Hello and welcome to the NIST 800-171 learning path. My name is Dave Herder, and I'm your instructor for this class. This is course 6, NIST 800-171 and CMMC Levels 1-3. In this course, we'll take a look at the CMMC, or the Cybersecurity Maturity Model Certification. We'll look at the Supplier Performance Risk System, SPRS. We'll take a look at scoring a NIST 800-171 assessment, and we'll look at submitting a NIST 800-171 assessment to SPRS. Let's jump in. What is the CMMC? The Cybersecurity Maturity Model Certification is a unified standard designed to reduce the exfiltration of CUI from the Defense Industrial Base, DIB. It's been prompted by data breaches that have impacted national security and originated within NFOs. Obviously, you can't turn the news on and not see instances of this. The most recent version, version 1.02, was published in March of 2020. Version 1.02 combines various standards and best practices, and for our purposes, it's important to know that it's based largely on NIST 800-171. If you've been working through the process of complying with NIST 800-171, you're already well on your way to getting in line with CMMC, which is the future of all of this. CMMC version 1.02 says, "The Cybersecurity Maturity Model Certification framework contains five maturity processes and 171 security best practices progressing across five maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding at level 1, moving to the broad protection of Controlled Unclassified Information at level 3" (again, that's where NIST 800-171 comes in) "and culminating with reducing the risk from Advanced Persistent Threats, APTs, at levels 4 and 5. The CMMC framework is coupled with a certification program to verify the implementation of processes and practices."
Again, that's from the CMMC version 1.02 documentation. It talks about CUI, which lines this up with NIST 800-171. As you'll see, the bulk of the controls are requirements at level 3 aligned with NIST 800-171. How did we get to CMMC? Well, NIST 800-171 is a self-attestation standard. You could pretty much put down whatever you wanted. There's always the False Claims Act and things like that, but again, it's a self-attestation standard. How carefully it was implemented in the past is hard to say. DoD mandated that contractors meet the requirements of NIST 800-171, but again, it was a self-attestation standard with few audits, and thus little accountability. Self-attestation, perpetual POAMs, and little to no audit risk created little incentive for NFOs to fully implement all 110 requirements of NIST 800-171. If you stop and think about it for a second, for a relatively small organization, trying to implement all 110, or satisfy all 110, requirements of NIST 800-171 can be a pretty difficult task. Finally, all of these shortcomings led to the implementation of CMMC. Obviously, the never-ending rise of more frequent, more sophisticated, and more costly cyberattacks has certainly increased the need for something like CMMC. That's how we got to where we are today. Why do you care about CMMC? Well, if you're a non-federal organization with contracts containing the DFARS 252.204-7012 language, you must have at least a current basic assessment against NIST 800-171 in order to receive a contract award after November 30th of last year. Requests for proposals or contracts may contain clauses, or your Prime may ask you to report your CMMC score, which we'll learn about in future videos here. NFOs that are not compliant with the required level in the contract will not be able to retain DoD contracts. That's the main reason to care about it: if you want to maintain your contracts, you're going to have to do this.
Also of specific importance, by 2026 the Department of Defense will require all defense contractors to pass a CMMC audit to bid on jobs. Let me say that again. By 2026, DoD will require all defense contractors to pass a CMMC audit to bid on jobs. That's pretty important. It's also important to point out, though, that it applies only to RFPs and contracts with the clause embedded in them, that is, those that also have clause 252.204-7020, or some other indication that CUI will be processed under the contract. Again, we care about CUI in this context. Let's take a look at the CMMC model. There are 17 capability domains and 43 capabilities. There are five processes across five levels to measure maturity, and there are a total of 171 practices across five levels to measure technical capabilities. Again, we know there are 110 requirements across the 14 families in NIST 800-171. If you want to reach level 5, which is a pretty high bar, there are 171 total practices. You can see from the graphic here: domains are key sets of capabilities for cybersecurity, capabilities are achievements to ensure cybersecurity within each domain, and practices and processes are activities required by level to achieve a capability. As we mentioned, there are 17 capability domains. You can see them here: access control, asset management, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, recovery, risk management, security assessment, situational awareness, system and communications protection, and system and information integrity. You'll notice, if you look at these carefully against the NIST 800-171 requirement families, that most of these align almost 100 percent, and then there are a few others thrown in for good measure, like situational awareness, for example. If we take a look at the CMMC levels, again, there are five levels.
