Federal Government Contracting - LIVE Q&A - Topic: CMMC / Cybersecurity

Jennifer Schaus & Associates - Washington DC based consulting firm for federal contractors - presents a 2021 Webinar Series on various topics in federal government contracting. Learn more about the series here and get the webinar recording: https://www.jenniferschaus.com/q-a-cafe

  1. 1. GOVCON Q&A CAFE
  2. 2. JSCHAUS & ASSOCIATES - WASH DC - hello@jenniferschaus.com - GOVCON - Q&A CAFE
     • 2ND FRIDAY OF EACH MONTH, 12PM – 1.30PM [EASTERN]
     • CONTENT & LIVE Q&A FROM GOVCON EXPERTS
     • RECORDINGS AVAILABLE AT THE SAME REGISTRATION LINK
     • PPTS AVAILABLE AT SLIDESHARE.NET
  3. 3. GOVCON - Q&A CAFE
     • 8 JANUARY: CYBERSECURITY / CMMC
     • 12 FEBRUARY: OTA – OTHER TRANSACTION AUTHORITIES
     • 12 MARCH: BID PROTEST
     • 19 APRIL: TEAMING AGREEMENTS
     • 14 MAY: SUB-CONTRACTING
     • 11 JUNE: SALES AND CAPTURE
  4. 4. GOVCON - Q&A CAFÉ - 2021
     • 9 JULY: PROPOSAL WRITING
     • 13 AUGUST: COMPLIANCE
     • 10 SEPTEMBER: ORAL PRESENTATIONS
     • 8 OCTOBER: SET-ASIDES
     • 12 NOVEMBER: PRICING
     • 10 DECEMBER: M&A
  5. 5. ABOUT OUR CONSULTING SERVICES FOR FEDERAL CONTRACTORS:
     • MARKET ANALYSIS
     • PROPOSAL WRITING
     • PRICING
     • COMPLIANCE / ADMINISTRATION
     • MARKETING & BUSINESS DEVELOPMENT / CAPTURE
     • GSA SCHEDULE
  6. 6. ABOUT OUR WEBINARS
     • OVER 400+ COMPLIMENTARY GOVCON WEBINARS ON OUR YOUTUBE CHANNEL COVERING GSA SCHEDULES TO PRICING TO COMPLIANCE
     • JOIN US ON WEDNESDAYS IN 2021 FOR A COMPLIMENTARY SERIES COVERING EACH PART OF THE DFARS, SEQUENTIALLY
     • DFAR | GOVERNMENT CONTRACTS (JENNIFERSCHAUS.COM)
     • 2020 WEBINARS COVERED EACH PART OF THE FAR, SEQUENTIALLY
     • FAR | GOVERNMENT CONTRACTS (JENNIFERSCHAUS.COM)
  7. 7. THANK YOU TO OUR SPONSORS. SPONSOR INFO: hello@jenniferschaus.com
  8. 8. C3 Integrated Solutions is a full-service IT provider, helping DoD contractors achieve CMMC compliance through cloud-based solutions including Microsoft 365 GCC and GCC High. No matter where you are on your journey to CMMC compliance, C3 can help. C3’s unique, step-by-step CMMC Readiness Program helps companies comply with NIST 800-171 and CMMC. Learn more at https://C3isit.com/cmmc
  9. 9. The National Veteran Small Business Coalition (NVSBC) is the largest non-profit trade association in the country representing veteran and service-disabled veteran-owned small business in the federal marketplace as prime and subcontractors. NVSBC provides networking, match-making, coaching, and training opportunities for members. Please visit: www.nvsbc.org
  10. 10. Set-Aside Alert is the premier federal government contract information service, focused on small businesses, minority-owned and women-owned businesses, veteran- and SDV-owned businesses, SBA 8(a)-certified companies and HUBzone businesses. The newsletter provides RFP opportunities for set-asides. www.setasidealert.com Tom Johnson 301-229-5561
  11. 11. Free, confidential counseling + online resources & training
     • Topics: SAM/DSBS Certifications & set-asides: 8(a), EDWOSB, WOSB, VOSB, SDVOSB, HUBZone NAICS Codes State & Local (eVA, SWAM) Capabilities statements Marketing to the government Market research Business development Proposals / RFP responses Security clearances Compliance Teaming / subcontracting strategies GSA Schedules Pricing Contract management Contract performance & more
     • THIS PROCUREMENT TECHNICAL ASSISTANCE CENTER IS FUNDED IN PART THROUGH A COOPERATIVE AGREEMENT WITH THE DEFENSE LOGISTICS AGENCY.
