Automation of CMMC 2.0 assessments using ServiceNow
Welcome, everybody. My name is Teresa Law, I'm the Director of Product Marketing for ServiceNow, and I am very excited to be here with my coworker Anishi and our partner Security Bricks. If we go to the next slide, it's just a really quick Safe Harbor: if we are talking about any forward-looking statements, these are based on our beliefs and our assumptions. And without any further ado, I am going to turn it over to Raj from Security Bricks.

Thank you, Teresa, and thank you, ServiceNow. I appreciate the opportunity to present our CMMC accelerator. This is actually the second time we're doing this; we had talked about this, I guess, exactly a year back with kind of the same crew, so we just thought we'd do another refresh webinar on the same topic. Except, as many of you know, in December 2023, towards the end, after Christmas, the DoD released the proposed final rule, so there's been more clarity in terms of what the rules of CMMC are, and more clarity on timelines and requirements. So we thought we'd take this opportunity to review what our accelerator does and how it can help with your CMMC journey. I'll go through a few slides, and then Ben will talk a little bit about the automation from Security Bricks, and then Anishi from ServiceNow can talk a little about the product, and we'll do a little demo. Hopefully you'll find this useful.

Just a quick "who we are": we are an accredited 3PAO for FedRAMP, and we're also an accredited C3PAO for CMMC, which means we as a company can attest you for both FedRAMP and CMMC, one among probably the 10 or 11 companies in the US who can do that. We are based here in the US; we all work within four time zones, and we are all US citizens. We have a big impact program: we have a lot of veteran service members that we transition into cyber security. Actually, this quarter
alone, last quarter alone, we did two. We've been doing this since '21; we have about four of them with us now, and we're very proud of it. We appreciate the service, and we want to give them some skills so they can extend protecting the country like they have been doing. We focus on cloud security and compliance, very hyper-focused on it. Our journey with ServiceNow has been since pre-COVID, or maybe during COVID. We actually are a vendor of ServiceNow; we've been working with Anishi and the product team on a number of features, designing more from a compliance and security perspective, and she'll talk through some of the work we have done together. And then we are also partners, so we have launched some accelerators, we have helped with some implementations, and our whole focus here is ensuring that we are able to automate some of these requirements and try to see how we can take out-of-the-box features and help customers use them for various use cases. So that's kind of how we work with ServiceNow.

Going next, I just thought we'd recap a little bit on the various terms. I'm sure many of you have attended other CMMC webinars, but I thought it would be useful just to level set when we use the terms CUI and FCI. These are important because the entire CMMC is on the premise of protecting controlled unclassified information, so anything that has to be safeguarded from a CUI perspective, CMMC plays a role. FCI is something that is not intended for public release. And then NIST 800-171 is the framework that is used for protecting, or the controls that are the requirements that are needed to protect, CUI. And then C3PAO, this is from Cyber AB (there's a typo there, but this is from Cyber AB): essentially organizations that want to audit and validate that contractors have implemented these requirements. So you'll see some of these
terms used as we go, and we thought we'd just do that as a starting point. It's been a few years, I guess about three or four years or even longer, since DoD said they want to have a new framework or a new requirement, which is CMMC, and there have been conversations: they started off at five levels, they came down to three levels, there's been a lot of back and forth. Today almost all the contractors follow DFARS, which is essentially from 2017, where you have to self-assess against the 800-171 framework and enter your score. CMMC kind of extends that: they want to validate that the controls you say you have are actually in place. So there are a few things that they wanted to extend in this program; again, it's all about protecting CUI information. A lot of you, and even us when we went through our C3PAO last year, were unsure as to when this will actually come to production, and it took time, but I think in December the DoD finally came out and said, here is our proposed rule. There are about 200,000-plus contractors who work directly or indirectly with the DoD, and the idea is they'll divide them into three entities: level one, level two, level three. They're going to use the 800-171 framework, but then level one, which is a majority of them, just does a self-assessment; level two, where you can either do a self-assessment or go through a C3PAO; and then of course the big people, the level three ones, are directly going to be audited by DIBCAC. So this is what is in the proposed rule. Currently a lot of people have asked, when will it come, when do you think I should be ready? The answer that we have, or any of us have
in this industry, is that it is for sure going to come. Right now they're looking at 300-plus comments, and the DoD is reviewing them. There have been conversations and talks about it coming out sometime in fall of this year, and irrespective of when it comes, in the rule they have defined how they're going to implement it, and we'll walk through that. So I think it's time for people to take this seriously and start to work through and see which levels they go through.

