WEBINAR SERIES. Part 2 31 March 2021 10:30 AM EST
Hosted by CATALYST CONNECTION
Max Aulakh
Founder &
CEO
DFARS & CMMC Overview
Who’s driving this webinar?
Max Aulakh
Founder & CEO
About our Speaker
C-SUITE DEFENSE & ASSURANCE LEADER
Special Guest
As a Data Security and Compliance Leader, he delivers DoD-tested security strategies and
compliance that safeguard mission-critical IT operations. Having trained and excelled in The
United States Air Force, he maintained and tested the InfoSec and ComSec functions of network
hardware, software, and IT infrastructure for global networks — both classified and unclassified.
He drove the Information Assurance (IA) programs for the U.S. Department of Defense (DoD).
Facilitated by
Connie Palucka
Vice President, Consulting at Catalyst Connection
Connie joined Catalyst Connection in 2005 and brings over 25 years
of global sales, business development, and product development
experience to her role as the Managing Director of Regional
Initiatives. She leads a team that secures and executes grants
initiatives to support manufacturers and build the region’s
vibrancy. She also works with regional academic institutions,
economic development organizations and regional manufacturers
to build new capabilities and help make Southwestern Pennsylvania
a model for the nation.
Session 3: DFARS NIST 800-171 Compliance Process
1. Setting up your compliance program at the corporate level
2. Conducting a rapid, low-fidelity assessment to generate an SPRS score
3. Developing a completed SSP (System Security Plan)
4. How and why to create a POA&M (Plan of Actions & Milestones)
6-Part Webinar Series: CYBER RESILIENCY FOR DEFENSE CONTRACTORS
• Webinar 1: Laying the Foundation – The Need for Cybersecurity in U.S. Manufacturing
• Webinar 2: DFARS & CMMC Overview
• Webinar 3: DFARS NIST 800-171 Compliance Process
• Webinar 4: Real Company Examples
• Webinar 5: CMMC Breakdown
• Webinar 6: Risk Mitigation
Today’s Lessons Learned
1. Why does DFARS exist?
2. Current requirements for companies with CUI or CDI
3. What is CMMC?
DFARS Overview
Reasons why DFARS exists
1. Supply chain attacks, which exploit security weaknesses in third-party services to strike a target,
increased 78% in a single year (between 2017 and 2018) according to Symantec’s 2019
Internet Security Threat Report*, and the trend is increasing each year.
2. Defense contractors are increasingly investing in digital technologies to help accelerate product
development, improve existing processes, and increase efficiency. Digitization results in highly
sensitive and confidential data being stored long term and shared internally as well as externally.
*Symantec, 2019 Internet Security Threat Report, https://www.symantec.com/en/hk/security-center/threat-report.
Reasons why DFARS exists (continued)
3. Contractors share, exchange, and create Covered Defense Information (CDI) and Controlled Unclassified
Information (CUI) on program specifications, technology, and equipment performance as they
collaborate across research, design, development, and deployment of defense products.
4. Apart from the national security threat, cyberattacks can also cause significant financial and
reputational damage to defense contractors, which may disrupt supply chains and result in
cost and schedule overruns.
DFARS-based Clause Requirements for Defense Contractors
DFARS regulations and NIST guidance play an important role in the United States in enabling cybersecurity robustness. For
defense contractors and subcontractors, the regulations provide minimum guidance to assist them in becoming
cybersecure:
• Adequate security for all Covered Defense Information (CDI)
• Flow-down requirements to subcontractors
• Minimum security controls from NIST SP 800-171
• 72-hour rapid reporting requirement for cyber incidents
• Multifactor authentication
• Least-privileged access
4 Main Rules of the DFARS 70 Series
1. DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
2. DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
3. DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
4. DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting
• In the United States, the DFARS requirements and compliance with NIST SP 800-171
govern the DIB and associated contractors. DFARS Subpart 204.73 requires contractors
and subcontractors to protect CDI by applying specified security requirements to the
information systems that handle it, and requires the reporting of cyber incidents.
• DFARS 252.204-7012 defines Covered Defense Information (a subset of CUI) and identifies
NIST SP 800-171 as the source of the security requirements that a covered contractor
information system must meet.
• NIST SP 800-171, which lays down specific measures to safeguard sensitive information,
acts as the minimum standard for companies in the DIB.
DFARS 252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements
• This clause notifies contractors that, to be considered for award, they must have a current
NIST SP 800-171 DoD Assessment posted in the Supplier Performance Risk System (SPRS).
An assessment is current if it is not more than three years old, unless a lesser time is
specified in the solicitation.
• Each contractor is required to have one of the three current levels of DoD assessment
(Basic, Medium, or High) on record in SPRS, a database accessible only to authorized DoD
personnel (a contractor can view its own records).
• It also contains requirements and procedures for contracting officers to award or withhold
awards based on properly reported assessment results.
DFARS 252.204-7020
NIST SP 800-171 DoD Assessment Requirements
• This is a follow-on clause to DFARS 7019 which grants the Government access to the
contractor's facilities, systems, and personnel that manage, process, store, or transmit
Controlled Unclassified Information, as necessary for the Government to conduct a Medium
or High NIST SP 800-171 DoD Assessment.
• Some obligations carry over from DFARS 7012, including reinforcement of flow-down
requirements: the contractor must ensure that its suppliers comply with NIST SP 800-171,
make adequate progress on their Plan of Actions and Milestones (POA&M), and have their
current assessment results posted in the Supplier Performance Risk System (SPRS).
• The contractor must also confirm that a subcontractor has a current assessment posted in
SPRS before awarding it a subcontract or purchase order of any kind, and must include the
substance of the clause in the documented subcontract agreement.
DFARS 252.204-7021
Cybersecurity Maturity Model Certification Requirements
• The Cybersecurity Maturity Model Certification (CMMC) is a framework that measures a
contractor’s cybersecurity maturity, including both the implementation of cybersecurity
practices and the institutionalization of processes.
• Much like DFARS 7020, the DFARS 7021 clause relies on assessment results recorded in
the Supplier Performance Risk System (SPRS), but this clause additionally requires
contractors and their supply chain to hold and maintain the CMMC level specified for
each contract.
Current Requirements
for CUI
DoD Data Classification
CUI Definition
Section 2002.4 of Title 32 CFR
(h) Controlled Unclassified Information (CUI) is information the
Government creates or possesses, or that an entity creates or
possesses for or on behalf of the Government, that a law,
regulation, or Government-wide policy requires or permits an
agency to handle using safeguarding or dissemination controls.
CUI - Interpreted Definition
● CUI is defined in law by the way in which the information is handled.
● CUI is not clearly defined in policy and regulation regarding the content
of the information.
● In order to define CUI in a manner that is consistent with other
information classifications, CUI should be defined by the potential
impact to national defense that publicly releasing that information would
cause.
● For example, SECRET information is defined by 18 CFR § 3a.11 and says
“[t]he test for assigning Secret classification shall be whether its
