DFARS Clause 252.204-7012 and the Cybersecurity Maturity ... · 2020-05-13 · Cybersecurity...

  • DFARS Clause 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC) Webcast Overview

    Chris Newborn, DAU Cybersecurity Enterprise Team

  • Webcast - Why

    Targeted for Acquisition Workforce Members (AWF) who are responsible to:

    • Deliver secure and resilient systems
    • Determine cybersecurity requirements

  • Webcast - Why

    Provides a forum to bring the right set of disciplines together to provide clarification regarding

    • AWF’s roles & responsibilities implementing the DFARS Clause and transitioning to the CMMC process

    • Migration from current security requirements to the new CMMC process

    • Challenges & issues concerning the implementation and execution of DFARS Clause on current and future procurements and the migration to the CMMC process


  • Webcast - Why

    This is the first of five webcasts. The remaining webcasts will discuss the following:

    • DoDI 5200.48
    • NIST 800-171 v1.1
    • Request For Information/Request For Proposal (RFI/RFP) Contract Strategy Considerations
      - CMMC Implementation Process
    • Selection of CMMC Levels (I, III, and III+)
      - Sensitivity of the Information
      - Threat Capability

  • Outline

    • Why DFARS/CMMC
    • FY20 NDAA
    • Current Policy - DFARS
    • Related Policies
      - DoDI 5200.48
      - DoDI 8582.01
      - Cloud Computing
      - NIST SP 800-171 v1.1 (DAM)
    • Future Process - CMMC
      - CFR 52.204-201
      - Model Framework
      - Levels & Descriptions
      - Levels & Associated Focus
    • CMMC Accreditation Board
    • CMMC Schedule
    • Migration from DFARS to CMMC Level 3
    • Contractor’s Preparation
    • Summary

  • Why DFARS/CMMC

    "They've pioneered an expansive approach to stealing innovation through a wide range of actors, including not just Chinese intelligence services but state-owned enterprises, ostensibly private companies, certain kinds of graduate students and researchers, and a whole variety of other actors all working on their behalf."

    FBI is investigating more than 1,000 cases of Chinese theft of US technology

    Presentation Notes: On February 6, 2020, the Center for Strategic and International Studies (CSIS) hosted a conference to bring the US private sector and the academic and research communities up to speed with the US government's investigations.

    During the four hour conference, named the China Initiative Conference, the highest officials of the FBI and the Department of Justice spent a lot of time putting the private and academic sectors of the country on high alert for the threats of intellectual property theft from the Chinese. The Director of the FBI indicated that cases of theft by the Chinese have been piling up since 2018, ever since the Department of Justice launched the China Initiative Campaign. This campaign was created in order to counter and investigate the economic espionage by Beijing.

    The FBI Assistant Director for the Counterintelligence Division, John Brown reported that this year the bureau has already made 19 arrests for charges of Chinese economic espionage. Last year, the total was only 24. To compare, the total number of arrests for these charges was only 15 in the year 2014.

    During the conference, the United States Attorney General William Barr gave a speech urging the allies of the United States to invest in Nokia and Ericsson in order to combat the growing presence of Huawei on the 5G market.

    FBI and the Department of Justice have confirmed that it is not just technology that the Chinese are stealing. They are not discriminating when it comes to stealing the intelligence of the United States. They are targeting anything from farming companies to software companies that produce medical devices. It doesn’t stop there, though. The Chinese are also infiltrating the education sector of the United States as well. The education sector isn’t as heavily regulated as the business sector but uses just as much valuable information and technology.

    In the last month, the United States charged the Department Chair for Harvard University’s Chemistry and Chemical Biology department for lying about his participation in China’s Thousand Talents Plan.

    The talent program is said to seek out and lure overseas Chinese talent and experts into bringing their knowledge and experience to China, and rewards them for stealing proprietary information. Because of the Department Chair’s involvement, the government now fears that work done with United States grants may end up in the hands of the Chinese government.

    Currently, the United States FBI and Department of Justice are investigating over 1,000 cases of IP theft by the Chinese government.