A little bit about the ecosystem. I just touched on it, but I wanted to talk through this because this is very important; a lot of people have asked where the friction points are, what are the things that we need to look for. So there are about 200,000 suppliers overall, as I said; the numbers vary. About 80,000 of them are level twos, I would say; the majority, 100-plus thousand, are going to be level ones; and then maybe a few thousand are going to be level threes, which are the big prime contractors that hold the majority of the contracts. So the level ones can do the self-assessment. The middle portion is where you are going to have to have people do these level two assessments, which include validation of 110 controls from 800-171; about 5% is what it says could be eligible to do a self-assessment, based on the discretion of the DoD and the agency, and the majority of them will have to go through an auditor, a C3PAO such as us. There are about 52 of us today in this pipe that need to audit all of these at some point. So it is a formal audit, like you would do for any compliance framework, and you'll then submit your score through the SPRS system, just like the contractors do today. So all this data just comes from what the rule looks like and how the ecosystem looks.
This is very interesting because this rule not only applies to contractors who are directly working with DoD but also to a number of subcontractors. We have seen a number of subcontractors that work with the prime and do work, so this is more of that contractual flow-down, and that's a very interesting part. Because when we designed our CMMC accelerators (to recap, we do have other accelerators on the store: we have a FedRAMP accelerator, we're working on a SOC 2 accelerator that's going to come out shortly, and another PCI accelerator), when we looked at the CMMC accelerator, we looked at it through two lenses: one is the assessment that a contractor has to do and how ServiceNow can help them automate that, but also, using the ServiceNow Vendor Risk module, how can they now validate that their subcontractors are compliant to CMMC levels. So we took both approaches, because in this industry, like many industries, there's a lot of work that flows down to subcontractors, and the prime contractor is contractually obligated to make sure that the other levels below them are complying to CMMC. So this kind of becomes a chain, and so it applies to everybody in the ecosystem.

This is the timeline; this is what came out, so if anyone wants to go out and check the document that was put out there from DoD on December 26, this is critical. The timeline essentially shows, whenever it could be, October of this year, September, or January of next year, it doesn't matter; whenever they come out with the rule, the first six months is going to essentially be where they're going to have people start looking at some of these assessments, which category or levels they fall in, and they're going to get them to start looking at CMMC and submitting some of these. In the next 7 to 12 months, people have to go through certification assessments, and so
you can see most of these. Now, the difference here is that there is the ability, let's say one of the contractors doesn't pass certain controls: there are five or six controls that, if you fail, you cannot be certified, period. But there are others, the rest of the controls that they don't see as critical, I would say not critical, where you can have something called a POA&M, which is the plan of action and milestones. When you do an audit and you fail a certain control, if it's allowed, you can write a POA&M, which will then allow you to fix that in 180 days, and then another C3PAO comes in and validates it. So that gives you the transitional period where you can have the CMMC assessment. We actually are already seeing many contractors, just since the beginning of the year, looking at this seriously, because if they have a contract that's coming up for renewal in '25, or they're bidding on a big contract in '25, they all have language about CMMC in there. So they are seeing it already; they're saying, hey, when this is awarded, we're going to have some CMMC requirements. So people who are preparing for these contracts are already saying, okay, I can't wait, so we need to get going. So this is the timeline that was proposed; it's out there from DoD, and they don't give a specific date, but they tell you what their implementation timeline looks like.

