Good afternoon, everyone. My name is Craig Petronella. I'm an IT cybersecurity and compliance expert. I'm a CMMC Certified Registered Practitioner with the CMMC-AB (CMMC-AB.org), and I'll be your host for the presentation today. Today, we're going to talk about the Cybersecurity Maturity Model Certification, or CMMC 2.0, for federal defense contracts. Who is Craig Petronella? That's me, your host. I'm a long-time cyber expert.
I'm a tech enthusiast focused on the strategic alignment of people, process and technology to empower organizations to thrive in this digital age of information.
Petronella Technology Group, or PTG, provides security risk assessments, penetration testing, training and consulting services to help businesses reduce employees' improper handling of controlled unclassified information or CUI, federal contract information or FCI, covered defense information or CDI, and personally identifiable information or PII; fines and penalties for regulated breaches; cyber fraud; and theft of credit card data. Good cyber hygiene is akin to a properly aligned spine.
No one really pays attention to it, but those that do easily stand out. Protecting data is paramount, and those who actively and proactively do so tend to be the most successful businesses. It's really the foundation of your business. And it's rewarding to see my clients withstand cyber attacks and win new contracts. Are you prepared? Solutions to cybersecurity must be aligned with people, process and technology, and need to be both scalable and sustainable. Cyber crime is a growing threat.
Hackers are not going to wait for contractors, subcontractors, or vendors to get their cybersecurity whipped into shape to start a cyber attack. Exfiltration of sensitive data by malicious actors around the globe is a threat to both national and economic security. The DoD is working with the defense industrial base, or DIB, to enhance protection of controlled unclassified information, or CUI, along the supply chain. What does this mean for your business?
2021 saw a 69% increase in cyber attack related complaints to the FBI. How does this impact you? Comply today. The requirements to comply are five-plus years old now. The CMMC combines various cybersecurity standards and best practices. It maps these controls across three different maturity levels. The maturity levels build on each other. They range from foundational cyber hygiene to expert. For a given CMMC level,
the associated controls, when implemented, will reduce risks against a specific set of cyber threats. It's imperative for you to be compliant. Making a false claim is a serious offense under the False Claims Act. CMMC 2.0: what we know today. What is the CMMC? It's the Department of Defense, or DoD, certification process that combines the various cybersecurity standards into one unified standard for cybersecurity. It measures the ability of members of the DIB, or defense industrial base, to protect data.
We've got federal contract information, or FCI, and CUI, or controlled unclassified information. Cybersecurity Maturity Model Certification 2.0: CMMC has been simplified, but it's not going away. We've reduced it from five to three maturity levels. Maturity level one is now self-certifying. DFARS 7012 and NIST 800-171 are still required today. No changes to the clauses 7019 or 7020. SPRS self-attestation is still mandatory.
Expect DoD enforcement to be more aggressive. The DoD Civil Cyber-Fraud Initiative creates more False Claims Act participants. Expect more aggressive requirements from the primes. Whistleblowers can report non-compliance.
On the left side here, we have the CMMC model 1.0, which showed five different levels ranging from basic level one, with only 17 practices, all the way up to level five, with 171 practices. That's been simmered down and reduced on the right side with CMMC model 2.0. We still have level one, foundational, which is 17 practices, where an annual self-assessment is OK. Moving up, we have maturity level two, advanced, which is 110 practices, which are aligned with NIST SP 800-171:
triennial third-party assessments for critical national security information, annual self-assessments for select programs. And then moving up to maturity level three, we've got expert, at 110-plus practices, based on and building on levels one and two.
So we still have to do the NIST 800-171, but now we add on the supplemental 800-172, and this is triennial government-led assessments. To be clear, on maturity level two, they are no longer allowing (this was a recent change) self-assessing only. So you have to do self-assessments on your own; however, you still have to have a third-party assessment done at maturity level two and higher. Level three is government-led.
So we have Cybersecurity Maturity Model 2.0. The new requirements mirror, very similarly, NIST 800-171 and now 800-172. With CMMC 1.02, we had 20 delta controls that were eliminated. We've eliminated a lot of the alternative levels and simmered it down from five levels to two. The maturity processes had created a 50% to 100% level of effort for businesses. They were poorly defined, and in the full year after CMMC was originally
released, the DoD never provided an example of a passing policy, procedure or plan. CMMC 2.0 level two aligns with 800-171. CMMC 2.0 level three will include a subset of 800-172 controls. The assessment changes for CMMC 2.0: level one is the self-assessment, where we have the entity and corporate officer attestation. Moving up to CMMC 2.0 level two, we've got the third-party assessment, which is prior to award.
You have to have that third-party assessment before you'll get a new contract award, and you'll still have to do your own annual self-assessments. But again, they made that change where you have to do the third-party assessment as well. And you also have to have buy-in at the C level for the corporate officer attestation. And then at 2.0 level three, you'll have to get that assessment done by the government. Self-assessment at maturity level one is self-attestation.
