Hello and welcome to the NIST 800-171 learning path. My name is Dave Hatter, I'm your instructor for this course, and this is Course 7: Putting It All Together. In this course, we'll do a review of everything we've covered up to this point, and then in the second video, we'll walk through a short project to look at creating a system security plan and the plan of action and milestones, creating a basic assessment score, and submitting that score to SPRS. Let's dive right in. It all gets started with Executive Order 13556. 13556 established a government-wide Controlled Unclassified Information, or CUI, program to standardize the way the executive branch handles unclassified information requiring protection. It designated the National Archives and Records Administration, or NARA, as the Executive Agent to implement the CUI program. It says that only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or government-wide policy may be designated as CUI. What is Controlled Unclassified Information? Well, according to Executive Order 13556, CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but is not classified under the executive order Classified National Security Information of December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. The CUI registry. We've talked about this before; this is a site hosted by NARA. You can see the link down there in the third bullet, and you can dive right into it. I encourage you to go check it out. The CUI registry identifies approved CUI categories and subcategories with a description of each and the basis for controls. Again, the descriptions can be very helpful in trying to understand all of this stuff. 
It defines procedures for the use of CUI, including, but not limited to, marking, safeguarding, transporting, disseminating, reusing, and disposing of information. The government came up with a three-part plan to protect CUI: the federal CUI rule, 32 CFR Part 2002, which establishes the required controls and markings for CUI government-wide; NIST Special Publication 800-171, which defines the security requirements for protecting CUI in non-federal information systems and organizations; and the Federal Acquisition Regulation, or FAR, clause to apply the requirements of the federal CUI rule and NIST 800-171 to contractors. One of the key things to really think about as you're going through the work to get yourself into compliance, and ideally comply with CMMC, is scoping. The more CUI you have in an organization and the more sprawl of CUI you have, the more difficult it is, because there are more systems, more touch points, and so on. To the extent that you can narrow the footprint of your CUI, ideally get it all in one place, one server, one cloud platform, something like that, the better off you'll be. When you think about scoping, really think about these key points. To the extent possible, you want to isolate CUI into its own security domain by applying architectural design concepts. Security domains may employ physical separation, logical separation, or a combination of both. You can use the same CUI infrastructure for multiple government contracts or agreements. Again, some key concepts here: narrow that footprint, and understand that once you've created an environment and architected it to narrow the scope of CUI, you can use that for multiple contracts. Again, this can be very time-consuming, very difficult, and very expensive, so to the extent you can narrow that scope, it will potentially make your life a lot easier. Let's talk about DFARS and NIST 800-171. 
NIST Special Publication 800-171 is the framework that helps manufacturers comply with DFARS clauses 252.204-7008, 252.204-7012, 252.204-7019, and 252.204-7020. The DFARS 7012 and 7020 clauses will be in all DoD solicitations, contracts, task orders, or delivery orders. The flow-down requirement for contractors requires tiered subcontractors to have an assessment in the Supplier Performance Risk System, or SPRS. Again, we'll talk more about that in a bit. Contractors must validate compliance with 7019 prior to awarding a subcontract or purchase order of any kind. Contractors must include the contents of DFARS 7019 in subcontract agreements. NIST 800-171 applicability. You can see here that DoD contracts are now subject to the requirements of DFARS and the NIST 800-171 requirements. CUI requirements apply only to components of non-federal information systems that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and non-federal organizations, or NFOs. Let's talk about a few 800-171 assumptions. Again, this applies to NFOs. It assumes that these NFOs already have information technology infrastructures in place. They're not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI. You have safeguarding measures already in place to protect existing information, which may be sufficient to satisfy the CUI requirements. You may not have the necessary organizational structure or resources to satisfy every CUI requirement. You can implement a variety of potential security solutions to meet requirements. Again, they're not telling you that you have to build an infrastructure specifically for this. They're assuming you're going to leverage the infrastructure, tools, processes, policies, and procedures you already have in order to ease compliance with 800-171 and CMMC. 
Let's talk a little bit about the 800-171 requirements. Again, this is a refresher. There are 110 total security requirements across the 14 800-171 families. Each requirement has a well-defined structure: it's either a basic requirement or a derived requirement. The requirements are non-prescriptive. They can be implemented by NFOs in a variety of ways, including by an internal team or an external MSP, through a variety of solutions, and with alternative but equally effective measures. Each requirement has a discussion section that helps explain it. As you can see quoted here, "The discussion section associated with each CUI requirement is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. In addition, the use of examples is notional, not exhaustive, and not reflective of potential options available to organizations." Again, they're not trying to tell you exactly how to meet each one of these requirements; they're leaving you a lot of flexibility to custom-tailor solutions that make sense for your organization. That's important to keep in mind. Then remember that these requirements apply only to non-federal systems that process, store, or transmit CUI. Again, that gets back to the idea of trying to narrow the scope and limit the CUI. There are 14 requirement families in NIST 800-171. We'll just do a quick review here. You've got access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Let's talk about the deliverables of 800-171. 
Your deliverables basically are a body of evidence that should include organizational policies and procedures, a system security plan, and a plan of action and milestones. Let's take a look at policies. The terminology around policies, plans, and procedures often gets confused, so I thought it made sense to throw in a quick definition here. According to the Merriam-Webster Dictionary, a policy is a high-level overall plan, embracing the general goals and acceptable procedures, especially of a government body. They're requirements established by senior management; they're direction provided to employees and contractors, enforceable under US labor law and HR direction. Policies provide strategy and direction to guide decisions by lower-level management, and they're designed to achieve positive outcomes. A policy is a statement of expectation enforced by standards and further implemented by procedures. It's a living document that should change to reflect conditions. Maybe most importantly, policies are mandatory. Let's take a look at some common policies you're likely to see out there in the wild. I won't read this whole list to you here, but as you can see, there's a wide array of different types of policies. Some organizations may have all of these policies, some organizations may only have some of these policies. In some cases, you might see many of these policies combined into one document, or a bunch of stand-alone individual policies. You'll note there in the footnote that I've got the asterisks that show you where you can find free sample policy templates. One of the things that can often be difficult if you don't have any policies is to get started from scratch. Organizations like SANS, which I'm a big fan of, have some great policy templates that you can start with. You don't have to start from scratch. Again, there'll be some links to those resources at the end of this particular video. 
For the other deliverables, we've still got the system security plan and the plan of action and milestones, which we'll get to in a minute. Again, for the SSP, or system security plan, we need to develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships or connections with other systems. Why do you need an SSP? Well, first off, it is required by NIST 800-171, in requirement 3.12.4. Also, per DoD, you should not try to submit a self-assessment without a system security plan. The system security plan is required for CMMC Level 2 or higher. It's an important document; really, to make significant progress on this, you need to make sure that you create an SSP. It is something that you will ultimately be expected to give to an assessor for compliance with the higher levels of CMMC. How do you create your SSP? Well, the good news is you have a lot of flexibility. There's not a formal standard. NIST has a free template you can download from their website, and it's a great starting point. You can see I have a link to it there. It's an Excel spreadsheet. You can download that, and again, it makes for a great starting point. You're going to use that to collect evidence and artifacts and document them in your SSP. Make sure you keep the assessment objectives in mind as you work through the 110 requirements. The final deliverable for your body of evidence is your POAM, your plan of action and milestones. You develop and implement plans of action to implement a control and reduce or eliminate vulnerabilities. You need to address delays in meeting requirements. Each item should have an expected completion date and interim milestones. Ideally, you won't have that many items in your POAM. 
Again, when you look at it from the CMMC perspective, the POAM may or may not be allowed, and if it is allowed, based on the last research I was able to do, you'll only have 180 days to address those items. Ideally, you want your list of POAM items to be as short as possible. You want to have expected dates for when you expect to get each one of those items done. Again, this is one of the key reasons that led to CMMC: there really was no penalty. Folks would put a lot of stuff in that POAM and then really never have any plan to get around to addressing those things. Why do we need a POAM? Well, like the system security plan, it is required by NIST 800-171, in requirement 3.2.12, and it's a document that would be given to an assessor. You can see a screenshot here that explains the POAM from NIST 800-171. For creating a POAM, like the system security plan, there is no prescribed format. There's a free template in a Word document that you can download, and I definitely suggest that you start out there. Again, as with your system security plan, keep your assessment objectives in mind as you work through it. Let's talk a little bit about CMMC. I've alluded to it a couple of times and we covered it earlier in the course. CMMC is the Cybersecurity Maturity Model Certification, a unified standard designed to reduce exfiltration of CUI from the defense industrial base. It was prompted by data breaches that are impacting national security and originating with non-federal organizations. Version 2 was published in November of 2021. It's still largely based on 800-171. DFARS 252.204-7021 defines the CMMC requirements, and a DIB contractor, or Defense Industrial Base contractor, can achieve a specific CMMC level for an entire enterprise, or for particular segments or enclaves, depending on where the CUI is handled and stored. Again, that gets back to the idea of scoping and trying to limit the footprint of this information. How did we get to CMMC? 
Well, as we said earlier, NIST 800-171 is a self-attestation standard. You create an SSP and a POAM, and you put whatever you want in there. There was really not much risk of audit. People would just have POAMs that were never dealt with. That's really the gist of what ultimately drove the government to come up with the Cybersecurity Maturity Model Certification as a way to overcome the shortcomings that they were seeing with the self-attestation model of 800-171. Why should you care about CMMC? Well, if you're an NFO with contracts containing DFARS clause 252.204-7012, you must have at least a basic assessment against 800-171 in order to receive a contract award after November 30th, 2020. Requests for proposals or contracts may contain clauses, or your prime may ask you to report your CMMC score. NFOs that are non-compliant with the required level per the contract will not be able to retain DoD contracts. By 2025, DoD will require all defense contractors to pass a CMMC audit to bid on jobs. This only applies to RFPs or contracts with the clause embedded in them that also have clause 252.204-7012 or some other indication that CUI is and will be processed under the contract. Where we're at now is the DoD interim rule on CMMC. There's an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, which is DFARS Case 2019-D041, that implemented CMMC on September 29th of 2020. As of November 30th, 2020, contractors are required to self-assess, or have DoD assess, compliance and report it prior to any new DoD contract award or DoD's exercise of any contract option or extension. This adds a DFARS subpart 204.75 specifying policies and procedures for awarding a contract or exercising an option between November 30th, 2020, and October 1, 2025. It also requires contractors to achieve a CMMC certificate at the level specified in the solicitation at the time of the award. Again, CMMC now has three levels. 
Depending on the contract specification, it will tell you what level you need to be in compliance with. Contractors must maintain a current score, which is a score less than three years old, throughout the life of the contract, task order, or delivery order. DoD contractors must immediately post assessments of their cybersecurity compliance on the DoD SPRS system. Primes are required to flow down the substance of DFARS 252.204-7022 to all subcontractors, except for commercial off-the-shelf software suppliers. Primes must ensure subcontractors have a current DoD assessment posted in SPRS prior to awarding a subcontract. If a subcontractor does not have a summary level score of a current 800-171 assessment posted in SPRS, then the sub may conduct and submit a basic assessment to SPRS. The interim rule contract clause 252.204-7019 requires the following for reporting your basic DoD assessment. The standard assessed in this case is NIST 800-171, especially for Level 2 and Level 3; then we'll add in some extras from Special Publication 800-172. You will need to know the organization conducting the assessment. In this case, it is a self-assessment, so it'd be a contractor self-assessment. You'll need to know your CAGE codes. You'll need your SSP. You'll need the date of the assessment completion, the summary level score, which we'll talk more about in a minute, and then the date that all requirements are expected to be implemented, or what your POAM says for the implementation of the requirements that you have not met. The DoD interim rule scoring is an objective assessment of 800-171 implementation. If you're able to implement, or be in compliance with, all 800-171 controls, you'll get a score of 110. Again, that is all the controls in 800-171, except for controls where scoring is built in for partial implementation. Partial implementation is not credited. This is important to understand. 
Most of these are essentially all-or-nothing: you get everything or you get nothing. There are a few controls, which we'll talk about here in a minute, where you can earn partial credit, but for the most part, it's an all-or-nothing proposition. Your score of 110 is reduced by each requirement not implemented, and it is possible to get a negative score; we've seen that out here in the field several times. This does not prioritize controls in terms of impact, but some have more impact than others, and controls are weighted based on impact. For CMMC 2.0, the objectives are to safeguard sensitive information to enable and protect the warfighter; to enforce DIB security standards to meet evolving threats; to ensure accountability while minimizing barriers to compliance with DoD requirements; to perpetuate a collaborative culture of cybersecurity and cyber resilience; and to maintain public trust through high professional and ethical standards. Again, we've gone from Version 1 of CMMC to Version 2 of CMMC, and some of the key differences are these. The model has been streamlined: it's focused on the most critical requirements, it's reduced from five levels to three, and it's aligned with NIST 800-171 and 172. You have reliable assessments with reduced cost, which is important because this can take an enormous amount of time and energy to get yourself into compliance, so they've, in my opinion, done a good job of trying to streamline it and make it easier. It increases accountability because it now brings in third-party assessors and DoD assessors to make sure that what the contractors in the DIB are saying is accurate. Then flexible implementation, in a spirit of collaboration, as you can see, allows companies under certain limited circumstances to use plans of action and milestones to achieve certification, which was not allowed under CMMC Version 1, and adds flexibility and speed. In some cases, some of the requirements can be waived in special situations. 
Again, this is trying to make it a little bit more flexible for contractors and the DIB. This graphic shows you side-by-side Version 1 of CMMC and Version 2; as you can see, we've gone from five levels to three. If we take a look at each of those levels here, Level 1, the foundational level, only has 17 practices and only requires an annual self-assessment. Level 2, which is probably where most organizations will need to get, is 110 practices aligned directly with 800-171, and you have a triennial third-party assessment for critical national security information. Some organizations may be able to get by with an annual self-assessment. Then Level 3, the expert level, is all of the controls of 800-171 plus some additional controls from 800-172, and that would be a triennial government-led assessment. Again, you've got the three levels of CMMC: Level 1, the annual self-assessment; Level 2, which may require, and probably will for most people, a triennial third-party assessment; and then Level 3, or the expert level, the triennial DoD assessment. The basic assessment that you would need to do for CMMC and NIST 800-171 to submit to SPRS is again this contractor self-assessment. You can see here this is a direct quote from the DoD Assessment Methodology Version 1.2.1: "The basic assessment is the contractor self-assessment of NIST 800-171 implementation status based on a review of the system security plan(s) associated with covered contractor information systems." Two, the basic assessment results in a confidence level of low, because it's a self-generated score; you're doing the assessment yourself. Then three, the summary level scores resulting from the basic NIST 800-171 DoD assessment should be documented as indicated in Section 6 and Annex B of this document, this document being the DoD Assessment Methodology Version 1.2.1. For basic assessment scoring, as we've said before, it's a 110-point scale, essentially one point per requirement of 800-171. 
Each requirement is assigned a "weighted subtractor value". Satisfied requirements earn points, and partially satisfied requirements may earn a fraction of points; again, in most cases it's all or nothing. Unsatisfied requirements have points subtracted. It is possible to earn a negative score. They don't require that you have a specific score. I know that some people, when they see a very low score or a negative score, get concerned about that, and I do think at some future point there might be some baseline score you'll need to earn, but for now, there's no minimum score, and you can submit whatever your score is. Frankly, in order to maintain your contracts, you may need to do that. If this is a concern for you in maintaining your contracts, you need to just go ahead and do this and submit your score. Then, as you can see there, you may need to do multiple assessments depending on the size of your organization and the number of contracts you have. What you see in this screenshot is, again, just a simple spreadsheet that's got all the controls in it. It then shows you, for example, the possible value and then your score. Then ultimately it rolls that up and will allow you to submit it. This would be one way to go about capturing the information and calculating the score. There are all kinds of third-party tools out there that can help with this. We'll wrap up here. Let's talk a little bit about SPRS again. SPRS is the government system that allows you to enter your score. It does a lot more than that, but it is the place where you go to enter your score. In this case, for your 800-171 basic assessment score, you would need the date, the score, the scope, the plan of action, and the completion date for every vendor location identified by your CAGE codes. SPRS access is granted to authorized government acquisition personnel through a single sign-on capability in the Procurement Integrated Enterprise Environment, or PIEE. 
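The roll-up that the scoring spreadsheet above performs, written out as an added Python example (it is not the course's spreadsheet or any DoD tool). The requirement weights and the two partial-credit rules are this example's own assumptions about the DoD Assessment Methodology, and the six-requirement catalogue and the findings are constructed, so check the values against the methodology document linked at the end of the video before relying on them.

```python
"""Roll up NIST SP 800-171 basic assessment findings into a SPRS summary score.

Added example, not code from the course. Weights and partial-credit rules are
assumptions about the DoD Assessment Methodology; verify against the current
published version before using them for a real submission.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_SCORE = 110                # one point per requirement when everything is met
SSP_REQUIREMENT = "3.12.4"     # per DoD, no self-assessment without an SSP


@dataclass(frozen=True)
class Requirement:
    rid: str
    weight: int                     # points subtracted when not implemented
    partial: Optional[int] = None   # smaller subtractor if partial credit is allowed


# Constructed catalogue excerpt (the real one lists all 110 requirements).
# Requirements absent from the excerpt are treated as implemented.
CATALOGUE = {
    "3.1.1": Requirement("3.1.1", 5),
    "3.1.22": Requirement("3.1.22", 1),
    "3.5.3": Requirement("3.5.3", 5, partial=3),      # multifactor authentication
    "3.12.2": Requirement("3.12.2", 3),               # plan of action and milestones
    "3.12.4": Requirement("3.12.4", 5),               # system security plan
    "3.13.11": Requirement("3.13.11", 5, partial=3),  # FIPS-validated cryptography
}


@dataclass(frozen=True)
class Finding:
    rid: str
    status: str                     # "met", "partial" or "not_met"
    expected: Optional[str] = None  # ISO date the POAM commits to, for open items


# Constructed self-assessment results; 3.1.1 is marked partial on purpose to
# show that a requirement without built-in partial credit scores as not met.
SAMPLE_FINDINGS = [
    Finding("3.1.1", "partial", "2025-02-28"),
    Finding("3.1.22", "not_met", "2025-03-31"),
    Finding("3.5.3", "partial", "2025-06-30"),
    Finding("3.12.2", "met"),
    Finding("3.12.4", "met"),
    Finding("3.13.11", "not_met", "2025-09-30"),
]


def score_assessment(findings: List[Finding]) -> Tuple[int, List[Tuple[str, str, int, str]]]:
    """Return (summary score, POAM rows) for a list of findings.

    Every catalogue requirement needs exactly one finding. The score can go
    negative on a full catalogue; nothing here clamps it, because SPRS does not.
    """
    by_id = {f.rid: f for f in findings}
    missing = sorted(set(CATALOGUE) - set(by_id))
    if missing:
        raise ValueError(f"no finding recorded for {missing}")
    if by_id[SSP_REQUIREMENT].status != "met":
        raise ValueError("no system security plan: do not submit a self-assessment")

    total = MAX_SCORE
    poam = []
    for rid, req in CATALOGUE.items():
        finding = by_id[rid]
        if finding.status == "met":
            continue
        # Partial credit only where the methodology builds it in; otherwise all or nothing.
        deduction = req.partial if (finding.status == "partial" and req.partial) else req.weight
        total -= deduction
        if finding.expected is None:
            raise ValueError(f"{rid} is open but has no expected completion date")
        poam.append((rid, finding.status, deduction, finding.expected))
    return total, poam


def expected_full_implementation(poam) -> Optional[date]:
    """The date reported to SPRS: when the last open POAM item is due to close."""
    return max(date.fromisoformat(row[3]) for row in poam) if poam else None
```

Running `score_assessment(SAMPLE_FINDINGS)` gives 96 with four POAM rows, and the SSP check refuses to score a set of findings where 3.12.4 is not met.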
If you have the SPRS cyber vendor user role, you can manage your basic assessment, and you must be registered in PIEE and approved for access to SPRS to enter your score. I always like to remind people, especially if you're under the gun for this, that it's a really good idea to go ahead, go to PIEE, get your account set up, get this process rolling, and get everything in place. That way, once you have your basic assessment score computed, you won't have to wait and/or potentially sort through any issues that come up in order to upload your score. Again, why do you care about SPRS? Well, per DFARS 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, contracting officers are directed to verify that an offeror's NIST 800-171 assessment is on record, and that would be in SPRS. DFARS 252.204-7019, Notice of NIST 800-171 DoD Assessment Requirements, requires offerors to ensure the results of their current assessments are posted in SPRS, and DFARS clause 252.204-7020 requires contractors to ensure applicable subcontractors have the results of a current assessment posted in SPRS prior to an award. Again, it's important to understand this system, it's important to get yourself set up in there, and it's important to compute your basic assessment score and get it posted. Again, what you need to submit is the date of the assessment, your score out of 110, the scope of the basic assessment, your SSP, your CAGE codes, and then your POAM completion date, that is, when you will get to compliance with all 110 requirements of 800-171. As for submitting your score to SPRS, technically you don't have to submit it until the contract is awarded. But frankly, if you get the score out there sooner rather than later, it's just one more thing you can check off the list and potentially use as leverage or a competitive advantage versus companies that don't have that. 
SPRS access is granted to authorized government acquisition personnel through single sign-on to the Procurement Integrated Enterprise Environment. The cyber vendor user role will allow you to manage that basic assessment. Again, you need to be registered in PIEE and approved for access to SPRS to use that. You can also potentially submit your score, if you don't have a CAGE code and you don't have everything set up, to the email address firstname.lastname@example.org. If you do that, as it says there on the last bullet, you need to make sure you encrypt that data. This is sensitive data: your system security plan, your POAM, all this information, even your score, would be key insight to bad actors for how to exploit vulnerabilities in your system. As you're working on your system security plan, your POAM, and your basic assessment, you really need to keep a close eye on that information. You need to ensure the protection of that information to make sure it doesn't get into the wrong hands. Again, if you're going to email it, make sure that you encrypt it first. That pretty much wraps us up on the review of this course. Again, there are a few resources here at the end. You can see a link to the DoD Assessment Methodology, PIEE, CAGE, and SPRS. In the next video, we will go through a short project to hopefully put this all together for you and see how this can work. Thank you for watching, and we'll see you in the next video.