CMMC 1.0 vs. CMMC 2.0: How the Change Impacts Your Organization

Good day, everyone. My name is Aaron McIntosh. I am the director of product marketing here at ActZero, and joining me today is Adam Messer. Adam is our vCISO and head of sales engineering. He's got about 15 years' experience, if not more, in cyber security, working on endpoints, cloud, and network, and we're here today to talk CMMC. So, that being said, I'm going to pull up our slide deck and we're going to get going. I'm hoping everybody can see the slides. Give me one second. Perfect.

Okay, so two weeks ago, early into the evening on November 4th, the day had gone really well and we had closed some deals, some great opportunities. Suddenly we start receiving word about some changes coming to CMMC. There was a short-lived post put up by OUSD that was quickly taken down, but that stirred a lot of questions within the industry. We don't know exactly what caused this. We do know we were expecting changes to come. We know that the OUSD had received about 850 comments on CMMC 1.0. We believe, from that, and based on what we're reading on their website and sessions we've been in, it really boils down to three reasons why they are making the changes. One being that moving to CMMC 2.0, and all the changes within there, will really help businesses reduce their costs, and this is particularly important for small businesses who may have found the process very cumbersome or even exclusionary. Number two, the department wanted to increase trust in the CMMC assessment ecosystem. And number three, to help better clarify and align cyber security requirements to the federal requirements and other commonly accepted standards.

Now, we'd anticipated the changes, as I mentioned, but like others we didn't know exactly what was going to come of it. We had a ton of questions in terms of: why now? You had a deadline of December 9th. What are those changes, and what does it mean to us? So, without panic,
Adam and team took some time to go and digest the materials that were out there, attend the CMMC-AB sessions, and others. So, on that note, we're about to jump into those questions and have the conversation with Adam. But before we do so, for those audience members that are live with us today: if you do have any questions, there are three tabs at the bottom of the screen. One is the ability to submit questions; we've left lots of time at the end to get to those. Two, there's a tab for attachments, anything that we're providing during the session. And number three, there is a "rate us" section at the bottom as well. So, on that note, Adam, help us break down CMMC 2.0, starting with what organizations still need to do.

I'm going to start off by saying that a lot of people who had DFARS requirements did not have them go away with this change. I think a lot of people need to just quickly readjust for what was always a requirement, one that would have legal liabilities and potential contract loss for them if they were storing things like FCI and CUI and were not meeting those requirements. But I'll start very quickly here with point number one. Point number one is that CMMC 1.0 as it has existed, including the audit guidance, is now suspended. That means that for a 9 to 24 month period, as they look to create new rulemaking for how this will essentially become CMMC 2.0 and eventually part of contract requirements, there are essentially no CMMC-specific requirements that are going to be put into contracts during this period, which means we're basically in a holding pattern for this to become the new standard that's required. But I want to be very clear, when we get to point number two here, that that does not eliminate your requirement to do NIST 800-171, depending on the data you have. As a matter of fact, this has always existed independently of CMMC, and so part of the commentary, and definitely alignment with the standard within this, is something that they're trying to connect, because they weren't ever eliminating the DFARS requirements. What they were using was NIST as a starting point, and choosing to augment CMMC 1.0 to include different processes and, frankly, a little bit of an alteration to audit guidance for some of the practices as well. So while CMMC 1.0 was different than NIST 800-171, it included a lot of familiar clauses, and it had asked for more things about them. And so now they're basically saying, to point number three, that when 2.0 comes out they are going to align with NIST 800-171 and NIST 800-172, so that you are basically satisfying both requirements at the same time, and they're not deviating from the DFARS or FAR clauses that are already part of doing business with the DoD.