unauthorized disclosure could reasonably be expected to cause serious
damage to the national security.”
CUI lacks a similar legal definition, but it would be reasonable to define CUI as information whose unauthorized disclosure,
aggregated with additional information, could reasonably be expected to cause a negative impact to the national security.
CUI Exceptions
However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and
maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for
an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or
permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or
permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or
requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified,
but with CUI Basic controls where the authority does not specify.
● Information government creates and/or created on behalf of the government
● No controls = CUI Basic
● Provide controls = CUI Specified
Major CUI Stakeholders
• National Archives and Records Administration (NARA)
The National Archives and Records Administration (NARA) serves as the Controlled Unclassified Information (CUI) Program's Executive Agent
and has delegated CUI Executive Agent responsibilities to the Director of the Information Security Oversight Office (ISOO). As the CUI
Executive Agent, ISOO issues guidance to Federal agencies on safeguarding and marking CUI.
• Guidance from NARA to DoD Agencies (Prime Contractor Customers)
Existing agency policy for all sensitive unclassified information remains in effect until your agency implements the CUI program.
• DoD & Contractors (us)
DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified
information (see DoD’s Guidance, Requirements for DoD Contractors, Section 5.3, below).
DoD’s Guidance
Requirements for DoD Contractors (Section 5.3, Page 32).
DoD contracts must require contractors to monitor CUI for
aggregation and compilation based on the potential to
generate classified information pursuant to security
classification guidance addressing the accumulation of
unclassified data or information. DoD contracts shall require
contractors to report the potential classification of
aggregated or compiled CUI
to a DoD representative.
CUI Determination Methods
Method 1: Using NARA’s CUI Registry and/or DoD’s CUI Registry (similar to NARA’s)
Method 2: Conducting an internal “damage assessment”
• Original Classification Authorities (OCAs) conduct a damage assessment to determine what is CUI
• Internal damage assessment: scenario-based (information type) and what-if analysis (how could it impact the DoD).
A non-formal example:
o Types of items manufactured or sold
o Specific DoD units these items are sold to, time and amount sold
o If this information were provided in aggregate to our adversaries, could it hurt the United States
and/or specifically the unit these items are provided to?
▪ If so, how? And if not, why not?
What is CDI?
Covered Defense Information (CDI) is a term defined in DFARS
clause 252.204-7012, Safeguarding Covered Defense Information,
as unclassified controlled technical information or other information,
as described in the Controlled Unclassified Information (CUI) Registry,
that requires safeguarding or dissemination controls pursuant to and
consistent with law, regulations, and Government-wide policies, and is
(1) marked or otherwise identified in a contract, task order, or delivery
order and provided to the contractor by or on behalf of the DoD in support of
the performance of the contract, or (2) collected, developed, received,
transmitted, used, or stored by or on behalf of the contractor in
support of the performance of the contract.
What Federal Requirements Apply?
DoD contractors are required to adhere to the following federal requirements when handling CUI/CDI:
• 32 Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information Program
• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
• DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• DFARS 252.204-7021, Cybersecurity Maturity Model Certification (CMMC) Requirements
Other Information Types
Small Business Classification (Example)
What is CMMC?
Model & Structure
Practices Per Level
Understanding DFARS NIST 800-171 and CMMC Relationship
Who needs to be DFARS compliant?
All DoD contractors that process, store or transmit Controlled Unclassified
Information (CUI) must meet DFARS minimum security standards or risk losing
their DoD contracts. Based on NIST Special Publication 800-171, manufacturers
must implement these security controls through all levels of their supply chain.
Where is DFARS included?
DFARS clause 252.204-7012 is included in all solicitations and contracts, including
those using Federal Acquisition Regulation (FAR) part 12 commercial item
procedures, except for acquisitions solely for commercially available
off- the-shelf (COTS) items. The clause requires contractors to apply the security
requirements of NIST SP 800-171 to “covered contractor information systems”.
How do NIST controls overlap with the emerging CMMC framework?
NIST 800-171 is the backbone of the CMMC framework and it is required by all
CMMC levels. For example, NIST domains cover 110 controls out of 130 required
for Level 3 of CMMC.
Would CMMC potentially replace NIST?
The CMMC is an advanced step in the DoD’s efforts to properly secure the Defense
Industrial Base (DIB). It complements and enforces NIST 800-171
as part of its requirements.
Note: The CMMC was released by the DoD on 31 January 2020. The CMMC Accreditation Body members are working to
produce additional guidance to support the certification path. For now, Ignyte recommends implementing NIST 800-171.
[Figure: overlap of NIST SP 800-171r1, CMMC requirements, and DFARS requirements. CMMC adds 20 additional practices and 51 maturity processes on top of NIST SP 800-171; DFARS adds FedRAMP Moderate for cloud services, paragraphs (c) through (g) of the 7012 clause, and the 72-hour incident report.]
Which CMMC level is right for your business?
• CMMC Level 1
• Meeting the basic requirements to protect Federal Contract Information (FCI):
• an up-to-date antivirus software application,
• strong passwords,
• protection against unauthorized third parties.
• FCI is information not intended for public release.
• Minimal effort required to strengthen the cybersecurity defenses.
• CMMC Level 2
• Introducing Controlled Unclassified Information (CUI).
• Standard cybersecurity practices, policies, and strategic plans.
• A major subset of the security requirements specified in NIST SP 800-171.
• 55 additional practices, for a total of 72 practices.
• CMMC Level 3
• Good cyber hygiene and the controls necessary to protect CUI.
• Continuous review of all activities based on the cybersecurity policy.
• All requirements specified in NIST SP 800-171 plus practices from other similar standards.
• 130 required practices, grouped into 17 domains.
• CMMC Level 4 and Level 5
• Addressing the changing tactics, techniques, and procedures used by Advanced
Persistent Threats (APTs).
• Proactive cybersecurity program and standardized processes to achieve
consistency across the entire organization.
• 156 practices at Level 4 and 171 practices at Level 5, grouped into the same 17 domains.
Starting CMMC Process
⮚ Pre-Diligence
⮚ RMF
⮚ CMMC
⮚ FedRAMP
⮚ ITAR
⮚ Business Requirements
⮚ Corporate Risk Management & Business Process
⮚ Business Integration Requirements (e.g. ISO, departments, etc.)
⮚ Reusability of low-fidelity scoring, IT resources, etc.
⮚ Standardization
⮚ People, Process & Technology
⮚ Create efficiencies; minimize rework and exceptions
Processes (maturity by level)
Level 1: Performed
Level 2: Documented
Level 3: Managed
Level 4: Reviewed
Level 5: Optimized
Cost of Compliance for SMB
● Cost of Management Factors
○ Program Development & Management
○ Technology & Engineering Implementation
○ Audit & Certification
● Pricing can range from $20K to $200K depending
on several factors.
● Market pricing for 100% of CMMC requirements is
not completely understood due to changing
requirements and/or interpretation of requirements.

