
Okay, I guess you can hear me okay because you sent a chat to the box. Great, so we'll start the presentation. This is the CMMC overview, and this is tailored for security professionals: the main things that I think security professionals need to know about CMMC.

One of the reasons we're doing this is because America spends billions of dollars developing weapon systems. It's taken years to develop these weapon systems and all the different technologies that are needed, and other countries shortcut that process by stealing the intellectual property that we use to create our weapon systems. This is an example: one of these is the American F-35 Joint Strike Fighter and the other one is built by another country. Which one is the American version? Can you all unmute? Tell me which is the American version. Both? Not correct, one is built by another country. One's built by China. Which one? The top picture or the bottom picture?

The top picture. You're correct, because the U.S. Air Force logo is on the bottom picture, but other than that they're pretty close. China was able to accomplish building this so quickly because they were able to steal the technology on how the airplanes are built. You hear it in the news when there's classified information that's stolen; you tend to hear that in the news, but actually that doesn't happen a whole lot. The classified systems are actually protected pretty well, and it's usually a human that did something, that took the classified information and gave it to the foreign adversary.
But there's tons of theft of non-classified data from military contractors, and this is not necessarily from a human giving the adversary the information. This is them going through the cyber defenses to get the information, and it's the supply chain, because a lot of this data that's not classified isn't being protected as well as it should be, and that's what's allowing the foreign adversaries to steal it. So for most of the classified information, because it's protected so well, it is a human giving that information to the foreign adversary when the classified data gets stolen. But for the unclassified data, they're able to use tools and techniques in order to extract the data, and that's where the vast majority of the data is leaving the country.

An example is the company I work for. We're building Army propellants; this is for propellants for weapon systems, and all of this data is unclassified. Everything that we're doing to build this Army ammunition plant, there's no classified data on there, and of course we talk about on our website what we're doing. Another example is missile silos. Again, this is public information on our public-facing website, that we're doing construction of underground nuclear weapons storage and handling facilities at the F.E. Warren base in Cheyenne, Wyoming. So this is an example of two
weapon systems projects that we're doing, but these are totally unclassified projects that we're working on, and so there are expectations from the government for how we're protecting the data. But this is where the big shortcoming has been, and that's why the Department of Defense feels like they need to implement a more formal program on how to protect the data. That is what the goal of the CMMC program is. CMMC stands for Cybersecurity Maturity Model Certification. This is actually not coming from the IT department at the Pentagon; this is coming from the supply chain section of the Pentagon. The Office of the Under Secretary of Defense for Acquisition and Sustainment is actually putting the certification model in place to help protect government data in the supply chain.

Their goal is: if you're building an airplane and you need a component built for that airplane, they don't want you to send the drawings for the entire airplane to the subcontractor that's going to build a component for you. They want you to only send the information that's required, and it takes effort for the contractor to carve out the work and only send the information that's required to do the task at hand. But that is a major part of CMMC: having you segment your data so that you only provide to subcontractors the exact data that they need. They also want you to make sure your subcontractors are protecting the data too, to the same level that you as a prime contractor are protecting the data; there's an expectation that the subcontractor is protecting it the same way.

There have been some things in place over the evolution through the years. There's something called CUI; that's a new data... I can't think of the word. Classification, how do you classify the data. If you've heard of OUO, Official Use Only, or if you've heard of
... it was replaced with FOUO, For Official Use Only, but those were kind of broad terms, and that's where we started. Now we're at CUI, and it has International Traffic in Arms Regulations and export-controlled information, and that means basically only Americans can see it. That's basically the control: only Americans, only U.S. persons, sorry, can see the data. But how you protect it is not defined; they just say only U.S. persons can see it. So then they came out with a standard and said, okay, NIST 800-171. NIST is a government agency that publishes standards, and so the Department of Defense said, well, you have to follow NIST 800-171 when you're protecting our data. But it's on the honor system, and so you self-attest: hey, I am following 800-171. Then they came out with a clause for a contract. DFAR means Defense Federal Acquisition Register, and they came out with the clause 252.204-7012, and that one requires you contractually to do NIST 800-171, and they can choose to come audit you on whether you're meeting it or not. But the problem is the Department of Defense doesn't have a lot of auditors. They don't have a lot of people that can do this, so our company has been audited one time against this standard, and that's
just... they just don't have enough people to go around, or enough budget, or enough experts to go around to audit all the companies. So what this new CMMC is, is a new default requirement that was put into the first contracts this year. It was just a handful of contracts this year; it's going to grow to more next year, and then more the year after. This is where the CMMC accreditation comes in, and the difference from what's been done in the past is that third parties will be coming in to assess you for the CMMC accreditation. So instead of the U.S. government doing it like they did with 800-171, with CMMC you will hire a third party to come in and do the assessment, and then that third party will tell the U.S. government how you did. So this is the evolution of how we got to where we are now.