  • FY 20 NDAA Section 1648

    Required the Secretary of Defense to develop a comprehensive framework to enhance the cybersecurity of the U.S. DIB to address cybersecurity standards, regulations, metrics, ratings, and third-party certifications that prime contractors/ subcontractors must meet to successfully implement the current DFARS Clause 252.204-7012

    Cybersecurity Maturity Model Certification (CMMC)

    Presentation Notes: FY2020 NDAA SEC 1648 Key Provisions:

    • A framework to protect sensitive unclassified DoD information under the control of a DoD Contractor
    • Applicable to the Prime Contractor & their Supply Chain
    • Implementation is a Risk-based Approach & Tailorable
    • Contractor & their supply chain compliance will be assessed through certification (future) & DoD oversight
    • Cyber Threat Information needs to be communicated to DoD Contractors & their Supply Chain
    • Enhanced security requirements could apply – in accordance with the Cyber Threat

  • Current Policy – DFARS Clause 252.204-7012

    Purpose:

    • DFARS Clause 252.204-7012 is structured to ensure controlled unclassified DoD information (CUI) residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed & minimized via the cyber incident reporting & damage assessment process

    • Providing a single DoD-wide approach to safeguarding covered contractor information systems

    Goal: To properly secure sensitive information (CUI) in the Defense Industrial Base (DIB)

    Presentation Notes: Requires the program office/requiring activity to:

    • Mark or otherwise identify in the contract, task order, or delivery order covered defense information provided to the contractor by or on behalf of DoD in support of the performance of the contract

    Requires the contractor/subcontractor to:

    • Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network
    • Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support
    • Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center
    • Submit media/information as requested to support damage assessment activities
    • Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information

  • PROTECTING THE DOD’S UNCLASSIFIED INFORMATION

    [Diagram: where each requirement applies. The labels and groupings below are those recoverable from the slide.]

    Contractor’s Internal System (Controlled Unclassified Information, Federal Contract Information, DoD CUI, Controlled Unclassified Information (USG-wide)): DFARS Clause 252.204-7012, and/or FAR Clause 52.204-21, and security requirements from NIST SP 800-171 apply
      - Internal Cloud: NIST SP 800-171
      - Cloud Service Provider (CSP), external CSP: Equivalent to FedRAMP Moderate

    System Operated on Behalf of the DoD (DoD Information System, CSP / DoD Cloud): Cloud Computing SRG, Risk Management Framework and ‘Authority to Operate’ shall apply; DFARS Clause 252.239-7018 may apply

    When cloud services are used to process data on the DoD’s behalf, DFARS Clause 252.239-7010 and the DoD Cloud Computing SRG apply

  • DFARS Roles/Responsibilities

    Requires the program office/requiring activity to:

    • Mark or otherwise identify in the contract, task order, or delivery order CUI provided to the contractor by or on behalf of DoD in support of the performance of the contract

    Requires the contractor/subcontractor to:

    • Provide adequate security to safeguard CUI that resides on or is transiting through a contractor’s internal information system or network
    • Report cyber incidents that affect a covered contractor information system or the CUI residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support
    • Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve CUI

  • Related Policies – Controlled Unclassified Information (CUI)

    DoDI 5200.48, Controlled Unclassified Information:

    • Supersedes DoD Manual 5200.01, Volume 4
    • Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD IAW DFARS Sections 252.204-7008 and 252.204-7012
    • Establishes the official DoD CUI Registry

    General DoD CUI Procedures:

    • Unclassified information associated with a law, regulation, or government-wide policy and identified as needing safeguarding is considered CUI
      - DoD CUI replaces all references to Covered Defense Information (CDI)
      - Authorized holder is responsible for determining whether information in a document or material falls into a CUI category, and applying CUI markings and dissemination instructions accordingly
      - At minimum, CUI markings for DoD CUI documents will include the acronym “CUI” in the banner and footer of the document (FOUO not valid for new documents)

    Presentation Notes: After 11 long years of waiting, the Office of the Under Secretary of Defense for Intelligence and Security formally released DoDI 5200.48, titled Controlled Unclassified Information, on March 6, 2020.

    3.4. MARKING REQUIREMENTS. This paragraph covers the essential marking requirements for initial phased implementation of the DoD CUI Program. At minimum, CUI markings for unclassified DoD documents will include the acronym “CUI” in the banner and footer of the document.