DoD cost estimates per CMMC level*
CMMC Level   Yearly Non-Recurring Engineering   Yearly Recurring Engineering   Yearly Assessment Costs   Total Yearly Costs
Level 1      $0                                 $0                             $1,000                    $1,000
Level 2      $407                               $20,154                        $7,489                    $28,050
Level 3      $1,311                             $41,666                        $17,032                   $60,009
Level 4      $46,917                            $301,514                       $23,355                   $371,786
Level 5      $61,511                            $384,666                       $36,697                   $482,874
*Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
Program Resources
Resources are aligned with various stages of managing the CMMC program for small business
Program Metrics &
Management
SSP & POA&M
Deliverables
Guided Assessment
Training
Program Deliverables
● DoD Training Website - https://securityhub.usalearning.gov/content/story.html
● Ignyte Institute Practitioner Level & Top Management Training - https://www.ignyteinstitute.org/
● CMMC System Security Plan Development - https://www.dfars-nist-800-171.com/
● NIST SP 800-171 Documentation - https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
● SSP & Other Plan of Action & Milestones (POA&M) - https://www.dfars-nist-800-171.com/
CMMC Education & Training
Ignyte Institute Courses
Senior Management Course (20 Mins)
Practitioner Level Course (1 hour)
DoD Issued CUI Training
What is CUI and How to recognize it?
Next Week
Questions?
Thank you!
Point of Contact
Connie Palucka
Vice President, Consulting
Max Aulakh, MBA, CISSP, PMP
Founder & CEO
Point of Contact
info@ignyteplatform.com cpalucka@catalystconnection.org

