CMMC 2.0 - What's Changed?

Captions
[Music] Hey everybody, welcome back, and we are here to talk about CMMC 2.0. So last week the DoD announced CMMC 2.0 by accidentally publishing the announcement to the Federal Register. Now that left a lot of us kind of hanging in the air wondering what was going on, and at 9:00 a.m. Pacific time they released their new site with a lot of new guidance and honestly created as many questions as they answered. Now what I want to do here is I want to go through what has changed between CMMC 1.2 and 2.0 (for convenience's sake we're going to call it 1.0) and what that means for the defense industrial base.

So first off I want to go back through the stack of how we got to CMMC to begin with. So FAR came about in 1979 as an attempt to streamline government acquisitions. Part of the FAR is a set of mandatory clauses that every contract must contain, and that includes 15 safeguarding requirements for federal contract information. Now every cabinet-level agency and department buys things differently, and they can create their own supplements to the FAR. For the DoD this is DFARS, which came about in 2010. It is important to know that DFARS adds on to the FAR; it does not replace it. All of these requirements stack.

However, on December 21st DFARS clause 7012 went into effect. This required compliance with NIST 800-171 in order to protect controlled unclassified information. Now the problem with this is that there's no certifying body, and the government just trusts the contractors are doing the right thing and actually implementing these controls. Now contractors show their compliance with a System Security Plan and a Plan of Action and Milestones. The System Security Plan says what you do; the POA&M says what you will do. Now the problem with this is that nobody was really doing it. They built their SSPs and POA&Ms in order to meet DFARS 7012 and then didn't update them, so this opens them up to issues: the False Claims Act. In 2019 the DOJ obtained over three billion dollars in False Claims Act settlements, including an 8.6 million dollar settlement with Cisco for undisclosed security vulnerabilities. So it obviously wasn't working.

After a bunch of industry discussions the first draft of CMMC was made public in 2019, with version one of the document being published January 2020. Now on November 30th DFARS supplement 7021 went into effect, which set out a timeline for CMMC to be rolled out. So for the first time security was going to require a third-party assessment. Now part of DFARS 7021 was that immediately all defense contractors needed to do a self-assessment against NIST 800-171 and submit it to the DoD Supplier Performance Risk System, SPRS. Additionally it spelled out the time frame for CMMC and the five constituent levels. This would require third-party certifications from C3PAOs, certified third-party assessment organizations. They weren't going to take chances.

Now last week CMMC 2.0 came around, and now we have three levels. They've gotten rid of levels two and levels four, and sometimes it will require a third-party certification, and POA&Ms are back. So what does that mean? Let's actually take a look at the broad sweeping changes between CMMC 1.0 to 2.0, and we'll go into where the questions are lying here.

So first off, the goal of level one and two in CMMC 1.0 was to protect federal contract information. Now level two I think was doomed to begin with: 72 controls, two processes, and it didn't give you any additional benefit to winning contracts because you were protecting FCI with level one. It was considered a transitional level moving into level three to protect CUI. So the DoD killed it and left FCI, federal contract information, totally under the Foundational level one of CMMC 2.0, with 17 controls that are encapsulated in the Federal Acquisition Regulation. Interesting to note: if you've looked at CMMC level 1 and you've looked at the FAR, they are all the same controls. CMMC just split up one of the controls into three constituent parts in order to make it easier to understand.

Now of course the teeth of CMMC is around protecting controlled unclassified information, and the core level of that was CMMC level three, which contained all 101 controls of NIST 800-171 as well as an additional 20 to facilitate good cyber hygiene. Again, a lot of these controls were splits of NIST 800-171 as well as something we'll get into here in a bit. So now CUI is going to be managed at level 2, Advanced, and this is entirely aligned to NIST 800-171 and removes all CMMC-unique controls from the certification. Gonna talk a bit about the certifications here in a minute. Finally, levels four and five, which were meant to protect against advanced persistent threats, were not really ever spelled out. Now since CMMC 1.0, NIST 800-172 came out. Now the DoD did a smart thing here: brought four and five together and put them in under Expert, level three, which has all controls of NIST 800-171 and some specified controls from NIST 800-172. See the video we did a while back about NIST 800-172 to understand why it's not the entirety of 800-172.

