May 10, 2022


As the implementation of CMMC by the DIB picks up pace, the frequently shifting requirements can be daunting — especially when the guidance is already so complex.

And that’s doubly true for managed service providers (MSPs), who have to contend with some of the most confusing CUI requirements.

In today’s episode, making his third guest appearance, I’m joined by Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, who is here to clear up the confusion and share his insights into how the rollout of CMMC into the DIB impacts MSPs.

Join us as we discuss the current state of CUI for MSPs in the DIB, including:

  • The controls MSPs have responsibility for in a client’s environment
  • The controls clients have responsibility for in their environment
  • The controls MSPs have to implement in their own environment to meet DFARS flow down requirements

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

Speaker 1 (00:00):

You are listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there. And, welcome to yet another episode of The Virtual CISO Podcast, I’m with you as always, John Verry, your host. And, with me today, a perhaps third time visitor, Caleb Leidy. Hey Caleb.

Caleb Leidy (00:37):

Hey John. It might even be the fourth.

John Verry (00:41):

Don’t rub it in. Some people are going to start getting jealous. It’s actually one. So, I always like to start easy. Tell us a little bit about who you are, and what is it that you do every day?

Caleb Leidy (00:49):

Sure. So, Caleb Leidy, consultant here at PPS in our Federal Risk and Compliance Practice. Specializing in CMMC, but also FedRAMP, RMF, security, cybersecurity framework. Basically anything that’s federal regulation, cybersecurity focused. We’re here to help you with.

John Verry (01:11):

Sounds good, man. Before we get down to business, we always ask, what’s your drink of choice?

Caleb Leidy (01:15):

So, we have, I’m in the Metro Detroit area, and there’s a local brewery called Griffin Claw, and they have a beer called Mr. Blue Sky. It’s kind of a citrusy, white wheat ale. Really good stuff.

John Verry (01:32):

And, my next question is, how come I have not been gifted a bottle of this yet?

Caleb Leidy (01:36):

You didn’t ask.

John Verry (01:37):

You could have sent me Journeyman. So, like in Detroit, you also have a distillery that my son likes, Journeyman? Have you ever been to Journeyman’s?

Caleb Leidy (01:43):

I haven’t.

John Verry (01:45):

Journeyman’s makes a pretty darn solid whiskey that I got while I was out there as a gift. And, he ended up drinking it, and ended up rebuying his own bottle of it, because you can get a fairly broadly distributed piece. All right. So today, like to frame the conversation let’s say, we’re seeing CMMC rolling out into the DIB, finally. And, beyond that, as 801 eventually addresses all of the CUI definitions that are contained, the CUI registry of which there are quite a few, right? If you look at the CUI registry, there are roughly 20 categories of which defense industrial base data is one of those 20 categories. So, we’re already hearing from folks that are in the supply chain. Most notably managed service providers as an example, that they’re being asked questions about, what their role is in an organization.

John Verry (02:33):

If they’re servicing an organization that has CUI under at least the DIB requirement right now, they’re being asked certain types of questions that they’re challenged to answer, and we think that’s going to get much more broadly defined over the next couple years as we see this roll out across all definitions of CUI. And, I think the key thing is, that you and I have chatted about is, this concept of shared responsibility, and making sure people understand what we mean by that, and what a shared responsibility matrix is. So, for this context, please define shared responsibility.

Caleb Leidy (03:01):

Yeah. So, it’s kind of self explanatory, right? There’s responsibilities at play for implementing cybersecurity practices, controls, meeting requirements. The overall requirement to have the framework in place, and to be compliant, and to be protecting controlled classified information is to that organization seeking certification, the OSC. But, if they’re outsourcing some of these things, right? You might be outsourcing some of your IT, you might be outsourcing some SOC services, there’s responsibilities for them, because they’re providing those services, and the OSC is not directly implementing controls on their own behalf, but you still have to make sure that they’re being implemented in a way that is compliant to the framework as well. So, there’s, it’s a matter of control, and as well as ownership.

John Verry (03:58):

So, when we talked about the podcast prior, we came up with these three particular use cases, if you will, that are probably good to frame this conversation, right? The idea of which controls an MSP has responsibility for, that are within the client’s environment. Which controls the client has responsibility for, in the client’s environment. And, which controls does the MSP have to implement, in the MSP environment, to meet DFARS flow down. Now, I think we’d agree, there’s a lot of complexity depending upon what type of an MSP the organization is. So, what is the best way for an MSP, or even if you’re not an MSP, if you’re a third party service provider to an organization that is processing CUI, to break this down. Would you, if you were advising an MSP, would it be that you’d help them with a data flow diagram? An L2 scoping guide asset classes would be, that would be the way you’d look at it. Think about how somebody should think about this.

