Jennifer Schaus & Associates - Washington DC based consulting firm for federal contractors - presents a 2021 Webinar Series on various topics in federal government contracting. Learn more about the series here and get the webinar recording: https://www.jenniferschaus.com/q-a-cafe
2. JSCHAUS & ASSOCIATES - WASH DC
HELLO@JENNIFERSCHAUS.COM
GOVCON - Q&A CAFE
2ND FRIDAY OF EACH MONTH
12PM – 1.30PM [EASTERN]
CONTENT & LIVE Q&A FROM GOVCON EXPERTS
RECORDINGS AVAILABLE AT THE SAME REGISTRATION LINK
PPTS AVAILABLE AT SLIDESHARE.NET
3. 8 JANUARY: CYBERSECURITY / CMMC
12 FEBRUARY: OTA – OTHER TRANSACTION AUTHORITIES
12 MARCH: BID PROTEST
19 APRIL: TEAMING AGREEMENTS
14 MAY: SUB-CONTRACTING
11 JUNE: SALES AND CAPTURE
4. GOVCON - Q&A CAFÉ - 2021
9 JULY: PROPOSAL WRITING
13 AUGUST: COMPLIANCE
10 SEPTEMBER: ORAL PRESENTATIONS
8 OCTOBER: SET-ASIDES
12 NOVEMBER: PRICING
10 DECEMBER: M&A
5. ABOUT OUR CONSULTING SERVICES FOR FEDERAL CONTRACTORS:
* MARKET ANALYSIS
* PROPOSAL WRITING
* PRICING
* COMPLIANCE / ADMINISTRATION
* MARKETING & BUSINESS DEVELOPMENT / CAPTURE
* GSA SCHEDULE
6. ABOUT OUR WEBINARS
OVER 400+ COMPLIMENTARY GOVCON WEBINARS ON OUR YOUTUBE CHANNEL COVERING GSA SCHEDULES TO PRICING TO COMPLIANCE
JOIN US ON WEDNESDAYS IN 2021 FOR A COMPLIMENTARY SERIES COVERING EACH PART OF THE DFARS, SEQUENTIALLY
DFAR | GOVERNMENT CONTRACTS (JENNIFERSCHAUS.COM)
2020 WEBINARS COVERED EACH PART OF THE FAR, SEQUENTIALLY
FAR | GOVERNMENT CONTRACTS (JENNIFERSCHAUS.COM)
7. THANK YOU TO OUR SPONSORS
SPONSOR INFO:
HELLO@JENNIFERSCHAUS.COM
8. C3 Integrated Solutions is a full-service IT provider, helping DoD contractors achieve CMMC compliance through cloud-based solutions including Microsoft 365 GCC and GCC High.
No matter where you are on your journey to CMMC compliance, C3 can help.
C3’s unique, step-by-step CMMC Readiness Program helps companies comply with NIST 800-171 and CMMC.
Learn more at https://C3isit.com/cmmc
9. The National Veteran Small Business Coalition (NVSBC) is the largest non-profit trade association in the country representing veteran and service-disabled veteran-owned small business in the federal marketplace as prime and subcontractors. NVSBC provides networking, match-making, coaching, and training opportunities for members.
Please visit: www.nvsbc.org
10. Set-Aside Alert is the premier federal government contract information service, focused on small businesses, minority-owned and women-owned businesses, veteran- and SDV-owned businesses, SBA 8(a)-certified companies and HUBzone businesses. The newsletter provides RFP opportunities for set-asides.
www.setasidealert.com
Tom Johnson
301-229-5561
11. Free, confidential counseling + online resources & training
SAM/DSBS
Certifications & set-asides: 8(a), EDWOSB, WOSB, VOSB, SDVOSB, HUBZone
NAICS Codes
State & Local (eVA, SWAM)
Capabilities statements
Marketing to the government
Market research
Business development
Proposals / RFP responses
Security clearances
Compliance
Teaming / subcontracting strategies
GSA Schedules
Pricing
Contract management
Contract performance & more
THIS PROCUREMENT TECHNICAL ASSISTANCE CENTER IS FUNDED IN PART THROUGH A COOPERATIVE AGREEMENT WITH THE DEFENSE LOGISTICS AGENCY.