This slide essentially talks about how DoD is looking at things like safeguarding defense information and flow-down to subcontractors, things you already know, but there's another interesting angle here that a lot of people have asked for clarity on, which is what happens if, as many of the small to midsize companies do, almost everybody uses a third party. They use either a cloud service provider, maybe Microsoft or AWS, or they use
managed service providers, people who provide them certain support, maybe they manage certain infrastructure, and it's especially very common with the small ones. And they came out and said, if you're a cloud service provider and you're part of the CMMC boundary, you're part of the scope, then they can be FedRAMP Moderate certified, and if they are, then they can be part of that boundary, they can be part of the ecosystem. So if a CSP, which is a cloud service provider, handles CUI data and they have to be in the boundary of this DoD contractor, if they are a FedRAMP-accredited entity, or they're in the marketplace, or they're ready, they can be part of it; DoD accepts that. But if you are another MSP, another provider, and you don't have a FedRAMP accreditation, then you have to become CMMC certified yourself. So a lot of MSPs today who are serving this contractor base are now taking a look and seeing if CMMC applies to them, because, one, do they handle the CUI data? Because when the package or the assessment is done on behalf of that contractor, they need to include the compliance of that external service provider. So the ecosystem now grows, not just these contractors but the people who are serving these contractors: think about all the managed service providers, external service providers, storage providers, any of that. So it kind of increases that, and they also have to go through CMMC level one or level two, whichever, and those are all defined in the proposed rules that are out there, but something for people to think about, and this becomes very critical. So at this point I'll give it to Ben, who heads our compliance and ServiceNow practice at Security Bricks, to take over and talk
through how we approach the automation, what the problem statements are, and some of the features of our accelerator. Ben?

We actually have a question before Ben starts, in the chat. Make sure you put your questions in the Q&A panel, although I will be scanning the chat in case you put some in there. So we have a question here that says: I've heard there is a title of provisional assessor, while an assessor is going for full certification. Is that an actual assessor level?

Are they talking about the joint voluntary surveillance assessment?

Possibly.

Okay, sorry, I can explain that. So currently we ourselves have a few DoD contractors in something known as JSVA. DIBCAC, which is the Defense Industrial Base agency that's part of DoD, has essentially told contractors that if you are ready and you would like to be assessed on the same CMMC, say, level two assessment, we as a C3PAO can put your name in there, and if DIBCAC chooses you as a candidate, we'll do an assessment, DIBCAC validates the results, and if you do pass that, irrespective of when CMMC comes, for the next three years you are good to go; you're complying to CMMC. So I wouldn't say it's provisional; right now that is the alternate until the actual timelines come out, but that's very much feasible. We have seen a spike of them in the past one month, where contractors want to go through that JSVA assessment, the Joint Surveillance Voluntary Assessment. So if that's what you're referring to, because there is nothing provisional at this point: unless you go through JSVA or wait for CMMC, there is no provisional assessment as far as we are aware of.

Yep, that was it. Thank you. We actually do have one more question before we start: if a company only deals with PII or PHI data, will that
company be a candidate for level two assessment, or will it depend on the language in the contract proposal?

Great question. It'll depend on the language and whatever is in the contract, because it also depends on whether they're working directly with the prime or they're working with the DoD. They determine which levels they have to go through and they will let them know, because it depends on a lot of factors. So it is not always that I'm level two or level one. What we have heard is, again, the majority of the contractors are going to the higher level, level two, unless they're very small. The majority of the people who are touching CUI are automatically looking at level two, only because they think that future business may want them to go there, or they just want to take the highest level of compliance that they think they could be, so that even if it's not needed, they have done a better job. So it all depends on the entity that's going to require you to get certified.

Fantastic. There are no more questions at this time, so Ben, go ahead and take it away.

