RECORDED WEBINAR:
Understanding the New DoD Contractor Cybersecurity Assessment Methodology
This webinar was broadcast on January 22, 2020.
Synopsis
This 12th event in the Cyber Collaboration Center's DFARS 7012 webinar series will feature guest speaker John A. Ellis, the main DCMA point of contact for a new DoD-wide cybersecurity compliance policy recently announced by Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment. The "DoD Assessment Methodology v1.0" provides scoring metrics and levels of confidence ("low", "medium", and "high") for defense contractors. The new policy will be used by the procurement community to conduct due diligence on contractor cybersecurity compliance, ranging from requiring contractors to submit Basic Self-Assessment scores to the government (resulting in a "low" level of confidence) to requiring on-site validation of implementation by government evaluators, using NIST 800-171A assessment guidance (resulting in a "high" level of confidence). The new Assessment Methodology uses a weighted, subtractive scoring system, assigning point values of 1, 3, or 5 to each of the 110 security requirements of NIST 800-171 according to a value system established by the DoD based on its determination of risk and priority. Contractors subtract the prescribed number of points for every unimplemented security requirement, and submit an aggregated final score (which could be a negative number if enough high-priority requirements have not been completed).
The DoD Assessment Methodology is being implemented right now, before CMMC requirements take effect, and should be useful for companies seeking to better understand how their level of compliance may impact their competitiveness for risk-based procurements in advance of CMMC. In addition to Mr. Ellis, Webinar #12 will also feature cybersecurity compliance experts from eResilience discussing the relevance of this new DoD-wide guidance to CMMC, the importance of the Assessment Methodology in helping prepare for CMMC, the impacts to contractors and their supply chains, and potential mitigations to minimize impacts and increase cybersecurity resilience.
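The weighted, subtractive scoring described in the synopsis, as an added example that is not code from the webinar, DCMA or eResilience: it starts from the methodology's perfect score of 110 (one point per NIST SP 800-171 requirement), deducts each unimplemented requirement's 1-, 3- or 5-point weight, and orders the gaps by weight. The requirement weights below are constructed sample values, not the official DoD table.

```python
"""Added example of DoD Assessment Methodology v1.0 style scoring.
Weights in SAMPLE are constructed placeholders, not the official values."""

from dataclasses import dataclass

PERFECT_SCORE = 110          # one point per NIST SP 800-171 requirement
ALLOWED_WEIGHTS = {1, 3, 5}  # DoD assigns each requirement 1, 3 or 5 points


@dataclass(frozen=True)
class Requirement:
    req_id: str        # NIST SP 800-171 requirement identifier, e.g. "3.1.1"
    weight: int        # points deducted if the requirement is not implemented
    implemented: bool


def score_assessment(reqs):
    """Return (score, remediation_plan).

    score is PERFECT_SCORE minus the weight of every unimplemented
    requirement; it goes negative once enough 5-point items are missing.
    remediation_plan lists the unimplemented requirements heaviest first,
    so the largest score recoveries come first.
    """
    for r in reqs:
        if r.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{r.req_id}: weight {r.weight} is not 1, 3 or 5")
    missing = [r for r in reqs if not r.implemented]
    score = PERFECT_SCORE - sum(r.weight for r in missing)
    plan = sorted(missing, key=lambda r: (-r.weight, r.req_id))
    return score, [(r.req_id, r.weight) for r in plan]


# Constructed sample: five requirements with made-up weights and status.
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.1.2", 5, False),
    Requirement("3.4.6", 5, False),
    Requirement("3.11.2", 3, False),
    Requirement("3.12.1", 1, False),
]

if __name__ == "__main__":
    score, plan = score_assessment(SAMPLE)
    print(f"score={score}")               # 110 - (5 + 5 + 3 + 1) = 96
    for req_id, weight in plan:
        print(f"  implement {req_id} (+{weight})")
```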
John Ellis
Director of DCMA Software Division
John A. Ellis is currently the Director for DCMA’s Software Division, responsible for the policy, training, and tools used by the Agency's software professionals in the conduct of their software surveillance activities, including the application of cybersecurity contract requirements and policies. Mr. Ellis, a retired Army Colonel, served on active duty for more than 30 years. Commissioned a second lieutenant in the Field Artillery in May 1985 and becoming a member of the Army Acquisition Corps in 1995, he served in a variety of assignments until his retirement on 1 June 2015. He held assignments both stateside and abroad. Mr. Ellis’ DCMA experience began as the Commander of the Future Combat Systems (FCS)/Army Modernization Programs (AMP) contract management office in St. Louis, MO, and he culminated his active duty career as DCMA’s Central Region Commander. Mr. Ellis is a Member of the Defense Acquisition Corps and is Level III certified in three disciplines: Information Technology, Program Management, and Engineering. John is also a Certified Information Systems Security Professional (CISSP).
Tim Williams
Technical Director, eResilience
Mr. Williams is a Chief Security Architect with expertise in DoD/NSA cross-domain security architectures and enterprise systems. He has over 34 years of success in providing product design, development, and integration guidance for commercial and government secure and accredited systems. Mr. Williams is a subject matter expert for the design and deployment of NSA Commercial Solutions for Classified (CSfC) systems and for supporting customers implementing the NIST RMF, DoD RMF, and NIST Cybersecurity Framework. He has performed risk and security control assessments based on NIST guidelines (SP 800-30 and SP 800-53A) for public and private organizations and has worked with DoD red and blue teams during large cyber exercises. Mr. Williams has developed products and worked through the evaluation process for meeting FIPS 140-2 and Common Criteria EAL4 requirements. He holds six patents in multi-level security and secure virtualization.
Larry Lieberman
Cyber Evangelist, eResilience
Larry Lieberman is a Cyber Evangelist at eResilience, a division of Referentia Systems, where he is involved in communications, business development, and outreach/education. An experienced writer, presenter, and public speaker, Mr. Lieberman is currently focused on helping defense contractors understand and implement the requirements of DFARS 252.204-7012 and NIST 800-171, a set of government regulations that are critical to improving cybersecurity across the Defense Industrial Base and enhancing our National Security.