Step 1) Full training calendar: virginiaptac.org
tip: click “year” above the calendar to see list form & use the filter features to find specific topics
Step 2) Register as client https://virginiaptac.org/services/counseling/
Outside Virginia? visit www.aptac-us.org to find your local PTAC
Help with registration, counseling, classes – ptac@gmu.edu or 703-277-7750
Check out the Bid Match Service Subscription
(110+ Federal, State, Local, International)
12. JANUARY 8, 2021
CYBER SECURITY / CMMC
13. WELCOME & THANK YOU TO OUR SPEAKERS
14. CHUCK BROOKS
BROOKS CONSULTING INTERNATIONAL
CHETZ18@AOL.COM
571-296-2164
15. JODY REED
MCMAHON, WELCH AND LEARNED, PLLC
JREED@MWLLEGAL.COM
703-483-2818
16. SUSAN WARSHAW EBNER
STINSON LLP
SUSAN.EBNER@STINSON.COM
202-572-9927
17. DAVID DEMPSEY
DEMPSEY FONTANA, PLLC
ddempsey@deftlaw.com
703-880-9171
19. WHAT WE WILL COVER TODAY:
I. WHY CMMC WAS CREATED
II. BASIC ASSESSMENT REQUIREMENTS AND STATUS
III. CMMC REQUIREMENTS AND STATUS
IV. CMMC ROLL OUT ISSUES
20. I. WHY CMMC WAS CREATED – CHUCK BROOKS
21. CMMC BASICS:
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain.
DoD's prime contractors and subcontractors must satisfy one of the five CMMC trust levels. These entities must prove sufficient cybersecurity implementation by completing independent validation activities.
CMMC will be phased in, with new contracts starting Q4 2020 through 2026.
While the CMMC framework is not finalized yet, it is known that this new umbrella standard will include requirements from NIST 800-171, FAR clause 52.204-21, and beyond.
22. The Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) in response to the increase of malicious cyber attacks, especially against supply chains. (SolarWinds now being the most pervasive.) Examples of earlier attacks:
Jan-Feb 2018: Compromise of US Navy “Operation SEA DRAGON” – Chinese hackers stole sensitive U.S. Navy submarine plans from Rhode Island DoD contractor. Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.
March 2019: US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers - The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal.
Sept-Dec 2019: Compromise of Emails and LinkedIn Accounts of military defense companies - the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools.
2017-2020: The Chinese APT Threat to Cleared Defense Contractors - cybersecurity firm Lookout linked an APT15 malware sample to a Chinese defense contractor.
Feb-June 2020: DCSA Bulletin – US Defense Focused – DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities.
23. Five levels of CMMC certification:
Each level will require more practices and controls than the previous, with level one being the lowest and five being the highest level. The certification will be valid for three years.
• Basic Cyber Hygiene
• Intermediate Cyber Hygiene
• Good Cyber Hygiene
• Proactive
• Advanced or Progressive
24. Integrating new solutions for bolstering cybersecurity including:
Compliant platforms
Encrypted assets
Data back-ups
Monitoring
Management
What’s Next?
• In December 2020 DoD disclosed the first seven contracts that are likely to be the initial test cases for the Cybersecurity Maturity Model Certification (CMMC) program.
• An interim rule that formally laid down the regulatory framework for CMMC began in December 2020. DoD is now reviewing comments from industry ahead of any potential changes the department might make to the rule.
• Lawmakers have included nine provisions in the fiscal 2021 National Defense Authorization Act asking for more details and insights into how DoD will roll out CMMC.
25. II. BASIC ASSESSMENT REQUIREMENTS AND STATUS
JODY REED
MCMAHON, WELCH & LEARNED, PLLC
26. A. DFARS INTERIM RULE ISSUED SEPTEMBER 29, 2020
• Effective Date: November 30, 2020
• The Rule added three new DFARS Clauses
  • DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7021 Contractor Compliance with The Cybersecurity Maturity Model Certification Level Requirement
• Once the Rule became effective, DoD was not supposed to award any contracts that included the DFARS 252.204-7012 clause to any contractors who did not comply with DFARS 252.204-7019. There is no exception for FAR Part 12 commercial contracts. The only exception is for COTS.