    3.6. GENERAL DOD CUI PROCEDURES. DoD CUI is clustered into organizational indexes (e.g., defense, privacy, proprietary) with associated categories, and is categorized by the DoD according to the specific law, regulation, or government-wide policy requiring control. Unclassified information associated with a law, regulation, or government-wide policy and identified as needing safeguarding is considered CUI. It requires access control, handling, marking, dissemination controls, and other protective measures for safeguarding. The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly. In accordance with this issuance, every individual at every level, including DoD civilian and military personnel as well as contractors providing support to the DoD pursuant to contractual requirements, will comply with the requirements.

    Handling
    • Originators and authorized CUI holders must ensure documents are reviewed and approved for public release in accordance with DoDI 5230.29 to protect CUI from unauthorized disclosure.
    • Originators and/or Original Classification Authorities (OCAs) identified in SCGs containing CUI markings are authorized to decontrol or release CUI information.
    • OCAs will determine if aggregated CUI information should be classified.

    Marking
    • At a minimum, include “CUI” in the header and footer.
    • “(CUI)” portion marks are not required, but if they are used, the entire document must be portion marked.
    • “CUI” will NOT appear in banner or portion markings in co-mingled documents containing both classified and controlled unclassified information.
    • Classified documents with CUI information must also include a CUI warning box alerting recipients to the presence of CUI.
    • CUI markings in classified documents will appear in paragraphs or subparagraphs known to contain only CUI and must be portion marked with “(CUI).”
    • The first page or cover of any document or material containing CUI, including a document with commingled classified information, will include a CUI designation indicator, to include the following:
      - Controlled By: [Name of DoD Component]
      - Controlled By: [Name of Office]
      - CUI Category: [list Category or Categories]
      - Distribution/Dissemination Control: [if applicable]
      - POC: [phone or email]
    • In accordance with DoDI 5200.48, limited dissemination controls (LDC) are to be used in new CUI documents and materials except export controlled technical information, which must be marked with an export control warning in accordance with DoDI 5230.24, DoDD 5230.25, and Part 250 of Title 32, CFR. Another exception is CTI, which must be marked with one of the Distribution Statements B through F in accordance with DoDI 5230.24.

    Four CUI categories are pertinent to the DoD:
    • Controlled Technical Information. Examples: research / engineering data / drawings / lists, specifications, standards, process sheets, manuals, technical reports / orders, catalog-item identifications, data sets, studies / analyses, software executable / source code
    • DoD Critical Infrastructure Security Information
    • Naval Nuclear Propulsion Information
    • Unclassified Controlled Nuclear Information – Defense

  • Related Policies - Other Transactions

    DoDI 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information:

    • Applies to all unclassified non-DoD information systems (to the extent provided by applicable contracts, grants, or other legal agreements with the DoD) that process, store, or transmit unclassified nonpublic DoD information.
    • It is DoD policy that non-DoD information systems provide adequate security for all unclassified nonpublic DoD information. Appropriate requirements must be incorporated into all contracts, grants, and other legal agreements with non-DoD entities.
    • Non-DoD information systems processing, storing, or transmitting DoD CUI must be protected in accordance with NIST SP 800-171.
    • Also addresses cyber incident reporting and compliance requirements.

    Presentation Notes: The Office of the Chief Information Officer of the Department of Defense formally released on December 9, 2019 DoDI 5200.48, titled Security of Non-DOD Information Systems Processing Unclassified Nonpublic DOD Information. This instruction cancels DoD Instruction 8582.01, “Security of Unclassified DoD Information on Non-DoD Information Systems,” June 6, 2012, and establishes policy, assigns responsibilities, and provides direction for managing the security of non-DoD information systems that process, store, or transmit unclassified nonpublic DoD information, including controlled unclassified information (CUI).