Caleb Leidy (04:51):

Yeah. And, perhaps you could do it either of those ways. I like to see it from the perspective of the OSC, going through the practices in, let’s say a gap assessment, or a self assessment, and identifying, “Hey, for this practice, we know our MSP manages the set. For this practice, we know our MSP manages the set.” So, you could start to lay out the responsibilities that way, and also make sure that they’re being implemented in a way that is in compliance with 800-171, CMMC. If you look at the scoping guide, shame on you for using such naughty language, scoping guide. MSPs actually are in there as an asset type, right? A security protection asset.

Caleb Leidy (05:38):

And, there’s a lot of talk around security protection assets that are more typically geared toward technologies. But, if you look at people in services, as a security protection asset, they’re providing services, they’re doing things, providing functions that will give evidence to implementing controls to meet the requirements. Then they also are subject to protections as well. If we look at access control, physical protections for the environment, not only in the OSC’s environment, but also in the MSP’s environment to make sure that data is still properly protected for confidentiality. So, it really, I would look at it from a practice to practice perspective, and what services they’re providing.

John Verry (06:26):

When you say practice to practice, so you’re referring to the practices, the MSP offers? So, if they’re offering, let’s say, break fix on site, you’d look at that practice differently than you might look at one where they’re providing a security monitoring, security operation center style practice, is that what you meant by practice?

Caleb Leidy (06:43):

Yeah. So, the services that they’re providing, and the CMMC practices, right? The 800-171 requirements. What are the functions that they’re actually providing? What’s their operational function? Are they doing that in a way that’s meeting the intent of the requirement for 800-171, the practice for CMMC, a lot of folks are getting to the point where they’re taking overall, and trying to classify assets, and then later on figure out what they do. Not to any fault of their own, assessments haven’t started in the industry yet, on the commercial side, coming from doing these assessments in the DIBCAC, it comes with an understanding of, you get into assessment mode, and you start running through the requirements, right? There’s an understanding of the scope, and of the environment, and maybe if there’s third parties involved, but you really aren’t looking too deeply into those until you get to a requirement, or a practice and say, “Oh, our MSP does that, and this is how they do it.”

Caleb Leidy (07:44):

So, now you’re going to start looking more closely at those. Where the scoping guide comes in, and I think has been good to help in that, is that if you look at it from practice to practice perspective, then you may neglect to go back and say, okay, well that MSP has security functions and people with security functions, are we making sure that the access control is proper for them? Are we making sure that they’re following the company’s guidelines on viewing, and handling, and working with CUI outside of a controlled space. Those other things where we’re looking at protecting the people, and how they function so that we’re not, losing confidentiality of data, as opposed to necessarily, the very specific things that they are doing.

John Verry (08:33):

So, there’s definitely some complexity to this, right? Because, if I’m the client, and I have an MSP that is connecting into my environment, to remotely manage some IT infrastructure for me. The responsibility to live up to the access control, authorization responsibilities, lie on me, and then if they’re doing, let’s say they’re providing some type of a service with that access, that is also impacting CUI, then they’re responsible for ensuring that the way they conduct those practices meets the CMMC or 800-171 requirements?

Caleb Leidy (09:14):

Yeah. That’s the way I would see it.

John Verry (09:16):

Okay. Interesting. So, can a, so let’s say that I’m an organization that provides managed services of some sort into the defense industrial base, or more broadly other organizations that will be impacted by CUI, as we move forward. Can I, absent of knowing the specific client, can I architect things in a way that I know will work for all my clients? Is that the way that you advise them to do that?

Caleb Leidy (09:43):

I think that would be a great start, right? You can do things in a generalized enough method, right? If you’re working absent of a client, and you’re starting with your MSP, and here’s the services that we provide, you can set things up to say, all right, within the bounds of our clients’ policies, we have services set up, we know what services we provide. We know what requirements those services would speak to, and we know that we’re going to have to access and protect our environment by the client’s policies as well. Unless the client then defers, and that back and forth, okay your policy is good enough. Your policy, your process is good enough, it fits into the structure of ours. But focusing, I would, for an MSP absent of client, go ahead and jump in, and do a gap assessment, or at least look at your services, and understand what services you’re providing that are speaking to CMMC requirements.