27. B. DFARS 252.204-7019 NOTICE OF NIST SP 800-171 DOD ASSESSMENT REQUIREMENTS
• Key Definitions:
  • Assessment levels – Basic, Medium & High all have the meanings from NIST SP 800-171
  • Covered contractor information system – definition from DFARS 252.204-7012
• Requirement – after November 30, 2020 a contractor cannot be awarded a contract unless they have a recent assessment (within 3 years) posted in the Supplier Performance Risk System (SPRS) at https://sprs.csd.disa.mil/ for all covered contractor information systems relevant to the offer. The contract must also include DFARS 252.204-7012 for this requirement to be applicable.
• Unless the assessment is at the Basic level, the assessment is conducted by another organization. The assessment is based on a spreadsheet which results in a “summary level score” of the contractor’s compliance with NIST SP 800-171. Each security requirement is weighted based on the impact to the information system and any covered defense information (CDI) that passes through the system. A contractor may have negative scores and a maximum score is 110.
• If a contractor does not have any summary scores from a current assessment, it may conduct its own assessment and submit it to webptsmh@navy.mil who will post it to SPRS.
• Oddly enough there is no requirement in the clause that a contractor have a particular score in order to be awarded a contract.
28. C. DFARS 252.204-7020 NIST SP 800-171 DOD ASSESSMENT REQUIREMENTS
• Key Definitions:
  • Basic Assessment – the self assessment by a contractor that results in a “Low” confidence rating.
  • Medium Assessment – the assessment is conducted by the Government, but at a lower level than a High assessment and the confidence level is “Medium.”
  • High Assessment – the assessment is conducted by Government personnel and results in a confidence level of “High.”
  • Covered contractor information system – definition from DFARS 252.204-7012
• This clause requires a contractor to provide access to its facilities, its self assessments, the documentation associated with the information system/assessment and personnel based on the risk associated with the CDI/CUI (Controlled Unclassified Information) data that a contractor handles such that the contractor must be at either High or Medium.
29. D. POTENTIAL ISSUES
• A potential big issue for small businesses – you have been awarded contracts with DFARS 252.204-7012 since December 31, 2017 (or earlier) and you have not performed any assessment of your IT system. Would this matter if you were never provided any CDI/CUI?
• You have never had a DoD contract where you have handled CDI/CUI and therefore, you have never done a self-assessment and your contract award date slipped past the originally planned award date that was prior to November 30, 2020. The issue will be whether or not your “new” contract includes DFARS 252.204-7012. Since the new requirements are not based on the actual data that is handled as part of the contract, i.e., you could have DFARS 252.204-7012 in your contract but there is no access to CDI/CUI, (first bullet), the DFARS 252.204-7019 requirement does not care. You must have the assessment because your contract contains DFARS 252.204-7012.
• An issue for all contractors – you have a POAM and you never hit your milestones, instead you keep changing the date.