There are five different levels of CMMC, and the level depends on the type of data that you're going to be working with. If you just have commercial off-the-shelf products, things you're just buying, there is no CMMC requirement for that; that's the far left-hand side of the graph. For level one, this is if you're going to receive an RFP, special data...
Okay, so for level one, this is when you're going to be building something for the government or doing something that's not off the shelf, and so you're going to get a contract saying these are our contract requirements and this is what we need you to do to fulfill those requirements. That's what level one is, and that is Federal Contract Information. Level three is the Controlled Unclassified Information: that's OUO, FOUO, export control, weapon systems type stuff. Actually weapon systems comes in at level four, but level three is the data that the government wants the minimum protections for, and then level four and five are for the weapon systems. So those are the different levels of data; it depends on the data you've got as to the protections and the CMMC level of certification that you have to achieve.

For the accreditation process, level one is a questionnaire that you have to fill out. There are 17 controls you have to meet, and then an assessor will look at the answers to your questions and give you a level one, and then there's up to a year: the government will send someone to come to your company within a year to validate that you meet the level one controls. For level three, four and five, you have to hire a company to come in and do an assessment of you, and you have to pass that assessment before you're given the level three, four or five approval to operate.

These are the Department of Defense estimates of the number of companies that are going to receive these accreditations. They're anticipating 28,000 will receive a level one, they're anticipating 14,000 will get the level three, and about 50 to 60 companies will get the level four and level five. So again, level four and level five is not classified. When I say weapon systems, that doesn't mean classified; I gave you examples earlier in the presentation of work my company's doing that's not classified. So again it's
unclassified data, but it still has to do with weapon systems. For level two, level two is companies that tried to get to a level three and didn't make it. They attempted to get to a level three, and those companies would be awarded level two. It doesn't mean that you can see the data that's required for a level three, but it shows that you tried. There are companies that might be at a level one and tell you, hey, we intend to be a level three. Well, they probably don't, otherwise they wouldn't have done the level one, whereas if someone does a level two, that shows you that they tried but there was a gap, and they're going to tell you that they're trying to fill that gap.

The important thing with CMMC to remember is that you don't have to be at the level during the proposal phase; you have to be at the level to do the work. So you could actually not be a level three and submit a proposal to do the work while you still work on closing your gaps to achieve a level three, but if they make the award and your company wins the award, you have to be at the level three in order to do the work. Some procurements could take six months, some take nine months,
so it does take a while for you to get an RFP and see what level you need to be at, and then there's time where you prepare your proposal, and then there's time for the government to evaluate the proposal. There may even be a protest period, so there is a time gap where companies do have a chance to get up to a certain level. This is very important when you're talking about contracts, because if you're a company like my company and we bid on level three work, again, we typically don't do everything ourselves; we subcontract things to other companies, and so we're going to have to divide up the information. Some of the subcontractors will not need a certification at all, some will need a level one, and some will need a level three. So as we look for subcontractors, of course it's the least risky if we can find people that are already at a level three, but if they're not, we need to have confidence that if they claim they're going to get there, they can demonstrate that they're working on it, and we can include them as a subcontractor in our proposal even though they don't have a level three yet, with their assurances that they're going to get there by the time the contract's awarded. So that's an important differentiation: you have to be at the level at the time of award, not at the time of proposal.
For the certification process, again on level one, that's the questionnaire that you fill out, and you can engage something called a Registered Provider Organization in order to help you with the questionnaire and the 17 controls, to help determine if you're meeting those controls or what you need to do to meet those controls. Then someone will review your responses, and then you'll have a site visit within 365 days, and then the Department of Defense will place the CMMC level in the Supplier Performance Risk System. For level three, four or five, a DoD contractor can engage a Registered Provider Organization, an RPO (we're going to talk about that in a minute), and that's the company that helps you prepare for the CMMC assessment. They come in and look at you and tell you if you're ready and tell you what gaps you have, and then when you get those gaps filled you can hire a different company that actually does the accreditation for you, and that's called a C3PAO, a Certified Third-Party Assessor Organization. This does have to be two different companies; you can't use the same company to do your gap analysis that you use to do your actual assessment. It has to be two different companies. Then if you pass, the C3PAO will provide a copy of your CMMC level to the Department of Defense, and
that's placed in the Supplier Performance Risk System. One of the gaps we have right now is that we can't look inside the Supplier Performance Risk System, and so we have to rely on a subcontractor telling us what their CMMC rating is. We currently don't have a way to look it up ourselves. Hopefully when CMMC gets a little bit more mature that'll be changed, but for right now we just have to trust somebody when they tell us what they are. This is during the proposal phase. Now when the award is actually made and you say, okay, these are the subcontractors I'm planning to use, the government will tell you at time of award, oh, by the way, company B didn't get their level three certification. But right now, the way that things are, we just have to go with what our subcontractors are telling us; we don't have a way to independently verify it. The government can verify that [inaudible] is a subcontractor, but hopefully that's a gap they'll figure out a way to get around, to make that better.