Number four is that a lot of people are wondering where the adjudication is going to come from: how am I going to comply with these requirements? For many years the DFARS requirements were submitted through self-assessment. You kind of told your primes, or, as part of the contract, anybody who was asking, "here's the existing mapping we have to this," in just plain-language spreadsheets; Exostar and other portals always existed to upload your information to. And so now, when you think about the certification requirement, which was going to get a third party, the C3PAOs, to come and audit these companies across the board for CMMC certification in version one, we now have a different set of requirements for version two. Meaning that, level one, now that they've condensed the levels, both the C3PAOs and the government can audit you depending on what kind of CUI data you actually have, which we're going to get into in just a sec. So that is sort of the mainstay of what you still need to do. You should understand that you should not be doing CMMC 1.0 in this rulemaking period;
you instead should focus your energy on the DFARS requirements you already have, to map to NIST 800-171 and 172. We're going to show you just exactly how to do that, but expect that when 2.0 comes out, depending on your CUI data, CMMC 2.0 will be part of contract requirements once that rulemaking is put into force. The other thing we're kind of walking through is a lot of questions of what will happen to the certification and so on; we're going to get into a lot of those other questions as we go through.

Yeah, in terms of the self-assessment, do you know how regularly or how frequently they're going to happen, like level one, level two, or three?

Yeah. When we go through annual requirements for 800-171, it will apply to level one and a subset of level two. Level three and part of the level two requirements will require a tri-annual audit, which will either include the C3PAO or the government and the contracting body themselves.

Perfect. I think we're going to talk about that a little bit later on as we go through. So the next big question is: we kind of have an understanding of where we are; how's it going to affect the timelines?

Originally, one of the goals set up by the CMMC-AB, and of course OUSD, was to try to get everyone in the DIB certified by 2026. And so as you started to look at a lot of the training materials, what they were coaching us on was that they were going to have this sort of very gradual ramp period throughout the next couple of years. Obviously the suspension changes the targets for the actual certification itself. And so the timelines have not necessarily changed; we don't know if their goals still are to meet 2026, and whether the refractory period we have now, where they're looking at this rulemaking period of nine to 24 months, is to make it easier to make sure you hit the targets, because a lot of the assessment guidance and a lot of the comments are just a lot easier in something like NIST 800-171; they're a lot less gray. And of course, not having to go through a third party to get your assessment done means they can probably hit the goals of meeting that CMMC certification without having to certify assessment bodies and all these other things for a large number of DIBs. So that's what I'd say about the compliance, but let's break some of these points down on the slide for everybody. NIST 800-171 is, and always was, a requirement for people storing CUI. The timeline for that is years ago, for those of you on the phone that have this requirement. Similarly, when we think about FCI, level one data, FAR clauses, as you might have remembered them, you've probably been doing a self-assessment against this already. And so, to the third point about 2026: do we know if this new timeline has changed? I mean, who knows if the idea is that they're going to keep the original timeline and use the refractory period to make it easier for everybody to hit it, or are they going to extend the timeline? Beyond that you have, obviously, contract requirements. So when you say contracts will not require a certification, because there won't be third parties that are actually certifying people in the rulemaking time, you have about nine to 24 months where you can expect that no contracts will require your CMMC certification. It should be very clear, though, that whether it's written in the contract or not, if you have CUI data, DFARS clauses always apply. So we want to make sure that you understand that there are the False Claims Act and the Christian doctrine and other legal ramifications, liability ramifications, for not following the standard if you have CUI today.

Yeah, and for those who may be new to the game and have questions about FCI and CUI, within our tracker
that we'll be providing at the end of the session, there are links to that and the breakdown descriptions as well. So the next question is: you talked about the CMMC-AB and RPOs and C3PAOs. Let's chat a little bit about that. How have these changes affected the timelines, affected the certification requirements, training, and the like?

Well, I'm going to say that obviously there was a bit of a surprise. There was a town hall meeting, I believe a week or so ago, from the CMMC-AB, where a lot of the administrators for the program, the CEO himself, a lot of those people that had worked really hard to build the training program around CMMC 1.0 and started to get those provisional assessors, and the people actually receiving their designations, a lot of people had spent thousands of dollars to join the program. There were probably about 2,200 people on the call and about 450-plus comments in the channel, and as they laid it all out for us, basically some of the major elements that affect the program are on the slide here. What the expectation was for the C3PAOs was that there'd be a certification exam sometime near the end of the year where a lot of them could finally get their credentials to start conducting these assessments. For the people that already had their credentials, that were already CAs, as we were just talking to at ActZero, a lot of them were sort of in a holding pattern waiting for a green light to actually go and assess. And so that's all now been kind of cancelled for them, extended into the ether. They're not sure exactly when they will publish the 2.0 requirements, or when the OUSD, and then the CMMC-AB, pairing their information to get people trained on it, will begin again. But the premise is that they want to try to get the new standard up and ready in a few weeks, and then it'll probably be many weeks from then before C3PAOs and RPs like ourselves are given training materials and new test requirements to make sure that we are in line with those changes. So that essentially is what happens to the program. However, for many in the program who are already providing things like FedRAMP consulting or working with NIST 800-171 requirements with customers, the idea is still the same. It's not like there's a restriction on participating in helping clients get their NIST 800-171 self-assessments together and helping them collect evidence and explain these clauses or controls. But obviously, as this becomes more solidified over the next couple of months, we're expecting that there'll be more of a maturation of how to adjudicate, just like the professional code of conduct and other things we had to work through with CMMC 1.0, extending to 2.0.