So let's look at each of these levels and the main bullet points around it. So CMMC level one is for federal contract information only. It still has the 17 controls from CMMC 1.0. It is now a self-assessment that requires an annual re-certification, so there is no longer a need to be concerned about having an assessment organization come in and see if it's performed. They're just going to take your word for it with an SSP. Now CMMC level 2 is the one that's probably going to be the most important for our audience today. So it has all 110 controls, as I mentioned, of NIST 800-171, but it's split, and this is where the questions are going to lie. So it's split between organizations that handle critical national security information and then others. It remains to be seen what is critical national security information, and that will probably be coming out with guidance as the DoD releases their documentation on CMMC 2.0. Now if you do have that critical national security information, you will be required to have a third-party assessment every three years. However, if you aren't and you fall into that other category, that can be a self-assessment; however, that self-assessment needs to be completed every year, so it's that again, the annual re-certification. Now CMMC level 3 is still being worked on. As I said, it encapsulates levels 4 and 5 from CMMC 1.0. It includes some controls from NIST 800-172 and will require a government-led assessment every three years. This will not be a third-party assessment; it will be done by the DoD, so probably DIBCAC, and again no C3PAOs. So really where the impact to CMMC 2.0 came from is where the assessment organizations were.

Okay, so let's get down to the nutshells here. So first off, I'm sure we're all excited that there is a new time frame. That means that the DoD is going to go through the rule-making process, which can take anywhere from 9 to 24 months, 36, 48; we know government timelines. So we do not really have time to relax. We need to continue hardening our cyber security postures and really fighting back against advanced persistent threats and nation-state actors. I can't say it enough: this is not a mandate, it's a mission. Please stop giving away our classified information.

So POA&Ms are back. However, POA&Ms must have a very specific and actionable timeline. They will probably be enforced on an annual basis; not sure how that's going to work yet. But the other thing is there's going to be a subset of those 110 controls that cannot exist in a POA&M, that must be implemented before bidding on a federal contract.

Next, we're looking at 110 controls, so whoops, 61 controls went out the window. Not so fast. If you spent any time looking at the sleep implementation guides or looking at NIST 800-171 r2, you know that CMMC is laid out in a very easy-to-follow way, and a lot of the NIST 800-171 controls are broken out. Well, if you look at Appendix E of 800-171, what you're going to find are NFO controls, non-federal organization. Most of these are drawn from NIST 800-53, and they include things that are just basic and simple. A lot of what is in CMMC that could be considered CMMC-unique by the DoD actually falls into the 800-53 column of NFO controls. So as you're looking at NIST 800-171 (again, we do want to wait for federal guidance to come out on this), consider that Appendix E will probably be included in some way, if or if not it is actually assessed.

So waivers. Waivers will be permitted not for a control but for the entire CMMC program. Now again, we're reading tea leaves trying to see the future, but I expect that this waiver clause is there for extremely time-sensitive, mission-critical capabilities. So if suddenly the Defense Department needs a capability and needs it right now and needs a contract, they're going to waive the entire CMMC program for that contract in order to quickly deploy these mission-critical capabilities, and over time will be allowed to come back into CMMC as the contract persists.

Finally, self-assessments. I'm actually pretty happy about self-assessments. I always felt that CMMC 1.0 level one... this is getting complicated, I'm only going to talk about CMMC 2 from now on, but I always felt that the federal contract information side should be self-assessed, and there should be some sort of program on the DoD side to assist. Now there's Project Spectrum, which I will have a link to in the comments down below, that helps organizations do this. However, beware of self-assessments, because what's going to happen is if you decide that, oh, I can do that, and pencil-whip your self-assessment and lie, and then something happens where you have an incident and you have to go back to the DoD and say, well, I didn't quite do that right, well now you've got the issue of the False Claims Act again. You want to check out our video on the history of the False Claims Act to understand why your biggest risk will be whistleblowers from inside your own organization and how they can make money by turning you in for lying on your self-assessment. So don't. Please, please just take it seriously.

So there's a lot to unwrap around CMMC 2.0. I'm going to have another video up here today around how CMMC 2.0 impacts Microsoft 365 Commercial, GCC, and GCC High, and as soon as the DoD comes out with new documentation around CMMC 2.0 I'll be here to help you with it. Thanks a lot. Give us a like and follow. If you do have any questions, as we all do, please ask them down in the comments down below. I love to be engaged with the audience. Thanks a lot, hope this was useful. [Music]
Info
Channel: Agile IT
Views: 484
Keywords: Microsoft, Cloud Computing, CMMC 2.0, CMMC, Cybersecurity Maturity Model Certification, DOD, DIB, NIST 800-171, C3PAO, NIST 800-172
Id: nrIUq9b5TUQ
Length: 13min 14sec (794 seconds)
Published: Mon Nov 08 2021