Webinar: CMMC Basics

Presented by:
Erik Winkler, Partner, Federal, ControlCase
Shamala Boyd, Chief Risk Officer, ControlCase
ControlCase. All Rights Reserved. 3
Agenda
01 ControlCase Intro
02 DFARS, NIST 800-171, SPRS, CMMC Overview
03 What is DFARS?
04 What is NIST 800-171?
05 What is an SPRS Score?
06 What is CMMC?
07 Status of CMMC 2.0 Rule
08 CMMC Next Steps
ControlCase Introduction
ControlCase Overview

Best-in-Class Compliance Platform
• ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements.
• Proprietary software, including appliance and SaaS solutions, that enable CaaS (GRC and Data Discovery).
• Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform.
• One Audit™ enables our clientele to Assess Once: Comply to Many.
• Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains.
• Serving over 1,000 customers.
• Global footprint with offices in the U.S., LATAM, UK, India, and Canada.
• Leverages an offshore delivery infrastructure for competitive advantage.
• IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom.

Global Vision & Solutions Enhancement
• Provider of Compliance as a Service (CaaS) subscription-based offering bundling proprietary GRC software and managed services
• Founded in 2004
• Headquartered in Fairfax, VA
• Offices in U.S., Canada, LATAM, UK, India
• 300+ employees
ControlCase Snapshot

CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified:
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Free up your internal resources to focus on other priorities
• Offload much of the compliance burden to a trusted compliance partner
• Improve efficiencies by doing more with fewer resources and gain compliance peace of mind

1,000+ CLIENTS | 10,000+ IT SECURITY CERTIFICATIONS | 300+ SECURITY EXPERTS
ControlCase Snapshot – Solution

[Diagram: Certification and Continuous Compliance Services (IT Certification Services & Continuous Compliance Services), Partnership Approach, Compliance HUB]
Certification Services

One Audit: Assess Once. Comply to Many.

PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HIPAA, MARS-E, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI SSF/SLC, CSA STAR, HITRUST CSF
DFARS, NIST 800-171, SPRS, CMMC Overview

• DFARS are the overall regulations.
• NIST 800-171 is the control framework that DFARS relies on.
• The SPRS score is the methodology for scoring NIST 800-171.
• CMMC is the framework that brings this all together.
What is DFARS?

Defense Federal Acquisition Regulation Supplement (DFARS)

The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR.

DFARS was established in December of 2015 to protect the confidentiality of Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB).

In order to be awarded new DoD contracts, a contractor or supplier must be in compliance with this set of cybersecurity regulations, also known as the Defense Federal Acquisition Regulation Supplement or DFARS.
What is NIST 800-171?

NIST SP 800-171

NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.

Specifically, NIST 800-171 dictates how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI).

The NIST 800-171 Basic Assessment is a low-confidence self-assessment conducted following the NIST 800-171 DoD Assessment Methodology.

As of November 30, 2020, all DoD contractors must conduct a NIST 800-171 Basic Assessment and submit their score to the Supplier Performance Risk System (SPRS).
NIST 800-171 Control Domains

110 security requirements broken down into 14 control domains taken from FIPS 200 and NIST 800-53:
• Access Control
• Awareness & Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System & Communications Protection
• Systems & Information Integrity
What is an SPRS Score?

SPRS Score

The Supplier Performance Risk System (SPRS) is a Department of Defense (DoD) application that gathers, processes, and displays data about suppliers’ performance.

SPRS is a “self-certification” score which is the result of a NIST SP 800-171 DoD Assessment and provides contracting officials a score for the overall assessment of the supplier performance and supplier risk.

Once you’ve generated your score, the new DFARS rules require your organization to maintain your current score in the SPRS, meaning the Basic DoD self-assessment can be no more than three years old.
What is CMMC?

Cybersecurity Maturity Model Certification (CMMC)

CMMC is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).

CMMC 1.0 was released by the US Department of Defense (DoD) and became effective in November 2020. CMMC 2.0 was released in November 2021.

CMMC ensures that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
Who Does CMMC Apply To?

• Defense Industrial Base (DIB) contractors whose unclassified networks process, store, or transmit Controlled Unclassified Information (CUI).
• Defense Industrial Base (DIB) contractors whose unclassified networks process Federal Contract Information (FCI).

What CMMC Level Are You and Next Steps?

• You have FCI only: Level 1
• You have CUI (in addition to FCI): Level 2 or 3

WHAT YOU NEED TO DO
• Level 1: Self Assessment (optionally assisted by ControlCase)
• Level 2a: The information that you manage is not critical to national security. Self Assessment (optionally assisted by ControlCase)
• Level 2b: The information that you manage is critical to national security. C3PAO assessment (once every three years)
• Level 3: The information you manage involves the highest priority, most critical defense programs. Government conducts an audit (once every three years)
Next Steps for CMMC

What You Need to Do

First, submit your SPRS score here: https://www.sprs.csd.disa.mil/

CMMC Assessment (What you must do NOW!)
• DFARS 7019 – As of June 2022, requires compliance to NIST 800-171 controls and the submission of your NIST 800-171 Score and Report to the Supplier Performance Risk System (SPRS).
• For entities with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks, you must:
⎻ Document your CMMC/NIST 800-171 System Security Plan (SSP).
⎻ Perform an assessment of all NIST 800-171 controls as documented in your CMMC/NIST 800-171 System Security Plan, including formal evidence collection and reporting.
⎻ Calculate your NIST 800-171 score as required by DFARS 7019.
⎻ Document any deficiencies with remediation steps in a Plan of Action and Milestones (POA&M) document.
⎻ Complete affirmation using the Supplier Performance Risk System (SPRS): https://www.sprs.csd.disa.mil
⎻ Maintain evidence of your NIST 800-171 compliance to avoid DoJ False Claims Act investigations.
ControlCase CMMC Assessment Process

CONTROLCASE CMMC LEVEL 1 ASSESSMENT PROCESS
1. Deploy Compliance Hub with NIST 800-171 controls covering 17 practices
2. Complete Scoping
3. Complete 50% Evidence Review
4. Complete 100% Evidence Review
5. *Publish Level 1 Self-Assessment Report

CONTROLCASE CMMC LEVEL 2A ASSESSMENT PROCESS
A. Deploy Compliance Hub with NIST 800-171 controls covering 110 practices
B. Complete Scoping
C. Complete 50% Evidence Review
D. Complete 100% Evidence Review
E. *Publish Level 2 Self-Assessment Report
Status of CMMC 2.0 Rule

• November 2023 – OIRA completes review of 9 CMMC model documents, clearing the way for rule publication.
• December 2023 – CMMC proposed rule published in the Federal Register; 60-day public comment period begins.
• Q1 2024 – Public comment period expected to be closed. DoD starts the process to review all comments and finalize the rule.
• Q1 2025 – CMMC final rule is published and goes into effect. A 3-year “phased roll-out” into all DoD contracts begins.
Q&A
• Please type your questions in the questions window.
• Any unanswered questions will be addressed via email following the presentation.

THANK YOU
contact@controlcase.com
www.ControlCase.com