Hello and welcome to the NIST 800-171 learning path. My name is Dave Hatter, your instructor for this course, and this is Course 6, NIST 800-171 and CMMC. In this course we'll take a look at: what is the Cybersecurity Maturity Model Certification, or CMMC? What is the Supplier Performance Risk System, or SPRS? How do you score a NIST 800-171 assessment? And how do you submit a NIST 800-171 assessment to SPRS? So let's dive right in. So what is the CMMC? The Cybersecurity Maturity Model Certification is a unified standard designed to reduce the exfiltration of CUI from the Defense Industrial Base, better known as the DIB. It was prompted by data breaches and IP theft that impact national security and originate with NFOs. We're now on version 2.0, which was published in November 2021. It's still based largely on NIST 800-171, and DFARS 252.204-7021 contains the CMMC requirements. A DIB contractor can achieve a specific CMMC level (there are three under version 2.0; more on that in a minute) for its enterprise network or for particular segments or enclaves, depending on where the CUI is handled and stored. It's really important to keep this in mind, because the smaller your scope for CUI, the easier it's going to be to get into compliance. So again, this is going to be entirely dependent on your particular situation, but the more you can limit that scope, the better off you're going to be. So this is a maturity model, and the CMMC version 2.0 documentation says, quote: "The CMMC framework consists of the security requirements from NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and a subset of the requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The model framework organizes these practices into a set of domains, which map directly to the NIST SP 800-171 Rev 2 families."
This also builds on President Biden's EO 14028, Improving the Nation's Cybersecurity. So how did we get to CMMC? Well, NIST 800-171 is a self-attestation standard, and although DoD-mandated contracts must meet the requirements of 800-171, frankly, there have been few audits and very little accountability. Self-attestation, perpetual POA&Ms, and little to no audit risk created little incentive for NFOs to implement the 110 requirements of NIST 800-171. These shortcomings, coupled with increasingly frequent, sophisticated and costly cyberattacks and the theft of intellectual property, led to the creation of CMMC. That's how we got here. Why do you need to care about it? Well, if you're an NFO with a contract containing DFARS clause 252.204-7012, you must have at least a Basic Assessment against NIST 800-171 in order to receive a contract award after November 30, 2020. Requests for Proposals or contracts may contain the clauses, or your Prime may ask you to report your CMMC score. More on that in later videos. NFOs that are noncompliant with the required level will not be able to retain DoD contracts. By 2025, DoD will require ALL defense contractors to pass a CMMC audit to bid on jobs. This only applies to RFPs and contracts with the clauses embedded in them, which also carry clause 252.204-7012 or some other indication that CUI is or will be processed under the contract. So again, limit your scope as much as you can. This quote is from the Office of the Under Secretary of Defense for Acquisition & Sustainment. They say, quote: "Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your assessment. Your company will specify the level of the certification requested" (again, in version 2.0 there are three levels) "based on your company's specific business requirements.
Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and the certifier." So let's talk about the DoD Interim Rule. DoD issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, or DFARS Case 2019-D041, that implemented CMMC on 09/29/20. As of November 30th, 2020, contractors are required to self-assess, or have DoD assess, their compliance and report it prior to any new contract award or the exercise of any contract option or extension. This adds DFARS Subpart 204.75, specifying policy and procedures for awarding a contract or exercising an option between Nov 30, 2020, and Oct 1, 2025. It requires contractors to achieve a CMMC certificate at the level specified in the solicitation at the time of the award. Again, three levels. Contractors must maintain a current CMMC certificate, which means less than three years old, at the specified level throughout the life of the contract or task or delivery order. DoD contractors must immediately post assessments of their cybersecurity compliance to the DoD's SPRS. We'll get to that here momentarily. Primes are required to flow down the substance of DFARS 252.204-7020 to all subs, excluding COTS suppliers. Primes must ensure subs have a current DoD Assessment posted in SPRS prior to awarding a subcontract. If a subcontractor does not have a summary-level score of a current NIST 800-171 assessment posted in SPRS, the sub may conduct and submit a Basic Assessment to SPRS. And subcontractors must ensure compliance for eligibility. So it's really important if you're doing business in the DIB. Interim DFARS contract clause 252.204-7019 requires the following reporting for a Basic DoD Assessment: the standard assessed, in this case NIST 800-171; the organization conducting the assessment, again, in this case, you, if you're doing the self-assessment;
your CAGE codes; your SSP; the date of assessment completion; the summary-level score (we'll talk more about scoring later as well); and the date that all the requirements are expected to be implemented, meaning when you'll have no remaining items on your POA&M and will get the score of 110, which means you've complied with all the requirements of 800-171. There are three assessment levels, and each one carries its own degree of confidence. At the Basic Assessment level, the confidence level is low, because you're doing it yourself. At the Medium Assessment level, this is a review by DoD personnel, and the confidence level is medium. Again, it's just a review. For a High Assessment, or high-confidence assessment, there will be an on-site or virtual assessment by DoD personnel. All three levels of CMMC start with the Basic Assessment performed by the contractor and reporting your score to SPRS. Again, we'll get to that in a minute. Under the interim rule, scoring is an objective assessment of 800-171 implementation. If you implement all 800-171 requirements and controls, that is a score of 110, which essentially puts you at Level 2 in CMMC. Except for the few controls where partial-credit scoring is built in, partial implementation is not credited, and there are very few requirements that allow partial credit. The score of 110 is reduced for each requirement not implemented. It is possible to get a negative score, and we have definitely seen that out in the field working with clients. NIST does not prioritize controls in terms of impact, but some have more impact than others, and the controls are weighted based on impact. So CMMC 2.0 will replace 1.0. It eliminates Levels 2 and 4 from CMMC 1.0, and you end up with three progressive levels. Level 1 is the Foundational level: information that requires protection but is not critical to national security. Level 2, or the Advanced level, is for companies with CUI.
And Level 3, or the Expert level, is for the highest-priority programs with CUI. This definitely simplifies CMMC for companies while still attempting to protect DoD information being shared with contractors. The goals are to safeguard sensitive information to enable and protect the warfighter; enforce DIB cybersecurity standards to meet evolving threats; ensure accountability while minimizing barriers to compliance with DoD requirements; perpetuate a collaborative culture of cybersecurity and cyber resilience; and maintain public trust through high professional and ethical standards. All of which are good things. You can see again some of the high-level thoughts here. It's a streamlined model, focused on the most critical requirements; we go from 5 to 3 levels. It's aligned with widely accepted standards, in this case NIST 800-171 and 800-172. It has reliable assessments: you reduce your cost for the assessments, and you have higher accountability because of the oversight of professionals and because third-party assessors are held to ethical standards. And it has flexible implementation. There's a spirit of collaboration: in some cases you may be able to use a Plan of Action and Milestones to achieve certification, and in limited circumstances it allows the Government to waive inclusion of these requirements. Again, we'll get into a little more detail on that in a minute. This is a nice chart here that shows you the difference between 1.0 and 2.0. You can see in 2.0 you just have the three levels, so it's a little easier to understand and a little easier to comply with. This does a nice job too of looking at the three levels and showing you where they stack up. At Level 1, with FCI, you've got 17 practices, and all you need is an annual self-assessment. With Level 2, the Advanced level, it's all 110 requirements from 800-171, and for most organizations it's going to require a triennial third-party assessment,
with an annual self-assessment for select programs. So there will be some organizations that will still be able to do the self-assessment, but most will require a third-party assessment. Then at Level 3, the Expert level, it's the 110 practices from 800-171 plus some from 800-172, and it will require a triennial government-led assessment. This breaks it down a little further. You can see at Level 1, the Foundational level, FCI not critical to national security: an annual self-assessment. At Level 2, for non-prioritized acquisitions with CUI, you may be able to do a self-assessment, but most organizations will probably land under CUI, prioritized acquisitions, with the triennial third-party assessment. Then at Level 3, the Expert level, that's the highest-priority programs; again, the triennial government-led assessment. A couple of the key changes here: under CMMC 1.0 there was no allowance for POA&Ms, but under 2.0 you can have a POA&M for a limited period of time. Usually they all need to be resolved within 180 days. You can see here that the highest-weighted requirements cannot be on the POA&M list. So the most important controls can't be on the POA&M; you're going to have to comply with them. The DoD can also establish a minimum score requirement to support certification with POA&Ms. And under CMMC 1.0 there was no allowance for waivers, but with 2.0 the government may provide waivers on a specific but limited basis, as you can see when you read down through the list of items. So, a few key changes from 1.0 to 2.0. If we talk about self-assessments here, again, when permitted, for Level 1 for example, or in some cases for Level 2, they are required annually and should be completed using the CMMC Assessment Guide for your appropriate level. You can see there's a link to the Assessment Guide there; I strongly encourage you to get your hands on it and take a look as soon as possible.
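To make the scoring rules from the interim rule and the CMMC 2.0 POA&M limits concrete, here is an added Python example; it is not part of the course and not DoD or NIST code. The 110-point maximum and the 1, 3 or 5-point weights follow the DoD NIST SP 800-171 Assessment Methodology the course refers to, but which sample requirements get which weight, the partial-credit deductions, and the implementation statuses below are constructed for illustration, not a real assessment. It computes the summary-level score, shows that the score can go negative, derives the "all requirements implemented by" date reported to SPRS, and flags POA&M items that break the 180-day or highest-weight rules.

```python
"""Worked scoring of a NIST SP 800-171 Basic Assessment for SPRS, with the
CMMC 2.0 POA&M checks described in the course.

Added example, not from the course or from DoD/NIST. Weights of 1/3/5 and the
110 maximum are from the DoD Assessment Methodology; the requirement subset,
its weight assignment, partial-credit values and statuses are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_SCORE = 110            # every one of the 110 requirements implemented
POAM_DEADLINE_DAYS = 180   # CMMC 2.0: POA&M items expected to close within 180 days
HIGHEST_WEIGHT = 5         # highest-weighted requirements may not sit on a POA&M


@dataclass(frozen=True)
class Requirement:
    req_id: str                               # NIST SP 800-171 identifier, e.g. "3.5.3"
    weight: int                               # points deducted when not implemented (1, 3 or 5)
    partial_deduction: Optional[int] = None   # reduced deduction; only a few requirements allow it


@dataclass
class Finding:
    req: Requirement
    status: str                        # "implemented", "partial" or "not_implemented"
    poam_due: Optional[date] = None    # planned completion date for an open item


def deduction(finding: Finding) -> int:
    """Points lost for one requirement. Partial work counts as not implemented
    unless the requirement explicitly carries a partial-credit deduction."""
    if finding.status == "implemented":
        return 0
    if finding.status == "partial" and finding.req.partial_deduction is not None:
        return finding.req.partial_deduction
    return finding.req.weight


def sprs_score(findings: List[Finding]) -> int:
    """Summary-level score: start at 110 and subtract every deduction. Can be negative."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def full_implementation_date(findings: List[Finding]) -> Optional[date]:
    """Date by which all requirements are expected to be implemented (reported to
    SPRS alongside the score); None when nothing is open."""
    due = [f.poam_due for f in findings if f.status != "implemented" and f.poam_due]
    return max(due) if due else None


def poam_violations(findings: List[Finding], assessed_on: date) -> List[str]:
    """Open items that cannot be carried on a CMMC 2.0 POA&M as the course describes it."""
    problems = []
    for f in findings:
        if f.status == "implemented":
            continue
        rid = f.req.req_id
        if f.req.weight == HIGHEST_WEIGHT:
            problems.append(f"{rid}: highest-weighted requirement cannot be on a POA&M")
        if f.poam_due is None:
            problems.append(f"{rid}: open item has no planned completion date")
        elif (f.poam_due - assessed_on).days > POAM_DEADLINE_DAYS:
            problems.append(f"{rid}: due {f.poam_due} is more than {POAM_DEADLINE_DAYS} days out")
    return problems


# Constructed sample assessment (weights and statuses are illustrative only).
ASSESSED_ON = date(2023, 1, 16)
SAMPLE = [
    Finding(Requirement("3.1.1", 5), "implemented"),
    Finding(Requirement("3.5.3", 5, partial_deduction=3), "partial", ASSESSED_ON + timedelta(days=60)),
    Finding(Requirement("3.13.11", 5, partial_deduction=3), "not_implemented", ASSESSED_ON + timedelta(days=120)),
    Finding(Requirement("3.8.1", 3), "not_implemented", ASSESSED_ON + timedelta(days=90)),
    Finding(Requirement("3.4.1", 1), "partial", ASSESSED_ON + timedelta(days=200)),  # no partial credit
    Finding(Requirement("3.6.1", 5), "implemented"),
]

if __name__ == "__main__":
    print("SPRS summary score:", sprs_score(SAMPLE))                 # 110 - (3 + 5 + 3 + 1) = 98
    print("All requirements implemented by:", full_implementation_date(SAMPLE))
    for problem in poam_violations(SAMPLE, ASSESSED_ON):
        print("POA&M problem:", problem)
```

The deductions are additive with no floor, which is exactly why an organization that has implemented little of 800-171 reports a negative score; a useful practitioner check before submission is running the POA&M rules, because a score computed with partial credit on a 5-point requirement still leaves that requirement ineligible for a POA&M under the 2.0 rules the course describes.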
It also requires annual affirmation by a senior company official, so it's important to make sure you're being honest and open when you complete these things, because someone is going to sign off on it, and with things like the False Claims Act out there, that could come back to bite you if you're not completely honest. For Level 2 you have the third-party assessments. Contractors must obtain a third-party Level 2 assessment for a subset of acquisitions with information critical to national security. You have the CMMC Accreditation Body, or The Cyber AB, which accredits CMMC Third-Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace, so if you're looking for an assessor, that's the place you want to go. A DIB company is responsible for obtaining the needed assessment and certification, and the C3PAO will upload the assessment report into CMMC eMASS. Then for Level 3 you're going to need the DoD assessment. As you can see, DoD intends for Level 3 cybersecurity requirements to be assessed by government officials, and the Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, will be responsible for that as of this writing. So CMMC is evolving. Rulemaking is underway, and changes are released through an interim rule; there should be a 60-day public comment period. Per the Acquisition and Sustainment website, updates to the CMMC website will be limited during the CMMC 2.0 rulemaking process, and the Department encourages contractors to continue to enhance their posture during the interim period while the rulemaking is underway. I think that's an important point. Again, they're saying: don't wait, get started now. Anyone who has taken a look at NIST 800-171 and its 110 controls realizes it's a lot of work to be in compliance.
And with this just on the horizon, as you can see in this next bullet, May 2023 is when these requirements start showing up in new contracts. The time to get active and get started on this is now. CMMC Director Stacy Bostjanick said, quote: "May 2023 is the critical point. That's when we think we'll be able to start putting the requirements in the contracts. You're probably going to see RFIs, RFPs coming out in the summer of 2023." So that's a good intro into the changes from CMMC 1.0 to 2.0. Here's a list of resources that will be helpful in learning more and getting yourself prepared. And with that we will wrap up this video, and I will see you soon in video two. Thanks.