Demystifying CMMC: Real-World Insights From ControlCase Experts
Alexy Johnson CCA, CISSP & Erik Levitas
Webinar
© ControlCase. All Rights Reserved.
Agenda
01 About ControlCase
02 ControlCase 3PAO Announcement
03 CMMC Overview
04 Which CMMC Path?
05 CMMC Compliance Process
06 Q and A
Host: Eric Levitas, Vice President
Presenter: Alexy Johnson, CCA, CISSP, Sr. Consultant, Lead CCA
ControlCase Snapshot
ControlCase Overview
Best-in-Class Compliance Platform
• ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements
• Proprietary software, including appliance and SaaS solutions, that enables CaaS (GRC and Data Discovery)
• Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform
• One Audit™ enables our clientele to Assess Once: Comply to Many
• Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains
• Serving over 1,000 customers
• Global footprint with offices in the U.S., LATAM, Europe, India, Canada, and UAE
• Leverages an offshore delivery infrastructure for competitive advantage
• IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom
Global Vision & Solutions Enhancement
• Provider of Compliance as a Service (CaaS): a subscription-based offering bundling proprietary GRC software and managed services
• Founded in 2004
• Headquartered in Fairfax, VA
• Offices in U.S., Canada, India
• 250+ employees
ControlCase Snapshot
Certification and Continuous Compliance Services
Go beyond the auditor’s checklist to dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified.
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Offload much of the compliance burden to a trusted compliance partner
• Improve efficiencies by doing more with fewer resources and gain compliance peace of mind
1,000+ clients | 10,000+ IT security certifications | 275+ security experts
ControlCase Snapshot – Solution
Partnership Approach + Compliance HUB™ = Certification and Continuous Compliance Services (IT Certification Services & Continuous Compliance Services)

