
CMMC DFARS/NIST SP 800-171

The DoD released v1.02 of the CMMC model on March 18, 2020. Walk through the slides to understand:
1. CMMC/DFARS/NIST SP 800-171
2. CMMC Framework
3. CMMC Levels & Requirements
4. The CMMC effort builds upon existing regulation
5. CMMC – Asset Management
6. CMMC Practices Across Domains per Maturity Levels
7. NIST 800-171 to CMMC Gaps
8. Certification & Accreditation Details
9. CMMC Training
10. Challenges being solved by Ignyte | Training
11. Challenges being solved by Ignyte | Automation
12. What is included within the Full CMMC Accreditation Package?
13. CMMC Accreditation Process Automated

Shubhankit


Presentation Transcript


  1. IGNYTE ASSURANCE PLATFORM – Cybersecurity Maturity Model Certification (CMMC), April 2020 © 2020 IGNYTE | All Rights Reserved

  2. AGENDA
     • Introductions
     • CMMC/DFARS/NIST SP 800-171
     • CMMC Framework
     • CMMC Levels & Requirements
     • The CMMC effort builds upon existing regulation
     • CMMC – Asset Management
     • CMMC Practices Across Domains per Maturity Levels
     • NIST 800-171 to CMMC Gaps
     • Certification & Accreditation Details
     • CMMC Training
     • Challenges being solved by Ignyte | Training
     • Challenges being solved by Ignyte | Automation
     • What is included within the Full CMMC Accreditation Package?
     • CMMC Accreditation Process Automated

  3. Max Aulakh, MBA, CISSP, PMP, ITIL-F
     General Partner | Ignyte Platform
     Ignyte Assurance Platform
     Defense Cyber Security Professional
     US Military Top Secret Clearance
     • Experience:
       • Enterprise Risk Leader – 15 years of Business and Security Technology Leadership experience
       • Corporate security experience – WorldPay, NCR, IBM, Dell, Credit Union, GDRTA, etc.
       • Federal agency cyber experience – USAF, Army, Navy, DOS, NRO, NGA, CIA, NSA, NASIC and other units, for system accreditations
     • Formal Education & Credentials:
       • Wright State University – MBA (2014)
       • American Military University – B.S. Information Security, Computer Science (2009)
       • Community College of the Air Force – Criminal Justice (2009)
     • Cyber & Technology Industry Credentials: CISSP, PMP, Linux+, Security+, Network+, ITIL-F, Certified ScrumMaster
     • Cigital Defensive Programming, OWASP, Threat Modeling, etc.
     • Cyber Regulatory/Frameworks – NIST, HIPAA, HITRUST, SOC 1/2, CIS, FFIEC, ISO 27K, FISMA
     • Formal Military Physical Security Training: Counter Terrorism, HAZMAT, Explosive Ordnance, Customs, Use of Force, LOAC, Force Protection, Combat Leadership, Ground Defense Command, SERE, Bloodborne Pathogens
     • Formalized Weapon Systems Training: M9, M4, M2, M249 & M240B
     • US Military Operational – Security Focused Global Tour of Duties:
       • 2007-2009: Iraq – Security Forces Member
       • 2006-2007: Afghanistan – Security Forces Member/Linguist
       • 2005-2006: Iraq – Security Forces/Classified Systems Member
       • 2003-2005: Turkey – US Nuclear Weapons Systems Administrator & Security Member

  4. CMMC/DFARS/NIST SP 800-171
     Cybersecurity Maturity Model Certification (CMMC)
     • The DoD released v1.02 of the CMMC model on March 18, 2020.
     • The DoD created CMMC in response to the continued exfiltration of controlled unclassified information (CUI) from its supply chain.
     • CMMC does not allow Plans of Action & Milestones (POA&Ms) for unmet practices, unlike the current DFARS requirement: every practice at the target level must be implemented at the time of assessment.
     • CMMC will serve as the unified cybersecurity standard and will be incorporated as a "go/no-go" requirement for DoD acquisitions.
     • The DoD will require certified Third-Party Assessment Organizations (C3PAOs) to assess all DoD contractors; self-attestation will no longer be enough.
     • CMMC requirements were expected to appear in RFPs in September 2020.
     Defense Federal Acquisition Regulation Supplement (DFARS)
     • DFARS is an acquisition regulation, not a statute. The November 4, 2010 date usually cited here is that of Executive Order 13556, which created the CUI program; the DFARS cybersecurity clause (252.204-7012) implements it for the defense supply chain.
     • It was the government's effort to protect the U.S. defense supply chain.
     • It mandates that private DoD contractors adopt cybersecurity controls that follow NIST SP 800-171.
     • DFARS lets contracting companies "self-attest" to their contract requirements after they have already won the contract.
     NIST SP 800-171
     • NIST Special Publication 800-171 specifies the requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations.
     • It builds on the Federal Information Security Management Act (FISMA), enacted in 2002, which gives NIST its role in setting federal information security standards.

