DOD’s CybersecurityRegulations:What the CMMC Means forDesign-BuildersSpeakers:Reggie JonesL. Shea De LutisDiana Lyn Curtis McGraw

Agenda1. Cybersecurity Maturity Model Certification FAR and DFARS Requirements Three Steps to Compliance CMMC Certification Cost Allowability2. Section 889

Alphabet SoupFISMA FISMA REFORM NIST 800-53 NIST800-171 FAR 52.204-21 DFARS 252-204-7012SSP POA E.O. 13556 CUI CTI CDI DODInstruction 5200.48 NIST 800-172 APT DODOUSD(A&S) CMMC Version 1.0 C3PAOCMMC-AB FedRAMP DIB SCC CyberAssistDFARS 252-204-7020 DFARS 252-204-7021

The Threat "It's no secret that the U.S. is at cyber war every day," Ellen Lord, theUndersecretary of Defense for Acquisition and Sustainment, said, aspart of a keynote address during the Professional Services Council's2020 Defense Services Conference. "Cybersecurity risks threatenthe defense industrial base, national security, as well as partners andallies." The CMMC, Lord said, is the DOD's metric to measure a company'sability to secure its supply chain from cyber threats, protecting boththe company and the berthreats-to-department-contractors/

The Goal To promote and achieve: Penetration-resistant cyber architecture; Damage limiting operations Designs to achieve cyber resiliency and survivabilityNIST 800-172 (Draft), Section 1.1, Lines 255-258 (July 2020)

The Path to Achieve the Goal FAR 52.204-21 (Basic Safeguarding of Covered ContractorInformation Systems) DFARS 252.204.7012 (Safeguarding Covered Defense Informationand Cyber Incident Reporting) DFARS 252.204.7010 (Cloud Computing Services) New Interim Rule: DFARS clause 252.204-7019 (Notice of NIST SP800-171 DoD Assessment Requirements) New Interim Rule: DFARS clause 252.204-7020, (NIST SP 800-171DoD Assessment Requirements) New Interim Rule: DFARS clause 252.204-7021 (CybersecurityMaturity Model Certification Requirements)

What is the Cybersecurity Maturity Model Certification(CMMC)? A mandatory third-party certification of DoD contractors andsubcontractors’ information systems that is intended to protectsensitive, but unclassified data against cyber threats (CUI). Created with federal funding by: Carnegie Mellon University Johns Hopkins University Applied Physics Laboratory, LLC First draft version released in September 2019 (Version 0.4) Final version released January 30, 2020 Reassessments/re-certification required every three years


CMMC-AB & C3PAOs The CMMC Accreditation Body (CMMC-AB) will train and certify CMMCThird Party Assessment Organizations (C3PAOs) to assesscontractors’ processes and practices. Based on those assessments,the CMMC-AB will award Level 1 through Level 5 certifications. C3PAOs will: Explain certification processProvide trainingGather information and report metrics on complianceThe first 25 Provisional Assessors have been certified; 72 are expected tobe certified in total by the end of October 2020. The certification will be documented in the Supplier Performance RiskAssessment (SPRS) at

Roll-Out: Crawl, Walk, RunJanuary 2020CMMC Version 1.0 releasedMarch 2020CUI Instruction released by DoD outline definitionsand handling requirements of CUIJune 2020(Original Goal)Oct. 2020(Current Goal)CMMC requirements added to certain RFPsAfter Oct. 2025CMMC will apply to all DOD solicitationsCMMC requirements added to certain RFPs asapproved by DOD’s OUSD for Acquisition &Sustainment

FAR 52.204-21 (Basic Safeguarding of Covered ContractorInformation Systems) Covers information systems, not information contained on thesystem (CUI) CUI Controlled Unclassified Information FAR 52.204-21 CMMC Level 1 First contract clause to meaningfully address cybersecurityinformation systems across all agencies, not just DOD Supposed to reflect actions that any “prudent business person”would use Rather basic requirements. No requirements for training, penetrationtesting, cyber incident reporting, or cybersecurity insurance

DFARS 252.204-7012 (Safeguarding Covered DefenseInformation and Cyber Incident Reporting) Covers information, not justinformation system itself Incorporates NIST SP 800-171 Requires implementation of 110 securityrequirements on covered contractor informationsystems; and (or under Interim Rule) Document in System Security Plan & Plans ofAction those requirements not yet implementedand when they will be implemented