Caleb Leidy (10:56):

And, that just broadens up your ability to answer to those. We’ve got a long history in the DIB, where you get to a client who needs to be 800-171 compliant, or needs to get a CMMC certification, and are just now finding out that these requirements exist. Now you’re going through, and doing gap assessments, and you’re finding out that you need to do this, and you need to do this, or you need to do this. Well, they’ve had MSPs this whole time, so they’re not just grabbing them as we go. So, those processes, and agreements, and contracts between those businesses are already worked out, and if your MSP isn’t doing the things that you need to meet your compliance objectives, then you’re going to need to rework things, or see if they can add to what they’re doing, or see if they can adjust. But, it may not be as simple as an MSP that’s coming in fresh, and already understands where they’re helping you meet your compliance objectives.

John Verry (12:00):

Right. And, I guess, from an MSP’s perspective, the good news would be, is that, I think the vast majority of entities, especially those currently in the defense industrial base, because many of them are manufacturing concerns that don’t have overly robust security programs to begin with. That, as long as you architected the delivery of your services in a way which was 800-171 compliant, more likely than not, you’re going to live up to their policy, their requirements, right? I think it would be unlikely, if you met those requirements, that you’d fall outside of their requirements.

Caleb Leidy (12:29):

Right. That makes sense.

John Verry (12:31):

All right. So, does that change much? So, the way that we, just that part of our conversation was around us acting in their environment. How does that change, dependent upon whether or not we’re providing a service, which is specifically called out in the scoping guide. And so, you’ve got what, if I recall correctly, I don’t have the guide open in front of me, but we got this idea, like security protection assets, right? So, if I was providing a SOC service, right? Managed MDR, XDR, SOC, whatever we want to call it these days. I never know, managed SIEM. They all seem to mean the same thing. But, if I was providing that type of a service, and that service, that’s a little bit different. I’m not necessarily going into their environment to do something. Their data is coming to me. And, I’m providing a service which is integral to their system security plan.

Caleb Leidy (13:15):

Gotcha. Yeah. So, same perspective, right? They’ve got that technology, that you are running on their behalf, is providing a function to their environment, that is critical as part of the requirement. So, they have to, when assessment time comes, and it’s just good to know for internal business processes anyway, be able to provide evidence that is controlling protection, right? Controlling, putting security controls in place, in a way that meets the requirements. So, if we look at a SIEM, right?

Caleb Leidy (13:50):

That someone else is managing, you’ve got all kinds of requirements in the AU family, that go into, what are you logging? How are you logging it? What do your records look like? Which, if someone else is managing that for you, you may not have a great amount of insight into day to day, but you should know what they’re doing. Be able to provide evidence of what they’re doing and have a lot of insight into that, if you need to get to it, right? To provide evidence or to respond to critical information that comes from that kind of service. It goes into another aspect. And it might have been what you’re getting at, right? Is, if CUI is actually being trans- [inaudible 00:14:35]

John Verry (14:34):

That was the next question I was going to go, right? Because, there’s under normal conduct of a system, ideally you would not have CUI ending up in your logs. But, if we were doing NetFlow, or something like that, or there was something else going on. Yeah, you might have CUI actually transit, which would completely change the requirement for the managed service provider, correct?

Caleb Leidy (14:57):

It would. And, that’s a really interesting aspect that a lot of people get into is, if someone is processing, storing, transmitting CUI on your behalf, you have flow down requirements. If it’s unintentional, then you have a failed control, right? And, you have a spillage, maybe a reportable incident, and something that you need to button up, and have a process to deal with in the future. If it’s intentional, now you have flow down requirements that, you’ll flow it down, and there’s certain, might be subcontract, or what have you, but that organization is now going to have their own CMMC requirements to deal with. And, that has been, I’ve had some discussions with folks recently, and people get pretty upset about it. If you’re looking at OSC, and they’re sending CUI elsewhere to an MSP, then do we gather evidence, and make sure that MSP has a CMMC level two certification? Not during that assessment, you don’t. Because, that’s really adding requirements, right?

Caleb Leidy (16:10):

The OSC right now, doesn’t have an obligation, a legal obligation, or requirement within the CMMC framework, or the 800-171, which is what is going to be assessed, to ensure that third party has a CMMC certification. Now, that third party is going to be required to have a CMMC certification, right? Or, 800-171 compliance, and that’s between, really them and the government. Even the flow down, it’s all a contractual perspective, right? So, a commercial assessor doesn’t really have the authority, or the obligation to pursue that avenue much further, right? You can ask it, maybe during an assessment. “Hey, did you check to see if that organization has a score in SPRS?” “Yep. We did, and they sent us a letter that said they’re compliant,” so on and so forth. Great. If they say, “That’s a contractual matter, and we don’t want to discuss that with you for our assessment.” It really would be adding to the requirements for CMMC, or 800-171 specifically, to pursue that a lot farther, and it’s really a government function at that point.

