights reserved.
    CMMC Compliance – How SolarWinds Can Help
    January 21, 2020, 2:00 p.m. ET
    Register here
    Topics:
    - Leverage configuration and patch management tools to satisfy security controls or help implement and manage controls
    - Use configuration and log management to verify controls have been implemented correctly
    - Employ configuration and management tools to monitor that controls are working as expected
    - Leverage NIST compliance reports to track progress or support audits
  • 37. 37@solarwinds Contact Us
    - Call government sales: 877.946.3751
    - Email SolarWinds federal government sales: federalsales@solarwinds.com
    - Email SolarWinds state and local government sales: governmentsales@solarwinds.com
    - Email SolarWinds education sales: educationsales@solarwinds.com
    - Visit our THWACK® government group: http://thwack.com/government
    - Watch a short demo video: http://demo.solarwinds.com/sedemo/
    - Download a free trial: http://www.solarwinds.com/downloads/
    - Visit our government website: http://www.solarwinds.com/government
    - Follow us on LinkedIn®: https://www.linkedin.com/company/solarwinds-government
    Let us know how we can help you. © 2020 SolarWinds Worldwide, LLC. All rights reserved.
  • 38. 38@solarwinds The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.

Editor's Notes

  1. IDC: Gartner: https://www.gartner.com/document/3986463
  2. Keith Ingram. Expand Texas Elections info. Include TX SOS
  3. Federal Contract Information (FCI) is defined as nonpublic information that is "provided for or generated for the government" under a contract to "develop or deliver a product or service to the government, but not including information provided to the public or simple transactional information" (48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems). Controlled Unclassified Information (CUI) replaces earlier categories such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES). CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but is not classified.
  4. Acronyms used on these slides:
      • CDI – Covered Defense Information
      • DoD – Department of Defense
      • DCMA – Defense Contract Management Agency
      • DIBCAC – Defense Industrial Base Cybersecurity Assessment Center
      • C3PAO – CMMC Third Party Assessment Organization
      • DoD NIST SP 800-171 Assessment Methodology Version 1.2.1: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
      • SPRS – Supplier Performance Risk System: https://www.sprs.csd.disa.mil