Thursday, January 13th online from 7:00 PM to 9:PM
Presenter: Robin Basham, Chapter President, CEO EnterpriseGRC Solutions.
Management Discussion: We do not have a quorum of candidates to move forward with our new board. Istvan Berko will engage with our voting chapter members to gain consensus for how we cost effectively stay alive with a 100% remote model.
In the absence of in person conferences and meetings, Robin has not been able to coordinate conferences, which has been our sole source of revenue for the last five years.
Some board members with more than five years in our roles will explain what it means for us to step away with dignity knowing what it takes to support the next generation of leaders. With revenue and support a lot of our community can do this, but we have to change the way things are done.
Why the topic update: People are seeing the words DFARS and CMMC thrown into webinar topics. Our board wants to assure that our membership gets qualified and accurate training. Since Robin is recently engaged on this topic…
Topic: NIST 171 Compliance: The NIST Special Publication 171 series, Defense Federal Acquisition Regulation Supplement (DFARS) 7012, and Cybersecurity Maturity Model Certification – Regulating Protected Controlled Unclassified Information
Suppose you are a nonfederal service provider whose offering might involve handling Controlled Unclassified Information (CUI). Up till now, it might not have been an issue. Still, suddenly either your Government Contract Management Officer or an upstream distributor for one of your products has informed you that your contracts and work orders won’t move forward till your offering is listed in the DoD Supplier Performance Review System as having passed NIST 171. Now what? This paper explains what you need to know about the NIST SP 800-171 Assessment Methodology and its use in demonstrating adequate security as detailed in the recently updated DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
In short, DFARS Rule 2019-D041 means that US Federal Agencies cannot award your contract unless you’ve met with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and have validated that assessment either by a Self-Reported, Supplier Performance Risk System (SPRS) score, or, as certified by a DoD accredited assessor (third party) using the prescribed Cybersecurity Maturity Model Certification (CMMC) Framework.
|Domains of Knowledge ->||NIST Frameworks (The SP-800 series)||DFARS Guidance||Certified Assessor Requirement Level|
|User or Actor||NIST 171, 171A-Low, 171A-Medium, 171A-High, 172, DoD NIST 171 Assessment Methodology, NIST.HB.162 Assessors Handbook||DFARS 2019-D041, DFARS 252.204-7012, DFARS 252.204-7019, DFARS provision 252.204-7008, *CMMC Rule||CMMC L1, L2, L3, CMMC L1 Scoping Guide, CMMC L2 Scoping Guide, SPRS-Basic, SPRS-Derived, DoD NIST 171 Assessment Methodology, NIST.HB.162 Assessors Handbook|
|Compliance Professionals – Basic Assessment||NIST 171, 171A-Low, NIST.HB.162 Assessors Handbook (for low)||DFARS 252.204-7012||SPRS, DoD Assessment Methodology, NIST.HB.162 Assessors Handbook|
|Compliance Professionals – Medium Assessment||NIST 171, 171A-Medium, NIST.HB.162 Assessors Handbook||DFARS 252.204-7012||SPRS, DoD Assessment Methodology, NIST.HB.162 Assessors Handbook, CMMC L2, CMMC Level 2 Scoping Guide|
|Compliance Professionals – High Assessment||NIST 171, 171A-High, 172, NIST.HB.162 Assessors Handbook||DFARS 252.204-7012, DFARS 252.204-7019, *CMMC Rule||CMMC L1, L2, L3 (content is the same as NIST 172), NIST.HB.162 Assessors Handbook|
|Assessors – externally accredited, DoD certified||NIST 171, 171A-all, 172, NIST.HB.162 Assessors Handbook||DFARS 2019-D041, DFARS 252.204-7012, DFARS 252.204-7019, *CMMC Rule||CMMC L1, L2, L3, SPRS-Basic, and Derived, NIST.HB.162 Assessors Handbook|
|Executives / Legal||NIST 171 (Chapter 3)||DFARS 2019-D041, DFARS 252.204-7012||N/A|
|DCMA (Contract Administrator)||DoD NIST 171 Assessment Methodology||DFARS 2019-D041, DFARS 252.204-7012 DFARS 252.204-7019||SPRS – Review system results as provided by an assessor|
About the speaker: Robin Basham recently lead the Cloud Security Alliance CCM 4 to NIST 800-53 R5 Working Group. This effort began as a proposed commitment in April, involving the collaboration of some of our biggest and most well respected East Bay Enterprises. Leveraging the talent of 20 volunteers and mappings as designed in three major companies, the CCM WG produced a refined mapping that will release in JSON format and hopefully brings much-needed clarity to the Cloud Security and Compliance Community.
Owner EnterpriseGRC Solutions, President, ISC2 East Bay, Certified Information Systems Security (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC-IA), ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud Security and Virtualization, with industry experience in the management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, Leading Process Engineering for a major New England CLEC, Sr. Director Enterprise Technology for multiple advisory firms, founding, engineering product and running two governance software companies, and most recently Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Recently full time at Cisco, Unified Compliance and ISMS Program Manager, Robin currently leads LSHC in support of three MDM clients as well as donating substantial time to supporting social platform security to further social democracy. Robin recently contributed a mapping refresh for NIST 171/172 to Dr. Ron Ross FISMA team and is currently contributing to the CCM Mapping for version 4.0. She is also a past board member to the ISACA SV Chapter.
February Topic is BotSentinel CEO Christopher Bouzy.