  • Related Policies - Cloud Computing

    Safeguarding DoD CUI and Cyber Incident Reporting: 48 CFR Parts 202, 204, 212, and 252, DFARS Clause 252.204-7012

    • Applies when a contractor uses an external cloud service provider to store, process, or transmit CUI on the contractor’s behalf
    • Ensures that the cloud service provider:
      — Meets requirements equivalent to those established for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline
      — Complies with requirements for cyber incident reporting and damage assessment

    Cloud Computing Services: 48 CFR Parts 239 and 252, DFARS Clause 252.239-7010

    • Applies when a cloud solution is being used to process data on the DoD's behalf or DoD is contracting with a Cloud Service Provider to host/process data in a cloud
    • Requires the cloud service provider to:
      — Comply with the DoD Cloud Computing Security Requirements Guide
      — Comply with requirements for cyber incident reporting and damage assessment

  • Related Policies - DoD Assessment Methodology (DAM) Tool

    NIST SP 800-171 v1.1, DoD Assessment Methodology Tool

    • A methodology that enables assessment of a contractor's implementation of NIST SP 800-171, a requirement for compliance with DFARS Clause 252.204-7012
    • Consists of three levels of assessments (Basic, Medium, and High) that reflect the depth of the assessment and level of confidence in the assessment results
    • DCMA, Defense Counterintelligence and Security Agency (DCSA) and DoD Components completed High Assessments for the Department's largest contractors; captured in the Supplier Performance Risk System (SPRS)
    • DoD will use the methodology to assess the implementation of NIST SP 800-171 by its prime contractors. Prime contractors may use this methodology to assess the implementation status of NIST SP 800-171 by subcontractors

    Presentation Notes: Assessment of contractors with contracts containing DFARS clause 252.204-7012 is anticipated to be once every three years unless other factors, such as program criticality/risk or a security-relevant change, drive the need for a different assessment frequency. The NIST SP 800-171 DoD Assessment consists of three levels of assessments. These three types of assessments reflect the depth of the assessment, and the associated level of confidence in the assessment results.

    The Basic Assessment is the Contractor's self- assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s), and conducted in accordance with Section 5 and Annex A of this document.

    The Medium Assessment consists of a review of the Basic Assessment and a thorough document review and discussion with the contractor regarding the results to obtain additional information or clarification as needed.

    The High Assessment consists of a review of the Basic Assessment, a thorough document review and discussion with the contractor regarding the results to obtain additional information or clarification as needed, combined with government validation that the security requirements have been implemented as described in the system security plan. Network access by the assessor(s) is not required.

  • Future Process - CMMC

    • A certification process that measures a Defense Industrial Base (DIB) company’s ability to protect Federal Contract Information (FCI) & Controlled Unclassified Information (CUI), within the supply chain
      - FCI is information provided by or generated for the Government under contract not intended for public release
      - CUI is sensitive information that requires protection under laws, regulations and Government-wide policies
    • Combines cybersecurity standards and maps practices and processes to maturity levels; from “basic cyber hygiene” to “highly advanced”
    • Builds from existing regulation (48 Code of Federal Regulations (CFR) 52.204-21 & DFARS 252.204-7012)

    Presentation Notes: OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC). The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements. The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

    The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in mid 2019 that it is creating a cybersecurity assessment model and certification program. Since that time, several draft versions of CMMC were publicly released: 0.4, 0.6, and 0.7. CMMC 1.0 is now available.

    In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) in response to DFARS 252.204-7012. This request from contracting authorities was often post award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts.

    CMMC contrasts with DFARS 7012 by forcing the requirement before award, or 'pre-award'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, with 5 being the most secure. The higher your company certifies, the more contracts you will be eligible to bid on.

    https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf

  • PROTECTING THE DOD’S UNCLASSIFIED INFORMATION

    [Diagram: the same “Protecting the DoD’s Unclassified Information” slide shown earlier, repeated here: contractor’s internal system, cloud service provider, and system operated on behalf of the DoD, with the DFARS/FAR/NIST SP 800-171, FedRAMP Moderate, and DoD Cloud Computing SRG requirements that apply to each.]

  • CMMC Roles/Responsibilities

    Requires the program office/requiring activity to:

    • Identify FCI/CUI Data and Marking Requirements
    • Develop/Update Security Classification Guide (SCG)
    • Identify CMMC Level(s)

    Requires the contractor/subcontractor to:

    • Develop/Update Artifacts/Deliverables per RFI/RFP
    • Initiate/Hire C3PAO to perform CMMC assessment
    • Develop Supply Chain/Tier 1 & below Contractor Support Agreements

  • Related Policies - Basic Safeguarding of Covered Contractor Information Systems

    Code of Federal Regulations (CFR) 52.204-201, Basic Safeguarding of Covered Contractor Information Systems:

    • Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal Contract Information (FCI)
    • Supplier Requirements:
      – Provide basic security - CFR 52.204-201(b)
        • Limit Access, Authenticate, Sanitize, Monitor, Find/Fix Flaws, Patch, Detect Malware, Scans, etc.
      – Flow down these requirements to Subcontracts - CFR 52.204-201(c)

    Presentation Notes: Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.

    Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

    Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).

    Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).

    Safeguarding means measures or controls that are prescribed to protect information systems.

    (b) Safeguarding requirements and procedures.

    (1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
      (i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
      (ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
      (iii) Verify and control/limit connections to and use of external information systems.
      (iv) Control information posted or processed on publicly accessible information systems.
      (v) Identify information system users, processes acting on behalf of users, or devices.
      (vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
      (vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
      (viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
      (ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
      (x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
      (xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
      (xii) Identify, report, and correct information and information system flaws in a timely manner.
      (xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
      (xiv) Update malicious code protection mechanisms when new releases are available.
      (xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

    (2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.

    (c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.

  • CMMC Model Framework

    DIB companies will be accredited under the CMMC only if they can demonstrate compliance with the required practices and demonstrate mature processes required for the given CMMC level

    CMMC categorizes cybersecurity best practices at the highest level by 17 Domains

    Presentation Notes: The CMMC framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the DIB and DoD stakeholders. The model framework organizes these processes and practices into 17 domains and maps them across five levels, which will be demonstrated in the next slide. In order to provide additional structure, the framework also aligns the practices to the 43 capabilities that are distributed within the 17 domains.

  • CMMC Levels and Descriptions

    Presentation Notes: The CMMC model measures cybersecurity maturity with five levels. Each of these levels, in turn, consists of a set of processes and practices as displayed in the following figure. The processes range from “Performed” at Level 1 to “Optimizing” at Level 5, and the practices range from “Basic Cyber Hygiene” at Level 1 to “Advanced/Progressive” at Level 5. The CMMC levels and associated sets of processes and practices across domains are cumulative. More specifically, in order for an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels. The CMMC model measures not only the process maturity but also the implementation of the practices. Basically, the model consists of 171 practices that are mapped across the five levels for the 43 capabilities within the 17 domains.

  • CMMC Levels and Associated Focus

    CMMC is designed to provide increased assurance to the DoD that a DIB can adequately protect CUI at a level commensurate with the risk

    Presentation Notes: In addition to the previous CMMC level description, the specification and mapping of processes and practices to a particular level take into account multiple considerations including regulations, type and sensitivity of information, threats, costs, implementation, complexity, diversity within the DIB sector, assessment implementation, and other factors. The CMMC model, in effect, provides a means to align the processes and practices with the type/sensitivity of information to be protected and the range of threats. As a result, the CMMC levels can be characterized by this alignment, illustrated with the focus on the following:

    • Level 1: Safeguarding Federal Contract Information (FCI)
    • Level 2: Transition Step to Protect Controlled Unclassified Information (CUI)
    • Level 3: Protecting DoD CUI
    • Levels 4 & 5: Increasing the Protection of DoD CUI and reducing the risk of Advanced Persistent Threats (APTs)

    The CMMC is designed to provide increased assurance to the DoD that a DIB can adequately protect CUI at a level commensurate with the risk.

  • CMMC Levels Comparison

    Levels 1-3: Moderate Threats & Below
    • Security Requirements:
      - CFR 52.204-21, DFARS 252.204-7012, NIST SP 800-171
    • Risk Based Approach:
      - Risk = Consequence * Threat * Vulnerability
    • What is the threat likely to do?
      - Inventoried assets w/ perimeter defense

    Levels 4-5: Advanced Persistent Threats
    • Security Requirements:
      - Levels 1-3 + NIST SP 800-172 (171B)
    • Threat Centric Approach
      - Worst Case Scenario
    • What could the threat do?
      - Zero trust architecture, analysis, & dynamic defense

    Number of practices introduced at each CMMC level, by source (the last four columns are the source of the practices):