Okay. And part of our role is always as a guide as well, so I think part of this process is we're still learning as we go along. We're finding out additional information; you're going to go through additional training. For those who are attending today, we'll provide this information as we move forward as well, on a regular basis. You'll probably receive some updates from us; keep an eye on the website as well, we'll be constantly updating our materials there. So one of the biggest changes to this is the assessment process, being able to move to self-assessment, but it also means that there have been changes in the control structure. Before we had five levels; now it's three. So let's walk a little bit through that process for the attendees, starting with that self-assessment process. Can you walk us through that a little bit, Adam, the steps in that and what the pertinent things are that people need to be aware of?

Yeah, I think that for many people on the call this is
almost eerily similar to the GDPR deadline, where I think a lot of people may have let things lapse in terms of their meeting of the deadline. But I just want to be very clear that you should understand what controlled unclassified information and federal contract information are, and that it's not the responsibility of a lot of contracting agencies or the people that you're bidding with to explain those things to you. There is an understanding that, whether you write it out of the contract or put it in the contract or notify people, it is your responsibility to understand whether you are exchanging this information between parties, and if you are, that there are DFARS regulations around you meeting a certain level of cyber security protections around it. So the link here in the first bullet is about just being able to understand what controlled unclassified information actually is, and there are a lot of references to different types of information that you can peruse through that'll help you basically self-diagnose and say, okay, do I actually have CUI data? If so, where, and how much of it is there? Are there multiple categories that I have? How big is my enclave in terms of where this stuff is? So you can start to take stock of this requirement. The second one is that when you think about FCI, there were always clauses that mapped to NIST 800-171.

For CMMC 2.0, I think that if you're already kind of collecting data and you're wondering if the 17 practices are the same as CMMC 1.0, or if they're the same as the FAR clauses, and you're really just looking for CMMC 2.0 self-assessment guidance, you probably can wait until they publish the standard in a few weeks and try to answer your level one requirements there. But certainly for people in level three requirements, and level two requirements, it's now that you start to have to think a little bit like they are trying to, for enforcement. So if you think about point number three here: if you think you have CUI data, that's not just the end of it. One of the distinctions between being assessed by a third party, being assessed by yourself, and being assessed by the government is actually whether or not your CUI data represents a critical or highly sensitive category, and those aren't labeled yet. So how does an agency know that? If they're a chicken farmer and they're supplying a forward operating base, is that critical information, because an increase in supply may mean that somebody who is very important is visiting the base? Is that critical information to protecting the warfighter? So obviously we could examine a lot of scenarios where there's potential for harm, where you're potentially in a highly sensitive area and collection. But as a rule of thumb, we know that at least level two is NIST 800-171 and level three is 800-172. So as a piece of guidance, it's good to know and assess where you are with both of those now if you have CUI data, and then as they start to, as part of contract and as part of the 2.0 rulemaking process, become much more prescriptive about what high and critical are, so that you can get a heads up that it's you or it's not you, you're
more prepared. Yeah, and one of the other components in preparation here is that, certainly, the idea that you are going to meet all of the requirements, for a long time as people self-assessed, was not always the expectation. I think a lot of people were using their system security plans, their POA&Ms, that defined a kind of resource, project, budget, and timeline to achieving the gaps that they may be missing. And the guidance that they've given us is that in 2.0, once rulemaking's in effect, they will still include a capability for certain requirements that haven't been met, when you're actually applying for a bid, to be submitted with a POA&M. So you can say, look, I'm not all the way there, but if I get the contract there's a period of time that I can use to close these gaps, because it's now, I guess, financially beneficial for me to do that now that I have this contract. They're also going to include a couple of requirements that, at their own will, that is... sorry, I'm getting a bit of an echo. Are you hearing that? No? No. Okay, great. They're also going to include certain requirements that will not be able to be addressed via POA&M. So it is going to be very subjective. If you think about points three and four here, I think it's a lack of clarity that we're getting here on exactly what our requirements are. So obviously, the guidance on the lack of clarity is just: make sure that you understand that the spirit of this is to protect your data, to protect your systems, and that if we do these things they are going to help us as a business, as well as help us in contracting down the road, and that we should probably use these guidelines to measure ourselves anyway and try to use this in the spirit it was designed, just to protect us. So check out all the requirements there.