More Related Content

PPTX
Corporate Cyber Program
PPTX
How I Woke Up from the CMMC Compliance Nightmare
PPTX
PDF
CMMC 2.0 I L1 & L2 Scoping Guidance Explained
PDF
Securing the Supply Chain
PPTX
CMMC DFARS/NIST SP 800-171
PPTX
MCGlobalTech CMMC Managed Compliance Service
PDF
Gpc case study_eng_0221
Corporate Cyber Program
How I Woke Up from the CMMC Compliance Nightmare
CMMC 2.0 I L1 & L2 Scoping Guidance Explained
Securing the Supply Chain
CMMC DFARS/NIST SP 800-171
MCGlobalTech CMMC Managed Compliance Service
Gpc case study_eng_0221

What's hot (20)

PDF
The CMMC Has Arrived. Are You Ready?
PPTX
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
PDF
Cybersecurity Maturity Model Certification
PDF
MCGlobalTech Managed Security Compliance Program
PPT
Educause+V4
PDF
CMMC case study: Inside a CMMC assessment
PPTX
CMMC Certification
PDF
Nist.sp.800 37r2
PPTX
A framework for an organization to use in determining if it needs a ciso
PDF
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
PPTX
Robert Nichols: Cybersecurity for Government Contractors
PPT
Security Management Practices
PDF
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
PPTX
CMMC rollout: How CMMC will impact your organization
PPTX
Scott Hogg - Gtri cloud security knowledge and certs
PPTX
Continuous Compliance Monitoring
PPTX
Security Management | System Administration
PDF
Evolution of Security Management
PPTX
Government Webinar: Preparing for CMMC Compliance Roundtable
PPTX
SOC 2 Compliance and Certification
The CMMC Has Arrived. Are You Ready?
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Cybersecurity Maturity Model Certification
MCGlobalTech Managed Security Compliance Program
Educause+V4
CMMC case study: Inside a CMMC assessment
CMMC Certification
Nist.sp.800 37r2
A framework for an organization to use in determining if it needs a ciso
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Robert Nichols: Cybersecurity for Government Contractors
Security Management Practices
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
CMMC rollout: How CMMC will impact your organization
Scott Hogg - Gtri cloud security knowledge and certs
Continuous Compliance Monitoring
Security Management | System Administration
Evolution of Security Management
Government Webinar: Preparing for CMMC Compliance Roundtable
SOC 2 Compliance and Certification
Ad

Similar to DFARS & CMMC Overview (20)

