cybersecurity for defense contractors

CYBERSECURITY FOR DEFENSE CONTRACTORS: DEMYSTIFYING DFARS AND CMMC REGULATIONS

Hosted by: Office of US Senator Richard BurrOffice of US Senator Thom Tillis

North Carolina Military Business Center North Carolina Defense Technology Transition Office

Businesses in AttendancePlease test your chat function and provide: company name,

your name, location, email address

AGENDAIntroductions and Welcome

• Denny Lewis, North Carolina Defense Technology Transition Office (DEFTECH)

• Kim Kotlar, Consultant

Speakers• Laura Rodgers, Business Development Professional/Cybersecurity Compliance and

Chair, North Carolina Interagency Cybersecurity Coordinating Committee (I3C)

Business Questions and Answers• Please type your questions in the chat function for review and response

Conclusion and Announcements• Denny Lewis, North Carolina Defense Technology Transition Office (DEFTECH)

UPCOMING 2021 SUMMIT: CyberChats (Weekly Beginning January 13, Virtual)

North Carolina Installation Construction Prime-Subcontractor Teaming Outreach (March 2-4, Virtual)

Defense Contractor Academy (March 9 – April 1, Virtual)

Federal and Defense Textile Summit (May, TBD)

Medical, Biomedical & Biodefense: Support to the Warfighter Symposium (August, TBD)

Much more to come. . .

All registration information will be available online at www.ncmbc.us.

http://www.ncmbc.us/


• Denny Lewis, North Carolina Defense Technology Transition Office (DEFTECH)• Kim Kotlar, Consultant















Speakers• Laura Rodgers, Business Development Professional/Cybersecurity Compliance

and Chair, North Carolina Interagency Cybersecurity Coordinating Committee (I3C)











NORTH CAROLINA MILITARY BUSINESS CENTER PRESENTS

DEMYSTIFYING DFARS AND CMMC CYBER REGULATIONS

WHILE THIS DOCUMENT IS DEEMED A PUBLIC RECORD BY NORTH CAROLINA LAW, THE NCMBC OWNS THE COPYRIGHT TO THIS DOCUMENT. WITH ATTRIBUTION TO NCMBC, THE NCMBC PROVIDES A NON-EXCLUSIVE, ROYALTY-FREE, PERPETUAL LICENSE TO COPY AND DISTRIBUTE THIS DOCUMENT

17 December 2020WWW.NCMBC.US

5

Cybersecurity Regulations Terminology

• FAR: Federal Acquisition Regulation – all the regulations associated with federal procurement

• DFARS: Defense Federal Acquisition Regulation Supplement – acquisition regulations for the Dept. of Defense

• NIST SP 800-171: National Institute of Standards and Technology Special Publication that contains 110 cybersecurity controls

• Supplier Performance Risk System (SPRS) - web-enabled enterprise application that gathers, processes, and displays data about supplier performance. It is the DoD’s single, authorized application to retrieve supplier performance information.

6

Cybersecurity Regulations Terminology7

• Federal Contract Information (FCI) - information that is not marked as public or for public release, and is subject to minimum cybersecurity requirements, such as CMMC Level 1. FCI does not include information provided by the government to the public or simple transactional information, such as that required to process payments. While this information is not as sensitive as CUI, it must still be protected. FCI may be stored in many places such as:

• emails originating from government addresses• systems that store files received from the government• hard storage devices• workstations• manufacturing devices• backup systems• networks

Cybersecurity Regulations Terminology8

• Controlled Unclassified Information (CUI) - information that requires safeguarding or dissemination controls but is not considered classified – it is information that legally cannot be made public. CUI must be legally protected but is not deemed sensitive enough to require a high-level security level clearance to access. CUI is data, that if leaked or accessed by our adversaries, could negatively impact national security by showing our vulnerabilities or giving our adversaries an advantage.

Examples of CUI include legal material, health documents, technical drawings andblueprints, intellectual property, ITAR controlled documents/products, etc.

Cybersecurity Regulations¨ FAR 52.204-21 – “Basic Safeguarding of Covered Contractor Information Systems.” Maps

to practices in CMMC Level 1.¨ DFARS 252.204-7012 – “Safeguarding Covered Defense Information and Cyber Incident

Reporting.” Requires protection of CUI by compliance to the 110 cybersecurity controls in NIST SP 800-171. Contractors could self-attest to compliance. Modified by DFARS Interim Rule.