     • Step 1) Full training calendar: virginiaptac.org (tip: click “year” above the calendar to see list form & use the filter features to find specific topics)
     • Step 2) Register as client: https://virginiaptac.org/services/counseling/
     • Outside Virginia? Visit www.aptac-us.org to find your local PTAC
     • Help with registration, counseling, classes – ptac@gmu.edu or 703-277-7750
     • Check out the Bid Match Service Subscription (110+ Federal, State, Local, International)
  12. 12. JANUARY 8, 2021 CYBER SECURITY / CMMC
  13. 13. WELCOME & THANK YOU TO OUR SPEAKERS
  14. 14. CHUCK BROOKS, BROOKS CONSULTING INTERNATIONAL, chetz18@aol.com, 571-296-2164
  15. 15. JODY REED, MCMAHON, WELCH AND LEARNED, PLLC, jreed@mwllegal.com, 703-483-2818
  16. 16. SUSAN WARSHAW EBNER, STINSON LLP, susan.ebner@stinson.com, 202-572-9927
  17. 17. DAVID DEMPSEY, DEMPSEY FONTANA, PLLC, ddempsey@deftlaw.com, 703-880-9171
  18. 18. CYBER SECURITY / CMMC
  19. 19. WHAT WE WILL COVER TODAY:
     I. WHY CMMC WAS CREATED
     II. BASIC ASSESSMENT REQUIREMENTS AND STATUS
     III. CMMC REQUIREMENTS AND STATUS
     IV. CMMC ROLL OUT ISSUES
  20. 20. I. WHY CMMC WAS CREATED – CHUCK BROOKS
  21. 21. CMMC BASICS:
     • The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain.
     • DoD's prime contractors and subcontractors must satisfy one of CMMC's five trust levels. These entities must prove sufficient cybersecurity implementation by completing independent validation activities.
     • CMMC will be phased in, with new contracts starting Q4 2020 through 2026.
     • While the CMMC framework is not finalized yet, it is known that this new umbrella standard will include requirements from NIST 800-171, FAR clause 52.204-21, and beyond.
  22. 22. The Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) in response to the increase of malicious cyber attacks, especially against supply chains (SolarWinds now being the most pervasive). Examples of earlier attacks:
     • Jan-Feb 2018: Compromise of US Navy “Operation SEA DRAGON” – Chinese hackers stole sensitive U.S. Navy submarine plans from Rhode Island DoD contractor. Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.
     • March 2019: US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers - The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal.
     • Sept-Dec 2019: Compromise of Emails and LinkedIn Accounts of military defense companies - the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools.
     • 2017-2020: The Chinese APT Threat to Cleared Defense Contractors - cybersecurity firm Lookout linked an APT15 malware sample to a Chinese defense contractor.
     • Feb-June 2020: DCSA Bulletin – US Defense Focused – DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities.
  23. 23. Five levels of CMMC certification: Each level will require more practices and controls than the previous, with level one being the lowest and five being the highest level. The certification will be valid for three years.
     • Basic Cyber Hygiene
     • Intermediate Cyber Hygiene
     • Good Cyber Hygiene
     • Proactive
     • Advanced or Progressive
  24. 24. Integrating new solutions for bolstering cybersecurity including:
     • Compliant platforms
     • Encrypted assets
     • Data back-ups
     • Monitoring
     • Management
     What’s Next?
     • In December 2020 DOD disclosed the first seven contracts that are likely to be the initial test cases for the Cybersecurity Maturity Model Certification (CMMC) program.
     • An interim rule that formally laid down the regulatory framework for CMMC began in December 2020. DoD is now reviewing comments from industry ahead of any potential changes the department might make to the rule.
     • Lawmakers have included nine provisions in the fiscal 2021 National Defense Authorization Act asking for more details and insights into how DoD will roll out CMMC.