So a third-party non-profit accreditation body was formed, because the Department of Defense didn't want to manage all this themselves. The Department of Defense is publishing kind of the requirements for which you get a certification, but they're not defining what the certification is, and so a third party, a non-profit, was formed, and this is the company that's putting together how to do the assessments and how to determine if you're meeting the... again, it's based on the NIST controls, but they also added some controls too. It's not 100% NIST controls; they've added some beyond the NIST controls too. This agency is the one that has the program to get the companies that are doing the assessments, and to get the companies that are doing the preparation or the gap analysis, and to get the certification test put in place for the people to pass it. So this is the
main website. It's called the CMMC Accreditation Body, or CMMC-AB, and we're going to go through some of the different things that they have available on their website. This has a list of the C3PAOs, which are the assessor companies; these are the companies that have the assessors, and then the next block is the actual assessors themselves. The next circle is the Registered Provider Organizations; these are the ones that do the gap analysis for you. Then the next block is the Registered Practitioners themselves; these are the people that work for the assessor company, I'm sorry, the gap analysis companies, that will come to your site. Then these are the organizations that are seeking the certification, and then these are the training partners; these are the companies that have the training that you need to take in order to become a Registered Practitioner or an assessor. There's also a marketplace link up here, and at the marketplace link you can find the companies that meet these requirements.

So let's dive a little bit deeper in. The Registered Provider Organization, the block that I've highlighted: these are the companies that will do the gap analysis for you. They will come in and look at your environment and see if you're meeting the requirements, the NIST requirements, and again you can go to the marketplace
tab and get a list of the Registered Provider Organizations, and then you work with them in order to put an agreement in place for them to come in and do a gap analysis for you. The people that work for the Registered Provider Organizations are called Registered Practitioners. These are the people that work for the Registered Provider Organizations, and there's a certification they have to go through; there's training they have to take and there's a test they have to take in order to become a Registered Practitioner and keep their accreditation up to date. So again, these are the people that come in and do the gap analysis and look at the companies and tell them if they feel like, according to the test criteria that this accreditation body has provided, you're ready; they're the ones who are supposed to tell you if you're ready to go through the certification process. So the Registered Practitioners have to pass a commercial background check, they have to complete the online training, they must sign a professional code of conduct, and again there's an annual fee that they have to pay. They need lots of security professionals in order to do these gap analyses, because again there's going to be a lot of preparation that the companies are going to need to do, and so there's going to need to be a lot of RPOs. This is kind of the entry level to this; this is kind of the easiest one to get, because you're just doing the gap analysis. So again, these are the Registered Practitioners, and these are the people that work for the Registered Provider Organizations to do the gap analysis.