    CMMC Level | Practices Introduced at Level | 48 CFR 52.204-21 | NIST SP 800-171 | NIST SP 800-172 | Other
    1          |  17                           | 15               |  17             |                 |
    2          |  55                           |                  |  48             |                 |  7
    3          |  58                           |                  |  45             |                 | 13
    4          |  26                           |                  |                 | 11              | 15
    5          |  15                           |                  |                 |  4              | 11
    Total      | 171                           | 15               | 110             | 15              | 46

    Presentation Notes: CMMC primarily leans on NIST 800-171; however, many frameworks are being considered and integrated for the new Cybersecurity Maturity Model (CMM) process. NIST 800-53, FedRAMP, CMMI, SANS, FIPS 140-2, RMF, ISO 9000, and others are influencing the new framework. Other federal agencies, industries (the financial sector for example), and industry experts will be consulted for lessons learned. The majority of the practices (110 of 171) originate from the safeguarding requirements and security requirements from FAR Clause 52.204-21 and DFARS Clause 252.204-7012, which include NIST SP 800-171. These are applicable to CMMC Levels 1 through 3, which provide protection of information classified as FCI and CUI at the moderate confidentiality impact level. For CUI that is part of a critical program or a high value asset, and above the moderate confidentiality impact level, a subset of the enhanced security requirements from NIST SP 800-172 have been incorporated into CMMC Levels 4 & 5. As of the CMMC 1.1 release, here is a level-by-level breakdown of the requirements going beyond or outside NIST 800-171 (the levels are cumulative, so each level's count includes the practices of the levels below it):

    • Level 1: 17 NIST 800-171 Requirements
    • Level 2: 72 Practices (65 NIST 800-171 Requirements PLUS 7 Other Practices)
    • Level 3: 130 Practices (110 NIST 800-171 Requirements PLUS 20 Other Practices)
    • Level 4: 156 Practices (110 NIST 800-171 Requirements PLUS 46 Additional Practices)
    • Level 5: 171 Practices (110 NIST 800-171 Requirements PLUS 61 Additional Practices)

  • DSB Threat Tiers

    Tier | Typical Organizations | Vulnerability Exploitation | Resources | Motivation | Scope of Access
    I | Script Kiddies | Exploits pre-existing known vulnerabilities. | $ Hundreds | Bragging rights | Minimal.
    II | Hackers for hire | Exploits pre-existing known vulnerabilities. | $ Thousands | Theft/sale of business, financial data | Minimal.
    III | Small teams of hackers, e.g., non-state actors | Discovers unknown vulnerabilities | $ Millions | Theft/sale of corporate, govt leaders' personal or organizational data, political impact | Localized or sparse physical presence. Minimal supply chain access.
    IV | Larger, well-organized teams (criminal, non-state, or state sponsored) | Discovers unknown vulnerabilities | $ Millions | Theft/sale of corporate, govt leaders' personal or organizational data, political impact | Localized or sparse physical presence. Minimal supply chain access.
    V | Highly capable state actors | Creates vulnerabilities | $ Billions. Can pursue a few complex attacks concurrently. | Political, military, economic impact | Physically present and/or supplies technology world-wide and in space.
    VI | Most capable state actors (U.S. rivals) | Creates vulnerabilities | $ Billions. Can pursue many complex attacks concurrently over a long time | Political, military, economic impact | Physically present and/or supplies technology world-wide and in space.

    (The four rightmost columns, Vulnerability Exploitation, Resources, Motivation, and Scope of Access, together describe each tier's Skills and Capabilities.)

    23

    Presenter Presentation Notes: CMMC has four levels of threat actors:

    Unskilled Threat Actor
    Moderately Skilled Threat Actor
    Advanced Threat Actor
    Most-advanced Threat Actor

    What are the differences in capabilities across these threat actors to act as a(n):

    External Attacker
    Internal Threat
    Supply Chain Attacker


  • CMMC Accreditation Board (CMMC AB)

    • CMMC AB is responsible for training and certifying third-party auditors (C3PAO) that will validate cybersecurity practices and compliance of defense contractors
    • Consists of 14 members from industry
    - Board Chairman: Ty Shieber, senior director of business development at the University of Virginia's Darden School of Business

    24

    Presenter Presentation Notes: The CMMC Accreditation Body (CMMC AB) will oversee the training, quality, and administration of the third-party assessment organizations. The CMMC AB will consist of 13 individuals from industry, the cybersecurity community, and academia. Strict conflict of interest clauses will be integrated throughout a future memorandum or MOU that will dictate the activities and influence these 13 individuals have over certifications and audits.

