mopdf.com

DOD’s CybersecurityRegulations:What the CMMC Means forDesign-BuildersSpeakers:Reggie JonesL. Shea De LutisDiana Lyn Curtis McGraw

Agenda1. Cybersecurity Maturity Model Certification FAR and DFARS Requirements Three Steps to Compliance CMMC Certification Cost Allowability2. Section 889

Alphabet SoupFISMA FISMA REFORM NIST 800-53 NIST800-171 FAR 52.204-21 DFARS 252-204-7012SSP POA E.O. 13556 CUI CTI CDI DODInstruction 5200.48 NIST 800-172 APT DODOUSD(A&S) CMMC Version 1.0 C3PAOCMMC-AB FedRAMP DIB SCC CyberAssistDFARS 252-204-7020 DFARS 252-204-7021

The Threat "It's no secret that the U.S. is at cyber war every day," Ellen Lord, theUndersecretary of Defense for Acquisition and Sustainment, said, aspart of a keynote address during the Professional Services Council's2020 Defense Services Conference. "Cybersecurity risks threatenthe defense industrial base, national security, as well as partners andallies." The CMMC, Lord said, is the DOD's metric to measure a company'sability to secure its supply chain from cyber threats, protecting boththe company and the berthreats-to-department-contractors/

The Goal To promote and achieve: Penetration-resistant cyber architecture; Damage limiting operations Designs to achieve cyber resiliency and survivabilityNIST 800-172 (Draft), Section 1.1, Lines 255-258 (July 2020)

The Path to Achieve the Goal FAR 52.204-21 (Basic Safeguarding of Covered ContractorInformation Systems) DFARS 252.204.7012 (Safeguarding Covered Defense Informationand Cyber Incident Reporting) DFARS 252.204.7010 (Cloud Computing Services) New Interim Rule: DFARS clause 252.204-7019 (Notice of NIST SP800-171 DoD Assessment Requirements) New Interim Rule: DFARS clause 252.204-7020, (NIST SP 800-171DoD Assessment Requirements) New Interim Rule: DFARS clause 252.204-7021 (CybersecurityMaturity Model Certification Requirements)

What is the Cybersecurity Maturity Model Certification(CMMC)? A mandatory third-party certification of DoD contractors andsubcontractors’ information systems that is intended to protectsensitive, but unclassified data against cyber threats (CUI). Created with federal funding by: Carnegie Mellon University Johns Hopkins University Applied Physics Laboratory, LLC First draft version released in September 2019 (Version 0.4) Final version released January 30, 2020 Reassessments/re-certification required every three years

COMPONENTS OF CMMCCOMPONENTS OF CMMCAIA NAS 9933ISO 27003NIST SP 800-171NIST SP 800-53FAR 52.204-21DFARS 252.204-7012

CMMC-AB & C3PAOs The CMMC Accreditation Body (CMMC-AB) will train and certify CMMCThird Party Assessment Organizations (C3PAOs) to assesscontractors’ processes and practices. Based on those assessments,the CMMC-AB will award Level 1 through Level 5 certifications. C3PAOs will: Explain certification processProvide trainingGather information and report metrics on complianceThe first 25 Provisional Assessors have been certified; 72 are expected tobe certified in total by the end of October 2020. The certification will be documented in the Supplier Performance RiskAssessment (SPRS) at https://www.sprs.csd.disa.mil/

Roll-Out: Crawl, Walk, RunJanuary 2020CMMC Version 1.0 releasedMarch 2020CUI Instruction released by DoD outline definitionsand handling requirements of CUIJune 2020(Original Goal)Oct. 2020(Current Goal)CMMC requirements added to certain RFPsAfter Oct. 2025CMMC will apply to all DOD solicitationsCMMC requirements added to certain RFPs asapproved by DOD’s OUSD for Acquisition &Sustainment

FAR 52.204-21 (Basic Safeguarding of Covered ContractorInformation Systems) Covers information systems, not information contained on thesystem (CUI) CUI Controlled Unclassified Information FAR 52.204-21 CMMC Level 1 First contract clause to meaningfully address cybersecurityinformation systems across all agencies, not just DOD Supposed to reflect actions that any “prudent business person”would use Rather basic requirements. No requirements for training, penetrationtesting, cyber incident reporting, or cybersecurity insurance

DFARS 252.204-7012 (Safeguarding Covered DefenseInformation and Cyber Incident Reporting) Covers information, not justinformation system itself Incorporates NIST SP 800-171 Requires implementation of 110 securityrequirements on covered contractor informationsystems; and (or under Interim Rule) Document in System Security Plan & Plans ofAction those requirements not yet implementedand when they will be implemented

What Role Does the NIST Play? The National Institute of Standards & Technology (NIST) isresponsible for developing information security standards andguidelines, including for federal systems. NIST SP 800-53 (Security and Privacy Controls for FederalInformation Systems and Organizations) NIST SP 800-171 (Protecting Controlled & Unclassified Informationin Nonfederal Systems and Organizations) New - NIST SP 800-172 (Enhanced Security Requirements forProtecting Controlled Unclassified Information in NonfederalSystems and Organizations)(July 2020)

DFARS 252.204-7020(NIST SP 800-171 DoD Assessment Requirements) New DoD Assessment Methodology! Requires contractors subject to DFARS252.204-7012 to self complete a BasicAssessment and upload the resulting scoreinto the Supplier Risk Management System(SPRS) prior to contract award. Medium and high assessments will becompleted by the Government. Transition Clause until October 1, 2025.