Thank you, Teresa. Thanks, Raj. So before we get too far into CMMC and the accelerator that we have built, I wanted to take this chance to talk a little bit about NIST 800-171. After all, 800-171 serves as the bedrock for CMMC certifications, particularly in securing your CUI data. Now, it consists of 110 controls that are divided into 15 control families, and these 110 controls provide really a structured approach for organizations to effectively identify, protect, detect, respond, and recover from cyber threats. Raj, go ahead and jump over to the next slide, please.

Okay, this slide, there's a lot of little numbers in there, but I just want you guys to focus on the colors, the light blue and the orange. These are really the two main areas: technical configurations and administrative controls. The administrative
controls encompass the crucial aspects like incident response plan, policy, vulnerability management procedures, awareness and training initiatives. On the other hand, you have the technical controls that zoom in on very specific security configurations, such as your encryption settings for data in transit and at rest, firewall ACLs for managing inbound and outbound traffic, password parameters, log settings, role-based access configurations. So these are the two. Now, if you look at the 15 control families, it doesn't seem particularly groundbreaking compared to other regulatory frameworks that you have worked with, like PCI, HIPAA, HITRUST, and this, right? But achieving CMMC certification really entails a significant amount of effort in documenting how your organization meets these control requirements, and we'll dive a little deeper in the next slide. Raj, go ahead and jump to the next slide, please.

Okay, I know we are at the half-hour mark, but I do want to spend a little bit of time on this one here. As far as challenges go, there are certainly a lot of challenges, but here are four that we selected to talk to you about, especially now. As far as the transition timeline, it typically takes around nine to 24 months for this to take place, but from our experience, most organizations out there don't recognize and allocate sufficient time and resources to get there, to become CMMC certified. The journey really begins with setting very clear allocations of your organizational boundaries and a comprehensive list of assets that are within scope. This includes systems, apps, third-party vendors, and processes that interact with your CUI data. Now, I don't know if there are any assessors on the call here, but those who are could probably attest to the fact that oftentimes when we come in and do an assessment, we realize the boundaries are not correctly set and the list of assets that should have been included are
completely left out. So now, assuming that you got all that right and you move on to the next stage, which is really to start assessing the controls: you've got your boundaries, you've got your assets clearly defined and absolutely accurate. Each control, or the control evidence, then needs to be carefully scrutinized with a detailed explanation in the SSP of how the intent of the requirement is met. Completing the SSP often results in a pretty hefty effort; from what we normally see, it ends up around 300 to 400 pages of documentation, pulling information from various areas within the organization. To make that even a little bit more complicated is the time the evidence is useful. So assuming that you're preparing all of this and you started this process six months ago, by the time the assessment actually takes place, any evidence that is beyond the 30-day time period is invalid, and so therefore you've got to go back and recollect all of this evidence again, because at the end of the day the assessor is going to use your SSP as guidance to validate your compliance against CMMC. And then there is another challenge in regards to the POA&M waiver: obtaining a waiver is very limited, and assuming that in your assessment issues are identified, some are quickly resolved because it's perhaps documentation and you can get that updated very quickly, but others may result in a POA&M. And given what we know today, we really highly recommend that you target achieving a high level of compliance to really minimize the reliance on the POA&M. Most of our clients today that we are working with are still doing it the very old-fashioned way, which is very manual: they do their security, risk, or compliance assessments, they're setting up interviews with the SMEs individually and collecting evidence
and storing it in a compliance folder. This manual process is extremely labor intensive, and not only that, it's really prone to inaccuracy and incompleteness as well. Another challenge from the manual process is that the evidence that is collected often lacks clarity in terms of what evidence is actually required. So this is where, and I'll talk a little bit more about this later, automation is able to help streamline this whole process and ensure that accurate data is collected, and that the data collected is particularly useful for an assessor's consumption. Next slide, please.