You can see in this, and this is all from the CMMC documentation: at level 1, you're performing processes; at level 2, you're documenting processes; at level 3, processes are managed; at level 4, processes are reviewed; and at level 5, processes are optimizing. Again, it's a maturity level, and at each level you're becoming more mature, working your way towards optimizing your processes. Then on the practices side, at level 1, it's basic cyber hygiene. Those 17 practices are the most basic things that every organization should have. At level 2, it's intermediate cyber hygiene. At level 3, it's good cyber hygiene; again, it's the 110 requirements from NIST 800-171 plus another 20 requirements thrown in from different standards for good measure. We'll take a look at that in a minute. At level 4, you have proactive practices, and at level 5 you have advanced and progressive practices. If you take a look at the process progression here: at level 1, performed, you can see zero processes; select practices are documented where required. At level 2, documented, there are two processes: each practice is documented, including level 1 practices, and a policy exists that includes all activities. At level 3, managed, we have three processes: each practice is documented, including the lower levels; a policy exists that covers all activities; and a plan exists, is maintained, and is resourced that includes all activities. Again, you can see we're becoming more mature in our progression here. At level 4, reviewed: each practice is documented, including lower levels; a policy exists; a plan exists; and activities are reviewed and measured for effectiveness. Then finally, optimizing, the highest level; again, we've implemented all 171 practices. We have five processes: each practice is documented, a policy exists, a plan exists, activities are reviewed, and there's a standardized, documented approach across all applicable organizational units.
Again, that's a pretty high bar to get to, especially if you're a small or medium business. You can see here, then, the levels for the practices. At level 1 there are 17 practices, equivalent to all practices in Federal Acquisition Regulation 48 CFR 52.204-21. At level 2, intermediate cyber hygiene, we jump up to 72 practices: we're going to comply with everything in the Federal Acquisition Regulation, it includes a select subset of 48 practices from NIST 800-171, and then it includes an additional seven practices to support intermediate cyber hygiene. At level 3, again, a huge jump, we go to 130 practices. It complies with and encompasses all the practices from NIST 800-171: we have the 110 requirements of NIST 800-171 plus an additional 20 practices. At level 4, the proactive level, we go to 156 practices, so we have everything that we've seen so far, and then it includes a subset of 11 practices from the draft special publication 800-171B, which is an additional set of 30 requirements above and beyond those in NIST 800-171, and an additional 15 practices to demonstrate a proactive cybersecurity program; again, these are coming from other standards, and we'll look at those in a minute. Then finally, level 5, advanced/progressive: we have all of the first three we talked about plus another 11 practices that are coming from different standards. Again, a pretty high bar for most smaller organizations. In most cases, level 3 is probably where you're going to want to be, and again, if you've been working towards NIST 800-171 compliance, you should be well on your way there. This chart just shows again how the various practices increase. Level 1, basic cyber hygiene, 17 practices. Level 2, intermediate, 72 practices; we're adding 55 practices. Level 3, good cyber hygiene, 130 practices; we're picking up 58 practices. Again, we're 20 more than NIST 800-171, but NIST 800-171 is entirely encompassed in this.
At Level 4, we have 156 with 26 new practices, and at Level 5 we max out at 171 practices with 15 additional practices added. I like this chart because it makes this pretty easy to understand; it really summarizes it nicely. I won't read the whole thing to you, but you can see here it shows you, for each level, the number of new practices that are being added and the processes that go along with it. Basically, again, Level 3, protect controlled unclassified information, the 130 practices that encompass NIST 800-171 plus the 20 other practices, is where most organizations are going to need to be. But again, that's also going to depend on what level your contract stipulates. I also like this one because it shows the process progression; I won't read the whole thing to you, but it shows you the 17 domains, and then where the practices fit in. This shows a list of all the different sources that were used to create CMMC version 1.02. You've got the FAR clause 52.204-21, obviously NIST 800-171, 800-171B, and the CIS Controls version 7.1. It's worth noting there is a new version of the CIS Controls that just came out; I'm a big fan of the CIS Controls. It'll be interesting to see how that plays into the next version of CMMC. You can see the NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, the CERT Resilience Management Model, version 1.2, NIST Special Publication 800-53 Revision 4, and then some others: the UK NCSC Cyber Essentials, and the Australian ACSC Essential Eight. Again, a lot of sources were used to pull the material that CMMC version 1.02 is based on. I like this chart because it does a nice job of breaking down each level and where the bulk of the material came from. As you can see here, at Level 1, 15 of the practices came from 48 CFR 52.204-21. You can see here how this breaks down. Again, I'm not going to read the whole thing to you; you can obviously read it for yourself.