¨ CMMC – Cybersecurity Maturity Model Certification – requires physical cybersecurity assessment and certification to a CMMC level of maturity. Quality Management System(QMS) for cybersecurity.

¨ DFARS Interim Rule – implements CMMC AND modifies DFARS 252.204-7012 to include a self-assessment using the Department of Defense Assessment Methodology, which must be uploaded to the Supplier Performance Risk System. Effective date: 30 Nov 2020. Will be phased-in over a 3-year period.

9

DFARS/CMMC – Why the Confusion?10

1. No one expected the DFARS Interim Rule to modify DFARS 252.204-7012.

2. DFARS 252.204-7012 is referenced in contracts even when no CUI will be processed, stored or created. If there’s no CUI, then the clause is not applicable.

3. The DFARS Interim Rule eliminated self-attestation to compliance and added a self-assessment requirement using the DoD Assessment Methodology.

4. The DFARS Interim Rule went into effect on Nov. 30th, which was interpreted (incorrectly) to mean that every contractor in the defense industrial base must have their self-assessment score uploaded to the Supplier Performance Risk System (SPRS) by that date.

5. Assumption that COVID would cause delays in the implementation of CMMC, so it was projected that CMMC implementation would not occur until FY 2022.

6. Varying interpretations of the DFARS Interim Rule7. No clear definitions for FCI/CUI

It’s All About the Data11

• The cybersecurity regulations are designed to protect data. Compliance to DFARS and CMMC depends 100% on the type of data a company processes, stores and/or creates on behalf of the DoD. So, the cost and complexity of your system as well as the costs associated with assessments depends on data.

• DFARS 252.204-7012 and CMMC Level 3 require that Controlled Unclassified Information (CUI) be safeguarded (protected).

o CMMC Level 3 = 110 NIST controls + 20 additional controls + QMS + Maturity

• The best way to avoid the expense is to not touch CUI. AND, with less CUI being transmitted, the risk to national security is reduced. CUI = $$$ and Risk

• Companies that touch FCI need to pursue certification to CMMC Level 1, which is 17 controls. FCI = $ and Low Risk

What Does the DFARS Interim Rule Do?12

• Added DFARS 252.204-7019

ü Implemented the NIST SP 800-171 DoD Assessment Methodology – use to perform

a self-assessment to the 110 controls in NIST.

ü Directs contractors to upload the results (score) of their self-assessment to SPRS

ü Directs contractors to maintain current assessment results in SPRS (not older than 3 years)

• Added DFARS 252.204-7020

ü Directs contractors to provide access to the Government to their facilities, systems and personnel when it is necessary to conduct a medium/high level assessment

ü Directs prime contractors to ensure that applicable subcontractors have the results of a current assessment posted in SPRS prior to awarding a subcontract

What did the DFARS Interim Rule Do?13

• Directs contracting officers to verify in SPRS that a company has a current assessment on record prior to contract award or prior to exercising an option.

• Added DFARS 252.204-7021ü Established the Cybersecurity Maturity Model Certification (CMMC)

requirements

DFARS Interim Rule –DoD Assessment Methodology

14

• Enables strategic assessments at the entity (corporate) level – not by contract

• Provides a standard methodology for contractors to do a self-assessment (Basic Assessment) to the 110 controls in NIST SP 800-171 – assigns a numerical value to each control

• “The requirement for the Basic Assessment would be imposed through incorporation of the new solicitation provision and the contract clause in new contracts and orders. As such, the requirement to have completed a Basic Assessment is expected to phase-in over a three-year period…” Reference – DFARS Interim Rule

DFARS Interim Rule –DoD Assessment Methodology

AssessmentsBasic Assessment

• Self-assessment to 110 NIST controls

• Pre-award assessment• Uploaded to SPRS prior

to award• Valid for 3 years• Confidence level - low

Medium Assessment• Performed by DCMA• Based on criticality of

program and sensitivity of data

• Post-award assessment• Valid for 3 years• Confidence level –

medium• DoD uploads results to

SPRS

High Assessment• Performed by DCMA• Based on criticality of

program and sensitivity of data

• Post-award assessment• Valid for 3 years• Confidence level – high• DoD uploads results to

SPRS

DFARS Interim Rule –DoD Assessment Methodology - Scoring

• How to Score the Self-Assessment – a perfect score is 110, meaning the contractor has all 110 NIST controls in place.