Okay, so our journey with ServiceNow. We are a ServiceNow platform and specialist partner; we started this back in 2020, and our expertise is in the field of being an assessor. I've been an assessor for, God knows, probably around 20 years, and we've developed a really good and clear understanding of what type of data and evidence is typically required to meet a certain type of objective, whether it's a control objective from NIST, from ISO, from CIS. We've been doing this long enough that, as an assessor, we know exactly what we need to see: maybe sample evidence, we need timestamps on the evidence that is collected; all of those are clearly our expertise in terms of identifying the evidence that is required. So we started developing automated indicators for CIS version 7, and then we created the indicators for ISO 27001, and then later we upgraded the 7 to version 8.0 for CIS, as well as really measuring cloud security posture for AWS and Azure based on the CIS Benchmark, against PCI, ISO, NIST, and CCM as well. Creating these automated indicators was really fun and interesting, because we had to dig into all of the different modules within ServiceNow, because based on any piece of control objective it's
said, well, we've got to have these five pieces of key information to satisfy this control, and where do we get those? So we literally dug through the whole ServiceNow offering, everything from the HR module, ITOM, ITAM, IRM, VRM, CMDB, Discovery, you name it, we dug through it, including the ja offs and the cycles as well. So in most cases, the basic indicators that we developed were sufficient to meet the intended control objective. I don't know if you guys are familiar with the different types of indicators out there, but essentially there are three: there's manual, there's basic, and then there's scripted. Basic is where you're looking at data from a single table, and in most cases we were able to address these using basic indicators, but in some cases we had to pull lots of data from different tables, and so we had to create scripted indicators to create those automated indicators that provide real-time assessment reports against the set of frameworks. Slide 15, please.

All right, so those are the two slides that I wanted to spend a bit more time on. Next is our approach. Our approach is really simple; our primary principle is simplicity. We want to keep things as simple as possible: take what's out of the box within ServiceNow, create automated evidence collection using data in ServiceNow, and then, from our perspective as a certified C3PAO, we identify the type of evidence that is required for the third-party assessor when they come in. So that's our specialty in terms of how we go about automation, and our principle of simplicity. Next slide.

Okay, introduction to the accelerators. Raj touched on this a little bit, and I'll go through it at a high level so we can get some time for our demo. We have two accelerators. Let me see, apologies, let me just make my screen bigger; my eyesight is getting worse. So our
accelerators that we have are readily available for download at the app store. It contains the NIST 800-171 content with the authority documents and control objectives; it is built on the CAM module, which Anishi will talk about later. And then we have the other accelerator that is really focused on, and runs on, the Vendor Risk Management module, which allows you, if you're a level two contractor, to address that your subcontractors who interact with your CUI data will need to adhere to level two as well. So this content will give you a quick head start to conduct assessments against your subcontractors. Next slide, please.

All right, the benefits of the accelerator. So when we were working with ServiceNow and creating these indicators, we said, hey, let's create an accelerator for CMMC to give the folks out there who need to be CMMC certified a quick head start. Now, by downloading the accelerator, you get the questionnaires out of the box; you can then fire this off using the VRM module to streamline your whole assessment against your vendors. It will create a nice dashboard for you; it'll give you the ability to track and report on compliance status against any of your vendors, as well as being able to track issues that are identified and go through the whole remediation process within the ServiceNow VRM platform. Next slide, please.

Okay, this is the CMMC accelerator for when you yourself need to be certified. So we developed this content for you; it's integrated directly into the Policy and Compliance module, it uses the workflows that are built in and that utilize the CAM module itself. The nice thing about this, again, when we built this was to give folks a head start: you don't need to develop the questionnaire yourself. You can download the content that we have; all the documentation is there, it provides guidance, it tells you exactly what type of evidence is required,
and you can fire this off using the CAM module, be able to automate your workflows, collect your evidence, and with that it also provides you a Supplier Performance Risk System (SPRS) score based on the assessment results. And then from there you can export this data into your SSP for reporting purposes, as well as track your POA&M based on the issues that were identified during this assessment period. Anishi, I'm going to go ahead and pass it over to you, and then we'll do a demo afterwards.