  25. 25. II. BASIC ASSESSMENT REQUIREMENTS AND STATUS - JODY REED, MCMAHON, WELCH & LEARNED, PLLC
  26. 26. A. DFARS INTERIM RULE ISSUED SEPTEMBER 29, 2020
     • Effective Date: November 30, 2020
     • The Rule added three new DFARS Clauses:
        • DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
        • DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
        • DFARS 252.204-7021 Contractor Compliance with The Cybersecurity Maturity Model Certification Level Requirement
     • Once the Rule became effective, DoD was not supposed to award any contracts that included the DFARS 252.204-7012 clause to any contractors who did not comply with DFARS 252.204-7019. There is no exception for FAR Part 12 commercial contracts. The only exception is for COTS.
  27. 27. B. DFARS 252.204-7019 NOTICE OF NIST SP 800-171 DOD ASSESSMENT REQUIREMENTS
     • Key Definitions:
        • Assessment levels – Basic, Medium & High all have the meanings from NIST SP 800-171
        • Covered contractor information system – definition from DFARS 252.204-7012
     • Requirement – after November 30, 2020 a contractor cannot be awarded a contract unless it has a recent assessment (within 3 years) posted in the Supplier Performance Risk System (SPRS) at https://sprs.csd.disa.mil/ for all covered contractor information systems relevant to the offer. The contract must also include DFARS 252.204-7012 for this requirement to be applicable.
     • Unless the assessment is at the Basic level, the assessment is conducted by another organization. The assessment is based on a spreadsheet which results in a “summary level score” of the contractor’s compliance with NIST SP 800-171. Each security requirement is weighted based on the impact to the information system and any covered defense information (CDI) that passes through the system. A contractor may have negative scores, and the maximum score is 110.
     • If a contractor does not have any summary scores from a current assessment, it may conduct its own assessment and submit it to webptsmh@navy.mil, which will post it to SPRS.
     • Oddly enough, there is no requirement in the clause that a contractor have a particular score in order to be awarded a contract.
  28. 28. C. DFARS 252.204-7020 NIST SP 800-171 DOD ASSESSMENT REQUIREMENTS
     • Key Definitions:
        • Basic Assessment – the self-assessment by a contractor that results in a “Low” confidence rating.
        • Medium Assessment – the assessment is conducted by the Government, but at a lower level than a High assessment, and the confidence level is “Medium.”
        • High Assessment – the assessment is conducted by Government personnel and results in a confidence level of “High.”
        • Covered contractor information system – definition from DFARS 252.204-7012
     • This clause requires a contractor to provide access to its facilities, its self-assessments, the documentation associated with the information system/assessment, and personnel, based on the risk associated with the CDI/CUI (Controlled Unclassified Information) data that a contractor handles such that the contractor must be at either High or Medium.
  29. 29. D. POTENTIAL ISSUES
     • A potential big issue for small businesses – you have been awarded contracts with DFARS 252.204-7012 since December 31, 2017 (or earlier) and you have not performed any assessment of your IT system. Would this matter if you were never provided any CDI/CUI?
     • You have never had a DoD contract where you have handled CDI/CUI and therefore you have never done a self-assessment, and your contract award date slipped past the originally planned award date that was prior to November 30, 2020. The issue will be whether or not your “new” contract includes DFARS 252.204-7012. Since the new requirements are not based on the actual data that is handled as part of the contract (i.e., you could have DFARS 252.204-7012 in your contract but no access to CDI/CUI, as in the first bullet), the DFARS 252.204-7019 requirement does not care. You must have the assessment because your contract contains DFARS 252.204-7012.
     • An issue for all contractors – you have a POAM and you never hit your milestones; instead you keep changing the date.