Perfect. We're going between mute and unmute, so bear with me. Yeah, so that's a really important question. Four, I've actually gone into something as well, and it seems that this is actually opening up the opportunities a little bit for the SMB market as well, who may be a little bit more immature in their controls and don't necessarily know what they need to know at the end. So I'm happy to see that as well, because so much of our base is SMB and the mid market. Okay, so the next is, let's get into the controls a little bit. Obviously we know it's not one for one; level one, two, three doesn't necessarily go over into a certain level in the CMMC model 2.0. But can you walk us through this a little bit? This slide comes directly from the OUSD.

Yeah, I think one of the unfortunate things that has happened as a result of changing the standard very rapidly and delisting some of the guidance from CMMC 1.0 is just how many legal firms and education providers and contractors and so on have put guidance out on the web. I think if you actually Google "CMMC DFARS requirements," you're probably going to get a lot of old information and misinformation as a result about what's required, because a lot of that indexing on the internet just takes a long time to update. Even our own blogs we have to go back and put the red ink on. But as this slide obviously makes the rounds in a lot of other guidance on what's happening with 2.0, you can see just how much it mirrored FAR and DFARS requirements of old. When we think about level one and self-certification and FCI, federal contract information only, you have the 17 practices, which were very close to the 17 that were in level one of CMMC 1.0, but even in the DFARS clauses, or FAR clauses. Level two, of course, you have 110 now, which obviously collapses what seems to be the old level three. A lot of what level three was all about was protecting CUI data. You started to see people talk about, as you got to the old level fours and fives, things like controlled technical information, design information, which those agencies almost always know that they're dealing with, the very, very sensitive planes and plans that are checked on much more regularly. But when you think about level three and CUI data, that was where a lot of people, especially in the SMB market, were targeting their certification. Very few conversations even provided audit guidance for level four and level five, so it was almost not even inked completely for people to even understand how to audit themselves on four or five, nor have there been any CAs, I think, that got that certification. Somebody can correct me if I'm wrong on that, but I didn't meet any on level three. Obviously this is where it collapses four and five. So now you can start to see where it becomes a little bit more subjective, where you have to analyze yourself and say, well, if I'm at level two and I've got CUI data and I'm doing 800-171, on the one hand you can have an annual self-assessment, like it says in the bullet, and if it's critical to national security I might have third-party assessments, which may include a C3PAO. At level three you start to see a non-distinction between CUI there and saying, okay, well, you could be NIST 800-172 required and it's a tri-annual government-led assessment. So that's obviously a very different design than the previous one, which was that the C3PAOs would certify you on every one of these levels as they became aware of the audit guidance. So now we have some self-assessment, we have some third-party assessment at C3PAO, and some government-led assessments for the higher levels.
And the unfortunate part is that there's no NARA or other database of the types of CUI that are or are not, and even when you try to interpret whether you have FCI information, it's a little big. You have to go out there and read the bullet points, which we're going to give you in a minute, and you'll see "any information exchanged" and all this other stuff, so it's a pretty wide blanket.

Yeah. And the CMMC level requirements, that's basically based on the contract itself, right?

Yeah, I think, obviously, when you go through contracting, again, they won't write down these clauses in every case, and they're not even necessarily the ones that are putting these contract clauses in. So the other part that's hard to see here is that these requirements always exist, even outside of contract. They exist as part of the DFARS clause for any procurement that happens, so that even if you said these clauses don't apply to us, if they apply to you because you're holding CUI data, you still have liability for something like false claims and things like that.