Thanks, Ben. Hello, everyone, I'm Anishi, and I'm a Senior Manager of Product Management at ServiceNow. I manage our IT risk and compliance as well as internal audit products, and today I'm going to talk about the Continuous Authorization and Monitoring product, as well as the accelerators that we've released, which will help you with continuous monitoring. So the Continuous Authorization and Monitoring application was released, I think, in Quebec, released a long time back, and it was primarily built for the use case of NIST RMF. We provide out-of-the-box content for NIST 800-53, and this application was built for customers who are working with federal customers, or even for our federal customers. So this application will help you go through the seven steps of NIST RMF, starting with prepare, categorize, select, implement, assess, authorize, and monitor. What we do as part of each step is what I will quickly go through as well here. So in the prepare part of the workflow, the key activity we perform is defining the system and mission, as well as stakeholders. So you can identify your authorization boundary by gathering data from existing IT services, IT asset management, or other sources; all of this data is available in the CMDB in ServiceNow, so that's the benefit. You can define your stakeholders and you can come up with a strategy. In the categorize phase, the key activity is to
determine the criticality of the system by analyzing the impact of loss, so we provide pre-built information types which can be leveraged for impact assessment, and this determines which baseline controls to bring into the system. The select state is where you select the initial set of controls for the system and tailor these controls as needed to reduce risk. So you can perform your control tailoring by determining what controls are applicable or not applicable, and if you can inherit some common controls as well; this is what you would do as part of this particular state. Then, when it comes to select, the key activity in this particular stage of NIST RMF is that you select the initial set of controls. Once you tailor the controls, in the implement state you implement these controls that you've selected before. So you can go ahead and implement the controls; it has its own life cycle. The benefit of the Continuous Authorization app is that we built it on top of our GRC application, which includes policy, compliance, risk, and audit, so you can leverage all of it in this app: you can implement your control, you can go through the control life cycle, and test your control as well. So in the implement state you're actually implementing the controls as you selected in the previous state, and then the assess state is where you actually determine if the controls are implemented correctly. So you can assess your controls using our audit engagement, using the control testing feature, and when the control fails, it generates the POA&Ms automatically, so you can monitor those POA&Ms in a central repository as well. Then, finally, in the authorize state, the key activity that you would perform is to authorize a system or common controls based on the determination that the risk is acceptable. You can generate the SSP report, you can pull in the change requests, incidents, vulnerabilities, and view the summary of these
activities. You can pull all of this information because it's available in the ServiceNow platform; that's the power of the ServiceNow platform, and that's how you would go ahead and monitor and authorize the system. Finally, in the monitor state the key activity, of course, is to monitor the system and the associated controls on an ongoing basis. So these are the seven steps that we have, and the workflow will go through all of these steps. As Ben explained before, they've also used the CAM app for the accelerator that they have on the store, so this can be expanded beyond NIST 800-53 and can be used for continuous authorization and monitoring.

All right, can we go to the next slide? Here I'm going to talk about the accelerators that we have released in the store; these will help you with continuous monitoring of the controls. Ben touched upon it briefly before: Raj and Ben helped us with this accelerator and the content, and we built it and released it on the store. In this particular accelerator we released a Technology Controls accelerator as well as a Cybersecurity Controls Monitoring accelerator. These two accelerators provide you content for monitoring your CIS 8 controls, your CIS 7.1 controls, ISO controls, as well as CSA CCM 4.0. What we provide as part of this accelerator is content for CIS 8 and CSA CCM, so you would have authority documents, citations and a bunch of control objectives for these two regulations or standards. Additionally, we also provided some automated indicators: we have around 67 automated indicator templates to monitor the CIS 8 controls and also monitor the common controls, such as those coming from CSA CCM, NIST 800-53, NIST CSF, ISO 27001 and 27002, and PCI DSS. So you can use the same indicator template to not only monitor CIS 8 but also monitor the common controls that map to CIS 8. Can you go to the next slide?