30. III. CYBERSECURITY MATURITY MODEL CERTIFICATION REQUIREMENTS AND STATUS
SUSAN WARSHAW EBNER
STINSON LLP
31. A. Cybersecurity Maturity Model Certification is a Unifying Comprehensive and Scalable Standard for Implementation of Cybersecurity Across the DIB
• New Clause: DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, Effective November 30, 2020
• Requires Present Contractor’s Compliance with Identified CMMC Level for Contract Award and Life of Contract
• CMMC Establishes 5 Levels Of Cyber Compliance:
  • Level 1 – Basic Cyber Hygiene – 52.204-21 (FCI and CUI)
  • Level 2 – Intermediate Cyber Hygiene – Getting Ready for Handling DoD CUI
  • Level 3 – Good Cyber Hygiene – Lowest level for handling DoD CUI
  • Level 4 – Proactive Cyber Hygiene, Protect CUI and Reduce Risk of Advanced Persistent Threats (APTs)
  • Level 5 – Advanced/Progressive Cyber Hygiene, Protect CUI and Reduce Risk of Advanced Persistent Threats (APTs)
• Coverage at Appropriate “Entire Enterprise Network”, “Segment”, “Enclave”
• All Contracts, Except Exclusively COTS, Require Contractor CMMC Certification for Award
• Requires Flowdown Throughout Contractor’s Entire Supply Chain
32. B. CMMC ASSESSMENTS AND CERTIFICATIONS
• Historically DCMA/DIBCAC Conducts Assessments
• Moving Forward CMMC Advisory Board (CMMC-AB) Has Been Established for Third Party Assessment Matters
• C3PAOs Must Be Accredited and Meet All DoD Requirements and Fully Comply with ISO/IEC 17020
• Only Authorized or Certified CMMC Assessors May Conduct CMMC Assessments
• US Citizenship Required for CA-1, -3, -5 Assessors
• International C3PAOs
  • Must Be Citizens of the Country Where the C3PAO is Based
  • Authorized Only to Assess Contractors Based in that Country per Bi-Lateral Agreements
• CMMC-AB Marketplace
• Contractor’s C3PAO Assessment Will Be Sent to DoD for CMMC Certification
• Generally, CMMC Certificate Will Be Valid for 3 Years
33. D. DISPUTE RESOLUTION PROCESSES
• C3PAO Assesses; CMMC-AB Maintains/Stores the Reports
• DIB Contractor Receives C3PAO Assessment
• May Submit Dispute Adjudication Request to CMMC-AB, e.g., Support with Information re Errors, Malfeasance, Ethical Lapses by C3PAO
• CMMC-AB Will Follow Formal Process to Review Adjudication Request and Provide Preliminary Finding
• If Contractor Disagrees, CMMC-AB Staff will perform Additional Assessment
• What If Contractor Still Disagrees? Can It bring a Protest? Raise a Claim?
E. DOD ROLL OUT:
• 5 Year Phased In Roll Out Plan Runs Until September 30, 2025, Where 252.204-7012 Clause in Contract and SOW Requires a CMMC Level, Except Exclusively COTS Contract
• Primes Required to Flow Down Appropriate CMMC Requirement to Subcontractors
* https://www.acq.osd.mil/cmmc/faq.html
34. IV. CMMC ROLL-OUT ISSUES
A. CYBERSECURITY AND CMMC VOCABULARY
B. CUI
C. OTHER ISSUES
DAVID DEMPSEY
DEMPSEY FONTANA, PLLC
35. IV. CMMC ROLL-OUT ISSUES
A. CYBERSECURITY AND CMMC VOCABULARY
SOURCES: CMMC GLOSSARY (NOV. 30, 2020)
NIST (NUMEROUS SPs AND IRs)
CNSSI 4009 GLOSSARY (APR. 6, 2015)
FIPS
DoD INSTRUCTIONS
→ CMMC CERTIFICATION BOUNDARY (ASSESSMENT BOUNDARY)
→ SECURITY CONTROL ASSESSMENT
→ ENABLING ASSET
→ FCI, CUI, CDI, CTI, SI (SENSITIVE INFORMATION)
→ BASELINE, BASELINE CONFIGURATION, BASELINE SECURITY
→ CHANGE CONTROL (CHANGE MANAGEMENT)
→ CONTAINER (INFORMATION ASSET CONTAINER)
→ LEAST PRIVILEGE
→ SANDBOXING
36. IV. CMMC ROLL-OUT ISSUES
B. CUI
► DOES FCI = CUI?
► CUI MARKINGS: CUI//SP-PROCURE; CUI; CUI//SP-CTI; CUI//SP-EXPT; CUI//SP-PROPIN
● CUI BASIC ● CUI SPECIFIED
● PLUS OTHER MARKINGS: FAR 15.215-1(e) title page; DFARS tech data and software markings; DoD Distribution Statements for CTI; company proprietary markings
► “AUTHORIZED HOLDER” (PERMITTED TO DESIGNATE OR HANDLE CUI)
● DODI 5200.48, Controlled Unclassified Information (March 6, 2020); Controlled Unclassified Information Markings (Nov. 4, 2020) (LDCs such as FEDCON, NOFORN, NOCON, DL ONLY)
● DOD phased CUI program implementation – IGNORE ISOO CUI MARKINGS
► CUI AND CLASSIFIED MARKINGS: COMMINGLED (32 CFR 117.13/14) (FEB 2021)
37. IV. CMMC ROLL-OUT ISSUES
C. OTHER ISSUES
► PILOT PROGRAMS IDENTIFIED
► CMMC ASSESSMENT GUIDANCE:
● LEVEL 1 ASSESSMENT GUIDE (V. 1.10): The Level 1 assessment criteria are authoritative and provide a basis for a certified assessor to conduct an assessment of a practice.