Yeah, okay. Perfect. So moving ahead, some next steps. The big question that always comes is: we're professionals in the space, you're an RPO, how can we help? What are the tools that we have that can assist those on the line?

Yeah, I think people are seeking information, first and foremost. I don't think it's because of any type of misalignment with the objective. I think everybody wants to keep their own business safe, I think everybody wants to protect intellectual property, they want to protect the warfighter, the homeland, they want to do these things, but they're starved for accurate, objective, simple information, and right now Googling is not going to help. So I think we have to almost assert ourselves and start making it easier for you to see this stuff and read it and understand it, if you're a customer or if you're not. And so, as an RP, which doesn't hold a lot of weight anymore if 1.0 is what we were interpreting for you, but certainly before, for our defense customers, aerospace customers, other customers in the supply chain, our job was to make sure they understood how to secure themselves with controls. So for this specific liability, for this specific risk, much like privacy risk that affects our customers, we're going to keep our ear to the ground. We're going to make it as simple as possible to provide people updates as they want them, in webinars like this, materials like we're about to go through, and Q&A, anywhere we can, so that we're not stage-gating this information, paywalling this information, or in some way trying to obfuscate it and say, oh, it's so difficult, you need to go through us. We think we should be present and useful to help you understand the stuff. So that's job number one: by the end of the month, when there is a 2.0 posted on the OUSD site, we're going to try to make it as simple as possible to collect the audit guidance and the assessment and anything else that we can use to point you in the direction of how to document this stuff. And certainly number two is that we're obviously going to shift back to the NIST guideline. There was always a NIST guideline; we were always using this guideline. We'll continue to use the NIST guideline for DFARS requirements and now CMMC 2.0 readiness simultaneously, and of course if the CMMC-AB or the OUSD decide to change the NIST guidelines, we're going to update it, just like we're going to update you on any changes that we see to publications of those documents, like 2.0 and the old ones. Third, for customers, our vCISO service maturity: we're still going to align to this, we're still mapping to this, you still have to do this, we still have to do this. So we are obviously going to use those sessions to assess our customers. This might make it easy for those people who are using this just as a benchmark; a lot of customers hardening against data loss and ransomware, we use these standards successfully to design their networks to be resilient to those attacks. And anybody listening on this call that is in financial services, or makes something that doesn't go to the defense industrial base, is probably wondering how this applies to you. It still applies in terms of hardening your systems against attack. And the last one is sort of a forthcoming statement, and is our commitment to versioning the controls that we assess within our portal. So for customers of ActZero, you have a portal that we use to exchange everything from vulnerability information to other types of threat escalations, and of course your own adherence to these best-practice frameworks and compliance standards. And so we're going to make sure that we amend that, like we do everything from CIS to others, to maintain it once 2.0 is published, to make sure that it's up to date.

Perfect. Now, we are about 30 minutes in right now. Let's talk resources. So we're going to leave three with you today for all audience members. We have the framework tracker, which Adam's talked about, and actually, Adam, I'll have you go through that in a couple of minutes. We do have numerous blogs up on the website; one that we thought would be helpful is how CMMC helps with multiple compliance certifications. And then we also have our incident response guide in there. We've had a lot of traction on that; a lot of customers find it extremely useful, and it does apply to a number of the controls within CMMC 1.0 and 2.0. So take a look at those. But Adam, while we do have some time, I do want to get to some customer or
some audience questions a little bit later. But can you take five minutes or so to walk us through the framework tracker?