• For every control that is not in place, subtract its value from 110 – see below

Example: If my company is not compliant with controls 3.1.1 and 3.1.5, subtract 8 points from 110.

DFARS Interim Rule –DoD Assessment Methodology - POAMS• If any of the 110 controls are not in place, a Plan of Action and Milestones

(POAM) must be developed to show how you plan to implement the control and when the control will be in place.

• The date that a score of 110 will be achieved (uploaded to SPRS) should be the latest date on your POAMS.

• There has been no guidance on how long POAMS can be open.• Companies should upload a new score each time a POAM is closed and the

score improved.• Compliance does NOT mean you must have a score of 110. Compliance

means that you have performed a self-assessment, have POAMs in place, and have uploaded your score to SPRS.

DFARS Interim Rule –DoD Assessment Methodology - Results• Assessment results posted in SPRS are available to DoD personnel only

and are protected. (Method for primes to check score of potential subs has not yet been established)

• The information below must be posted to SPRS

DFARS Interim Rule –

DoD Assessment Methodology - Scoring

Remember - the contracting officer only sees your total score, not how you scored on each control.So how does the DoD know if you’re compliant with the controls

that have more impact on the security of your network – the

ones rated a “5” – without doing a Medium or High assessment?

Answer: They don’t.

DFARS Interim Rule – DoD Assessment Methodology – Assessment Costs

• Since the DFARS Interim Rule is based on the NIST controls in DFARS 252.204-7012, which is already in most contracts, the DoD is only considering the cost of the assessments to be allowable. In other words, any labor and equipment expenses incurred to achieve compliance to the 110 NIST controls is not considered a billable cost and may not be billed directly to the customer (roll the costs into your OH rates)

• Contractors do not have to pay the assessors for Medium and High assessments; the expenses are all internal to the contractor.

• Basic Assessment - $75; Medium Assessment - $909; High Assessment -$50,676

DFARS Interim Rule –Government Access to Facilities

21

• If the Defense Contract Management Agency determines that a Medium or High Assessment of a company’s cybersecurity system is necessary, the new DFARS Interim Rule directs the company to provide access to the Government assessors.

• Medium and High Assessments will be done based on risk • Costs associated with the assessments are all internal to the company –

providing support to the assessors

DFARS Interim Rule –Subcontractor Assessments

22

• Prime contractors are responsible for ensuring that their subcontractors have current assessment scores uploaded into SPRS – IF the new contract or order contains the new DFARS clauses AND the subcontractor will touch CUI.

• Primes do not currently have access to scores for their subcontractors. Subs are beginning to see emails from their primes telling them to perform the assessments and upload their scores – with no other guidance provided.

DFARS Interim Rule –Verification of Assessments

23

• Contracting officers are directed to verify that a contractor has a current assessment in SPRS. New assessment scores must be uploaded every three years – at a minimum.

Cloud Service Providers & Compliance24

• DFARS 252.204-7012 (D) – if a contractor intends to use an external cloud service provider to store, process or transmit CUI in the performance of the contract, the contractor shall ensure that the CSP meets security requirements equivalent to the FedRAMP Moderate baseline.ü The contract with the CSP must include every control they are responsible for and how

they will maintain compliance. ü Defense contractors are 100% responsible for compliance to cybersecurity

requirements. Compliance cannot be off-loaded to a CSP.ü CSPs cannot handle compliance for all the controls/practices.ü Don’t use a CSP from a foreign country.

Employee Training is Key25

• According to the FBI, CISA, NSA, etc. most breaches are the direct result of an employee inadvertently clicking on a link or opening an attachment

• Employee training must be on-going to protect your company data and CUI/FCI

• Our adversaries aren’t just after our data – they want to disrupt our supply chains

• Review the training resources on Cybernc.us

https://www.cybernc.us/

DFARS Interim Rule - CMMC26

• Established the Cybersecurity Maturity Model Certification (CMMC) requirementsü Unified cybersecurity standard for DoD acquisitions – eliminates confusion created by

multiple regulations. Best cybersecurity practices.ü Protects Federal Contract Information [FCI]– unclassified information that is to be

protected from public disclosure, and Controlled Unclassified Information [CUI]–information that requires safeguarding or dissemination controls

ü A quality management system for cybersecurity – not a checklist. Compliance to CMMC is not an IT task, it’s a management program. As with other quality management systems and maturity models it requires a culture change.