    CMMC Third Party Assessment Organizations (C3PAOs) will be the organizations deemed fit for auditing after training and assessment by the CMMC AB. There was also the introduction of Pathfinders, a group of test contracts and respective DIB suppliers to which the CMMC OUSD team will assign various levels. This will better define which contracts will need which level and what future RFPs will require.

    Do's
    1. When mentioning CMMC, always place the word DRAFT in front of it, so as not to mislead readers that the standard is complete and released.
    2. Share valid information about the CMMC standard acquired from this site or the official DoD site located at https://www.acq.osd.mil/cmmc/index.html.
    3. Prepare your clients for CMMC by training and educating them on DFARS regulations and NIST 800-171 guidance. It is the law, and an increasing number of audits are being performed right now, in 2020.
    4. Become an expert on CMMC by reading the standard, assessment guidance, and training materials that will be published on https://www.acq.osd.mil/cmmc/index.html. These materials ARE NOT YET AVAILABLE, as the standard is not complete and released. Familiarize now. Actively prep later.

    Don'ts
    1. Do not state that you are an expert on CMMC. You are not. The standard is not yet released. No trainer or educator is currently accredited. No certified training exists yet.
    2. Currently, DFARS regulation requires self-assessments under NIST 800-171 guidance. Do not focus training on future requirements (CMMC) at the expense of current requirements.
    3. Do not charge clients for workshops, seminars, and training that promise CMMC compliance. The CMMC-AB will provide training and certifications to empower you with those opportunities.
    4. Do not sell or promote tools that promise CMMC compliance with certainty. The CMMC-AB will create standards for tool producers to use. For now, ensure that any tools promoted focus first on completed and released standards, or best practices.

  • CMMC AB – Do's & Don'ts

    Do's
    1. When mentioning CMMC, always place the word DRAFT in front of it, so as not to mislead readers that the standard is complete and released.
    2. Share valid information about the CMMC standard acquired from this site or the official DoD site located at https://www.acq.osd.mil/cmmc/index.html.
    3. Prepare your clients for CMMC by training and educating them on DFARS regulations and NIST 800-171 guidance. It is the law, and an increasing number of audits are being performed right now, in 2020.
    4. Become an expert on CMMC by reading the standard, assessment guidance, and training materials that will be published on https://www.acq.osd.mil/cmmc/index.html. These materials ARE NOT YET AVAILABLE, as the standard is not complete and released.

    Don'ts
    1. Do not state that you are an expert on CMMC. The standard is not yet released. No certified training exists yet.
    2. Currently, DFARS regulation requires self-assessments under NIST 800-171 guidance. Do not focus training on future requirements (CMMC) at the expense of current requirements.
    3. Do not charge clients for workshops, seminars, and training that promise CMMC compliance. The CMMC-AB will provide training and certifications to empower you with those opportunities.
    4. Do not sell or promote tools that promise CMMC compliance with certainty. The CMMC-AB will create standards for tool producers to use. For now, ensure that any tools promoted focus first on completed and released standards, or best practices.

    25

  • CMMC Deployment Schedule

    26

    Presenter Presentation Notes: DoD plans to finalize the CMMC training and assessment guides in March. Bostjanick said those documents will tell vendors what it takes to be certified at Levels 1, 2 and 3.

    Then sometime between April and June, the accreditation body will develop the training classes for third party assessors.

    Finally in the June or July timeframe, the first set of vendors can begin going through the assessment process in preparation for the first 15 procurements to call out CMMC requirements.

    DoD expects CMMC to take five years to fully roll out, and not really get going until 2021. The Pentagon estimates the third-party assessors to certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023.

    CMMC AB deliverables: a training and certification framework is expected first, on April 17, followed by the contours of an exam for assessors on April 24. By April 30, working groups are expected to have reviewed a provisional CMMC assessment method definition and to have given feedback and suggestions on the methodology used to conduct consistent CMMC certification assessments, with a demonstration of its iteration. Specific exam questions for assessors aren't anticipated until May 27.