All right, so here is an example of what we are doing
here in this accelerator. We have out-of-the-box content for CIS 8, as I explained, so we have around 171 control objectives and we are shipping 67 automated indicator templates. These automated indicator templates can be used to monitor 54 out of the 171 controls from CIS 8, and these are also mapped to common controls; actually the indicator templates map to all the 171 controls from CIS 8 and you can monitor all of them, and 54 of those indicator templates can also be used to monitor common controls from NIST, CSA CCM, PCI, ISO, NIST CSF, etc. Then we have around 197 control objectives coming from CSA CCM, and we have 41 indicator templates that can monitor these CSA CCM control objectives.

Now, the unique value proposition we have here is that these indicator templates fetch the evidence data from various applications or products from ServiceNow, such as SecOps, ITAM, ITOM, Third-Party Risk and HRSD. You can see the number of indicator templates that monitor a number of controls from SecOps: there are about 30 controls that fetch data from SecOps products such as Vulnerability Response, Security Incident and Configuration Compliance. We have five indicator templates fetching data from our Third-Party Risk Management application, 17 indicator templates fetch evidence from ITOM products, five of them fetch evidence from ITAM and 10 of them fetch evidence from HRSD. And you can expand it further to fetch information if you're not using a certain product from ServiceNow; if you have custom tables you can leverage this accelerator, which will give you a head start, so you can define your own indicator templates as well.

There are a couple of examples here of what kind of indicator templates we are shipping as part of this accelerator. One of the indicator templates, which is performing your regular automated port scan, will actually check if the Qualys
is active and it's performing the scans on a regular basis; this is the indication that the Vulnerability Response product provides, so we will fetch that information to provide you evidence. Another example I would like to take is from Software Asset Management, so you can identify or determine if there is any unapproved or unauthorized software: it'll actually check if there is any unapproved or unauthorized software in the system, fetch that data, give you evidence, fail the indicator template and create issues automatically. So this particular accelerator really helps you with continuously monitoring your controls. These controls also include our cloud controls, so we do have an integration with Configuration Compliance and you can monitor your cloud controls for any misconfigurations. So you can do a lot here. This is just a quick, brief update about the accelerators, and with that I'm going to pass it on to Ben again to demo their accelerator on CMMC.

So for the CMMC accelerator, for the CMMC NIST 800-171 framework, we have this CMMC accelerator on the ServiceNow store. Once we download the application we're going to have the content in it, and the content resides in the Policy and Compliance module. For example, in Authority Documents we have an authority document for CMMC baseline security, and this authority document has 110 citations that are mapped to each control; each citation is mapped to one control, and the control objective is mapped to an attestation, which is a set of questions that are going to be asked of the stakeholder to assess them. For example, if you go into this citation, it's mapped to this control, SC23 13.9, and this is the attestation right here. If I can just go into this and show you how it looks... yep, so here we go. This is a part of the control objective, and each control objective is going to have a set of questions
related to it, and they can answer it as implemented or not implemented, give a reason and describe the implementation for that control. As we are using the CAM application to run our 800-171 assessments, let's go to the authorization package that's a part of the CAM application. I have created one authorization package already for demo purposes; we're just going to go into it and look at how it works. As Anishi explained, in the prepare state we define the boundaries and give it a name, and in categorize we categorize this authorization package on the basis of impact level; it can be low impact, high impact or moderate. For this purpose I assumed it's moderate; yep, it's moderate. Once we categorize the authorization package on the impact level, we're going to go into the select state, where we are supposed to tailor the baseline controls. In this case, for the CMMC accelerator, we have added our own CMMC control objectives in it. Once we're done adding the 110 control objectives from NIST SP 800-171, we are just going to move to the implement state, but before that we have to approve this request so it can move to the next state. All right, so now it's in the implement state, and these baseline controls from NIST SP 800-171 create 110 controls, one for each baseline control objective. Here we can send all these control objectives into a test state so the stakeholder can receive all these assessments and answer them as required, or with whatever they have the evidence for. Let's send it into test. Once they're assessed... once it creates assessments for the stakeholders... as of now the system is in the process of creating attestations. It's done; it says attestations created. So all these attestations are sent to the stakeholder, for example to the owner, Ahmed Bal. I'm just going to go into My Assessments to see if I get those assessments. Yep, right there. So based on the answer to the question, if they just select not implemented, it's going to
be a failed control, and it's going to create an issue automatically. Just for example, we just did this; we go back here and see, I just did one as not implemented, so it should create an issue and say that control is not compliant.

