Securing the DoD Supply Chain: Cybersecurity Maturity Model Certification

Securing the DoD Supply Chain: Cybersecurity Maturity Model Certification
Ms. Katie Arrington, Chief Information Security Officer for Acquisition and Sustainment
DISTRIBUTION A. Approved for public release

We need to make Security the Foundation
We need to Deliver Uncompromised
Cost, Schedule, Performance ARE ONLY EFFECTIVE IN A SECURE ENVIRONMENT

DIB Cybersecurity Posture
• State-of-the-Art [Hypothesis: < 1% of DIB companies]
  – Maneuver, Automation, SecDevOps
• Nation-state
  – Resourcing: Infosec dedicated full-time staff ≥ 4, Infosec ≥ 10% of IT budget
  – Sophisticated TTPs: Hunt, whitelisting, limited Internet access, air-gapped segments
  – Culture: Operations-impacting InfoSec authority, staff training and test
• Good cyber hygiene [Vast majority of DIB companies]
  – NIST SP 800-171 compliant, etc.
  – Consistently defends against Tier I-II attacks
• Ad hoc
  – Inconsistent cyber hygiene practices
  – Low-level attacks succeed consistently

Cybersecurity Maturity Model Certification (CMMC)
• The DoD is working with Johns Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard for cybersecurity.
• The CMMC levels will range from basic hygiene to "State-of-the-Art" and will capture both security controls and the institutionalization of processes that enhance cybersecurity for DIB companies.
• The required CMMC level (notionally between 1 and 5) for a specific contract will be contained in RFP sections L & M, and will be a "go/no-go" decision.
• The CMMC must be semi-automated and, more importantly, cost effective enough that Small Businesses can achieve the minimum CMMC level of 1.
• The CMMC model will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector. A neutral 3rd party will maintain the standard for the Department.
• The CMMC will include a center for cybersecurity education and training.
• The CMMC will include the development and deployment of a tool that 3rd-party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.

Notional CMMC Model Development
[Diagram: sources feeding the CMMC model. Phase I: Control Frameworks and Infosec Solutions; Phase II: Mission Systems Development Environments. Inputs shown: NIST 800-53, NIST 800-171, ISO 27001, ISO 9000, FIPS 140-2, FedRAMP, RMF, RMM / CRA, CMMI, SANS, FICO, DISA STIGs, DoD CIO, DODCAR, Mitre, AIA NAS 9933, USCybercom, NSA, JHUAPL, MDA, DOE, USN, SMC, AF, NASA, Army, DHS, Gartner, Financial Sector, Industry. Diagram axes and labels: Assessment and Level, Assessment Complexity, Threat analysis, Adversarial assessments, Threat-based, Mission-based, Mission Focus, Enterprise Focus.]
Maturity model must be dynamic and threat informed

Model Rev 0.4 Synopsis - Practices

Level          Description of Level Practices   CMMC Rev 0.3 Practices   New CMMC Rev 0.4 Material   CMMC Rev 0.4 Practices
CMMC Level 1   Basic Cyber Hygiene              17                       +18 practices               35
CMMC Level 2   Intermediate Cyber Hygiene       46                       +69 practices               115
CMMC Level 3   Good Cyber Hygiene               63                       +28 practices               91
CMMC Level 4   Proactive                        10                       +85 practices               95
CMMC Level 5   Advanced / Progressive           4                        +30 practices               34

Rev 0.4 New Content Sources
• DIB SCC TF WG Top 10
• NIST Cybersecurity Framework 1.1
• ISO 27001:2013
• AIA NAS 9933
• CIS Critical Security Controls 7.1
• CERT Resilience Management Model®
• Additional DIB Inputs
• Subject Matter Experts

Implementation (Pre-Award)
[Process diagram. Swim lanes: SRM Database, CMMC, Gov't PM, Certifier, Company PM, Requiring Activity. Steps shown: CMMC Concept; Develop Model; Develop Regulator; Create Database; Regulator IOC; Companies Self-Evaluate; Marketplace / Find Certifier; Select Certifier; Advance to Level; Conduct Certification; Artifacts; Grant Certification; CMMC SRS Database with Internet Accessible Lookup; Verify CMMC Level; RFI "Level 2" & Date; CMMC REQT; Build PGM Office; REQT.; RFP; BID; ACQ Review; Source Selection (Go/No-Go); Procure Regulator; Award. Certifier options: 1. Internal 2. SVC Provider 3. Partner. Will Transition to Industry/non-profit.]

CMMC Development Schedule

https://www.acq.osd.mil/cmmc/index.html