Certification Services
One Audit™: Assess Once. Comply to Many.
ControlCase Announcement
CMMC Overview
1. What is CMMC?
• The Cybersecurity Maturity Model Certification (CMMC) is a framework designed by the Department of Defense (DoD) to standardize cybersecurity requirements for companies handling sensitive data.
2. Purpose
• The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.
• To protect Controlled Unclassified Information (CUI) from unauthorized access, use, disclosure, disruption, modification, or destruction.
3. Scope
• This applies to DIB companies that store, process, or transmit CUI, including government contractors, subcontractors, and suppliers.
4. Benefits
• Improved cybersecurity posture, increased trust and confidence from clients, and competitive advantage.
Why Choose ControlCase for CMMC?
1. Authorized to Certify
As an Authorized C3PAO, we conduct official CMMC Level 2 assessments and issue a Certificate of CMMC Status for CMMC Level 2.
2. Fast-Track Your Compliance
Our AI-powered Compliance Hub™ streamlines evidence collection, automates assessments, and simplifies remediation, getting you certified faster and more efficiently.
3. End-to-End CMMC Readiness & Certification
From gap assessments to official certification, we provide full-spectrum support, ensuring zero surprises during your audit.
4. Deep Defense Expertise
We’ve worked with hundreds of DIB contractors, helping them meet and exceed DoD cybersecurity requirements. We have CCPs and CCAs on staff with real-world experience.
CMMC Certification Levels
1. Level 1 – Self Attestation: Basic cybersecurity practices.
2. Level 2 – C3PAO Assessment: Intermediate cybersecurity practices.
3. Level 3 – DIBCAC Audit: Advanced cybersecurity practices.
Which Path?
Path 1: Readiness & Compliance Support (Steps 1 & 2 Only)
If you need help preparing for CMMC, we provide:
• Step 1: Readiness Assessment – Identify security gaps, calculate your SPRS score, and develop a remediation plan.
• Step 2: Compliance Alignment – Implement required cybersecurity controls and validate compliance through our experts.
Path 2: Official CMMC Certification (Step 3 Only)
• Step 3: CMMC Certification Assessment – If you are already CMMC-ready and have not received readiness or remediation support from us, we can conduct your official CMMC Level 2 audit and certification as an Authorized C3PAO.
If we assist with readiness and remediation, we cannot perform your official CMMC certification (Step 3).
CMMC Compliance Process
1. Gap Assessment
A comprehensive evaluation of your existing cybersecurity practices and a scope review.
2. Remediation Support
Implementing the necessary security controls to address identified gaps. Build out a compliant SSP with appropriate policies and procedures.
3. C3PAO Certification
Receiving official CMMC certification after successful audits. (Triennial audits required.)
Gap Assessment
• Identification of non-compliant requirements
• Roadmap to compliance
• Preparation for CMMC L2 certification
• Review of all 320 controls
• Provide roadmap / POA&M of open items
• Updated SPRS score that is accurate
• Value? It gives a real-time look at current compliance posture and shows the level of effort needed to meet CMMC compliance
Remediation Support
Activities to include:
• SSP Review
• Assessment Boundary Review
  The goal of this activity is to review the system boundary and to validate that it is adequately represented diagrammatically. The asset inventory will also be reviewed to confirm that it matches the system boundary and meets CMMC requirements.
• Network Design Review
  The goal of this activity is to review any on-premises or cloud networking that Client is responsible for administering to ensure that appropriate technologies are in place for any wireless or remote access; to ensure that internal and external boundaries are adequately monitored, controlled, and protected; and to ensure that the network is adequately segmented.
• CUI Data Flow Review
  The goal of this activity is to review the Client CUI Data Flow Diagram to validate that data flow is properly mapped from entry to exit.
• Security Requirement Implementation Review
  The goal of this activity is to review the description of the controls used to implement security requirements. This review will be performed based on the assessment objectives found within NIST SP 800-171A. During this review, the implementation details will be reviewed to determine whether the implementation will meet CMMC requirements.
• Policy/Procedure Review
  The goal of this activity is to review Client policies and procedures to determine if they adequately support the implementation of CMMC security requirements.
• Continuous Monitoring Strategy Review
  The goal of this activity is to review Client plans for continuously monitoring the compliance of its information system. Activities to be reviewed include account reviews, system monitoring, vulnerability scanning, security control assessments, etc.
• POA&M Development
  The goal of this activity is to help Client develop a POA&M which will include actions designed to remediate all deficiencies discovered during the security control assessment.
• Calculating SPRS Score
  The goal of this activity is to calculate an SPRS score based on the DoD NIST SP 800-171 Assessment methodology and to guide Client through the process of submitting the score.
• Compliance Consulting
  The goal of this activity is to work with Client to continue the development of its compliance and security initiatives related to CMMC.
C3PAO Certification
PHASE 1
• Plan & Prepare the Assessment:
  ControlCase and BEIER INTEGRATED SYSTEMS will collaborate on calendaring the assessment, preparing schedules, timelines, and meetings with your staff and technical resources, and planning any required on-site visits.
  The ControlCase team will provide an overview of the process, aiming to create a high level of comfort for your team, which will help enhance efficient and informed participation. We will work together to outline the requirements for your team during the assessment and discuss the assessment plan.
• Readiness Review:
  During this phase, ControlCase will review the Client’s position relative to the CMMC standard to determine whether your organization is prepared to enter Phase 2.
  Deliverables from this phase include observations and recommendations.
PHASE 2
• Conduct the Assessment:
  Phase 2 allows you to demonstrate compliance with NIST SP 800-171.
  ControlCase’s CCA will act as the central Technical Point of Contact (TPOC) communicator and maintain daily communication with the Client’s point of contact, including daily briefings on the assessment findings. Follow-ups and action items from the ControlCase Assessment Team will be communicated to the Client at that time.
  Based on the Phase 1 schedule, your team will be fully equipped with the necessary ControlCase staff and resources to:
Q&A – Open Forum
THANK YOU
Eric Levitas
VP, Business Development - Federal
elevitas@controlcase.com
443.800.2590

Editor's Notes

  • #6 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.  
  • #10 CMMC Program requirements will apply to all DoD solicitations and contracts for which a defense contractor or subcontractor will process, store, or transmit FCI or CUI on its unclassified contractor information systems.