Now we're going to move on to the third-party assessor organizations, again C3PAO. These are the companies that actually do the accreditation for you, and the people that work for C3PAOs are the assessors. There are different levels of assessors; there are four different levels. The entry one is a Certified CMMC
Professional. As a member of the team, they're not actually able to sign off themselves. When they send assessors to your company they send a team of people, and they're eligible to be a member of the team. When they get some more experience they can then go to the second column, where they're a Certified Assessor at level one, and they're able to look at those questionnaires that companies filled out and determine, based on those questionnaires, if a company is able to be given a level one certification or not. They're also able to participate in the level three ones, again as a member of a team. The next one over is a level three assessor, and they're able to conduct assessments at level one and level three, and so they have the experience required to actually pass you on the level three certification. Then going up there's a Certified Assessor level five, and they're able to assess you at level four and level five and say that you passed the criteria to be at level four and level five. So there are five different positions: there are four on this slide that talks about the assessors, and then the one we talked about previously, the Registered Practitioner, which is again the one that does the gap analysis. So this is where they need
hundreds and hundreds of people that understand how to do the gap analysis and how to do the assessments in order to help make this program successful. This is the marketplace where you can go look companies up, and so you can come and see who are the Registered Provider companies, who are the Registered Practitioners, who are the C3PAO assessment companies. You can come to this marketplace and look up companies and see who they are. This is an example, a screenshot of some C3PAOs. It actually lists the company information on here, and there are more companies now; it changes weekly, but these are like three of the companies that are able to do level three assessments. They've completed everything that they need to do in order to do a level three certification, and so these companies actually had to be approved by the U.S. government. The U.S. government agency that came to my company a couple of years ago and did our NIST 800-171 assessment, that same agency is the one that did these companies. But again, with the DoD, they do one assessment of Redstone or one assessment of [inaudible], and then these companies are able to go assess other companies. So this is a way, again, that the Department of Defense isn't having to expend all this manpower; they expend the manpower getting these commercial companies able to do the assessments, and then these commercial companies will go off and do hundreds of other companies themselves.
But this is still a work in progress; it's not 100% ready yet. The training is one of the things that's coming out. They've had provisional training in the past, and this is for the Registered Practitioners, but they're just coming out now with the final training. So this is a warning: be careful that you don't get tricked into paying for classes, because it wasn't ready yet. The DoD is still working to finalize the course objectives, so someone might tell you they're offering CMMC training, but it's just kind of what they came up with; it's not the authorized training yet. At the last town hall I attended, they said October is when they hope to have this training out and ready. But you can see that they have the Registered Provider training out; it's for the assessors that they don't have the training out yet. So again, this is still a program that's under development. The CMMC Advisory Board has town hall meetings on the last Tuesday of every month to give you a status of where they're at, and they also have replays of previous town halls. If you go to
the CMMC website here, one of the links is Town Halls, where you can go and hear the previous town hall meetings. This is a projected rollout from the Department of Defense. They are behind schedule. The Biden administration decided to do a review of the program, and so they put a pause on rolling out any new RFPs, and that assessment is still underway on whether the CMMC program is going to be rolled out the way it was designed. The Biden administration is looking at the whole program top to bottom, and they may make changes to it before it rolls out any further, so that review is underway and there haven't been any new RFPs. Where they had 15 in fiscal year 2021, they did not achieve that goal, because halfway through the fiscal year there was an administration change that put a hold on rolling out anything else for CMMC. The accreditation board is still working to get the test ready and get all the assessors ready, because again the CMMC-AB is a separate non-profit entity, so they're still doing their part to get ready for everything. The part that's on hold is the Department of Defense actually putting CMMC in new RFPs; they're not doing that right now until they decide if they want to change
anything. As the program was designed under the previous administration, there could be changes to how they do it. An example, for instance, is with level one: it can be very expensive for a small company to meet level one requirements, and obviously there are complaints about that expense. So one of the big questions is, does a level one company actually need an assessor to do that on-site visit? Could they just review the questionnaire only and not have to do the on-site visit? Well, with the previous administration it was that they have to do the on-site visit. There's a chance that the current administration could change that and say we'll take the questionnaire only and we won't actually require the on-site visit. That's an example of a change that the new administration could make that would have a huge cost impact on the companies that are pursuing the level one; that is a tremendous cost impact difference. There's also a tremendous risk difference too, on whether you just fill out a questionnaire and you may or may not be doing that stuff. If you know you're not going to get an on-site assessment, you might not worry about it, but if you know a company is going to come visit you and validate that your answers to your questions are correct, there's going to be a higher level of diligence that you are responding correctly and making sure that you're meeting the requirements. So under the prior administration they were adamant that there has to be an on-site review in order to determine that companies are meeting the goals properly, and those people aren't there anymore, and so there's a chance with the new administration that that could change and there won't be, for instance, level one on-site assessments. So everything with the program is being reviewed right now. What I'm presenting, of course, is what the prior administration laid out. This was the prior administration's rollout plan, and again it shows the number of
companies. So again, 895 level one companies, rolling up to about 28,000 level one companies in fiscal year 25, and these numbers are cumulative as they grow to the right. And again it shows the difference: these are also subcontracts; this is not prime contracts from the government that these counts are. These counts are companies; this is multiple contracts, I guess that's what I'm trying to say. The prime contracts are at the top, and so if you see, for instance, in fiscal year 25 they expect to have 479 prime contracts, but they expect to have 47,000 contractors working on those 479 contracts. That just gives you an idea of the tremendous scope: when they award one contract to Lockheed Martin, Lockheed Martin might have 150 to 200 subcontractors or more doing work for one prime contract. So it's not so much Lockheed Martin that they're worried about; it's Lockheed Martin's 200 subcontractors, where a lot of this leakage has taken place.