  • Contractor's Preparation for CMMC

    • DIB legally bound to follow the provisions of DFARS Clause 252.204-7012:
    - Safeguarding DoD CUI
    - Reporting Cyber Incidents
    - Flow-down DFARS Clause to subs/vendors
    • Identify/focus efforts on deltas between DFARS Clause and CMMC process
    • From the CMMC Accreditation Board: "... Do not focus training on future requirements (CMMC) at the expense of current requirements ..."

    27

    Presenter Presentation Notes

    Training on acquisition policy/guidance, access to representative DoD customers, and knowledge of best practices for protection of sensitive DoD information on non-DoD networks. This training is being provided by:

    - Defense Acquisition University
    - NIST Manufacturing Extension Partnerships (MEPs)
    - Defense Logistics Agency (DLA) Procurement Technical Assistance Centers (PTACs)
    - Affiliated national non-profits (such as DAU Alumni Association, National Defense Industrial Association, and San Diego Cyber Center of Excellence)
    - Partner state/local governments, including the State of California Advanced Supply Chain and Diversification Effort (CASCADE) program office
    - Local and regional Economic Development Corporations (such as the San Diego Regional Economic Development Corp)
    - Training by local Universities, Colleges, and Community Colleges

    A partnership for exchange of content, videos, and case studies with the State of California Governor's office and representative California state colleges (University of California Colleges, California State Colleges, and California Community Colleges). The intent is to assist a variety of like-minded organizations in providing workforce development and education to a broad base of emerging cybersecurity workforce professionals. This work includes training and paid internships across the state of California through the State of California Employment Training Panel (ETP).

  • Summary

    • The new CMMC process will eliminate self-certification of compliance
    • DIB Contractors will be required to undergo 3rd-party Audits of their IT Systems and Cybersecurity Policies by Independent Assessors (C3PAOs) to receive a CMMC compliance ranging from Level 1 to Level 5
    – All practices for the required CMMC level must be met for contract eligibility (RFI or RFP)
    – Expected to appear in RFPs Sep 2020
    – Compliance expenses are "allowable cost" that may be included in DoD contract bids.
    – Certifications from C3PAO audits good for three years.

    28

    Presenter Presentation Notes: The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in mid-2019 that it is creating a cybersecurity assessment model and certification program. Since that time, several draft versions of CMMC were publicly released: 0.4, 0.6, and 0.7. CMMC 1.0 is now available.

    In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) in response to DFARS 252.204-7012. This request from contracting authorities was often post-award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts.

    CMMC contrasts with DFARS 7012 by imposing the requirement before award, or 'pre-award'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, 5 being the most secure. The higher your company certifies, the more contracts you will be eligible to bid on.

    In support of implementing the new CMMC process, the Office of the Under Secretary of Defense for Acquisition and Support (OUSD(A&S)) is working with the DoD Components to identify candidate programs that will have the new Cybersecurity Maturity Model Certification (CMMC) requirement during its Fiscal Year (FY) 2021 to FY 2025 phased roll-out. All new DoD contracts will contain the CMMC requirement starting in FY 2026. At a minimum, CMMC Level 3 is required to ensure adequate protection of DoD CUI. Depending on the sensitivity of the DoD acquisition program, CMMC Level 4 or 5 may be required to ensure that the additional practices are applied to reduce the risk posed by Advanced Persistent Threats (APTs) to a minimally acceptable level.

    DoD sources were quoted as saying that they "expect to certify 1,500 contractors this year with CMMC requirements to be included in 10 contract proposals by the 1QFY21 with full implementation by FY25." While CMMC requirements won't appear in RFPs until the 1QFY21, there is a distinct possibility that they will show up in RFIs issued this summer.

    Make sure your contractors are aware there are third-party entities that are already marketing how they can "help" other companies obtain the needed CMMC certification, even though they have not been accredited by the CMMC AB! Companies should hold off engaging with one of these "self-proclaimed" auditing organizations/companies until the CMMC Accreditation Board determines who can and can't be a certifying organization.

    Finally, don't confuse CMMC with controls needed for classified systems. This is all about CONTROLLED UNCLASSIFIED INFORMATION (CUI)! Thank you.

  • For additional questions, please contact Chris Newborn at

    [email protected] or 619-370-3076

    29