But again, as you see here, we pick up all of the requirements from NIST 800-171, which is what's important to us at this point as we work our way towards CMMC Version 1.02 Level 3. Again, another nice chart. It shows you, from the maturity perspective, how you move forward: basic safeguarding of FCI, a transition step to protecting CUI, and then we should achieve protection of CUI with Level 3. Then obviously we want to work our way towards reducing the risk of advanced persistent threats, which we see more of all the time, like the recent SolarWinds and [inaudible] issue. Here's what the DoD has to say on assessments: "Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company's specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity and capabilities and organizational maturity to the satisfaction of the assessor and the certifier." That's from the Office of the Under Secretary of Defense for Acquisition and Sustainment. That's obviously a direct quote there. The interim rule on CMMC basically set all of this up. You can see here, DoD issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, that implemented CMMC in September of last year. As of November 30th of last year, contractors are required to self-assess, or have DoD assess, although most people are going to self-assess, compliance and report it prior to any new DoD contract award. Again, it's this idea that we're going to report this to SPRS; we'll get to that in another video here shortly. The interim rule also added a new DFARS subpart 204.75, which specified policies and procedures for awarding a contract or exercising an option between November 30th, 2020 and October 1st, 2025.
Again, if you're in the government contracting business, this stuff is all pretty critical. The interim rule requires contractors to achieve the CMMC certificate at the level specified in the solicitation at the time of the award. Contractors must maintain a current, less than three-year-old, CMMC certificate at the specified level throughout the life of the contract or task or delivery order. Again, it's a Maturity Model Certification. Once you've achieved it, then you have to keep doing all the things to ensure that you maintain it, as you can see here, through the life of the contract, for however long that is. DoD contractors must immediately post assessments of their cybersecurity compliance on the DoD's SPRS site. Again, we'll learn more about that in an upcoming video here shortly. Primes are required to flow down the substance of DFARS 252.204-1720 to all subcontractors, excluding commercial off-the-shelf software suppliers. So that flow-down rule is critical. If you're a subcontractor working for a prime and the prime has a contract that requires compliance with level 3, you are going to have to comply with it as well. Primes must ensure subcontractors have a current DoD assessment posted in SPRS; again, flow-down, prior to awarding subcontracts. So if you're a subcontractor, you're going to have to do this. If a subcontractor does not have summary level scores of a current NIST 800-171 assessment posted in SPRS, the Sub may conduct and submit a basic assessment to SPRS, which is what we'll show you how to do in a coming video here shortly. Subcontractors must ensure compliance for eligibility. So if you want to be eligible for these contracts, you've got to do this. The interim rule's contract clause 252.204-7019 requires the following: when you're going to submit your basic NIST SP 800-171 assessment to SPRS, these are the things that you'll need to include.
Obviously, the standard assessed, in our case 800-171; the organization that conducted it; your CAGE codes, that's Commercial and Government Entity codes; your system security plan; the date of the assessment completion; your summary level score; and the date that you expect to implement all of the requirements, or satisfy all of the requirements, of 800-171. Again, that's when you would hit the score of 110, the maximum score, which we'll take a look at here in just a second. There are three different assessment levels as of the interim rule. For most people, all you're really going to care about is the basic assessment level. Again, it's a self-assessment and has low confidence. You may, though, depending on the contract or your Prime, have to do a medium assessment, which includes a review of your system security plan by DoD personnel and has medium confidence, and then a high assessment is an on-site or virtual assessment by DoD personnel and has a high degree of confidence. In all cases, you start with a basic assessment performed by the contractor. But again, depending on the contract, you may be required to submit one of these higher levels. We're going to focus on the basic assessment, how you would score that, in an upcoming video here shortly, and then also how you would submit that to SPRS. The objective of the assessment: from the scoring perspective, the objective of the assessment is NIST 800-171 implementation. If you implement all, or I should say if you satisfy all, 110 requirements of 800-171, that will yield the maximum score of 110, which again is the basis for level 3 of the CMMC. There are another 20 controls, but if you can reach the score of 110, meaning you have satisfied all the requirements of NIST 800-171, you're very close. I bolded this because I think this is so important: except for controls where scoring is built in for partial implementation, partial implementation is not credited.
Bottom line is, as you'll see when we get to the scoring in the coming video, you either satisfy the requirement and you get all the points, or you don't satisfy the requirement and you deduct the points. There are a few requirements where you can earn partial points, but generally speaking, that's not going to be the case. The score of 110 is reduced for each requirement that you have not satisfied; it is possible to get a negative score. Frankly, that's not all that uncommon for smaller businesses who've never done this before. NIST does not prioritize controls in terms of impact, but some have more impact than others, obviously, and controls are weighted based on impact. That gets us pretty much to the end of this video. Again, in the next two videos in this particular course we're going to take a look at SPRS, how to do the scoring and some tools you might use for that, and then ultimately how to submit your score. This is a list of resources here that will help you with understanding how to score, all the resources you need to get into SPRS, et cetera. So with that, I will wrap it up for this video, and I will see you in the next video. Thanks.