Sure. For those of you that are online now and can obviously access this, just FYI, we are going to update this so that as things change, if anything changes to these requirements, you'll see the current version of them there. So what's live is the current version as of today. But I will share my screen and we can just quickly dive into the sheet itself. So when you get the sheet, our job is to make this as simple as possible. We're not here to judge if you didn't know there were FCI or CUI requirements, or you're worried that you do have them. Our job, first, is a disclaimer that we're not a law firm. We are a technical managed protection and response company who has customers that have these requirements, and so we want to make it very easy to make sure that both they and we are complying with these regulations. As the updated tracker is published, it'll be here for you to link to, so you can always get a fresh copy when it's amended; it'll be a little more dynamic for you. But the first instruction, obviously, is that outside of understanding what these requirements are, which are just sort of extra resources below, the job is to look at the controls and try to answer the questions, very basically. In a self-assessment, this is how you do it: you would, and still can, download the latest 800-171 standard. You very likely will take it out of the PDF format so that you can start using it, and so that's what we've done with this tracker, to make it easy for you. We've taken both the 171 and 172 requirements, which apply to people with CUI data, which may be level two or level three requirements, and then each one of the controls is listed here, and the way to work with this is just to answer the questions. So when you're assessing this for yourself, the MEP guidance, the audit guidance for NIST, is actually a lot more straightforward than the former audit guidance of CMMC 1.0. It's a lot more specific in the standard and included a little less, but it certainly makes it easier for people to work with. So what we're encouraging you to do is, of course, start answering the questions one by one in the cells, so that you have an answer to whether or not you are complete, incomplete, partial, or reviewing this, with your submission in mind. As you answer these questions, they also say specifically what kind of documentation or systems you can get this detail from. Over here is a helpful sort of business case: if you feel like the requirements for things like log management, advanced endpoint, indicators of compromise, dark web monitoring, vulnerability scanning and remediation, if those things are still in flight for you as a provider, I think one of the things you can do is take a look at this column H and just say, hey, can ActZero or an MDR actually help me address this? And so as you go through them, it'll kind of say, well, maybe I'm not doing it, and then you can understand whether or not you have somebody you can call here that can help you with not doing that.

Yeah, and for those wondering where you can download the form, we did have a question come in: in the attachments tab at the bottom of the screen, you'll be able to get the link there. Additionally, it is on our website under the resources section, so we'll have that available to you, and if you can't find it, please do feel free to reach out to info and we'll make sure to get it to you as well. Perfect, so, awesome, thanks Adam. So we've got about 10 minutes left, so I'm going to pop up the slides again, and hopefully everyone can see them as we toggle; sometimes they do drop off. Okay, so as I mentioned, these are the resources. Before we do that, some of the questions that we do have: we have four that have come in here, so let me take a read through these. The first is: does prioritization include CUI or CNSI only, and are they the same thing?

So if you look at the older guidance for CMMC 1.0, as you started to look at federal contract information, CUI was the one that they had mentioned having 800-171 DFARS requirements. There are other acronyms to define other, more very specialized data that is not necessarily in scope for this, but they're all very related. If you go and look at CUI specifically, you can see almost like a blending, where it is FCI, it is CUI, and it could be CTI and other types of information simultaneously, which means you are increasing the protections and the requirements to try to safeguard that information. Right now FCI and CUI are the only things mentioned across the CMMC discussions, and certainly I don't pretend to interpret every one of the FAR clauses or DFARS clauses, just the ones that are discussing FCI and CUI, and so that's what this framework is entitled to do. So if you have other requirements, maybe some of those things you might extend to a legal team to find out for you, because you definitely don't want to mess around with that kind of liability.

Okay, thank you. The next question here is: will non-certified contractors be able to be awarded new contracts? CMMC 1.0 stated they wouldn't be eligible.

Sorry, could you repeat that? I just got lost on who was certified and who could apply and who couldn't apply.

Yeah, will non-certified contractors be awarded new contracts?

