Why does DFARS exist?
Current requirements for companies with Controlled Unclassified Information (CUI) or DoD Covered Defense Information (CDI)
What is CMMC?
DFARS & CMMC Overview
1. WEBINAR SERIES. Part 2 31 March 2021 10:30 AM EST
Hosted by CATALYST CONNECTION
Max Aulakh
Founder &
CEO
DFARS & CMMC Overview
2. Who’s driving this webinar?
Max Aulakh
Founder & CEO
About our Speaker
C-SUITE DEFENSE & ASSURANCE LEADER
SPECIAL GUEST
As a Data Security and Compliance Leader, he delivers DoD-tested security strategies and
compliance that safeguard mission-critical IT operations. Having trained and excelled in The
United States Air Force, he maintained and tested the InfoSec and ComSec functions of network
hardware, software, and IT infrastructure for global networks — both classified and unclassified.
He drove the Information Assurance (IA) programs for the U.S. Department of Defense (DoD).
Facilitated by
Connie Palucka
Vice President, Consulting at Catalyst Connection
Connie joined Catalyst Connection in 2005 and brings over 25 years
of global sales, business development, and product development
experience to her role as the Managing Director of Regional
Initiatives. She leads a team that secures and executes grants
initiatives to support manufacturers and build the region’s
vibrancy. She also works with regional academic institutions,
economic development organizations and regional manufacturers
to build new capabilities and help make Southwestern Pennsylvania
a model for the nation.
3. Session 3: DFARS NIST 800-171 Compliance Process
1. Setting up your compliance program at the corporate level
2. Conducting a Rapid, Low-Fidelity Assessment for generating SPRS Scores
3. Developing a completed SSP (System Security Plan)
4. How and why to create a POA&M (Plan of Actions & Milestones)
4. 6-Part Webinar Series: CYBER RESILIENCY FOR DEFENSE CONTRACTORS
• Webinar 1: Laying the Foundation – The Need for Cybersecurity in U.S. Manufacturing
• Webinar 2: DFARS & CMMC Overview
• Webinar 3: DFARS NIST 800-171 Compliance Process
• Webinar 4: Real Company Examples
• Webinar 5: CMMC Breakdown
• Session 6: Risk Mitigation
5. Today’s Lessons Learned
1. Why does DFARS exist?
2. Current requirements for companies with CUI or CDI.
3. What is CMMC?
7. Reasons why DFARS exists
1. Supply chain attacks, which exploit security weaknesses in third-party services to strike a target, increased 78% in a single year (between 2017 and 2018) according to Symantec’s 2019 Internet Security Threat Report*, and the trend is increasing each year.
2. Defense contractors are increasingly investing in digital technologies to help accelerate product development, improve existing processes, and increase efficiency. Digitization results in highly sensitive and confidential data being stored long term and shared internally as well as externally.
*Symantec, 2019 Internet Security Threat Report, https://www.symantec.com/en/hk/security-center/threat-report.
8. Reasons why DFARS exists
3. They share, exchange, and create Covered Defense Information (CDI) and Controlled Unclassified Information (CUI) on program specifications, technology, and equipment performance as they collaborate across research, design, development, and deployment of defense products.
4. Apart from being a national security threat, cyberattacks can also cause significant financial and reputational damage to defense contractors, which may disrupt supply chains and result in cost and schedule overruns.
9. DFARS-based Clause Requirements for Defense Contractors
DFARS regulations and NIST guidance play an important role in the United States in enabling cybersecurity robustness. For defense contractors and subcontractors, these regulations provide minimum guidance to assist them in becoming cybersecure.
• Adequate Security for all Covered Defense Information (CDI)
• Flow-down Requirements to Subcontractors
• Minimum Security Controls from NIST SP 800-171
• 72-hour Rapid Reporting Requirement for Breaches
• Multifactor Authentication
• Least-privileged Access
10. 4 Main Rules of DFARS 70 Series
1. DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
2. DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
3. DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
4. DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
11. DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
• In the United States, the DFARS requirements and compliance with the NIST SP 800-171
govern the DIB and associated contractors. The DFARS 204.73006 requires contractors
and subcontractors to protect CDI by applying specified network security requirements
and necessitates reporting of cyber incidents.
• DFARS 252.204-7012 further expands the definition of CUI and identifies the NIST SP
800-171 framework as a source document for cybersecurity requirements.
• NIST SP 800-171, which lays down specific measures to safeguard sensitive information,
acts as a minimum standard for companies in the DIB.
12. DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
• In this clause, contractors are notified of the requirement to implement and
maintain their NIST SP 800-171 assessments within the Supplier Performance Risk
System (SPRS), and to ensure they are properly reported and kept current, with a new
assessment at least every 3 years unless a shorter period is specified in the solicitation.
• Each contractor will be required to maintain one of the three current levels of DoD
assessments (Basic, Medium, or High) within the database accessible only for DoD
personnel.
• It also contains requirements and procedures for authorities to award or withhold
awards based on properly reported assessment results.
13. DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
• This is a newly released follow-on clause to DFARS 7019 which grants the
Government access to the contractor's facilities, systems, and personnel that manage,
process, store, or transmit Controlled Unclassified Information, necessary for the
Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
• There are some similarities carried from DFARS 7012, including reinforcement of flow-
down requirements for the contractor to ensure all its suppliers comply with the NIST
SP 800-171, make enough progress on a Plan of Actions and Milestones (POA&M),
and have their current assessment results posted in the Supplier Performance Risk
System (SPRS).
• The contractor must also validate their compliance with 7019 prior to awarding a
subcontract or purchase order of any kind, and include the contents of DFARS 7019 in
the documented subcontract agreement.
14. DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
• The Cybersecurity Maturity Model Certification (CMMC) is a framework that
measures a contractor’s cybersecurity maturity, including the implementation of
cybersecurity practices and the institutionalization of processes.
• Much like the previously reviewed DFARS 7020, the DFARS 7021 clause
requires contractors and their subs to enter their current assessment into
the Supplier Performance Risk System (SPRS); in this particular clause, however,
maintaining the appropriate CMMC level for each contract is also
required of both contractors and their supply chain.
17. CUI Definition
Section 2002.4 of Title 32 CFR
(h) Controlled Unclassified Information (CUI) is information the
Government creates or possesses, or that an entity creates or
possesses for or on behalf of the Government, that a law,
regulation, or Government-wide policy requires or permits an
agency to handle using safeguarding or dissemination controls.
18. CUI - Interpreted Definition
● CUI is defined in law by the way in which the information is handled.
● CUI is not clearly defined in policy and regulation regarding the content
of the information.
● In order to define CUI in a manner that is consistent with other
information classifications, CUI should be defined by the potential
impact to national defense that publicly releasing that information would
cause.
● For example, SECRET information is defined by 18 CFR § 3a.11 and says
“[t]he test for assigning Secret classification shall be whether its
unauthorized disclosure could reasonably be expected to cause serious
damage to the national security.”
CUI lacks a similar legal definition, but it would be reasonable to define CUI as information whose unauthorized disclosure could be aggregated with additional information and reasonably be expected to cause a negative impact to the national security.
19. CUI Exceptions
However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and
maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for
an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or
permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or
permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or
requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified,
but with CUI Basic controls where the authority does not specify.
● Information government creates and/or created on behalf of the government
● No controls = CUI Basic
● Provide controls = CUI Specified
20. Major CUI Stakeholders
• National Archives and Records Administration (NARA)
The National Archives and Records Administration (NARA) serves as the Controlled Unclassified Information (CUI) Program's Executive Agent
and has delegated CUI Executive Agent responsibilities to the Director of the Information Security Oversight Office (ISOO). As the CUI
Executive Agent, ISOO issues guidance to Federal agencies on safeguarding and marking CUI.
• Guidance from NARA to DoD Agencies (Prime Contractor Customers)
Existing agency policy for all sensitive unclassified information remains in effect until your agency implements the CUI program.
• DoD & Contractors (us)
DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified
information pursuant to security classification guidance addressing the accumulation of unclassified data or information. (Requirements for
DoD Contractors, Section 5.3, Page 32)
21. DoD’s Guidance
Requirements for DoD Contractors (Section 5.3, Page 32).
DoD contracts must require contractors to monitor CUI for
aggregation and compilation based on the potential to
generate classified information pursuant to security
classification guidance addressing the accumulation of
unclassified data or information. DoD contracts shall require
contractors to report the potential classification of
aggregated or compiled CUI
to a DoD representative.
22. CUI Determination Methods
Method 1: Using NARA and/or DoD’s Registry (similar to NARA)
Method 2: Conducting an internal “damage assessment”
• Original Classification Authorities (OCA) conduct a damage assessment to figure out what is CUI
• Internal damage assessment
• Scenario based (information type) and what-if analysis (how could it impact the DoD). A non-formal example is below:
  o Types of items manufactured or sold
  o Specific DoD units these items are sold to, time and amount sold
  o If this information, in aggregate, were provided to our adversaries, could it hurt the United States and/or specifically the unit these items are provided to?
    ▪ If so, how? And if not, why not?
23. What is CDI?
Covered Defense Information (CDI) is a term defined in the DFARS
clause 252.204-7012, Safeguarding Covered Defense Information,
as unclassified controlled technical information or other information,
as described in the Controlled Unclassified Information (CUI) registry,
that requires safeguarding or dissemination controls pursuant to and
consistent with law, regulations and government-wide policies and is
(1) marked or otherwise identified in a contract, task order or delivery
order and provided to Purdue by or on behalf of the DoD in support of
the performance of a contract, or (2) collected, developed, received,
transmitted, used or stored by or on behalf of the contractor in
support of the performance of the contract.
24. What Federal Requirements Apply?
DoD Contractors are required to adhere to the following federal requirements when handling CUI/CDI:
• Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information Program
• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
• DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2
• DFARS 252.204-7021, Cybersecurity Maturity Model Certification (CMMC) Requirements
30. Understanding DFARS NIST 800-171 and CMMC Relationship
Who needs to be DFARS compliant?