Hey, just a minute, just a quick note here. For the content that you get from the app store, the questionnaires are populated for you. Earlier I mentioned how a manual process can be prone to errors; in this case, when these questions are generated, you have the ability to modify these questionnaires before they go out to the stakeholders, to provide them better, stricter guidelines in terms of exactly what type of evidence you're looking for. In some cases you might want to include a link to the evidence expected, so they click on that link: "Oh yeah, okay, all right, these are the list of assets that need to be included in my evidence collection that I'm going to submit, and these are the types of evidence that I need to provide." So the question itself can be very flexible to cater to each of the organizations and how they do things. And really, as it goes by year after year, those questionnaires are improved and provide continuous improvement in consistency, to make sure that the right type of data and the right type of evidence are captured and provided to the auditor.

So I think we are out of time; we are at five minutes. Unfortunately, we would love to show our vendor accelerator, but we want to be respectful of time, and we're happy to take it offline. We have a few questions we can answer, and I can share the last couple of slides that we have, but in the interest of time it may be just helpful to answer questions. Our accelerators are available on the store for free; you can download them, and we are happy to help you. I want to close with this slide
where, as a company, Security Bricks has put out these accelerators for free. We have the FedRAMP accelerator and we have the two CMMC accelerators. We have a number of contractors who have already downloaded and are using them, but we have also helped them extend them. As a C3PAO we can do a mock audit to tell you if your controls pass or not; we have some inherited controls; we have a lot of things that we can help you with to reduce your effort or further automate these things with the indicator templates Ben spoke about. So we can extend our solution.

At this point, if we have a couple of questions, we'll try to answer. I saw one of the questions that talked about what the 320 are. As an assessor, although there are 110 controls, we look at 320 assessment objectives, the 800-171A. What we looked at here is, if you were going to go through an assessment, typically how would we do it; so that's the answer to that question. Are there any other questions that we can help answer?

There are a couple of questions. What is the best way to link my existing indicators to CMMC controls?

That depends: are those indicators collecting data that is required for the CMMC control? If yes, you can, and then you need to modify them so that they can validate those, because typically indicator templates are written for a certain piece of evidence. So if you take a control, and you know what it is that you want that indicator to monitor or collect evidence for, you'll need to map that. So if you have an existing indicator template for, say, CIS configuration, and you're using those to do your configuration checks, if it so happens that you can map it to an 800-171
control for CMMC, you can see if it can be used again. It just depends on what that indicator is, the intent of the indicator that was built, and whether it can be mapped to the requirement control.

Okay, next question: does the system provide auto recommendations when non-compliance is selected?

It does not. In our free one we have just told you what the required or suggested evidence requirements are. We can help you build those, but it's not out of the box in our accelerator; we have that information, but it's not in the free accelerator.

Okay, I'll ask the last question here: can we download the accelerator on our own, or do we need to reach out to get it downloaded?

You can download it on your own.

Awesome. I really appreciate everybody's time; a wonderful presentation by all of our presenters. Thank you all for joining us; we have a lot more webinars coming up. Have a wonderful day, and if you have any questions please reach out to Security Bricks or to ServiceNow. Thank you Security Bricks, and thank you all attendees. Thank you all, thank you, have a good day, bye-bye, thank you.
https://www.youtube.com/watch?v=Z4RUqbhk3Ss