  30. 30. III. CYBERSECURITY MATURITY MODEL CERTIFICATION REQUIREMENTS AND STATUS - SUSAN WARSHAW EBNER, STINSON LLP
  31. 31. A. Cybersecurity Maturity Model Certification is a Unifying Comprehensive and Scalable Standard for Implementation of Cybersecurity Across the DIB
     • New Clause: DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, Effective November 30, 2020
     • Requires Present Contractor’s Compliance with Identified CMMC Level for Contract Award and Life of Contract
     • CMMC Establishes 5 Levels Of Cyber Compliance:
        • Level 1 – Basic Cyber Hygiene – 52.204-21 (FCI and CUI)
        • Level 2 – Intermediate Cyber Hygiene – Getting Ready for Handling DoD CUI
        • Level 3 – Good Cyber Hygiene – Lowest level for handling DoD CUI
        • Level 4 – Proactive Cyber Hygiene, Protect CUI and Reduce Risk of Advanced Persistent Threats (APTs)
        • Level 5 – Advanced/Progressive Cyber Hygiene, Protect CUI and Reduce Risk of Advanced Persistent Threats (APTs)
     • Coverage at Appropriate “Entire Enterprise Network”, “Segment”, “Enclave”
     • All Contracts, Except Exclusively COTS, Require Contractor CMMC Certification for Award
     • Requires Flowdown Throughout Contractor’s Entire Supply Chain
  32. 32. B. CMMC ASSESSMENTS AND CERTIFICATIONS
     • Historically DCMA/DIBCAC Conducts Assessments
     • Moving Forward CMMC Advisory Board (CMMC-AB) Has Been Established for Third Party Assessment Matters
     • C3PAOs Must Be Accredited and Meet All DoD Requirements and Fully Comply with ISO/IEC 17020
     • Only Authorized or Certified CMMC Assessors May Conduct CMMC Assessments
     • US Citizenship Required for CA-1, -3, -5 Assessors
     • International C3PAOs
        • Must Be Citizens of the Country Where the C3PAO is Based
        • Authorized Only to Assess Contractors Based in that Country per Bi-Lateral Agreements
     • CMMC-AB Marketplace
     • Contractor’s C3PAO Assessment Will Be Sent to DoD for CMMC Certification
     • Generally, CMMC Certificate Will Be Valid for 3 Years
  33. 33. D. DISPUTE RESOLUTION PROCESSES
     • C3PAO Assesses; CMMC-AB Maintains/Stores the Reports
     • DIB Contractor Receives C3PAO Assessment
     • May Submit Dispute Adjudication Request to CMMC-AB, e.g., Support with Information re Errors, Malfeasance, Ethical Lapses by C3PAO
     • CMMC-AB Will Follow Formal Process to Review Adjudication Request and Provide Preliminary Finding
     • If Contractor Disagrees, CMMC-AB Staff will perform Additional Assessment
     • What If Contractor Still Disagrees? Can It bring a Protest? Raise a Claim?
     E. DOD ROLL OUT:
     • 5 Year Phased In Roll Out Plan Runs Until September 30, 2025, Where 252.204-7012 Clause in Contract and SOW Requires a CMMC Level, Except Exclusively COTS Contract
     • Primes Required to Flow Down Appropriate CMMC Requirement to Subcontractors
     * https://www.acq.osd.mil/cmmc/faq.html
  34. 34. IV. CMMC ROLL-OUT ISSUES - DAVID DEMPSEY, DEMPSEY FONTANA, PLLC
     A. CYBERSECURITY AND CMMC VOCABULARY
     B. CUI
     C. OTHER ISSUES
  35. 35. IV. CMMC ROLL-OUT ISSUES: A. CYBERSECURITY AND CMMC VOCABULARY
     SOURCES: CMMC GLOSSARY (NOV. 30, 2020); NIST (NUMEROUS SPs AND IRs); CNSSI 4009 GLOSSARY (APR. 6, 2015); FIPS; DoD INSTRUCTIONS
     → CMMC CERTIFICATION BOUNDARY (ASSESSMENT BOUNDARY)
     → SECURITY CONTROL ASSESSMENT
     → ENABLING ASSET
     → FCI, CUI, CDI, CTI, SI (SENSITIVE INFORMATION)
     → BASELINE, BASELINE CONFIGURATION, BASELINE SECURITY
     → CHANGE CONTROL (CHANGE MANAGEMENT)
     → CONTAINER (INFORMATION ASSET CONTAINER)
     → LEAST PRIVILEGE
     → SANDBOXING
  36. 36. IV. CMMC ROLL-OUT ISSUES: B. CUI
     ► DOES FCI = CUI?