PDF
Understanding CMMC Requirements for Defense and Government Contractors.pdf
PPTX
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
PDF
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
PPTX
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
PPTX
FED GOV CON - Cybersecurity Compliance Under The DFARS
PPTX
CMMC 2.0 Explained: Impact for SMBs
PDF
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
PPTX
Webinar - CMMC Certification.pptx
PPT
GSA's Presentation on Improving Cyber Security Through Acquisition
PPTX
Cyber Security.pptx
PPTX
Key Cyber Security Issues for Government Contractors
PDF
The Federal Information Security Management Act
PDF
Trackment
PPT
Contractor Responsibilities under the Federal Information Security Management...
PPTX
FED GOV CON - Cyber Security Requirements: What’s New
PDF
Cyber security for manufacturers umuc cadf-ron mcfarland
PPTX
Webinar: Critical Steps For NIST Compliance
PPTX
FED GOV CON - Cybersecurity Compliance Under The FAR
PPTX
Government Contracting - DFARS Part 252 - Clauses - Win Federal Contracts
PPTX
Cybersecurity Compliance in Government Contracts
Understanding CMMC Requirements for Defense and Government Contractors.pdf
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
FED GOV CON - Cybersecurity Compliance Under The DFARS
CMMC 2.0 Explained: Impact for SMBs
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
Webinar - CMMC Certification.pptx
GSA's Presentation on Improving Cyber Security Through Acquisition
Cyber Security.pptx
Key Cyber Security Issues for Government Contractors
The Federal Information Security Management Act
Trackment
Contractor Responsibilities under the Federal Information Security Management...
FED GOV CON - Cyber Security Requirements: What’s New
Cyber security for manufacturers umuc cadf-ron mcfarland
Webinar: Critical Steps For NIST Compliance
FED GOV CON - Cybersecurity Compliance Under The FAR
Government Contracting - DFARS Part 252 - Clauses - Win Federal Contracts
Cybersecurity Compliance in Government Contracts
Ad

More from Ignyte Assurance Platform (12)

PDF
Ignyte/CDW LA Aerospace and Defense Event Recap Flyer.pdf
PPTX
CMMC Day 2024 _ Ignyte _ Declassification.pptx
PPTX
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
PDF
Ignyte - US Sovereign Cloud Computing
PDF
NIST_Ignyte_OSCALWorkshop_2022.pdf
PDF
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
PPTX
CMMC 2.0 | What the changes mean for organizations in the DIB
PDF
CMMC 2.0 I L1 & L2 Assessment Guidance
PPTX
Midway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
PDF
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
PPTX
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
PDF
Ignyte assurance platform NIST RMF datasheet.
Ignyte/CDW LA Aerospace and Defense Event Recap Flyer.pdf
CMMC Day 2024 _ Ignyte _ Declassification.pptx
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
Ignyte - US Sovereign Cloud Computing
NIST_Ignyte_OSCALWorkshop_2022.pdf
How the DoD’s Cyber Security Maturity Model (CMMC) will impact your business ...
CMMC 2.0 | What the changes mean for organizations in the DIB
CMMC 2.0 I L1 & L2 Assessment Guidance
Midway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Ignyte assurance platform NIST RMF datasheet.

Recently uploaded (20)

PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
PPTX
history of c programming in notes for students .pptx
PDF
System and Network Administraation Chapter 3
PDF
Odoo Companies in India – Driving Business Transformation.pdf
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
PDF
top salesforce developer skills in 2025.pdf
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
PDF
Design an Analysis of Algorithms I-SECS-1021-03
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
PDF
PTS Company Brochure 2025 (1).pdf.......
PPT
Introduction Database Management System for Course Database
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
PPTX
Introduction to Artificial Intelligence
PPTX
L1 - Introduction to python Backend.pptx
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
PDF
Design an Analysis of Algorithms II-SECS-1021-03
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
PDF
AI in Product Development-omnex systems
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
history of c programming in notes for students .pptx
System and Network Administraation Chapter 3
Odoo Companies in India – Driving Business Transformation.pdf
Navsoft: AI-Powered Business Solutions & Custom Software Development
VVF-Customer-Presentation2025-Ver1.9.pptx
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
top salesforce developer skills in 2025.pdf
Which alternative to Crystal Reports is best for small or large businesses.pdf
Design an Analysis of Algorithms I-SECS-1021-03
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
PTS Company Brochure 2025 (1).pdf.......
Introduction Database Management System for Course Database
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
Introduction to Artificial Intelligence
L1 - Introduction to python Backend.pptx
2025 Textile ERP Trends: SAP, Odoo & Oracle
Design an Analysis of Algorithms II-SECS-1021-03
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
AI in Product Development-omnex systems