ü Based on CMMI – developed by Carnegie Mellon and Johns Hopkins using the NIST Cybersecurity Framework, NIST SP 800-171 and other cybersecurity regulations.

ü CMMC is foundational – as important as cost, schedule and performance – non-negotiable.

Who Has to Comply with CMMC?• Any organization in the DoD supply chain that processes, stores and/or

creates FCI or CUI. Includes SBIR/STTR and grant recipients.• Any organization that provides protection for FCI or CUI. Note: that

includes Managed Service Providers and Cloud Service Providers.• 60% of the Defense Industrial Base will need to be compliant with CMMC

Level 1; 30% will need to be compliant to CMMC Level 3; less than 2% need to be compliant with CMMC Levels 4 and 5.

• Commercial-off-the-Shelf suppliers will not be required to be compliant with CMMC.

27

CMMC Timeline

• January 31, 2020 – CMMC 1.0 released

• March 18, 2020 – CMMC 1.02 released; signed MOU transferring CMMC from DoD to the CMMC-AB

• 2nd qtr. 2020 – CMMC marketplace created

• 3rd qtr. 2020 – Defense Acquisition University initiates training; CMMC-AB begins training assessors.

• 1st – 2nd qtr. 2021 - CMMC DFARS regulation rolled out; CMMC requirements in 15 RFPs, SBIR/STTRs, grants etc. Anticipate 1500 contractors affected the first year.

• October 2025- All new DoD contracts will contain CMMC requirements

28

CMMC Model Structure17 Capability Domains CMMC model with 5 levels measures

cybersecurity maturity

29

CMMC Practices Progression30

CMMC Maturity Process Progression31

How CMMC Will Be Managed – CMMC Ecosystem

32

• CMMC Training – the Defense Acquisition University [DAU] is providing

training to acquisition professionals (contracting officers). Several

organizations, including the NC Military Business Center and the Procurement

Technical Assistance Centers (PTACs) are developing and providing training to

assist businesses with compliance. The NCMBC is working with the DAU so the

training we provide is consistent with DAU training.

• CMMC Flow-down – level flow-down will follow the FCI/CUI. If a contractor

won’t receive, process, store or create CUI, then they will be required to meet

CMMC Level 1 requirements. Just because a prime contractors touches CUI,

that doesn’t mean their subs/suppliers will.

How CMMC Will Be Managed – CMMC Ecosystem

• CMMC Accreditation Body [CMMC-AB] – will oversee the training, quality, and administration of third-party assessment organizations (C3PAOs). CMMC-AB consists of 13 individuals from industry, the cybersecurity community, and academia. CMMC-AB is a 501(c)(3) organization – not part of DoD.

• CMMC Third Party Assessment Organization [C3PAOs] - manage Certified Assessors (CA)

• Certified Assessor (CA) - certified to assess companies at different levels – CMMC Levels 1, 3 and 5. CAs can also deliver certified CMMC consulting services

• Certified Professional (CP) – trained, tested, and certified professionals who demonstrate a working knowledge of the CMMC model. CPs can support organizations working towards CMMC compliance – assessments and consulting

• Registered Practitioners (RP) – trained in CMMC and can consult

33

Cost of Certification - CMMC• Recurring costs of implementing CMMC are allowable and reimbursable

– should be like any other OH cost – rolled into rates. Non-recurring costs can be billed to the contract directly.

• DoD perspective – DFARS [NIST 800-171, 110 cybersecurity controls] has required self attestation to cybersecurity compliance for several years, so companies should already have controls in place if they have worked on defense contracts, so non-recurring costs should be minimal.

34

Cost of Certification - CMMC• Assessment costs will increase significantly as CMMC Levels of

certification increase. Below are DoD estimates, and include the amount paid to the assessor/team and your time during the audit.ü CMMC Level 1 Assessment - $3000 [no CUI, just FCI]ü CMMC Level 2 Assessment - $23,000 [not sure I see the point in this one

since there will be no contracts issued that have CMMC Level 2 compliance requirements]

ü CMMC Level 3 Assessment - $51,000 [CUI]ü CMMC Level 4 Assessment - $70,000 [mostly large primes]ü CMMC Level 5 Assessment - $110,000 [for high-value assets and/or

advanced persistent threats – mostly large primes]

35

AVOID CUI!36

• The best way to minimize the cost of securing your network and prevent unauthorized access to CUI is to avoid touching CUI. It will require more work on everyone’s part, but it will save time and money, and reduce the risk of our adversaries accessing our data or disrupting our supply chains.

o Prime contractors - work with your CO/KO to find ways of eliminating the need to receive CUI; for example, discuss the necessity of them sending a complete set of drawings to you. Is it possible to compartmentalize the information sent so that it no longer contains CUI? Can CUI be redacted out of the drawing or information? Is a secure cloud available in which to perform the work? And figure out ways to eliminate the need for your subs/suppliers to process CUI.

