DoD government contractors know that CMMC Compliance is critical. They also know that the Compliance process can be complex and confusing.
Each webinar in our CMMC Compliance series is designed to provide you with a solid understanding of the new DFARS requirements. Our goal is to help you “connect the dots” in the complex CMMC Compliance process.
This event touched on all the relevant information pertaining to the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule, which went into effect on December 1, 2020. The DFARS rule introduced not only the CMMC requirement but also two other clauses that impact defense contractors who handle Controlled Unclassified Information (CUI).
The new clauses require companies that handle CUI to perform a NIST 800-171 self-assessment, using NIST 800-171A and the new DoD Assessment Methodology, and report their raw score into the Supplier Performance Risk System. The new rule also allows the DoD to conduct “higher” level assessments that involve document review and potentially an on-site assessment by the Defense Contract Management Agency (DCMA).
CUI stands for Controlled Unclassified Information.
From creation through destruction, there are requirements for handling CUI at every stage. These also have implications for the information systems and physical spaces that touch CUI. Understanding CUI is the very first step in your CMMC journey. If your company handles CUI, or may in the future, then you will need to obtain CMMC maturity level 3.
In this webinar we introduced the concept of the CUI Life Cycle (dodcui.com). Authorized holders of CUI have requirements at each stage in the CUI life cycle. The CUI Life Cycle is a framework for considering the information you’re handling and where it fits within the information life cycle, which helps determine the requirements that currently apply to your information.
In our third webinar, the ATS and OCD Tech CMMC webinar panel debunked numerous CMMC myths. While there are countless myths surrounding the CMMC, we grouped them into the three major categories that we most often hear: CMMC maturity level myths, self-assessment myths, and solution myths.
Some of the myths we covered are:
This event touched on the methodology for achieving alignment with the CMMC and NIST SP 800-171 frameworks adopted by OCD-Tech and ATS.
We introduced the three-phase approach to alignment with a deep dive into phase 1: Gap Analysis & Documentation Creation, and walked the audience through preparing to create a System Security Plan (SSP), including determining scope and informing stakeholders. We also covered how to write proper implementation statements and how to determine a NIST SP 800-171 Self-Assessment Score.
Through this webinar, participants were able to gain an understanding of how to begin to determine alignment or to confirm that they are on the right track in their current readiness exercises.
In this webinar, we took you through seven common remediation gaps and a variety of solutions that meet NIST SP 800-171 and CMMC frameworks.
We provided a general overview of Microsoft services to help you determine which tool you need, reviewed critical cost and feature differences between GCC and GCC High environments, and discussed how to configure the GCC features to get the best value and coverage of your CMMC controls.
In addition, we identified what to look for in the most common tools to satisfy NIST and CMMC gaps, and how to minimize security risks to on-site resources. We also highlighted areas that clients should pay close attention to in order to avoid risk and the potential compromise of CUI. Topics ranged from managing multiple locations to unsupervised assets and the need for proper monitoring.
Sign up to be notified of future webinars that may interest you.