
Page 1: What Subcontractors Need to Know About the Cybersecurity ... · Reducing Risk of APTs Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity

3/4/2020

1

What Subcontractors Need to Know About the Cybersecurity Maturity Model Certification (CMMC)

March 6, 2020

To Receive CPE Credit

• Individuals
  • Participate in entire webinar
  • Answer polls when they are provided

• Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete group attendance form
  • Group leader signs bottom of form
  • Submit group attendance form to [email protected] within 24 hours of webinar

• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar

Cybersecurity Maturity Model Certification (CMMC)

Page 2

Introducing

Rick Lucy, Ph.D., CISA®

Director, IT Risk

[email protected]

Learning Objectives

Upon completion of this program, participants will have a basic understanding of the following:

• What are DFARS, CUI & NIST SP 800-171?

• What is the new Cybersecurity Maturity Model Certification (CMMC) requirement?

• What are CMMC domains, capabilities & practices?

• What is the expected process for conducting CMMC assessments?

• What is the approximate timeline DoD has set for developing & implementing the CMMC?

• How will you manage certification?

Page 3

Background

Background – DFARS


The Defense Federal Acquisition Regulation Supplement (DFARS) mandates that defense contractors meet the NIST special publication (SP) 800-171 standard that deals with Controlled Unclassified Information (CUI)

Contractors that handle CUI must comply with DFARS provisions with, at minimum, a system security plan (SSP) that includes a plan of action & milestones (POA&M) before December 31, 2018, per Executive Order 13556, “Controlled Unclassified Information,” issued in November 2010

Contractors are also required to “flow down” DFARS requirements to all subcontracts where subcontract performance will involve CUI

Penalties for failure to comply with the DFARS may result in contract revocation

Page 4

Background – CUI


CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls

The CUI Registry provides information on the specific categories & subcategories of information that the executive branch protects

The CUI Registry can be found at: https://www.archives.gov/cui

Resources, including online training, to better understand CUI can be found on the National Archives’ website at: https://www.archives.gov/cui/training.html

Background – NIST SP 800-171


NIST SP 800-171 provides federal agencies with recommended enhanced security requirements for protecting the confidentiality of CUI:

• When the information is resident in nonfederal systems & organizations;

• When the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; &

• Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation or governmentwide policy for the CUI category listed in the CUI Registry

Page 5

What Is the New Cybersecurity Maturity Model Certification (CMMC)?

CMMC


In January 2020, the DoD issued a new standard called the Cybersecurity Maturity Model Certification (CMMC)

This standard will replace NIST 800-171 on DoD RFIs & RFPs beginning in mid-2020

In prior years, contracting authorities & prime contractors would request a system security plan (SSP) & plan of action & milestones (POA&M) “post award”

In contrast, CMMC will be assessed before or “pre-award”

Page 6

CMMC


The CMMC contains five levels, ranging from basic hygiene to state-of-the-art

Unlike NIST 800-171, the CMMC will not contain a self-attestation component. Every organization that does business with the DoD will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime

According to the Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function

DoD has also indicated that all future RFPs may require a CMMC level whether or not the contractor handles CUI

CMMC

Figure source: Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020

Page 7

CMMC

Figure labels:

• Basic Safeguarding of FCI

• Transition to Protecting CUI

• Safeguarding of CUI

• Reducing Risk of APTs

Figure source: Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020

CMMC – Level 1


Processes: Performed

• Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner & may or may not rely on documentation, process maturity is not assessed for Level 1

Practices: Basic Cyber Hygiene

• Level 1 focuses on the protection of FCI & consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”)

Examples of Level 1 Practices

• Limit logical access

• Control connections to outside systems

• Identify “proxy” users or processes

• Control publicly posted or processed information

• Sanitize or destroy media containing FCI

• Limit physical access

• Use segmentation

• Regularly updated anti-virus

• Network scanning

• Inbound content scanning/filtering

Page 8

CMMC – Level 2


Processes: Documented

• Level 2 requires that an organization establish & document practices & policies to guide the implementation of their CMMC efforts

Practices: Intermediate Cyber Hygiene

• Level 2 serves as a progression from Level 1 to Level 3 & consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards & references

Examples of Level 2 Practices

• Risk management

• Security awareness & training

• Backups & security continuity

CMMC – Level 3


Processes: Managed

• Level 3 requires that an organization establish, maintain & resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training & involvement of relevant stakeholders

Practices: Good Cyber Hygiene

• Level 3 focuses on the protection of CUI & encompasses all of the security requirements specified in NIST SP 800-171. DFARS also specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting

Examples of Level 3 Practices

• All NIST SP 800-171 requirements are met

• Multifactor authentication

• Information security continuity plan

• Threat information is communicated to key stakeholders in a timely manner

Page 9

CMMC – Level 4


Processes: Reviewed

• Level 4 requires that an organization review & measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary & inform higher level management of status or issues on a recurring basis