AVOID CUI!• Subcontractors/suppliers – you need to collaborate with your primes and

ask the same questions. Example: a prime contractor does not need to send a complete set of drawings to a machine shop that will be fabricating screws.

No CUI = Less Risk and Less Money

37

CUI - COLLABORATION

Collaboration is key • Prime contractors should contact their contracting officer[CO/KO] to

determine if the contract includes CUI. If the CO/KO doesn’t know,

ask them to contact the DoD CUI Office at osd.pentagon.ousd-intel-

[email protected]

• The NCMBC is working with the Defense Acquisition University to

make sure they understand the implications of the new

cybersecurity standards, as well as the confusion surrounding CUI, so

they can provide appropriate training to CO/KOs

38

mailto:[email protected]

Where Do We Start?1. For company leaders: Tone at the top is critical – treat cybersecurity as an opportunity

to do your part to protect National Security, which in turn protects our freedoms.

2. If your company sells strictly COTS, consider working toward CMMC Level 1 compliance. While compliance is not yet required, it could be in the future. Perform a self-assessment to Level 1 requirements. There are only 17 controls/practices in CMMC Level 1.

3. Review your current DoD contracts. If DFARS 252.204-7012 is referenced AND your CO/KO states in writing that your company has/will touch CUI, you need to comply with NIST SP 800-171 as soon as possible if there are unexercised options coming up or you are planning to bid on a contract after 30 Nov 2020. You probably need to find a consultant who is an expert in NIST 800-171 requirements.

40

Where Do We Start?

4. Get help from a cybersecurity consultant if you think you need it. NOTE: at this

point, very few consultants are certified in CMMC, but they can help implement the

necessary NIST controls – just make sure they understand NIST 800-171.

5. If your contract references FAR 52.204-21, begin working toward compliance to

the 17 controls in CMMC Level 1.

6. All other companies in the DIB – begin with compliance to CMMC Level 1

7. Once you feel comfortable that your company is compliant with CMMC Level 1

requirements and you are certain your company will not need to touch CUI, you

can contact the CMMC Accreditation Body via the CMMC Marketplace to schedule

a compliance assessment. [For companies that only require CMMC Level 1 compliance]. NOTE: It may be several months before the infrastructure is in place

to begin assessments.

41

Where Do We Start?42

8. If you want to go after contracts that will require you to touch CUI, and/or you want to be proactive and get ahead of your competition, begin by working toward CMMC Level 2 compliance. [Note: No RFPs will be issued at CMMC Level 2 – Level 2 is considered a stepping-stone to get to Level 3 - so begin with Level 2 requirements, then move to Level 3. Keep in mind that at Level 2 you are still not compliant with NIST 800-171]. Level 2 has 55 controls in addition to the 17 required at Level 1. In addition, all controls/practices must be documented, and you must have a cybersecurity policy.

Where Do We Start?43

9. CMMC Level 3 requirements include an additional 58 controls/practices, all practices must be documented, you must have a cybersecurity policy and a System Security Plan is required. Remember, CMMC Level 3 is derived from DFARS 252.204-7012, which requires compliance to NIST 800-171.

CMMC Level 3 = NIST 800-171 [110 controls] + 20 additional controls + QMS + Maturity

10. Schedule a Level 3 assessment via the CMMC Marketplace. If you attain CMMC Level 3 certification, you will have exceeded the requirements in the DFARS cybersecurity clause.

11. If your company is registered to any quality management systems standards such as ISO 9001 or AS9100 D, your cybersecurity system needs to be integrated into those programs. If your products/services fall under the ITAR, cybersecurity needs to be integrated into that program as well.