DFARS 252.204-7021 (Cybersecurity Maturity ModelCertification Requirements) New DoD Assessment Methodology! Requires contractors to maintain the requisiteCMMC level for the duration of the contract. Both requires contractors to flow samerequirement down to subcontractors in “allsubcontracts and other contractual instruments” 7020 Clause for SP 800-171 Assessments“information systems relevant to its offer”7021 Clause for CMMC Requirements“CMMC level that is appropriate for the information” See 85 Fed. Reg. 61,505 (Sept. 29, 2020).

How do Flow-Down Requirements Work in Practice? DFARS – mandatory flow down With CMMC, subcontractors not necessarily required to meet samecertification level as the prime contractor Required certification depends on data involved While prime contractors will need to use subcontractors that havemet CMMC requirements, third party will determine certification Other considerations Identifying CMMC levels for subcontractors? How does prime know subcontractor certification levels? Providers on existing programs?

How Do You Meet the DFARS Requirements? Step 1 – What information is covered? Step 2 – What are the cyber incidentreporting requirements? Step 3 – Develop a system securityplan and a plan of action

Step 1 - What Information is Covered? The clause applies to “all covered defense information” (CDI),which is defined as: Unclassifed Controlled Technical Information (CTI) ail/controlledtechnical-info.html; or Controlled Unclassified Information (CUI) t Executive Order 13556 defines & calls upon management of CUI

DOD Instruction 5200.48(March 6, 2020) 5.3.a. – “Whenever DOD provides information to contractors, itmust identify whether any of the information is CUI via thecontracting vehicle and mark such documents .” 5.3.b. – “Whenever the DOD provides CUI to, or CUI isgenerated by, non-DOD entities, protective measures anddissemination controls will be articulated in the contract.” Creates a parallel, more detailed DOD CUI Registry. No requirement to remark legacy material unless sharedoutside of DOD.

NIST 800-172 (Enhanced Security Requirements forProtecting CUI)(Draft July 2020) Applies to nonfederal systems that process, store, or transmitCUI or that provide security protection for such componentswhen the designated CUI is associated with a critical programor high value asset. Examples include: financial services, providing web and e-mailservices to federal agencies, processing security clearances orhealthcare data; providing cloud services; and developingcommunications, satellite, and weapons systems). To fight the Advanced Persistent Threat (APT).

Step 2 - What are the Cyber Incident ReportingRequirements? Must “rapidly report” cyber incident within “72 hours of discovery.” Report “whatever information is available” Continuing obligation to disclose new information Must preserve and protect images of all known affected information systems for at least 90 days toallow DOD to request the media A cyber incident is defined as: “actions taken through the use of computer networks thatresult in a compromise or an actual or potential adverse effect on an information systemand/or the information residing therein” Much faster than the mandatory disclosures required under FAR 52.203-13 (ContractorCode of Business Ethics) Have agreement with third-party forensic consultant already in place!

Step 3 – Develop a System Security Plan & Plans of Action

So What Is CMMC? Need for more consistency from contractors NIST 800-171 requirements were often too rigid, while companies couldextend Plan of Action and Milestones (POA&M) to cover gaps indefinitely THIRD PARTY VERIFICATION Findings that contractors were non-compliant with NIST SP 800-171 “DOD contractors did not consistently implement DoD-mandated systemsecurity controls for safeguarding Defense information.” (Findings in July2019 DoD OIG Report) Information losses included theft of transport plane and fighter jet data,among other losses FAQs: https://www.acq.osd.mil/cmmc/faq.html

The Basics Basic underpinnings of maturity model for Defense IndustrialBase (DIB) cybersecurity: Retain all practices from NIST 800-171 Method by which DIB members of varying cyber-sophistication canparticipate without POA&Ms Practices go beyond NIST 800-171 Level 3 Example: NIST 800-171 consists of 110 security requirements CMMC adds 20 practices and 2 processes

CMMC Structure 5 maturity levels 17 domains 171 best practices5 maturity levels17 domains171 bestpractices

Five Maturity Levels Level 1: Basic Cyber Hygiene Level 2: Intermediate CyberHygiene Level 3: Good Cyber Hygiene Level 4: Proactive Level 5: Advanced/Progressive

Maturity Process ProgressionProcess Maturity: extent to which activity isembedded in operations. Continued performance Consistent, repeatable outcomes

Practice ProgressionPractices performed ateach level of the domain

Domains

What Is the Difference between Level 1 and Level 3? The majority of the practices (110 of 171)originate from the safeguardingrequirements and security requirementsspecified in FAR 52.204-21 andDFARS 252.204-7012, respectively. Level 1 is equivalent to all of thesafeguarding requirements fromFAR 52.204-21 Level 3, building on Levels 1 and 2,includes all of the securityrequirements in NIST SP 800-171plus other practices