Right, so, yeah, so for the rulemaking period it's important to understand contract award is not contingent on you certifying. There is not a certification that
is available to you and therefore in the rulemaking process as they have suspended one and are going to do they are not going to withhold any bids from anybody who is not certified as part of this process however when you are awarded these contracts you have the liability of fars and defarts clauses and have always had that assuming that you are you know exchanging this information so while they award the contract to you and you self-assess like you had against the dpars requirements the whole time you're not certified and not held you're not you know awarded or not awarded the contract based on your certification after the fact you have a liability and a potential breach of contract that can occur because you didn't follow the nis 300 171 standard much like gdpr right there was a deadline to be you know compliant there was not a certification body that made you compliant but there was an ico office in europe that fined you if you were found to be almost like a whistleblower program uh which is exactly what we have here there is a whistleblower program people who blow the whistle get ten percent of the liability they collect from people who are or are false claim acts right and this has happened to cisco and microsoft and others right um you you you still have that liability right so that that's why you want to self-assess because much like gdpr they're going to come and look at how you've interpreted these articles that they had and say yeah you were negligent you didn't do any of this or you didn't interpret it properly or something that's the liability but you're not they're not going to hold back contracts if you're not certified and you can't get certified so let's just start with the the answer to that question yes i i know there's a lot of nuances and it's not a simple yes or no answer to any of the stuff right so uh the next question i have is this one's fairly specific are we um ac ac.2.016 maps to nist 800 171 uh 3.13 won't these just become cnc 2.0 level 
2. yeah i've already uh does that carry forward i think it's probably the gist of the question aaron and i have blown our brains out mapping the cmmc uh to virtually every potentially applicable cyber check that you can think of in our old tracker we had fedramp ace i think we had hipaa we had pci we had wires like cis we had um anticipated that because of the comments there was going to be some reform and that the bodies that were contributing that reform were going to source from some materials and i agree with you and and disagree with you in the same in the same breath because while we had prepped for any and all eventualities that what 2.0 would be was an amalgam of some of these things and wanted to know where we and our customers stood on all fronts um you know we don't know what the cmtc 2.0 standard is until it's published in a few weeks that might mean that that will become 800 171 872 ace become the requirements maybe it won't right we're still waiting on them to publish yeah and we've got about four minutes left so i have one more question um there are lots of manufacturers at 100 percent of say nist 800-171 or 171 a um what document document documentation changes uh will be dealt with in like tier two three four supply chain and that's a tough question so uh what kind of documentation will be changed for tier two three and four supply chain if you mean by tears you mean subs to a prime so you're saying like there's a clause here and you work for like lockheed or raytheon or northrop grumman or somebody and you're just a supplier down the stream you make a screw that goes into the tank that is then going to this you know war fighter the the idea is that the entire defense industrial base is is you exchanging this information right so the concept is that even if you're a one-person contractor that works over here and you're exchanging the information you are part of the enclave now your subs are part of the enclave now and so i've seen consulting 
companies being issued laptops by these organizations that have to maintain this standard to exchange kui data exclusively on that machine that is still part of their own claims always vpn in and they have all the monitoring and all the clauses addressed on that workstation and then they have a separate workstation where they just do their regular job right so you know when you think about the downstream contractor and i'm sure this was part of the comments i haven't you know other than them right they don't they don't send the comments and publicly post them uh from from what i've seen so i don't know that this wasn't one of the major things which is do i have to be compliant if i'm just the guy that shows up on the shop floor to drop off a package that has the screws in it because the logistics information show you where the factory is like it just gets really really extended so the goal by 2026 was the whole dip which was everybody in that sphere but the exchange of that information in the enclave was always how they were trying to sort of set the bounds of the scope of your certification and i don't want to be even more gray on this if you were commercially off the shelf software like office 365 and gcc high you got an exemption from having to do it right that was another clause that i think a lot of people were like well when am i off the shelf side is that zero off the shelf software um i'd say arguably we're not but you know that's the kind of thing that will come off the shelf very easy um yeah the yeah so that's that's what i'd say to that perfect thanks uh we are almost under time i think we have less than we're just about a minute or so left so adam thank you very much as usual um i love doing these webinars with you i learn all the time um you know for those audience members if you do have any questions um i think we got to all of them that we're in the queue if you have any afterwards that you're thinking of please do send them to us at info we'll get 
to them as soon as we can um you know as always take a few moments to rate us was the material up to par did you get the questions answered that you were looking for we're constantly improving um we want to make sure that we're hitting these out of the park for you and that you're finding true value and then when you come and additionally um you know thanks for joining us today um hopefully where we helped you out in your journey to cmmc and uh we look forward to hearing from you soon thank you you
Channel: ActZero
Views: 204
Keywords: cmmc, cybersecuritymaturitymodelcertification, The Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense, DoD, CMMC 2.0, CMMC 1.0, cybersecurity compliance, NIST, cybersecurity framework, NIST800-171, DFARS, cybersecurity checklist, cybersecurity audit
Length: 43min 45sec (2625 seconds)
Published: Thu Nov 18 2021