DFARS & CMMC Overview

  • 1. WEBINAR SERIES. Part 2 31 March 2021 10:30 AM EST Hosted by CATALYST CONNECTION Max Aulakh Founder & CEO DFARS & CMMC Overview
  • 2. Who’s driving this webinar? Max Aulakh Founder & CEO About our Speaker C-SUITE DEFENSE & ASSURANCE LEADER S P E C I A L G U E S T As a Data Security and Compliance Leader, he delivers DoD-tested security strategies and compliance that safeguard mission-critical IT operations. Having trained and excelled in The United States Air Force, he maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global networks — both classified and unclassified. He drove the Information Assurance (IA) programs for the U.S. Department of Defense (DoD). Facilitated by Connie Palucka Vice President, Consulting at Catalyst Connection Connie joined Catalyst Connection in 2005 and brings over 25 years of global sales, business development, and product development experience to her role as the Managing Director of Regional Initiatives. She leads a team that secures and executes grants initiatives to support manufacturers and build the region’s vibrancy. She also works with regional academic institutions, economic development organizations and regional manufacturers to build new capabilities and help make Southwestern Pennsylvania a model for the nation.
  • 3. Session 3: DFARS NIST 800-171 Compliance Process 1. Setting up your compliance program at the corporate level 2. Conducting Rapid - Low Fidelity Assessment for generating SPRS Scores 3.Developing a completed SSP (System Security Plan). 4.How and why to create a POA&M (Plan of Actions & Milestones).
  • 4. • Webinar 1: Laying the Foundation – The Need for Cybersecurity in U.S. Manufacturing • Webinar 2: DFARS & CMMC Overview • Webinar 3: DFARS NIST 800-171 Compliance Process • Webinar 4: Real Company Examples • Webinar 5: CMMC Breakdown • Session 6: Risk Mitigation 6-Part Webinar Series: CYBER RESILIENCY FOR DEFENSE CONTRACTORS
  • 5. Why does DFARS exist? Current requirements for companies with CUI or CDI. What is CMMC? Today’s Lessons Learned 1 2 3
  • 7. Reasons why does DFARS exist Supply chain attacks, which exploit security weaknesses in third-party services to strike a target, increased 78% just in one year alone (between 2017 and 2018) according to Symantec’s 2019 Internet Security Threat Report*, and the trend is increasing each year. 1 Defense contractors are increasingly investing in digital technologies to help accelerate product development, improve existing processes, and increase efficiency. Digitization results in highly sensitive and confidential data being stored long term and shared internally as well as externally. 2 *Symantec, 2019 Internet Security Threat Report, https://www. symantec.com/en/hk/security-center/threat-report.
  • 8. Reasons why does DFARS exist They share, exchange, and create Covered Defense Information (CDI) and Controlled Unclassified Information (CUI) on program specifications, technology, and equipment performance as they collaborate across research, design, development, and deployment of defense products. 3 4 Apart from a national security threat, cyberattacks can also cause significant financial and reputational damage to defense contractors, which may disrupt supply chains and result in cost and schedule overruns.
  • 9. DFARS-base Clause Requirements for Defense Contractors DFARS regulations and NIST guidance play an important role in the United States to enable cybersecurity robustness. For defense contractors and subcontractors, regulations can provide a minimum guidance to assist them with becoming cybersecure Adequate Security for all Covered Defense Information (CDI) Flow-down Requirements to Subcontractors Minimum Security Controls from NIST SP 800-171 72-hour Rapid Reporting Requirement for Breaches Multifactor Authentication Least-privileged Access
  • 10. 4 2 1 3 4 Main Rules of DFARS 70 Series DFARS 252.204 7012: Safeguarding Covered Defense Information and Cyber Incident Reporting DFARS 252.204 7020: NIST SP 800-171 DoD Assessment Requirements DFARS 252.204 7019: Notice of NIST SP 800-171 DoD Assessment Requirements DFARS 252.204 7021: Cybersecurity Maturity Model Certification Requirements
  • 11. DFARS 252.204 7012 Safeguarding Covered Defense Information and Cyber Incident Reporting • In the United States, the DFARS requirements and compliance with the NIST SP 800-171 govern the DIB and associated contractors. The DFARS 204.73006 requires contractors and subcontractors to protect CDI by applying specified network security requirements and necessitates reporting of cyber incidents. • DFARS 252.204-7012 further expands the definition of CUI and identifies the NIST SP 800-171 framework as a source document for cybersecurity requirements. • NIST SP 800-171, which lays down specific measures to safeguard sensitive information, acts as a minimum standard for companies in the DIB.
  • 12. DFARS 252.204 7019 Notice of NIST SP 800-171 DoD Assessment Requirements • In this clause, contractors are notified about the requirements to implement and maintain their NIST SP 800-171 assessments within the Supplier Performance Risk System (SPRS), as well as ensure their proper and in-time reporting every 3 years unless a lesser time is specified in the solicitation. • Each contractor will be required to maintain one of the three current levels of DoD assessments (Basic, Medium, or High) within the database accessible only for DoD personnel. • It also contains requirements and procedures for authorities to award or withhold awards based on properly reported assessment results.
  • 13. DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
    • This is a newly released follow-on clause to DFARS 7019 which grants the Government access to the contractor's facilities, systems, and personnel that manage, process, store, or transmit Controlled Unclassified Information, as necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
    • There are some similarities carried over from DFARS 7012, including reinforcement of flow-down requirements: the contractor must ensure all its suppliers comply with NIST SP 800-171, make enough progress on a Plan of Actions and Milestones (POA&M), and have their current assessment results posted in the Supplier Performance Risk System (SPRS).
    • The contractor must also validate suppliers' compliance with 7019 prior to awarding a subcontract or purchase order of any kind, and include the contents of DFARS 7019 in the documented subcontract agreement.
  • 14. DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirements
    • The Cybersecurity Maturity Model Certification (CMMC) is a framework that measures a contractor's cybersecurity maturity, including the implementation of cybersecurity practices and the institutionalization of processes.
    • Much like the previously reviewed DFARS 7020, the DFARS 7021 clause requires contractors and their subs to enter their current assessment into the Supplier Performance Risk System (SPRS); in this particular clause, however, maintaining the appropriate CMMC level with respect to each contract is also required, both of contractors and of their supply chain.
  • 17. CUI Definition
    Section 2002.4 of Title 32 CFR, paragraph (h): Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
  • 18. CUI - Interpreted Definition
    ● CUI is defined in law by the way in which the information is handled.
    ● CUI is not clearly defined in policy and regulation with regard to the content of the information.
