In this webinar, Adam Rosenbaum, who leads our Federal System Integrator program here at SolarWinds, was joined by Jason Spezzano, Senior Director of Cybersecurity, and Dave Gray, Senior Cybersecurity Analyst, both of CyberDefenses, Inc., for a panel discussion about preparing for CMMC Compliance and what can be done now to get ready.
During this interactive webinar, attendees learned from this panel:
How to leverage NIST 800-171 compliance reports to track progress or support audits
How to use tools like SolarWinds’ solutions to maintain IT hygiene
How to leverage configuration and patch management tools to satisfy security controls or help implement and manage controls
How to use configuration and log management to verify controls are implemented correctly
How to navigate the process of obtaining certification
How an assessment, from security services firms like CyberDefenses, can make the process more efficient
CYBERDEFENSES OVERVIEW | WHO WE SERVE
Bringing battle-tested, military-grade cybersecurity intelligence services that support some of our nation’s most critical defense networks to commercial accounts.
• Founded in 2001 by US Military veterans
• 50% of Staff Hold Security Clearances
• Industry Experts in CISO Advisory, Security Operations, Cyber Intelligence, and Incident Response
• SOC & HQ in Austin, Texas
• SDVOSB, HUB, GSA MAS and TIPS certified
• An MSSP Alert Top 100 MSSP (Global Ranking)
• SOC 2 Compliant
Who we serve: top enterprise organizations; partners; federal, state, and local government; secretaries of state / elections; institutions in critical industries; U.S. Air Force.
10. CMMC Overview
CMMC is a Department of Defense (DoD) certification that measures a Defense Industrial Base (DIB) sector company’s process maturity used to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC combines multiple cybersecurity standards and maps practices and processes to five maturity levels, ranging from basic cyber hygiene to highly advanced practices.
CMMC will be phased in over 5 years, from FY21 thru FY25 (100% in FY26).
CMMC Maturity Levels
ML1 – FCI only (most common)
ML3 – CUI data managed by vendor.
ML4 and ML5 – Will be introduced in the coming years.
11. CMMC Scope
FCI – Federal Contract Information: FCI is information provided by or generated for the Government under contract not intended for public release.
CUI – Controlled Unclassified Information: CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies.
CMMC Scope – CMMC (Cybersecurity Maturity Model Certification) scope covers all information systems that process, store, and/or transmit Federal Contract Information (FCI) / Controlled Unclassified Information (CUI), or that provide protection for such components.
Scope extends to the end of the supply chain regardless of location. CUI impact can be minimized via redaction from subcontracts.
Where FCI/CUI data is commingled with organizational data, scope extends to all components where such commingling exists.
12. Preparing for CMMC Compliance
CMMC is a Department of Defense (DoD) certification that measures a Defense Industrial Base (DIB) sector company’s process maturity used to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC will be phased in from FY21 thru FY25 (100% in FY26).
DFARS Interim Rule 2019-D041 mandates vendors with CUI in existing contracts conduct a self-assessment via the DoD Assessment Methodology and upload their score to the Supplier Performance Risk System (SPRS) by November 30, 2020.
DFARS Interim Rule 2019-D041 fills the gap created by CMMC’s phased implementation over 5 years.
13. Important versus Urgent
CMMC is important for all DoD vendors.
DFARS Interim Rule 2019-D041 is urgent for vendors that
- Intend to compete for new contracts.
- Have current contracts that include option years.
14. Phased Rollout
CMMC for New Contracts with CUI (Prime Contractors and Sub-Contractors)
  FY21    FY22    FY23     FY24     FY25     FY26
  1,500   7,500   25,000   47,905   47,905   100%
DFARS Interim Rule for Existing Contracts with CUI (Prime Contractors and Sub-Contractors)
  FY21    FY22    FY23     FY24     FY25     FY26
  100%    100%    100%     100%     100%     100%
16. Compliance – The Critical Path
Self-Assess NIST 800-171 DFARS 2019-D041 Compliance
- DoD Assessment Methodology (110 controls/practices)
Document DFARS 2019-D041 Shortfalls
- Build a POAM to Reach 100% on 110 controls/practices
Establish 100% Compliance with NIST 800-171, 800-171A
Implement CMMC Level 3
- Additional 20 Practices (no POAM allowed)
Schedule CMMC Assessment with C3PAO
17. CMMC Implementation Steps
Determine CMMC Certification Level Desired
Organizations with FCI minimally require CMMC Level 1
Organizations with CUI minimally require CMMC Level 3
CUI maturity levels 4 and 5 will be implemented in future years
Identify Scope for FCI and CUI environments.
Locate and (preferably) diagram FCI and CUI, including MSP/MSSP
Document System Security Plan (SSP)
Integrate CMMC into Business Practices
Identify Objective Evidence (Artifacts) to satisfy Assessors
Conduct Gap Analysis
Implement CMMC Practices (no POAM allowed)
Schedule Assessment with C3PAO
18. Objective Evidence (Artifacts)
Three types of evidence: Interview, Examine, and Test.
Minimum of two types of evidence (preferably more) for each practice.
Interview participants must be the person(s) performing the practice.
Evidence/Artifacts are cumulative, i.e., the target maturity level determines the types of artifacts for all assessed practices.
Level 1 – Evidence of “Performance” e.g., service desk history logs
Level 2 – Evidence of Performance, Procedures, and Policies
Level 3 – Evidence of Performance, Procedures, Policies, and Plans
Evidence must be historical, i.e., not created at the last minute just to pass an assessment. The assessment expects a culture of secure practices over time.
19. DFARS Interim Rule Change – Sep 2020
Establishes DoD Assessment Methodology as an additional requirement
As of November 30, 2020, in ADDITION to CMMC:
DFARS Interim Rules Change 2019-D041
- Establishes new reporting requirements
- Applies to vendors with Controlled Unclassified Information (CUI).
- DFARS 252.204-7012 Safeguarding CDI and Cyber Incident Reporting.
- Conducted in parallel with CMMC
Vendor impact on current contracts
- Self-assess and score per the DoD Assessment Methodology.
- Submit “Basic” self-assessment score to the SPRS* database by Nov 30.
- Include a POAM completion date where appropriate.
- No SPRS entry = no option year extensions
Vendor impact on future contracts
- No SPRS entry = no consideration for future contracts.
*SPRS – Supplier Performance Risk System, https://www.sprs.csd.disa.mil
20. New Contract Clauses
The Interim Rule establishes new CUI reporting requirements.
252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements.
252.204-7020
NIST SP 800-171 DoD Assessment Requirements.
252.204-7021
Cybersecurity Maturity Model Certification Requirements.
21. DoD Assessment Methodology*
New DFARS requirement in addition to CMMC
Applies to vendors with CUI data on current contracts.
Assesses NIST 800-171 compliance using a weighted point system.
Starts with 110 points, one each for the 110 NIST 800-171 controls.
Institutes a 1-, 3-, or 5-point penalty for each non-compliant control.
Requires an estimated POAM date for full compliance.
Three assessment types
“Basic” – self-assessment per NIST 800-171A conducted by the vendor.
“Moderate” – independent 800-171A SSP assessment conducted by DoD.
“High” – independent 800-171A SSP and controls assessment conducted by DoD.
* https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
22. Report Basic Assessment Results to SPRS
New DFARS requirement in addition to CMMC
Applies to DoD vendors with Controlled Unclassified Information (CUI)
Enter DoD Assessment Methodology (Basic self-assessment) into SPRS*
Required Information
CAGE code mapped to the specific in-scope System Security Plan (SSP)
Company Supply code, DUNS and MPIN
Date of the assessment
Summary level score (e.g., 95 out of 110, NOT the individual value for each requirement)
POAM Completion Date – to achieve a score of 110 for the specific SSP
* SPRS – Supplier Performance Risk System, https://www.sprs.csd.disa.mil
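As an added worked example (not code from the webinar, SolarWinds, or CyberDefenses), the Python below models the weighted point system described under DoD Assessment Methodology and the summary-level record this SPRS section lists. The control IDs C001..C110, their 5/3/1 weights, and the CAGE code are constructed samples, not the methodology's published weight table.

```python
from datetime import date
from typing import Optional

TOTAL_CONTROLS = 110          # NIST SP 800-171 requirements, one point each
ALLOWED_WEIGHTS = {1, 3, 5}   # penalty for each control that is NOT MET


def basic_score(weights: dict, not_met: set) -> int:
    """Start at 110 and subtract the weight of every NOT MET control.

    The result can go negative when many 5-point controls are missing.
    """
    if len(weights) != TOTAL_CONTROLS:
        raise ValueError(f"expected {TOTAL_CONTROLS} controls, got {len(weights)}")
    bad = sorted(c for c, w in weights.items() if w not in ALLOWED_WEIGHTS)
    if bad:
        raise ValueError(f"weights must be 1, 3 or 5: {bad}")
    unknown = sorted(not_met - weights.keys())
    if unknown:
        raise ValueError(f"NOT MET controls that were never assessed: {unknown}")
    return TOTAL_CONTROLS - sum(weights[c] for c in not_met)


def sprs_summary(cage: str, weights: dict, not_met: set,
                 assessed_on: date, poam_date: Optional[date] = None) -> dict:
    """Build the summary-level record SPRS asks for: score, date, POAM date.

    SPRS takes only the total (e.g. 95 out of 110), never per-control values,
    and a POAM completion date is required whenever the score is below 110.
    """
    score = basic_score(weights, not_met)
    if score < TOTAL_CONTROLS and poam_date is None:
        raise ValueError("score below 110 requires a POAM completion date")
    if score == TOTAL_CONTROLS:
        poam_date = None  # nothing left to remediate
    return {"cage": cage,
            "assessment_date": assessed_on.isoformat(),
            "score": score,
            "poam_completion": poam_date.isoformat() if poam_date else None}


# Constructed sample inventory: 110 control IDs (C001..C110) with an arbitrary
# 5/3/1 weight mix; real weights come from the methodology's own table.
SAMPLE_WEIGHTS = {f"C{i + 1:03d}": (5, 3, 1, 1)[i % 4] for i in range(TOTAL_CONTROLS)}


def sample_submission() -> dict:
    """Constructed CAGE code, three NOT MET controls (5 + 3 + 1 = 9 points off)."""
    return sprs_summary("1ABC2", SAMPLE_WEIGHTS, {"C001", "C002", "C003"},
                        date(2020, 11, 15), date(2021, 6, 30))
```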
24. Q&A
Is there a self-assessment process?
What does certification cost?
When is compliance required?
When do CMMC assessments start?
What companies can provide CMMC consulting?
What companies can provide assessments leading to certification?
What training is available for staff?
What is the best method to “jumpstart” internal staff training?
What is the best method to ensure long-term CMMC staff expertise?
25. Q&A
Is there a self-assessment process?
The CMMC Assessment guide for Assessors is still in draft.
Self-assessment (basic) is required for DFARS Interim Rule.
Independent assessment is required for CMMC certification.
Organizations should focus on the CMMC documents, NIST 800-171, NIST 800-171A, DFARS 252.204-7012, FAR 52.204-21, DFARS 2019-D041 Interim Rule, and the NIST SP 800-171 DoD Assessment Methodology.
What does certification cost?
Cost is driven by scope, preparation, and CUI data location.
Scope can be reduced via security enclaves.
Preparing objective evidence (i.e., artifacts) in advance reduces assessment time.
CUI data confined to a security enclave is advantageous over being commingled everywhere.
26. Q&A
When is compliance required?
Two topics drive the compliance process: CMMC and the DFARS Interim Rule
- CMMC certification must be complete before an organization can accept a contract. CMMC will be phased from FY21 thru FY25. Starting in FY26, all DoD contracts will require CMMC.
- DFARS Interim Rule Basic score must be submitted to SPRS before new contract consideration and existing contract option years.
When do CMMC assessments start?
Provisional assessors can conduct provisional ML1 assessments immediately.
CMMC C3PAOs require ML3 assessment from DCMA DIBCAC.
DCMA DIBCAC assessors begin assessing C3PAOs in late 2020.
C3PAO ML2 and ML3 assessments begin in early 2021.
The CMMC Assessment guide for Assessors is still in draft.
27. Q&A
What companies can provide CMMC consulting?
Registered Provider Organizations (RPO) can provide trained consultants immediately.
RPOs can provide mock assessments as a gap analysis.
RPOs cannot provide assessments leading to CMMC AB certification.
What companies can provide assessments leading to certification?
C3PAOs can assess and consult, but not for the same client.
C3PAOs must first be assessed at ML3 by DCMA DIBCAC.
28. Q&A
What training is available for staff?
Provisional assessor training conducted in September, October, and November.
Registered Practitioner (RP) training is available now (online, 8-hour self-paced course).
Certified Professional (CP) training starts in February 2021.
Certified Assessor (CA) training starts in February 2021.
What is the best method to “jumpstart” internal staff training?
Registered Practitioner (RP) training.
What is the best method to ensure long-term CMMC staff expertise?
Certified Professional (CP) or Certified Assessor (CA) training.
29. Where are additional resources?
DoD CMMC Documentation
https://www.acq.osd.mil/cmmc/draft.html
CMMC Accreditation Body
https://www.cmmcab.org/
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1
https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC
https://www.acq.osd.mil/cmmc/draft.html
30. Where are additional resources?
DFARS 2019-D041 Interim Rule
https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementa
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
https://acquisition.gov/far/52.204-21-0
31. Where are additional resources?
NIST Special Publication 800-171
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
NIST Special Publication 800-171A
https://csrc.nist.gov/publications/detail/sp/800-171a/final
NIST Special Publication 800-53 r4
https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
NIST Special Publication 800-53 r5
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
32. Where are additional resources?
DoD CUI Program
https://www.dodcui.mil/
DoD CUI Marking
https://www.dodcui.mil/Portals/109/Documents/Desktop%20Aid%20Docs/20-S-2093%20cleared%20training%20guide.pdf?ver=asnRYY26VDJkHS7uHgTLUA%3d%3d
NARA Controlled Unclassified Information (CUI)
https://www.archives.gov/cui
NARA CUI Marking Handbook
https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf
33. Where are additional resources?
Supplier Performance Risk System (SPRS)
https://www.sprs.csd.disa.mil/
SPRS User Guide for Awardees
https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf
Federal Contract Information (FCI) is defined as nonpublic information that is “provided for or generated for the government” under a contract to “develop or deliver a product or service to the government,” but not including information provided to the public or simple transactional information (48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems).
Controlled Unclassified Information (CUI) – CUI replaces categories such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES). CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified.
CDI – Covered Defense Information
DoD – Department of Defense
DCMA – Defense Contract Management Agency
DIBCAC – Defense Industrial Base Cybersecurity Assessment Center
C3PAO – CMMC Third Party Assessment Organization
DoD NIST SP 800-171 Assessment Methodology Version 1.2.1
https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
SPRS – Supplier Performance Risk System
https://www.sprs.csd.disa.mil