All DoD contractors that process, store or transmit Controlled Unclassified
Information (CUI) must meet DFARS minimum security standards or risk losing
their DoD contracts. Based on NIST Special Publication 800-171, manufacturers
must implement these security controls through all levels of their supply chain.
Where is DFARS included?
DFARS clause 252.204-7012 is included in all solicitations and contracts, including
those using Federal Acquisition Regulation (FAR) part 12 commercial item
procedures, except for acquisitions solely for commercially available
off-the-shelf (COTS) items. The clause requires contractors to apply the security
requirements of NIST SP 800-171 to “covered contractor information systems”.
How do NIST controls overlap with the emerging CMMC framework?
NIST 800-171 is the backbone of the CMMC framework and it is required by all
CMMC levels. For example, NIST domains cover 110 controls out of 130 required
for Level 3 of CMMC.
Would CMMC potentially replace NIST?
The CMMC is an advanced step in the DoD’s efforts to properly secure the Defense
Industrial Base (DIB). It complements and enforces NIST 800-171
as part of its requirements.
Note: The CMMC was released by the DoD on 31 January 2020. The CMMC Accreditation Body members are working to
produce additional guidance to support the certification path. For now, Ignyte recommends implementing NIST 800-171.
[Diagram: NIST SP 800-171r1 at the center. CMMC REQUIREMENTS add 20 Additional Practices and 51 Maturity Processes. DFARS REQUIREMENTS add FedRAMP Mod, Paragraphs C-G, and the 72 Hour Report.]
31. Which CMMC level is right for your business?
• CMMC Level 1
  • Meeting the basic requirements to protect Federal Contract Information (FCI):
    • an up-to-date antivirus software application,
    • strong passwords,
    • protection against unauthorized third parties.
  • FCI is not intended for public release.
  • Minimal effort required to strengthen the cybersecurity defenses.
• CMMC Level 2
  • Introducing Controlled Unclassified Information (CUI)
  • Standard cybersecurity practices, policies, and strategic plans.
  • Major subset of the security requirements specified in NIST SP 800-171.
  • 55 new practices for a total of 72 practices.
• CMMC Level 3
  • Good cyber hygiene and controls necessary to protect CUI.
  • Continuous review of all activities based on their cybersecurity policy.
  • All requirements specified in NIST SP 800-171 and other similar standards.
  • 130 required security controls, grouped into 17 domains.
• CMMC Level 4 and Level 5
  • Addressing the changing tactics, techniques, and procedures used by Advanced Persistent Threats (APTs).
  • Proactive cybersecurity program and standardized processes to achieve consistency across the entire organization.
  • 171 security controls, which are grouped into 17 domains.
32. Starting CMMC Process
⮚ Pre-Diligence
  ⮚ RMF
  ⮚ CMMC
  ⮚ FedRAMP
  ⮚ ITAR
⮚ Business Requirements
  ⮚ Corporate Risk Management & Business Process
  ⮚ Business Integration Requirements (i.e. ISO, departments, etc.)
  ⮚ Reusability of low fidelity scoring, IT resources, etc.
⮚ Standardization
  ⮚ People, Process & Technology
  ⮚ Create efficiencies; minimize rework and exceptions
Processes (CMMC maturity levels):
Level 1: Performed
Level 2: Documented
Level 3: Managed
Level 4: Reviewed
Level 5: Optimized
33. Cost of Compliance for SMB
● Cost of Management Factors
  ○ Program Development & Management
  ○ Technology & Engineering Implementation
  ○ Audit & Certification
● Pricing can range from $20K to $200K depending on several factors.
● Market pricing for 100% of CMMC requirements is not completely understood due to changing requirements and/or interpretation of requirements.

CMMC Level | Yearly Non-Recurring Engineering | Yearly Recurring Engineering | Yearly Assessment Costs++ | Total Yearly Costs
Level 1    | $0                               | $0                           | $1,000                    | $1,000
Level 2    | $407                             | $20,154                      | $7,489                    | $28,050
Level 3    | $1,311                           | $41,666                      | $17,032                   | $60,009
Level 4    | $46,917                          | $301,514                     | $23,355                   | $371,786
Level 5    | $61,511                          | $384,666                     | $36,697                   | $482,874

*Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
34. Program Resources
Resources are aligned with various stages of managing the CMMC program for small business:
Program Metrics & Management; SSP & POA&M Deliverables; Guided Assessment; Training; Program Deliverables.
● DoD Training Website - https://securityhub.usalearning.gov/content/story.html
● Ignyte Institute Practitioner Level & Top Management Training - https://www.ignyteinstitute.org/
● CMMC System Security Plan Development - https://www.dfars-nist-800-171.com/
● NIST 171 Documentation - https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
● SSP & Other Plan of Action & Milestones (POA&M) - https://www.dfars-nist-800-171.com/
35. CMMC Education & Training
Ignyte Institute Courses
Senior Management Course (20 Mins)
Practitioner Level Course (1 hour)
DoD Issued CUI Training
What is CUI and How to recognize it?
37. Questions?
Thank you!
Point of Contact
Connie Palucka, Vice President, Consulting - cpalucka@catalystconnection.org
Max Aulakh, MBA, CISSP, PMP, Founder & CEO - info@ignyteplatform.com