     ► CUI MARKINGS: CUI//SP-PROCURE; CUI; CUI//SP-CTI; CUI//SP-EXPT; CUI//SP-PROPIN
        ● CUI BASIC
        ● CUI SPECIFIED
        ● PLUS OTHER MARKINGS: FAR 15.215-1(e) title page; DFARS tech data and software markings; DoD Distribution Statements for CTI; company proprietary markings
     ► “AUTHORIZED HOLDER” (PERMITTED TO DESIGNATE OR HANDLE CUI)
        ● DODI 5200.48, Controlled Unclassified Information (March 6, 2020); Controlled Unclassified Information Markings (Nov. 4, 2020) (LDCs such as FEDCON, NOFORN, NOCON, DL ONLY)
        ● DOD phased CUI program implementation – IGNORE ISOO CUI MARKINGS
     ► CUI AND CLASSIFIED MARKINGS: COMMINGLED (32 CFR 117.13/14) (FEB 2021)
  37. 37. IV. CMMC ROLL-OUT ISSUES: C. OTHER ISSUES
     ► PILOT PROGRAMS IDENTIFIED
     ► CMMC ASSESSMENT GUIDANCE:
        ● LEVEL 1 ASSESSMENT GUIDE (V. 1.10): The Level 1 assessment criteria are authoritative and provide a basis for a certified assessor to conduct an assessment of a practice.
        ● LEVEL 3 ASSESSMENT GUIDE (V. 1.10): (1) Certified assessors will use this assessment guide to conduct CMMC Level 2 and Level 3 assessments; (2) A contractor can achieve a CMMC certification for the enterprise network or particular segment(s) depending on the scope of the CMMC assessment; (3) Prior to a CMMC assessment, the contractor must define the scope for the assessment that represents the boundary for which the CMMC certificate will be issued.
     ► PROTESTS, CONTRACT/SUBCONTRACT REAs and CLAIMS
  38. 38. HOW WILL THE RECENT SOLARWINDS CYBER ATTACK AND OTHERS IMPACT CMMC THRESHOLDS? - CHUCK BROOKS, chetz18@aol.com
  39. 39. JODY REED, jreed@mwllegal.com
     • YOU HAVE SUBMITTED A PROPOSAL THAT WAS TO BE AWARDED PRIOR TO NOV 30 BUT IT NOW HAS BEEN DELAYED. ARE YOU STILL ELIGIBLE FOR AWARD?
     • WAS YOUR SOLICITATION REVISED TO ADD THE 252.204-7019 CLAUSE?
     • AND IF NOT, WOULD THE CHRISTIAN DOCTRINE WRITE IT IN?
     • WOULD THIS BE PROTESTABLE? WHAT ARE YOUR CHANCES TO PREVAIL IN A PROTEST?
  40. 40. HAS CMMC-AB STARTED TO CERTIFY C3PAOS AND ASSESSORS? - SUSAN WARSHAW EBNER, susan.ebner@stinson.com
  41. 41. PLEASE IDENTIFY AND EXPLAIN WHAT YOU CONSIDER THE FOUNDATION FOR CONTRACTOR IMPLEMENTATION - DAVID DEMPSEY, ddempsey@deftlaw.com, 703-880-9171
  42. 42. WHAT RECOMMENDATIONS DO YOU SUGGEST COMPANIES PURSUE TO MAKE THEMSELVES MORE CYBER-SECURE? - CHUCK BROOKS, chetz18@aol.com
  43. 43. WHAT LEVEL OF CMMC MUST PRIME CONTRACTORS REQUIRE OF THEIR SUB-CONTRACTORS? - SUSAN WARSHAW EBNER, susan.ebner@stinson.com, 202-572-9927
  44. 44. WHO IS SUPPOSED TO DECIDE ON WHETHER A PARTICULAR PROGRAM REQUIRES DFARS 252.204-7012 AND THE ASSESSMENT LEVEL PURSUANT TO DFARS 252.204-7019? - JODY REED, jreed@mwllegal.com
  45. 45. WILL CMMC LEVEL 2 BE USED BETWEEN NOW AND FY 2025? - DAVID DEMPSEY, ddempsey@deftlaw.com
  46. 46. NOW OPEN FOR AUDIENCE QUESTIONS
  47. 47. THANK YOU FOR ATTENDING. THANK YOU TO OUR SPEAKERS. PPTS ARE AVAILABLE ON SLIDESHARE.NET
  48. 48. ADDITIONAL QUESTIONS FOR OUR SPEAKERS
     • CHUCK BROOKS, chetz18@aol.com, 571-296-2164
     • SUSAN WARSHAW EBNER, susan.ebner@stinson.com, 202-572-9927
     • DAVID DEMPSEY, ddempsey@deftlaw.com, 703-880-9171
     • JODY REED, jreed@mwllegal.com, 703-483-2818
  49. 49. GOVCON Q&A CAFE - Hello@JenniferSchaus.com - Washington, DC - 202-365-0598
