TERRANOVA SECDEF CMMC

Developed in the USA, Enhanced for the World Reducing the Risk of War

Enhancing Cybersecurity for Defense Contractors

We focus on the CMMC framework to strengthen the cybersecurity posture of organizations working with the Department of Defense, ensuring compliance and protection against cyber threats.

TERRANOVA SECDEF and CYBER SECURITY GLOBAL ALLIANCE are Endorsed by the U.S. Department of Commerce (DoC) and by the Canadian Federal Government and the Ontario Provincial Government working with the EU Commission 

CMMC Cybersecurity Framework

Enhancing defense contractors' cybersecurity posture through the Department of Defense's CMMC certification model.

Cybersecurity Maturity Model

Enhancing defense contractors' cybersecurity posture through a structured maturity framework and adherence to CMMC standards.

CMMC Compliance Consulting

We provide expert guidance to ensure your organization meets the stringent requirements of our EU Ready Cross-Border CMMC certification.

Continuous Compliance Support

Ongoing assistance to maintain compliance with CMMC, enhancing your cybersecurity measures and risk management processes.

Cybersecurity Maturity Model Certification

• Introduction to CMMC
• Why CMMC
• The Model, versions 1.0 and 2.0
• Practices AND Processes (maybe?)
• The Assessment
• How to prepare for CMMC
• Current activities
• Identify sensitive data on your network
• Scoping (PCI DSS)
• Shared infrastructure
• Reciprocity
• Rule Making
• Q&A

Why CMMC?

• DoD estimates that there is over $600B in IP theft each year
• Current NIST SP 800-171 compliance is self-attestation. Many contractors do not follow it but say they do!
• Same with lower-level DFARS-based contracts. No oversight.
• DoD wanted teeth!

CMMC requires all defense contractors to:

• Successfully complete a CMMC audit of their cybersecurity posture once every three (3) years
• For CMMC 2.0 Levels 2 and 3, the audit will be conducted by an independent third party. No more self-attestation
• Audit is PASS/FAIL with a small grace period to address gaps
• Must be re-evaluated by the same assessor
• Must achieve the correct CMMC Level prior to contract award – will probably change to prior to bid
• Model is based on several existing cyber frameworks
  • NIST, ISO, DFARS, UK, Australia, Canada, EU, etc.
  • Combined best practices from around the globe
• CMMC 1.0 model combined a cyber practice model with a maturity model (think CMMI)
  • Five (5) Levels for both cyber practices and maturity processes
  • Must meet both practices (controls) and processes (maturity) for each specific CMMC Level
  • Also must meet any lower-level requirements (e.g. for Level 3, must meet all requirements for Levels 1 & 2)
• CMMC 2.0 model eliminated the maturity model processes
  • Now only three (3) Levels of cyber practices

Model covers:

• 17 Domains across cybersecurity
• Three different security posture levels (controls)

CMMC Level 1

• The vast majority of companies will be Level 1
• Introduces Basic Cyber Hygiene for those who have little to none
• Six Domains
• 17 controls
• Designed to protect Federal Contract Information (FCI)
• Aligns with basic DFARS cybersecurity requirements

CMMC Level 2

• CMMC Level 2 – Low-level CUI (gov’t defined)
• Allowed to store/process CUI
• External assessment may be via C3PAO or DCMA DIBCAC
• All the cybersecurity practices of NIST SP 800-171 (primary cybersecurity clause in DoD contracts)
• 110 Practices

Level 2 Assessment Covers All Domains

CMMC Level 3

• Most critical level of CUI
• Assessments WILL be conducted by DCMA DIBCAC
• Same overall requirements as Level 2 with the addition of some NIST SP 800-172 controls

Assessments

• Defense Contractor (or Organization Seeking Certification (OSC)) will contract with a CMMC 3rd Party Assessment Organization (C3PAO)
• C3PAO will have certified and trained Assessors (auditors)
• Contract will define:
  • Scope
  • Timing
  • Artifacts
  • Personnel
  • Interviews
  • Costs
• Assessors will coordinate and plan with the OSC prior to the on-site visit
• During the on-site visit, expect:
  • Kick-off meeting
  • Daily wrap-up meeting
  • Final out-brief
  • Issues handled in real time to near real time
  • If eligible – receive your score before the assessor(s) depart
  • If required, a list of actions needed to meet the standard and next steps (short window to complete)

CMMC Preparation (Recommendations)

• What are you required to comply with now?
  • DFARS?
  • NIST SP 800-171?
  • ISO?
• DFARS – CMMC Level 1
• NIST SP 800-171 – CMMC Level 3
• Begin taking your company’s cybersecurity posture seriously
  • HR?
  • AP/AR? SOX

Identify sensitive data on your network

• CMMC is designed to prevent the theft/leakage of:
  • FCI
  • CUI
• Where does ANY sensitive data reside on your systems? Proprietary data?
• Where is the FCI?
• Where is the CUI?
• Identification of sensitive data allows the next steps to be based on cost and effort

Scoping

• Protecting data incurs costs and effort
• Protect $100 of data with a $10,000 tool?
• Place the effort and pay the cost to protect the data that is required to be protected
• As an example – PCI DSS
  • Only those systems that process credit card information are in scope
  • Limits the number of servers/endpoints that require protection and assessment
  • Is there a cost difference in the assessment of five systems versus 1,000 systems?

Reciprocity

• Unknown but…
• We would expect DoD to approve some reciprocity for already-certified systems/services
• For example – a Cloud provider
  • The Cloud provider is already assessed to be FedRAMP Moderate
  • Specific Domain 1, Access Control, practices are already approved by achieving FedRAMP
  • If utilizing those specific services, the assessor should give the OSC “credit” for them and not require new proof

Cybersecurity Maturity Model Certification

Terranova SECDEF's CMMC Platform uses our own National Supply Chain Security Program, enhanced to develop the CMMC Framework for NATO and its Allies, without any mess or smoke and mirrors.

CMMC Maturity Levels 1 - 3

We provide expert guidance and training to ensure your organization meets the stringent requirements of CMMC certification for NATO Countries.

CMMC for NATO Forces

Ongoing assistance to maintain compliance with CMMC, enhancing your cybersecurity measures and risk management processes.

Terranova SECDEF operates in 21 NATO-friendly countries.

Terranova SECDEF Officers were on the U.S. Department of Defense's original CMMC Design Team and are true leaders in cybersecurity model development globally.

Terranova SECDEF Provides Continuous Compliance Support for NATO

Ongoing assistance to maintain compliance with CMMC, enhancing your cybersecurity measures and risk management processes.

For More Information on How to become CMMC Certified in the EU Commission, Reach out to:

Dr. Chris Golden PhD
President and Chief Operations Officer
Terranova SECDEF

chris.golden@terranova-secdef.com

Contact Us for Cybersecurity Insights

Reach out for CMMC guidance and support for defense contractors.