  5. CMMC FRAMEWORK
     • The Cybersecurity Maturity Model Certification (CMMC) framework consists of maturity processes and cybersecurity best practices drawn from multiple security standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB).
     • The purpose of CMMC is to measure the level of cybersecurity maturity of prime contractors and their supply chain that work with the DoD, in order to protect Controlled Unclassified Information (CUI).
     • CMMC encompasses the security requirements for CUI specified in NIST SP 800-171 for DFARS clause 252.204-7012, as well as the basic safeguarding requirements for Federal Contract Information (FCI) specified in FAR clause 52.204-21.
     • The model framework (below) organizes these processes and practices into a set of domains and maps them across five levels.
     • To provide additional structure, the framework aligns the practices to a set of capabilities within each domain.
     • The framework divides the practices into 17 domains, with most practices contained in six domains:
       • Access Control (AC)
       • Audit and Accountability (AU)
       • Incident Response (IR)
       • Risk Management (RM)
       • Systems and Communications Protection (SC)
       • System and Information Integrity (SI)
     • The remaining 11 domains have most of their practices required only at the higher levels of certification.
     [Figure: model structure] The model encompasses multiple domains. For a given domain, there are processes, capabilities and practices, each spanning a subset of the 5 levels.

  6. CMMC LEVELS & REQUIREMENTS
     Focus:
     • Level 1: Safeguard Federal Contract Information (FCI)
     • Level 2: Serve as a transition step in cybersecurity maturity progression toward protecting CUI
     • Level 3: Protect CUI
     • Levels 4-5: Protect CUI and reduce the risk from Advanced Persistent Threats (APTs)
     Practices per level (each level is cumulative and includes every practice of the levels below it):
     • Level 5 – 171 practices: Advanced
       • Encompasses ALL 110 requirements from NIST SP 800-171
       • Includes a select subset of 4 enhanced requirements from DRAFT NIST SP 800-171B
       • Includes an additional 11 practices to demonstrate an advanced, progressive cybersecurity program
     • Level 4 – 156 practices: Proactive
       • Encompasses ALL 110 requirements from NIST SP 800-171
       • Includes a select subset of 11 enhanced requirements from DRAFT NIST SP 800-171B
       • Includes an additional 15 practices to demonstrate a proactive cybersecurity program
     • Level 3 – 130 practices: Good Cyber Hygiene
       • Encompasses ALL 110 requirements from NIST SP 800-171
       • Includes an additional 20 practices to support good cyber hygiene
     • Level 2 – 72 practices: Intermediate Cyber Hygiene
       • Includes a subset of 48 requirements from NIST SP 800-171 (CUI) on top of the Level 1 practices
       • Includes an additional 7 practices to support intermediate cyber hygiene
     • Level 1 – 17 practices: Basic Cyber Hygiene
       • Consists of the safeguarding requirements specified in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21

  7. THE CMMC EFFORT BUILDS UPON EXISTING REGULATIONS
     • Specific existing regulations and references:
       • 48 Code of Federal Regulations (CFR) 52.204-21
       • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
       • NIST SP 800-171 rev 1
       • NIST SP 800-171B (Draft)
       • NIST SP 800-53
       • ISO 27001
       • ISO 27032
       • AIA NAS9933
     • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
     • The intent is for certified independent third-party organizations to conduct assessments and inform risk.
     NIST and CMMC
     • NIST SP 800-171 is a separate special publication from NIST SP 800-53, and many of its requirements can be mapped back to an equivalent SP 800-53 control.
     • CMMC combines practices from 800-171, 800-171B, 800-53 and ISO, among other sources.
     • These controls can be mapped back to CMMC maturity levels within the Ignyte mapping engine.

  8. CMMC – ASSET MANAGEMENT
     • One of the new domains CMMC has added is Asset Management (AM).
     • One of the biggest obstacles for organizations is having complete visibility of what is currently in their environment.
     • With Ignyte's Asset Management Module, organizations will be able to:
       • Identify and document assets
       • Manage the asset inventory
       • Manage asset vulnerabilities
       • Provide automated documentation to auditors/assessors

