A Deep Dive Into CMMC 2.0 - 4 PDH
Monday, May 1, 2023
1:00 - 5:00 p.m. CDT
Room 007A
Henry B. Gonzalez Convention Center
$99 for SAME Members / $129 for Non-Members
Limit of 35 attendees.
Already registered for JETC? Email registration@same.org to request that the CMMC Workshop be added to your registration.This interactive workshop will benefit any organization leader looking to edit, create, or update their NIST 800-171/CMMC plan. We will begin with an overview of scoping, domains, and the audit before breaking into smaller teams to tackle individual modules. Discussions will cover how you’ve dealt with, or will deal with, the 110 security controls; cultural changes and challenges; strategies for addressing the 14 capability domains; and where organizations are struggling and facing challenges. By the end you will have completed our CMMC Planning Workbook for your organization and be prepared to achieve compliance through our proven methodology.
Who Should Attend?
- Individuals responsible for DoD contracts.
- Individuals responsible for protecting Controlled Unclassified Information (CUI).
- Anyone in the Defense Industrial Base (DIB).
- Organizations that recognize that compliance with CMMC is not an option when working with the DOD.
Why Should You Attend?
- To learn how to succeed with your CMMC compliance.
- To become confident in your ability to meet the demands of the assessment.
- To hear from companies and executives about their successes and obstacles to becoming compliant.
- To complete a planning workbook with tangible, executable next steps that you can take back to your organization.
- To get a list of applicable resources and a CMMC glossary.
- Earn 4 PDHs.
Module 1 – Scoping
One of the most critical factors in succeeding at CMMC is ensuring you have an answer to the question of scoping. Scoping is understanding how the framework fits your organization’s individual needs. Every organization looks a little bit different in terms of its use of technology, its competitive advantages and its unique culture – all things that contribute to what CMMC will look like and how you will achieve compliance for your organization. For example, do you know whether everyone in your organization needs access to CUI, or only an isolated few? Knowing this answer will have a profound impact on the decision and direction your organization will take with CMMC. Our experts will help guide the teams through the scoping conversation. The groups will discuss what has been tried in their organization and hear about critical considerations for success.
Module 2 – Domains
At each Maturity Level, there are controls that need to be addressed. (For example, at Maturity Level 2 there are 110 controls arranged within 14 control families/domains). The language used by the framework’s authors is not clear and as a result many organizations falter, as too much is left to the organization’s own interpretation. Unfortunately, you will be assessed as to what the DOD’s intent is for each control and not how you have interpreted the requirement. If not done properly from the onset, a misunderstanding of the requirements will likely affect your C3PAO audit, your NIST 800-171 score and the potential to mis-collect the wrong evidence.In addition, there are multiple alternatives available to the organization. Some of those options depend on the size of an organization, some based upon complexity and still others based upon the organization’s own culture. We will explore available options for addressing these controls.
In this module, our expert will provide guidance around these requirements by walking through each domain and its set of controls. Each team will then be given an opportunity to engage in an open discussion about what has worked and what some of the pitfalls are when implementing change within an organization’s ongoing operations. In addition, we will explore as a group how to shape the conversation for your return to the office.
Module 3 – Putting It All Together
In this module we bring what you’ve learned in this workshop together, to ensure success as you prepare for the C3PAO assessment. We will explore whether you have properly evaluated your infrastructure, including policies and procedures. You will determine: if you have well designed controls, explore how to evaluate and measure execution, and discuss requirements surrounding the evidence.In our small group breakouts, we will hear about the teams’ collective experiences and challenges with both the C3PAO process and subcontractor compliance. We will explore the timeline for engaging with a C3PAO, considerations for selecting a C3PAO and special circumstances such as taking advantage of the Joint Surveillance Program. We’ll talk about what organizations should expect when going through the C3PAO assessment, including the three forms of evidence that will confirm the existence of a security control – interview, observation and testing. Lastly, we’ll talk about how to make sure you’re ready to support each of the controls and put your best foot forward during the official assessment.
Learning Objectives
- Participants will understand the importance of having a plan of attack for addressing CMMC.
- Participants will understand what does and does not apply to their organization.
- Participants will understand how to avoid unnecessary system rework and the associated costs.
- Participants will understand the value of approaching the journey in an orderly, prioritized fashion.
- Participants will understand how to select a C3PAO and what to expect when going through the official assessment.
Presenters
Damon Hacker, MBA, CISA, CSXF, CMMC-RP - Damon Hacker is President, CEO and co-owner of Vestige Ltd, a leading cybersecurity company specializing in CMMC. As a member of SAME, he brings more than 30 years of experience in cybersecurity, including compliance and Information Security auditing. He helps to improve the techniques, processes and technology in cybersecurity. He actively assists SAME Members achieve compliance with NIST 800-171 and CMMC.As a CMMC Registered Practitioner, Damon is an in-demand speaker at the National, Regional and state/local levels—including SAME Federal SBC, SAME CapitalWeek, SAME JETC, JETS (Atlanta) and a number of local SAME Posts. He speaks on the subjects of DoD CMMC cybersecurity compliance, IT security, IT auditing, computer fraud, white-collar crime, data breach, non-compete and intellectual property theft.
He earned his MBA from the Weatherhead School of Management, and his undergraduate degree from Case Western Reserve University. He is a Certified Information Systems Auditor (CISA), CSX Cybersecurity Nexus Fundamentals certification from the Information Systems Audit and Control Association (ISACA) and is a Cybersecurity Maturity Model Certification - Registered Practitioner (CMMC-RP) for DoD cybersecurity compliance. Vestige is a Registered Provider Organization (RPO) within the CMMC ecosystem with Registered Practitioners (RP) on staff.
Jade Brown, BA, C/EH, GCTI - As a CyberSecurity Analyst Jade conducts CyberReadiness and CyberSecurity Maturity Model Certification (CMMC) Assessments, including completing a gap analysis and report of findings. She has experience in creating, reviewing and updating System Security Plans (SSP) and Plan of Action and Milestones (POAM). She advises clients on CMMC compliance and specific actions to take with security controls and achieving compliance with CMMC.