Resources• For help understanding the requirements go to CyberNC.us

• CyberChats to start January 13th – weekly virtual working group to help companies build a cybersecurity compliance program

• Cybersecurity Consultants – posted on NCMBC website [consultants have completed an application, but will not be vetted by the NCMBC]

• NCSU Cyber Toolkit – gap analysis tool for compliance with NIST 800-171

• Project Spectrum – initiative supported by the DoD Office of Small Business Programs – courses, training videos, assessment tool

• CUI Registry Categories – look at all categories, not just Defense

• CMMC Center of Awesomeness – technology solutions and other tools

44


http://www.ncmbc.us/applications/

https://www.ies.ncsu.edu/download-cybersecurity-tool/

https://projectspectrum.io/

https://www.archives.gov/cui/registry/category-list

https://www.cmmc-coa.com/cmmc-awesomness

CyberNC.us45

Key Points47

• Don’t panic – it’s important to understand the standards before making decisions

• It is all about the data, so avoid CUI – COLLABORATE• Start working to secure your network ASAP – national security depends on it• Employee training is vital to the security of your company data and CUI/FCI• DoD contractors are responsible for compliance – can’t be offloaded to a

managed service provider or a cloud service provider• If you choose to work with a cloud service provider, make sure you have an

enforceable contract with them that includes all the controls/practices they are responsible for

Key Points - CMMC¨ CMMC certification will be required at time of contract award. If you aren’t

compliant, you don’t get the award.

¨ If you provide strictly COTS products, CMMC does not apply¨ If a company receives or touches FCI, then it will be required to be certified to

CMMC Level 1 [60% of companies in the DIB]

¨ If a company will touch CUI, then it will be required to be certified to CMMC Level 3 [at a minimum]

¨ Compliance with CMMC is a HUGE differentiator – companies that aren’t proactive and pursue certification will not get contracts

¨ Collaboration is the key to avoiding CUI and reducing cybersecurity costs

48

Looking to the Futureq Other departments in the federal government will begin to require

compliance to CMMC. For example, CMMC requirements will be in the STARS 3 contract.

q Anticipate CMMC being adopted internationally in 2021 or 2022 and becoming an international standard

q CMMC Level 1 may go away since it is seen as basic cyber hygiene. As cyber threats evolve and increase, a higher level of CMMC may be required – even for companies that don’t touch CUI.

This is an opportunity for North Carolina to get ahead of other states that are not coordinating compliance to cybersecurity requirements.

49

Important Links• CyberNC.us

• FAR Clause 52.204-21 [maps to CMMC Level 1]

• DFARS 252.204-7012 [maps to NIST 800-171]

• NIST SP 800-171 Rev.2 – includes template for System Security Plan and POAM

• New DFARS Rule

• DoD Assessment Methodology

• Supplier Performance Risk System

50


https://www.acquisition.gov/far/52.204-21-0?searchTerms=52.204-21

https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf

https://www.sprs.csd.disa.mil/

Important Links51

• CMMC v1.02 [

• CMMC Appendices – model in table format

• CMMC-Accreditation Body – shows CMMC Ecosystem

• CMMC Level 1 Assessment Guide

• CMMC Level 3 Assessment Guide

• Get help from the NCMBC – Laura Rodgers; [email protected]

https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf

https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf

https://www.cmmcab.org/

https://www.acq.osd.mil/cmmc/docs/CMMC_AG_Lvl1_20201208_editable.pdf

https://www.acq.osd.mil/cmmc/docs/CMMC_AG_Lvl3_20201208_editable.pdf

mailto:[email protected]

52

It’s not an option. Our adversaries -particularly China, Russia, North Korea and Iran - are targeting our networks constantly. We simply cannot let them get information that shows our vulnerabilities and/or gives them an advantage. The stakes are way too high.

Network Security is Non-Negotiable

NORTH CAROLINA MILITARY BUSINESS CENTER PRESENTS

DEMYSTIFYING DFARS AND CMMC CYBER REGULATIONS

WHILE THIS DOCUMENT IS DEEMED A PUBLIC RECORD BY NORTH CAROLINA LAW, THE NCMBC OWNS THE COPYRIGHT TO THIS DOCUMENT. WITH ATTRIBUTION TO NCMBC, THE NCMBC PROVIDES A NON-EXCLUSIVE, ROYALTY-FREE, PERPETUAL LICENSE TO COPY AND DISTRIBUTE THIS DOCUMENT

17 December 2020WWW.NCMBC.US

53






Conclusion and Announcements• Denny Lewis, North Carolina Defense Technology Transition Office

(DEFTECH)









cybersecurity for defense contractors

Documents