The third-party assessment is required for maturity level two, and limited plans of action and milestones, or POA&Ms, or waivers are allowed. These will only be temporary waivers though, and they'll be really difficult to attain. The parameters for POA&Ms and waivers will be defined during the rulemaking stage. POA&Ms are allowed under 2.0, but only for a 180-day period. I recommend trying not to use POA&Ms at all, because POA&Ms are really like a band-aid.
So why even have one to begin with? Try to just go straight and fix the problem if you can. DoD certifications at maturity level three have an increased responsibility and role. Contractors are encouraged to comply with the heavily weighted NIST controls as soon as possible, to be positioned for a deluge of CUI being released under upcoming procurements. Here's the DFARS interim rule. Katie Arrington once said the CMMC certification is like your driver's license on the information
superhighway. The coming phase-in of CMMC 2.0 has added new contracting requirements. We've got DFARS 7019, which advises contractors that they must maintain and report their 800-171 compliance in the SPRS system. It also explains the three types of assessments, or audits, which are basic, medium and high. DFARS 7020 outlines the requirements for contractors to provide the government access to their facilities if the DoD is renewing a contract or conducting a medium or high assessment.
DFARS 7021 discusses integration of CMMC maturity levels one through three. The interim rule, the Supplier Performance Risk System, or SPRS, and the DoD Assessment Methodology, or DoDAM, score: the SPRS self-assessment effectively reinforces self-attestation of NIST 800-171.
Have you completed your SPRS self-assessment yet? Because it was due back on December 1st, 2020. Currently it's included in most RFPs. It's not recommended that contractors wait; the DoD wants all subcontractors and primes to self-attest as soon as possible. CMMC will roll out after rulemaking, but until then you must complete the SPRS self-assessment. You need a guide, and we are here to help you.
The benefits of NIST and CMMC compliance are increased security, a competitive advantage, peace of mind, and NIST 800-53. Being NIST 800-171 compliant will significantly reduce the likelihood of a breach, and if you're breached, it will decrease the impact of the breach. Once you have put in the time, energy and money it requires to be NIST 800-171 compliant, you gain a competitive advantage over other businesses who are not. Gain peace of mind and don't lose sleep
wondering if you're going to lose your contract and your reputation because you failed to comply with NIST 800-53. You're that much closer to being compliant; taking just a few steps will gain that much more of a competitive advantage. The PTG process: your journey is smooth and measurable. A simple risk assessment produces a customized blueprint towards total compliance. Your people are encouraged to perform a risk assessment,
provided with policies that form a guided framework, and trained to use technologies. As the active principle in cybersecurity, you'll join a group of high-level DoD contractors working with very sensitive information that we've helped and kept in the flow of new contract awards with strategic AI-driven tools. CMMC 2.0 takeaways: POA&Ms have changed dramatically. They're only good for up to 180 days. The most heavily weighted of the 110 controls cannot be part of a POA&M.
We suggest identifying those and commencing maturity. The prescription to comply with 800-171 is found in most, almost 100%, of DoD prime and sub contracts. When you sign a contract, self-attesting compliance with both FAR 52.204-21 and DFARS 252.204-7012 (controlled unclassified information, or CUI) will become routine. In most procurements, expect a flood of CUI. Gaining access to CUI will likely require the right maturity level or SPRS score.
DoD major primes will be some of the strictest enforcers of NIST, 7012 and 7013 compliance. If you rely on a third-party MSP, that does not relieve you of the obligation and the compliance in any manner; you can't outsource that responsibility. We suggest having early meetings with your MSP to discuss the responsibilities and the roles, and we highly recommend that they're a CMMC-AB certified Registered Provider Organization and that you work with a Certified Registered Practitioner.
With your DFARS, CMMC and NIST compliance, the MSP should be compliant as well. What our clients say: we've got five-star reviews. We've been trusted to work with the largest corporations in the world. We've recently won the 2021 UpCity Award of Excellence, as well as the Better Business Bureau's 2021 Small Business Award. So what do we do next? Our recommendation is to review your system security plan against NIST 800-171.
Perform a gap analysis and a risk assessment to identify the vulnerabilities in your system security plan. POA&Ms, or plans of action and milestones, should be tailored to your gap analysis. Put your score into the Supplier Performance Risk System, or SPRS. Be sure to customize your policies to align with any POA&M goals. Implement PTG-suggested POA&Ms in sequential order to catapult your SPRS score upward.
Revisit your system security plan, your POA&Ms and your policies to ensure they're all in alignment; make a final adjustment of people, process and technology to mirror the alignment; and maintain cyber synergy throughout the PTG managed maintenance. You can succeed with our guidance. We suggest you talk to us right away. Please call us at 919-601-1601 or visit Petronellatech.com.