What Role Does the NIST Play? The National Institute of Standards & Technology (NIST) isresponsible for developing information security standards andguidelines, including for federal systems. NIST SP 800-53 (Security and Privacy Controls for FederalInformation Systems and Organizations) NIST SP 800-171 (Protecting Controlled & Unclassified Informationin Nonfederal Systems and Organizations) New - NIST SP 800-172 (Enhanced Security Requirements forProtecting Controlled Unclassified Information in NonfederalSystems and Organizations)(July 2020)

DFARS 252.204-7020(NIST SP 800-171 DoD Assessment Requirements) New DoD Assessment Methodology! Requires contractors subject to DFARS252.204-7012 to self complete a BasicAssessment and upload the resulting scoreinto the Supplier Risk Management System(SPRS) prior to contract award. Medium and high assessments will becompleted by the Government. Transition Clause until October 1, 2025.

DFARS 252.204-7021 (Cybersecurity Maturity ModelCertification Requirements) New DoD Assessment Methodology! Requires contractors to maintain the requisiteCMMC level for the duration of the contract. Both requires contractors to flow samerequirement down to subcontractors in “allsubcontracts and other contractual instruments” 7020 Clause for SP 800-171 Assessments“information systems relevant to its offer”7021 Clause for CMMC Requirements“CMMC level that is appropriate for the information” See 85 Fed. Reg. 61,505 (Sept. 29, 2020).

How do Flow-Down Requirements Work in Practice? DFARS – mandatory flow down With CMMC, subcontractors not necessarily required to meet samecertification level as the prime contractor Required certification depends on data involved While prime contractors will need to use subcontractors that havemet CMMC requirements, third party will determine certification Other considerations Identifying CMMC levels for subcontractors? How does prime know subcontractor certification levels? Providers on existing programs?

How Do You Meet the DFARS Requirements? Step 1 – What information is covered? Step 2 – What are the cyber incidentreporting requirements? Step 3 – Develop a system securityplan and a plan of action

Step 1 - What Information is Covered? The clause applies to “all covered defense information” (CDI),which is defined as: Unclassifed Controlled Technical Information (CTI) ail/controlledtechnical-info.html; or Controlled Unclassified Information (CUI) t Executive Order 13556 defines & calls upon management of CUI

DOD Instruction 5200.48(March 6, 2020) 5.3.a. – “Whenever DOD provides information to contractors, itmust identify whether any of the information is CUI via thecontracting vehicle and mark such documents .” 5.3.b. – “Whenever the DOD provides CUI to, or CUI isgenerated by, non-DOD entities, protective measures anddissemination controls will be articulated in the contract.” Creates a parallel, more detailed DOD CUI Registry. No requirement to remark legacy material unless sharedoutside of DOD.

NIST 800-172 (Enhanced Security Requirements forProtecting CUI)(Draft July 2020) Applies to nonfederal systems that process, store, or transmitCUI or that provide security protection for such componentswhen the designated CUI is associated with a critical programor high value asset. Examples include: financial services, providing web and e-mailservices to federal agencies, processing security clearances orhealthcare data; providing cloud services; and developingcommunications, satellite, and weapons systems). To fight the Advanced Persistent Threat (APT).

Step 2 - What are the Cyber Incident ReportingRequirements? Must “rapidly report” cyber incident within “72 hours of discovery.” Report “whatever information is available” Continuing obligation to disclose new information Must preserve and protect images of all known affected information systems for at least 90 days toallow DOD to request the media A cyber incident is defined as: “actions taken through the use of computer networks thatresult in a compromise or an actual or potential adverse effect on an information systemand/or the information residing therein” Much faster than the mandatory disclosures required under FAR 52.203-13 (ContractorCode of Business Ethics) Have agreement with third-party forensic consultant already in place!

Step 3 – Develop a System Security Plan & Plans of Action

So What Is CMMC? Need for more consistency from contractors NIST 800-171 requirements were often too rigid, while companies couldextend Plan of Action and Milestones (POA&M) to cover gaps indefinitely THIRD PARTY VERIFICATION Findings that contractors were non-compliant with NIST SP 800-171 “DOD contractors did not consistently implement DoD-mandated systemsecurity controls for safeguarding Defense information.” (Findings in July2019 DoD OIG Report) Information losses included theft of transport plane and fighter jet data,among other losses FAQs:

The Basics Basic underpinnings of maturity model for Defense IndustrialBase (DIB) cybersecurity: Retain all practices from NIST 800-171 Method by which DIB members of varying cyber-sophistication canparticipate without POA&Ms Practices go beyond NIST 800-171 Level 3 Example: NIST 800-171 consists of 110 security requirements CMMC adds 20 practices and 2 processes

