SIMPLIFYING CMMC & DFARS 7012 COMPLIANCE SOLVING THE PUZZLE FOR

SIMPLIFYING CMMC & DFARS 7012 COMPLIANCE SOLVING THE PUZZLE FOR SMALL BUSINESS From DFARS 7012 to CMMC Certification

ABOUT COALFIRE FEDERAL Coalfire Federal provides cybersecurity services to government and commercial organizations helping them protect their mission-specific cyber objectives. Coalfire Federal is the leading FedRAMP 3PAO, a CMMC C3PAO and CMMC RPO and offers a full spectrum of cybersecurity risk management and compliance services ABOUT STUART ITKIN Coalfire Federal VP CMMC and FedRAMP Assurance Previously VP Product Management and Marketing at Exostar, Global CMO at CEB Executive roles in several cybersecurity businesses Lead mentor at MACH 37 cyber product

ABOUT PREVEIL PreVeil is a simple, inexpensive and secure SaaS platform for storing and sharing CUI and ITAR data in email and files. Designed for the enterprise, PreVeil is used by leading defense contractors for CMMC compliance, Supply Chain Collaboration and Incident Response. ABOUT RANDY BATTAT Co-founder and CEO of PreVeil since 2015 Previously, CEO of Airvana Led teams at Motorola and Apple BS in Electrical Engineering, Stanford University

ABOUT DTC GLOBAL Focused on DoD Cyber Threat since 2006 Led DoD’s First Cyber CI Insider Threat/FIST Program Operationalized 3.5B in Transformative Globally Distributed Technologies Cross-Discipline/Horizontal/Vertical Platform & Systems Integration Industry Trenches ITAR/DFARS/CMMC Large Global Prime Contractors Supply Chain Risk to Small/Micro Businesses Clients: 46.8B Market Cap, 235k Employees, 300-325k Endpoints Industry Thought Leaders since 2015 ABOUT REGAN EDENS Chief Transformation & Compliance Officer Director, Board of Directors CMMC Accreditation Body Chartered by DoD to Manage CMMC Certification Chairman of Standards Management Committee Vice Chairman of Training Committee CMMC Certified Master Instructor Led Training for CMMC Certified Provisional

AGENDA Regan Edens 10 Tasks to get you started with CMMC compliance Critical areas for focus 5 Critical enablers for compliance success Randy Battat Cloud-based Encrypted File Sharing & Email Q&A Breakout

SOLVE THE PUZZLE: TOP 10 TASKS From 130 Practices, 409 Assessment Objectives Your Path to Compliance Begins HERE 1) Conduct required tasks such as RSA, POA&M, and document them in SSP. 2) Identify and properly mark the types of restricted information (CUI/FCI) to needed to conduct services, deliver products, and parts. 3) Identify the sources of the restricted US DoD information; understand where it is developed within your company; and understand where the 4) restricted Restrict, segregate, handle, and safeguard the information, information flows within the network and employee documents, workflows. and parts. 5) Develop, modify, and sustain policies, workflow procedures, and network devices and activities that involve the restricted DoD information.

SOLVE THE PUZZLE: TOP 10 TASKS Your Path to Compliance Continues 6) Train personnel to understand the risks, policies and procedures required to sustain the requirements. 7) Ensure impacted portions of your supply chain understand and meet requirements. 8) Monitor, enforce, document, and audit requirements. 9) Prepare for third party certification with 100% conformity. 10) Sustain requirements and report misuse of CUI, network or other incidents placing or potentially placing the confidentiality of the information at risk.

FOCUS ON THE HARDEST PARTS Critical Focus Areas Requirements Follow the Data (CUI/FCI) Data Flow Determines Scope Compliant Business Processes Secure Network & Compliant Architecture Detailed Documentation Controlled Environment Your Employees, Trained & Knowledgeable Your Supply Chain & Subcontractors

BE MART: SOLVE THE PUZZLE WITH HELP Critical Enablers Reliable Expertise & Guidance Experienced Consultants & Integrators Control the Flow of CUI & Limit Scope Limit People, Devices, Applications CUI Data Management (Email/Storage) Cloud Service Providers & Services CUI Workflow Matches Reality Train People on Procedures & Policies Engage Supply Chain NOW mart SC Strategies Reduce Risk

BE MART: SOLVE THE PUZZLE WITH HELP Critical Enablers Reliable Expertise & Guidance Experienced Consultants & Integrators Control the Flow of CUI & Limit Scope Limit People, Devices, Applications CUI Data Management (Email/Storage) Cloud Service Providers & Services CUI Workflow Matches Reality Train People on Procedures & Policies Engage Supply Chain NOW mart SC Strategies Reduce Risk

CUI/FCI for CMMC Compliance: Cloud-based Encrypted File Sharing & Email 11

CMMC Domains: Policies, Processes, Systems Access Control Asset Management Audit & Accountability Awareness & Training Configuration Management Identification & Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Recovery Risk Management Security Assessment Situational Awareness System & Communications Protection 12 System & information Integrity Mostly Systems Both Systems & Processes Mostly Policies & Processes

Systems Considerations Compliance Deployment options Security Ease of use & adoption Total cost of ownership 13

PreVeil: Simple Way To Enhance Cybersecurity End-to-end encrypted file sharing & email for CUI or ITAR-restricted data Addresses CMMC requirements for handling CUI in files & messages Easy to deploy — no modifications required to existing IT infrastructure Easy to use Fraction of the cost of alternatives 14

Demonstration 15

PreVeil Security 16

Traditional File & Mail Servers Plain Text Plain Text Company A Server Company B Server Internet Plain Text Company C Server Plain Text Company D Server 17

End-to-end Encryption Encrypt Company B PreVeil Server Decrypt Company C Company A Company D 18

Passwords vs. Keys Traditional System PreVeil Password Server Password Attacker obtaining password can log in remotely Attacker 19 Server Key stored on device required for decryption

Administrative Vulnerabilities Traditional System PreVeil Any admin can perform sensitive operations: Reset passwords Export data Delete users Admins can perform sensitive functions only with after being authorized by an “approval group.” Example — Exporting Data: And so can an attacker Encrypted Decrypted Files & Emails Admin Admin Server Attacker Exported Data Server Exported Data Approvers 20

External Access Control Traditional System: Open to the Internet PreVeil’s Trusted Communities Suppliers X X Organization Internet Organization Customers Attackers 21 Suppliers Customers

Key Takeaways Not all cloud services are compliant for CUI & ITAR data Consider the next generation of cybersecurity Easy to use and deployment are critical to adoption 22

Q&A

FINIS coalfirefederal.com dtcglobal.us preveil.com [email protected] [email protected] [email protected] 603-892-0538 443.910.3159 857-353-6480

Breakout