    ● In order to define CUI in a manner consistent with other information classifications, CUI should be defined by the potential impact to national defense that publicly releasing the information would cause.
    ● For example, SECRET information is defined by 18 CFR § 3a.11, which says "[t]he test for assigning Secret classification shall be whether its unauthorized disclosure could reasonably be expected to cause serious damage to the national security." CUI lacks a similar legal definition, but it would be reasonable to define CUI as information whose unauthorized disclosure, aggregated with additional information, could reasonably be expected to cause a negative impact to the national security.
  • 19. CUI Exceptions
    However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
    Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
    ● Information the government creates and/or that is created on behalf of the government
    ● No controls = CUI Basic
    ● Provided controls = CUI Specified
  • 20. Major CUI Stakeholders
    • National Archives and Records Administration (NARA): The National Archives and Records Administration (NARA) serves as the Controlled Unclassified Information (CUI) Program's Executive Agent and has delegated CUI Executive Agent responsibilities to the Director of the Information Security Oversight Office (ISOO). As the CUI Executive Agent, ISOO issues guidance to Federal agencies on safeguarding and marking CUI.
    • Guidance from NARA to DoD Agencies (Prime Contractor Customers): Existing agency policy for all sensitive unclassified information remains in effect until your agency implements the CUI program.
    • DoD & Contractors (us): DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. (Requirements for DoD Contractors, Section 5.3, Page 32)
  • 21. DoD’s Guidance
    Requirements for DoD Contractors (Section 5.3, Page 32):
    • DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information.
    • DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.
  • 22. CUI Determination Methods
    Method 1: Using NARA's and/or DoD's Registry (similar to NARA's)
    Method 2: Conducting an internal “damage assessment”
    • Original Classification Authorities (OCA) conduct a damage assessment to figure out what is CUI
    • Internal damage assessment
    • Scenario-based (information type) and what-if analysis (how could it impact the DoD) - a non-formal example is below:
      o Types of items manufactured or sold
      o Specific DoD units these items are sold to, and the time and amount sold
      o If this information, in aggregate, were provided to our adversaries, could it hurt the United States and/or specifically the unit these items are provided to?
        ▪ If so, how? And if not, why not?
  • 23. What is CDI?
    Covered Defense Information (CDI) is a term defined in DFARS clause 252.204-7012, Safeguarding Covered Defense Information, as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and government-wide policies and is (1) marked or otherwise identified in a contract, task order or delivery order and provided to Purdue by or on behalf of the DoD in support of the performance of a contract, or (2) collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.
  • 24. What Federal Requirements Apply?
    DoD contractors are required to adhere to the following federal requirements when handling CUI/CDI:
    • Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information Program
    • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
    • DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
    • National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2
    • DFARS 252.204-7021, Cybersecurity Maturity Model Certification (CMMC) Requirements
  • 30. Understanding the DFARS, NIST 800-171 and CMMC Relationship
    Who needs to be DFARS compliant? All DoD contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts. Based on NIST Special Publication 800-171, manufacturers must implement these security controls through all levels of their supply chain.
    Where is DFARS included? DFARS clause 252.204-7012 is included in all solicitations and contracts, including those using Federal Acquisition Regulation (FAR) part 12 commercial item procedures, except for acquisitions solely for commercially available off-the-shelf (COTS) items. The clause requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems”.
    How do NIST controls overlap with the emerging CMMC framework? NIST 800-171 is the backbone of the CMMC framework and is required at all CMMC levels. For example, NIST domains cover 110 of the 130 controls required for Level 3 of CMMC.
    Would CMMC potentially replace NIST? The CMMC is an advanced step in the DoD’s efforts to properly secure the Defense Industrial Base (DIB). It complements and enforces NIST 800-171 as part of its requirements.
    Note: The CMMC was released by the DoD on 31 January 2020. The CMMC Accreditation Body members are working to produce additional guidance to support the certification path. For now, Ignyte recommends implementing NIST 800-171.
    Diagram: NIST SP 800-171r1 at the core; CMMC requirements add 20 additional practices and 51 maturity processes; DFARS requirements add FedRAMP Moderate, paragraphs C-G, and the 72-hour report.
  • 31. Which CMMC level is right for your business?
    • CMMC Level 1
      • Meeting the basic requirements to protect Federal Contract Information (FCI): an up-to-date antivirus software application, strong passwords, and protection against unauthorized third parties.
      • FCI is not intended for public release.
      • Minimal effort required to strengthen cybersecurity defenses.
    • CMMC Level 2
      • Introduces Controlled Unclassified Information (CUI).
      • Standard cybersecurity practices, policies, and strategic plans.
      • A major subset of the security requirements specified in NIST SP 800-171.
      • 55 new practices, for a total of 72 practices.
    • CMMC Level 3
      • Good cyber hygiene and the controls necessary to protect CUI.
      • Continuous review of all activities based on the organization's cybersecurity policy.
      • All requirements specified in NIST SP 800-171 and other similar standards.
      • 130 required security controls, grouped into 17 domains.
    • CMMC Level 4 and Level 5
      • Addressing the changing tactics, techniques, and procedures used by Advanced Persistent Threats (APTs).
      • A proactive cybersecurity program and standardized processes to achieve consistency across the entire organization.
      • 171 security controls, grouped into 17 domains.
  • 32. Starting the CMMC Process
    ⮚ Pre-Diligence
      ⮚ RMF
      ⮚ CMMC
      ⮚ FedRAMP
      ⮚ ITAR
    ⮚ Business Requirements
      ⮚ Corporate Risk Management & Business Process
      ⮚ Business Integration Requirements (i.e. ISO, departments, etc.)
      ⮚ Reusability of low fidelity scoring, IT resources, etc.
    ⮚ Standardization
      ⮚ People, Process & Technology
      ⮚ Create efficiencies; minimize rework and exceptions
    Process maturity levels: Level 1: Performed; Level 2: Documented; Level 3: Managed; Level 4: Reviewed; Level 5: Optimized
  • 33. Cost of Compliance for SMB
    ● Cost of Management Factors
      ○ Program Development & Management
      ○ Technology & Engineering Implementation
      ○ Audit & Certification
    ● Pricing can range from $20K to $200K depending on several factors.
    ● Market pricing for 100% of CMMC requirements is not completely understood due to changing requirements and/or interpretation of requirements.