Okay, so we definitely need security professionals in order to make these things happen. The town hall that I mentioned earlier: you go to the CMMC Advisory Board and you can view the town hall videos that have been done in the past. So lots of opportunities for security professionals, lots of need for people to come in and do the assessments and for people to come in and do the readiness gap analysis. That's the end of my presentation, and if anybody wants to take themselves off mute and ask a question...
Good job, sir. Okay, so we'll do... I showed there are 20 participants, and I'm one of those and I think Ryan is too, and so we've got the random number generator. Let's see, so the random number generator... I think we've got 18 people if we don't count Ryan. How about that? Is Ben Accord in attendance?

Yes sir, I am.

That's awesome. That was the winner of the first prize, which is, let's see, yes, that's your prize. Ben is the winner of a gift certificate, a $20 voucher. That's off my screen. No charge. $20, and put Ben a quarter in there.

Excellent, thank you.

Okay, all right, we have seven more minutes in this track. Any other questions or comments, if anybody wants to share any information they know?
Mark, one question I do have for you is, will there be less of a reliance on 800-171 as the government transitions to CMMC? Will that be the sole governing requirements body there?

Well, the requirements that they have are primarily 800-171, and then they've added 20 additional controls for level three, and so I think it's going to remain the primary.

Thank you.

And this is the live website, and again this is where it defines, if you want to see the assessor requirements, you can click on the assessment tab on the website and see what the requirements are. You go to the marketplace and see the companies that have met the requirements. You can come to the town hall, so the September town hall video is out there. It was, I guess, two weeks ago now... that was last Tuesday? Yeah, Tuesday a week ago. So the meeting from September 28th is out there; you can go back and watch that town hall video. And then there's just information about the Registered Providers, the assessors, if you come to the marketplace...
Why is it not coming up? Okay, my computer just decided it doesn't want to work today. This is the website again; this is not the Department of Defense, this is a non-profit agency that they contracted with to come up with the accreditation criteria and the training classes that are required. All of that is being put together by the CMMC Accreditation Body; that's the one putting all that material together. So this is the marketplace, and this is where you can come and say, well, I want to see how many companies we have now that are C3PAOs; these are companies that actually can do the assessments themselves. So now there are four companies that have completed all the steps required to do the assessment itself. If you want to look for companies to do the... the RPO, Registered Provider Organizations, these are the ones that can do the gap analysis. There are 1,977 companies that can do the gap analysis for you; that's the Registered Provider Organizations.
So lots of information there, and then if you click on the links here it will tell you what you need to do to become a Registered Practitioner, or tell you what you need to do to become an assessor. Again, the Registered Practitioners do the gap analysis for you. That's all the information about the training that you have to do online. This is online training for the Registered Practitioner: do the online training, sign the code of professional conduct, pass all of the training, and then you'll get a registration where you can work for a Registered Provider Organization, or you can do gap analysis for other companies.
Okay, no other questions? All right, so the next session starts, I believe, at 10:15. At 10:05, sorry. At 10:05 we'll be streamlining report writing with Mr. Ben Accord, so that's at 10:05. Okay, thanks everyone for attending.