  9. CMMC PRACTICES ACROSS DOMAINS PER MATURITY LEVELS [figure slide; table not reproduced in transcript]

  10. NIST 800-171 TO CMMC GAPS [figure slide; gap chart not reproduced in transcript]

  11. CERTIFICATION & ACCREDITATION DETAILS
     How will your organization become certified?
     • Your organization will coordinate directly with an accredited and independent certified third-party assessment organization (C3PAO) to request and schedule your CMMC assessment.
     • Your organization will specify the level of certification requested, based on your specific business requirements.
     • Your organization will be awarded certification at the appropriate CMMC level upon demonstrating the required practices and organizational maturity to the satisfaction of the assessor and certifier.
     The accreditation process is being finalized
     • CMMC v1.02 provides useful guidance for the CMMC Accreditation Body to finalize requirements for assessors, and for companies that need to start preparing for their CMMC certification. (Strictly, the Accreditation Body accredits C3PAOs; contractors are certified.)
     • A key driver for contractors is that all practices for the required CMMC level must be met before certification will occur; there is no POA&M path to a conditional pass.
     • Certification must be in place before a contract requiring that level can be awarded.
     What's involved with CMMC certification?
     • The certification will measure a Defense Industrial Base (DIB) sector organization's ability to protect Federal Contract Information (FCI) and CUI.
     • It is intended to serve as a verification mechanism to ensure that appropriate cybersecurity practices and processes are in place to provide basic cyber hygiene and to protect CUI that resides on the Department's industry partners' networks.

  12. CHALLENGES SOLVED BY IGNYTE | TRAINING
     Results
     • Members will be educated about the CMMC certification and the system created by the Department of Defense (DoD) to ensure defense contracting organizations have the controls implemented to secure sensitive information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
     • Members will have knowledge of the CMMC Model Framework.
     • Members will be educated on how the CMMC Framework draws on best practices from various cybersecurity regulations and standards, including NIST 800-171, NIST 800-53, ISO 27001, ISO 27032 and AIA NAS9933, among others.
     Defense contractors can prepare for CMMC compliance
     • Ignyte's CMMC on-demand training is a cost-effective learning solution for defense contracting/manufacturing organizations to address and manage cybersecurity risks in order to be awarded DoD contracts.
     • Ignyte's CMMC on-demand courses offer the convenience and flexibility business managers and IT professionals require to complete their training goals.
     • Ignyte's learning solutions offer:
       • 12 months of unlimited access
       • Online mentoring
       • Content equivalent to classroom training
       • Digital courseware
     • CMMC Certification Training Course
       • 2-day hands-on certification planning
       • Live, Online (scheduled time)
       • In Class (anytime)
       • On Demand (anytime over the web)
       • Mixed Learning (On Demand in addition to instructor support)
       • Private Team Training (on-site)

  13. CHALLENGES SOLVED BY IGNYTE | AUTOMATION
     • Ignyte's accreditation solution handles CMMC and DFARS compliance and risk-mitigation requirements, and makes communication between stakeholders efficient, through workflow automation, predictive insights and automated monitoring.
     • The Ignyte team leverages its proprietary software together with auditor staff to:
       • Conduct proper scoping and characterization to control implementation cost
       • Tailor and modify NIST 800-171 controls to make them relevant to the business
       • Provide a Defense Contractor Repository System
       • Capture CUI, CDI and FCI data types
       • Automate STIG- and CCI-based implementation
       • Integrate SCAP-compliant software
       • Gather evidence continuously through Robotic Process Automation (RPA)
       • Maintain a real-time Plan of Action & Milestones (POA&M)
       • Generate a tailored, real-time System Security Plan (SSP)
       • Run the submission workflow to the C3PAO and assessor
       • Build the Authority to Operate (ATO) package
       • Support collaboration between implementer, assessor, prime contractor and accreditation body

  14. WHAT IS INCLUDED WITHIN THE FULL CMMC ACCREDITATION PACKAGE?
     • Ignyte's certification solution includes the following:
       • Entity size determination
       • Solution implementation
       • Onsite meeting
       • Training
       • Assessment
       • System Security Plan (SSP)
       • Plan of Action and Milestones (POA&Ms)
       • Remediation roadmap
       • CMMC audit preparation
       • CMMC audit walkthrough
       • Audit certification
       • Continued assurance & compliance

  15. CMMC ACCREDITATION PROCESS AUTOMATED – MANAGE THE COMPLETE CMMC ACCREDITATION PROCESS
     • End-to-end commercialized Authorization & Attestation technology
     • Ignyte was built for educated subject matter experts (SMEs) and smart organizations looking to go beyond checklist software
     • Accreditation software means applying a structured approach to mitigating risk by assessing the technical impact on the business
     • Ignyte is:
       • Cost-effective – less than a full-time employee (FTE)
       • Assessor & C3PAO friendly
       • Implementer ready
       • The preferred platform for prime and sub-contractors

  16. CONTACT INFORMATION
     MAX AULAKH
     Ignyte Assurance Platform
     max@ignyteplatform.com
     937-789-4216
     www.ignyteplatform.com
     https://www.dfars-nist-800-171.com/

  17. WELCOME TO THE NEXT ERA OF CYBER ASSURANCE
     Ignyte is the ultimate risk management engine for simplifying compliance across regulations, standards and guidelines.