    | CMMC Level | Yearly Non-Recurring Engineering | Yearly Recurring Engineering | Yearly Assessment Costs++ | Total Yearly Costs |
    | Level 1 | $0 | $0 | $1,000 | $1,000 |
    | Level 2 | $407 | $20,154 | $7,489 | $28,050 |
    | Level 3 | $1,311 | $41,666 | $17,032 | $60,009 |
    | Level 4 | $46,917 | $301,514 | $23,355 | $371,786 |
    | Level 5 | $61,511 | $384,666 | $36,697 | $482,874 |

    *Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
  • 34. Program Resources
    Resources are aligned with the various stages of managing the CMMC program for a small business: Program Metrics & Management; SSP & POA&M Deliverables; Guided Assessment; Training; Program Deliverables.
    ● DoD Training Website - https://securityhub.usalearning.gov/content/story.html
    ● Ignyte Institute Practitioner Level & Top Management Training - https://www.ignyteinstitute.org/
    ● CMMC System Security Plan Development - https://www.dfars-nist-800-171.com/
    ● NIST 171 Documentation - https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
    ● SSP & Other Plan of Action & Milestones (POA&M) - https://www.dfars-nist-800-171.com/
  • 35. CMMC Education & Training
    Ignyte Institute Courses:
    • Senior Management Course (20 mins)
    • Practitioner Level Course (1 hour)
    DoD Issued CUI Training: What is CUI and how to recognize it?
  • 37. Questions? Thank you!
    Point of Contact: Connie Palucka, Vice President, Consulting - cpalucka@catalystconnection.org
    Point of Contact: Max Aulakh, MBA, CISSP, PMP, Founder & CEO - info@ignyteplatform.com