● LEVEL 3 ASSESSMENT GUIDE (V. 1.10): (1) Certified assessors will use this assessment guide to conduct CMMC Level 2 and Level 3 assessments; (2) A contractor can achieve a CMMC certification for the enterprise network or particular segment(s) depending on the scope of the CMMC assessment; (3) Prior to a CMMC assessment, the contractor must define the scope for the assessment that represents the boundary for which the CMMC certificate will be issued.
► PROTESTS, CONTRACT/SUBCONTRACT REAs and CLAIMS
38. HOW WILL THE RECENT SOLARWINDS CYBER ATTACK AND OTHERS IMPACT CMMC THRESHOLDS?
CHUCK BROOKS
CHETZ18@AOL.COM
39. • YOU HAVE SUBMITTED A PROPOSAL THAT WAS TO BE AWARDED PRIOR TO NOV 30 BUT IT NOW HAS BEEN DELAYED. ARE YOU STILL ELIGIBLE FOR AWARD?
• WAS YOUR SOLICITATION REVISED TO ADD THE 252.204-7019 CLAUSE?
• AND IF NOT, WOULD THE CHRISTIAN DOCTRINE WRITE IT IN?
• WOULD THIS BE PROTESTABLE? WHAT ARE YOUR CHANCES TO PREVAIL IN A PROTEST?
JODY REED
JREED@MWLLEGAL.COM
40. HAS CMMC-AB STARTED TO CERTIFY C3PAOS AND ASSESSORS?
SUSAN WARSHAW EBNER
SUSAN.EBNER@STINSON.COM
41. PLEASE IDENTIFY AND EXPLAIN WHAT YOU CONSIDER THE FOUNDATION FOR CONTRACTOR IMPLEMENTATION
DAVID DEMPSEY
DDEMPSEY@DEFTLAW.COM
703-880-9171
42. WHAT RECOMMENDATIONS DO YOU SUGGEST COMPANIES PURSUE TO MAKE THEMSELVES MORE CYBER-SECURE?
CHUCK BROOKS
CHETZ18@AOL.COM
43. WHAT LEVEL OF CMMC MUST PRIME CONTRACTORS REQUIRE OF THEIR SUB-CONTRACTORS?
SUSAN WARSHAW EBNER
SUSAN.EBNER@STINSON.COM
202-572-9927
44. WHO IS SUPPOSED TO DECIDE ON WHETHER A PARTICULAR PROGRAM REQUIRES DFARS 252.204-7012 AND THE ASSESSMENT LEVEL PURSUANT TO DFARS 252.204-7019?
JODY REED
JREED@MWLLEGAL.COM
45. WILL CMMC LEVEL 2 BE USED BETWEEN NOW AND FY 2025?
DAVID DEMPSEY
DDEMPSEY@DEFTLAW.COM
46. NOW OPEN FOR AUDIENCE QUESTIONS
47. THANK YOU FOR ATTENDING
THANK YOU TO OUR SPEAKERS
PPTS ARE AVAILABLE ON SLIDESHARE.NET
48. ADDITIONAL QUESTIONS FOR OUR SPEAKERS
CHUCK BROOKS: CHETZ18@AOL.COM, 571-296-2164
SUSAN WARSHAW EBNER: SUSAN.EBNER@STINSON.COM, 202-572-9927
DAVID DEMPSEY: DDEMPSEY@DEFTLAW.COM, 703-880-9171
JODY REED: JREED@MWLLEGAL.COM, 703-483-2818
49. GOVCON Q&A CAFE
Hello@JenniferSchaus.com
Washington, DC
202-365-0598