Practices: Proactive

• Level 4 focuses on the protection of CUI from APTs & encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices

Examples of Level 4 Practices

• Consideration of supply chain risk

• Threat hunting

• Out-of-band administration

• Data loss prevention (DLP)

• Detonation chambers

• Inclusion of mobile devices

• Network segmentation

CMMC – Level 5


Processes: Optimizing

• Level 5 requires an organization to standardize & optimize process implementation across the organization

Practices: Advanced/Proactive

• Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth & sophistication of cybersecurity capabilities

Examples of Level 5 Practices

• Deployment of custom cybersecurity solutions

• Cyber maneuver operations

• Hardware root of trust for boot

• Real-time asset tracking

• 24x7 SOC

• Content aware access control

• Device authentication

CMMC Level 4 & 5 are targeted toward a small subset of contractors that support DoD critical programs & technologies

Page 10

CMMC Domains, Capabilities & Practices

CMMC – Domains, Capabilities & Practices

Domain: Access Control (AC)
Capabilities:

• Establish system access requirements

• Control internal system access

• Control remote system access

• Limit data access to authorized users & processes

Domain: Identification and Authentication (IA)
Capabilities:

• Grant access to authenticated entities

Domain: Systems and Communications Protection (SC)
Capabilities:

• Define security requirements for systems & communications

• Control communications at system boundaries

Source: Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020

Page 11

CMMC – Domains, Capabilities & Practices

*Note: 15 safeguarding requirements from FAR clause 52.204-21 correspond to 17 security requirements from NIST SP 800-171r1, & in turn, 17 practices in CMMC

**Note: 18 enhanced security requirements from Draft NIST SP 800-171B have been excluded from CMMC Model v1.0

CMMC – Domains, Capabilities & Practices

Figure source: Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020

Page 12

What Is the Expected Process for Conducting CMMC Assessments?

Recommended Process for Assessments

Step: Perform Evaluation
Inputs:
• CMMC self-evaluation
• Policies & procedures
• Understanding of cybersecurity program (SSP)
Activities:
• Conduct & document structured interviews
Outputs:
• Self-evaluation report

Step: Analyze Identified Gaps
Inputs:
• CMMC self-evaluation report
• Organizational objectives
• Impact to critical infrastructure
Activities:
• Analyze gaps in practices
• Evaluate risk of gaps
• Determine which gaps need attention
Outputs:
• Gap analysis

Step: Prioritize & Plan
Inputs:
• List of gaps & consequences
• Organizational constraints
Activities:
• Identify actions to address gaps
• Prioritize actions
• Develop a prioritized plan for remediation
Outputs:
• Prioritized implementation plan

Step: Implement Plans
Inputs:
• Prioritized implementation plan (POAM)
Activities:
• Track progress to remediation
• Re-evaluate plan periodically or in response to a major change
Outputs:
• Project tracking data

Page 13

Example Reporting – Domain View

Figure source: Department of Energy & Department of Homeland Security, Cybersecurity Capability Maturity Model (C2M2), Facilitator Guide, Version 1.1a, February 2017

Page 14

Example Reporting – Objective View

Figure source: Department of Energy & Department of Homeland Security, Cybersecurity Capability Maturity Model (C2M2), Facilitator Guide, Version 1.1a, February 2017

What Is the Approximate Timeline DoD Has Set for Developing & Implementing the CMMC?

Page 15

Figure source: Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification Model v1.0, January 30, 2020

How Will You Manage Certification?

Page 16

Certification

How will my organization become certified?

Your organization will coordinate directly with an accredited & independent third-party commercial certification organization to schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities & organizational maturity to the satisfaction of the assessor & certifier

Certification

Are the results of my assessment public? Does the DoD see my results?

Your certification level will be made public; however, details regarding specific findings will not be publicly accessible

Page 17

Certification

If my organization is certified CMMC & I am compromised, do I lose my certification?

You will not lose your certification. However, depending on the circumstances of the compromise & the direction of the government program manager, you may be required to be recertified

Certification

What if my organization cannot afford to be certified? Does that mean my organization can no longer work on DoD contracts?

The cost of certification will be considered an allowable, reimbursable cost & will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified

Page 18

Certification

My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?

Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes

Certification

How will I know what CMMC level is required for a contract?

The government will determine the appropriate tier, i.e., not everything requires the highest level, for the contracts they administer. The required CMMC level will be contained in sections L & M of the request for proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts

Page 19

Certification

How often does my organization need to be reassessed?

The duration of certification has not been determined by DoD

Questions?

Page 20

Continuing Professional Education (CPE) Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

CPE Credit

• CPE credit may be awarded upon verification of participant attendance

• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

Page 21

Thank You!

Rick Lucy

[email protected]