Totem.Tech’s cybersecurity engineers have provided more than a decade of Information Assurance (aka cybersecurity) services to the U.S. government. We created our Cybersecurity 101 educational resource to help small to mid-sized DoD contractors understand the complex cybersecurity requirements they face (NIST SP 800-171 and CMMC).
The content for this course was created by our cybersecurity engineers and compliance analysts after working through our own DoD compliance and assisting dozens of contractors with their DoD requirements. It is important to us that our customers understand why cybersecurity matters, even though most don’t have a cybersecurity or IT background. We have taken a complex topic and simplified it. Each of the seven weekly readings is easy to understand and self-paced, fully accessible online or printable in PDF format.
Included in this seven-week educational series is a 30-minute compliance assessment with one of our cyber engineers using the DoD’s NIST SP 800-171 Assessment Methodology. This will help you understand how the DoD would score your company’s cybersecurity compliance.
Our engineers’ and analysts’ goal was to provide clarity and practical guidance on common questions about the compliance process. Here are some of those questions:
• Which DoD contractors need to complete the DFARS cybersecurity requirements?
• What are the differences between the CMMC and the original NIST 800-171 requirement?
• How do I get started with becoming compliant with DFARS cybersecurity requirements?
• If I utilize the cloud, am I still required to comply with DFARS cybersecurity requirements?
• What do I show auditors when they ask if my organization is DFARS compliant?
• Why does my organization need an incident response plan?
1.1 Brief overview of cybersecurity requirements (both NIST 800-171 and CMMC) and why they are there.
1.2 Does every Government Contractor have to comply? What is CUI? Do I have any CUI?
1.3 First Step: Segregating or co-mingling CUI with other corporate data.
2.1 Introduction to System Security Plans (SSP).
2.2 CMMC Level 1 / FAR 17 – How to prioritize implementation.
2.3 Addressing the other challenging controls.
3.1 Introduction to Plan of Actions and Milestones (POA&M).
3.2 Risk Assessment vs. Control Assessment.
4.1 Proactive doesn’t mean no incidents: Differences between an event, incident, and breach.
4.2 Introduction to Incident Response Plans.
4.3 Incident Response Reporting.
5.1 What is the cloud? Can I use it for DFARS compliance?
5.2 FedRAMP and cloud service security requirements.
5.3 Who is responsible if there is a breach?
6.1 Importance of company buy-in to your cybersecurity policies.
6.2 Where to start? Company training and Authorized Use Policies (AUP).
7.1 Differences between control assessment, vulnerability scanning, pen testing, and risk assessments.
7.2 Understanding the DoD Assessment Methodology (DAM).
7.3 Schedule compliance assessment (included in DFARS Cybersecurity 101 class).