CMMC Structure 5 maturity levels 17 domains 171 best practices5 maturity levels17 domains171 bestpractices

Five Maturity Levels Level 1: Basic Cyber Hygiene Level 2: Intermediate CyberHygiene Level 3: Good Cyber Hygiene Level 4: Proactive Level 5: Advanced/Progressive

Maturity Process ProgressionProcess Maturity: extent to which activity isembedded in operations. Continued performance Consistent, repeatable outcomes

Practice ProgressionPractices performed ateach level of the domain


What Is the Difference between Level 1 and Level 3? The majority of the practices (110 of 171)originate from the safeguardingrequirements and security requirementsspecified in FAR 52.204-21 andDFARS 252.204-7012, respectively. Level 1 is equivalent to all of thesafeguarding requirements fromFAR 52.204-21 Level 3, building on Levels 1 and 2,includes all of the securityrequirements in NIST SP 800-171plus other practices

Using SSPs and POAs as Tools for CMMC Certification Use SSP to organize best practices into your already existingsystem Use domains as a guide to help with organization Can be helpful tool in efficiently delegating duties and cutting down oncost “The CMMC framework does not allow a DoD contractor orsubcontractor to achieve compliance status through the use ofplans of action.” BUT, POAs can help you reach next CMMC level Use as plan on how to efficiently achieve next certification level Will allow you to make a determination on what you can realistically do

Cybersecurity Maturity Model Certification (CMMC)

Certification & Disputes Certifications and assessments current forthree years Agency may modify SP 800-171 Assessments Rebuttal process CMMC Certifications Submit dispute adjudication request to CMMC-AB May request additional assessment

DOD’s Estimated Costs of Compliance forSmall EntitiesLevelCertification Costs(Est.)Total AnnualAssessment Costs (Est.)1 2,999.56 1,000.002 22,466.88 28,050.003 51,095.60 60,009.004 70,065.04 371,786.005 110,090.80 482,874.00

Who Pays for Certification?Direct CostsIndirectOverheadDirectcostsIndirect Overhead Costs Cost of actual certification Costs of all of the Likely to be a fewplanning, implementationthousand dollarsetc. it will take to become In practice- cost of havingcompliantsomeone from the Likely several thousandaccreditation body certifydollars if not moreyour business Can be added to yourindirect overheadovertime Contractors likely to bearmost of the burden

What Are the Potential Consequences of Noncompliance? False Claims ActSuspensionDebarmentCPARS EvaluationsSoft Consequences Less likely to be awarded a contract ifnot compliant

Section 889 - BackgroundOn August 13, 2018, Congress passed the John S. McCainNational Defense Authorization Act (NDAA) for Fiscal Year 2019Section 889 of the NDAA includes two prohibitions regardingcertain telecommunications and video surveillance equipmentand services (telecom): Part A Part B

Section 889 Part AEffective August 13, 2019, the Government may not obtaincertain telecommunications equipment or services produced bythe following companies or their subsidiaries and affiliates: Huawei Technology Company ZTE Corporation Hytera Communications Corporation Hangzhou Hikvision Digital Technology Company Dahua Technology Company

Section 889 Part BEffective August 13, 2020, the Government may not contract with anentity that uses telecommunications equipment or services, as asubstantial or essential component of any system, or as criticaltechnology as party of any system, produced by any of the Chinesecompanies listed below: Huawei Technology Company ZTE Corporation Hytera Communications Corporation Hangzhou Hikvision Digital Technology Company Dahua Technology Company

Section 889 – Interim FAR RulesThe FAR now includes: Representation Provision (FAR 52.204-24) SAM Representation Provision (FAR 52.204-26) Reporting Clause (FAR 52.204-25)

Section 889 – Flowdown RequirementsPart A is required to flowdown to subcontractors at any tier.This contrasts with the requirements of Part B. The interim ruleprovides that the requirements of Part B "will not flow downbecause the prime contractor is the only 'entity' that the agency'enters into a contract' with, and an agency does not directly'enter into a contract' with any subcontractors, at any tier.”


L. Shea De 2Reggie [email protected] Lyn Curtis [email protected]

SSP POA E.O. 13556 CUI CTI CDI DOD Instruction 5200.48 NIST 800-172 APT DOD OUSD(A&S) CMMC Version 1.0 C3PAO CMMC-AB FedRAMP DIB SCC CyberAssist DFARS 252-204-7020 DFARS 252-204-7021. The Threat "It's no secret that the U.S. is at cyber war every day," Ellen Lord, the . Level 3 Example: NIST 800-171 consists of 110 security .