Securing the DoD Supply Chain: Cybersecurity Maturity Model Certification
Ms. Katie Arrington, Chief Information Security Officer for Acquisition
DISTRIBUTION A. Approved for public release. As of 9 Dec 2019
Without a Secure Foundation, All Functions are at Risk
[Figure: Cyber Security shown as the foundation beneath Cost, Schedule and Performance]
Cost, Schedule, Performance ARE ONLY EFFECTIVE IN A SECURE ENVIRONMENT
Draft CMMC Model v0.7 Summary
• CMMC will be a unified cybersecurity standard for DoD acquisitions
– Iterative draft versions are being developed, working towards v1.0 in Jan 2020
• Draft CMMC Model v0.7 encompasses:
– 17 capability domains; 43 capabilities
– 173 practices across five CMMC levels to measure technical capabilities
– 9 processes across five CMMC levels to measure process maturity
• Draft CMMC Model v0.7 focuses on refining Levels 4 and 5
– Reduces Levels 4 and 5 by 52% from v0.6 (i.e. removes 46 practices)
– Provides new draft discussion and clarification content for Level 2, Level 3, and maturity processes

Draft CMMC Model v0.7 Practices and Processes per Level
CMMC Level   Practices   Processes
Level 1      17          -
Level 2      55          3
Level 3      59          2
Level 4      26          2
Level 5      16          2
CMMC Model Structure
17 Capability Domains (v0.7): Access Control (AC); Asset Management (AM); Awareness and Training (AT); Audit and Accountability (AA); Configuration Management (CM); Identification and Authentication (IDA); Incident Response (IR); Maintenance (MA); Media Protection (MP); Personnel Security (PS); System and Information Integrity (SII); System and Communications Protection (SCP); Situational Awareness (SA); Security Assessment (SAS); Physical Protection (PP); Risk Management (RM); Recovery (RE)
Capabilities are assessed for Practice and Process Maturity
Processes:
Level 1 – Performed
Level 2 – Documented
Level 3 – Managed
Level 4 – Reviewed
Level 5 – Optimized
Practices:
Level 1 – Basic Cyber Hygiene
Level 2 – Intermediate Cyber Hygiene
Level 3 – Good Cyber Hygiene
Level 4 – Proactive
Level 5 – Advanced / Progressive
Recent Changes to Draft CMMC Model v0.4 to v0.5 to v0.6 to v0.7
[Charts (data labels not recoverable from the extracted text): total Practices and Capabilities per draft version (v0.4, v0.5, v0.6, v0.7); Practices by Level (Level 1 through Level 5) for v0.4 through v0.7; Practices by Domain (AC, AM, AA, AT, CM, CG, IDA, IR, MA, MP, PS, PP, RE, RM, SAS, SA, SCP, SII) for v0.4 through v0.7]
Draft CMMC Model v0.7 Source Counts
Draft CMMC Model v0.7: Number of Practices per Source
CMMC Level   Total Practices per Level   48 CFR 52.204-21   NIST SP 800-171r1   Draft NIST SP 800-171B   Other
Level 1      17                          17 *               17                  -                        -
Level 2      55                          -                  48                  -                        7
Level 3      59                          -                  45                  -                        14
Level 4      26                          -                  -                   13                       13
Level 5      16                          -                  -                   5                        11
Excluded     -                           -                  -                   15                       -
• Draft CMMC Model leverages multiple sources and references
– CMMC Level 1 only includes practices from FAR Clause 52.204-21
– CMMC Levels 4 and 5 do not include QTY 15 practices from Draft NIST SP 800-171B because of cost or implementation challenges
* Note: QTY 15 safeguarding requirements from FAR clause 52.204-21 correspond to QTY 17 security requirements from NIST SP 800-171r1, and in turn, QTY 17 practices in CMMC
Notional CMMC Implementation Flow
[Diagram: swim lanes for CMMC Gov't (Gov't PM / Requiring Activity), Accreditation Body, Certifier, Company, SRM Database and Sr. Advisory Council. Steps shown include: Develop Model; CMMC Concept; CMMC REQT; Est. PMO Office; Develop Accreditation Body REQT.; Est. MOU Accrd. Body; Accrd. Body IOC; Create Database; Market Place; CMMC Certificate Database; Internet Accessible Lookup; RFI "Level x" & Date; ACQ Review; RFP; Source Selection (Go/No-Go); Award; Begin Work; Companies Self-Evaluate; Find Certifier; Select Certifier (Options: 1. Internal, 2. SVC Provider, 3. Partner); BID; Conduct Certification; Grant Certification; Document Cert; Certificate Update; Verify CMMC Level; Advance to Level]
Notional CMMC Accreditation Body Activities
Accreditation Body (AB) Manager
• Coordinate w/ CMMC PMO and CMMC Advisory Council
• Dispute resolution
• Capture metrics
• Integrate and coordinate functional areas
Training
• Train Individuals
• Train Organizations
• Train Instructors
Accreditation
• Grant C3PAO accreditations
• Audit C3PAO
• Process Complaints
Credentialing
• Grant Individual credentials
• Certifiers
• Accredited Certifiers
Infrastructure (Support Systems)
• Knowledge Store
• Market Place
• Artifact Store
• Records Mgmt.
Assessment Operations
• Technical Appeals
• Quality Control
• Manage Assessment Tool
• Publish CMMC Certificates
CMMC Database: AB Populated / Managed and accessible by DoD systems
Draft CMMC Development Schedule
[Gantt chart, Oct 2019 through Jun 2020 (Oct, Nov, Dec, Jan, Feb, Mar, Apr, May, Jun); the month placement of items is not recoverable from the extracted text. Rows and milestones: Accreditation Body (AB): RFI Published, RFI review, AB Kickoff, AB Established, Establish Online Market Place, Receive CMMC Model v1.0. Training (C3PAO): CMMC and Model Overview Training, Initiate Level 1/2/3 Training, Level 1/2/3 Assessor Training, Initiate Level 4/5 Training, Level 4/5 Assessor Training. Assessment Guidance: Initial Drafts: 9 Domains, Level 1/2/3 Guides, Level 4/5 Guides. Model Development: v0.6, v0.7, v1.0. Also shown: Begin C3PAO Accreditations; Initiate C3PAO-led Assessments. DoD Requirements: Initial CMMC RFIs Released, Establish MOU with AB, Initiate DFARS Rulemaking. CMMC Database: Development]
https://www.acq.osd.mil/cmmc/index.html