John Verry (17:26):

Yeah. But, we’re talking about a very, in my humble opinion, a very significant loophole, right? Because yes, CMMC is what we’re obligated to. Which is basically obligation 800-171, but the 800-171 application comes from DFARS, whether it’s a 7012, or usually a 7012, because that gets added to the 7019, and 20. So, under the DFARS 7012, we have that responsibility to flow it down. So, it’s a very weird situation to me that you’re going in there as an auditor, you know that CUI is flowing into another environment. You know that there’s a DFARS clause that necessitates them to flow down the requirement, and have evidence that they’ve done so, but yet you have no capability of look… Like that seems a little off. Do you think that’s something that people are talking about and saying, “Hey, we got to figure out a way to fix this.” Because, I think you’re going to see a lot of problems there.

Caleb Leidy (18:15):

I think you would see problems. And, it really depends, right? And again, they would really have their own contract requirements. It would be the same. The MSP would get requirements flowed down to them if we knew that, hey, we know that we’re passing CUI through that MSP environment. So, we’re going to flow down the contract clause to ensure that they’re properly protecting the data. But, it’s all within the bounds of the OSC’s assessment, right? And, that’s why when we look at it from an overall perspective of a business, business relationship, versus when we’re actually looking at an assessment perspective. As an assessment, you’re not certifying, or looking at the compliance of that third party. You’re looking at the functions that they’re providing, and the people, and resources that are being used for the OSC that you’re assessing, are in compliance.

John Verry (19:16):

No, I understand, but clearly there’s… Look, at the end of the day, we want to protect CUI. The idea that you can go in and give someone a CMMC level two certification, knowing that they’re flowing data down to multiple sources, that they have no evidence are actually conforming with 800-171, or have a score in SPRS, or have their own CMMC, sounds nuts to me.

Caleb Leidy (19:40):

Primes have been doing it for years.

John Verry (19:42):

I know. Which is why we have CMMC, right? No, no, seriously. Yeah.

Caleb Leidy (19:46):

But, like DCMA-

John Verry (19:47):

Yeah. So look, but DCMA can’t go out and look at… So, what’s going to happen? So, you’re saying that in order for, I’m Joe manufacturer, I run John’s manufacturing company. I’m providing CUI downstream to somebody. Okay. So, let me ask you, let me go a different direction. If we didn’t go MSP. If we went, I was flowing it down to a sheet metal shop. Okay. And, you’re in there for CMMC, I’m assuming the same thing holds, that you have no obligation to look to see whether or not… So, at the end of the day, the government did this to protect CUI. We know every organization flows down a lot of CUI, but we’re not going to look at that as part of a CMMC assessment. I’m sorry, but there’s definitely a little bit of a gap there that somebody should be looking at to say, “How do we address this?”

Caleb Leidy (20:27):

Right. And so, there is to an extent, right? And, they brought in the 7020, which we’ve talked about a bit, and that clause actually has the requirement, you can’t give a subcontract without validating that the subcontract, if your CUI is involved, is to, with a company that has a score in SPRS.

John Verry (20:49):

But, that like 7012 was, right? The only way that ever gets enforced is through a False Claims Act, or a DCMA knock on your door. And, the DCMA does not have nearly the bandwidth as you know, because you worked for the DCMA, and DIBCAC, the bandwidth to go around and knock on 80,000 entities’ doors.

Caleb Leidy (21:08):

Right. I don’t think that MSPs are included in that 80,000 number-

John Verry (21:13):

Right. They’re absolutely not. Right.

Caleb Leidy (21:15):

And so, you look at that, DCMA does have, it’s not just DIBCAC. It’s a huge organization, thousands and thousands of employees. There’s other functions for contract assessment, right? Contract clause compliance assessments, who would serve more of that function.

John Verry (21:33):

So, it should be, you’re saying that, it should be covered through that part of the DCMA. Okay. I hope you’re right. Because, otherwise we’ve gone a chunk of the way there, but not really as far as, I think we ultimately need to go.

Caleb Leidy (21:47):

And, I don’t know, I really don’t think, again if you’re looking at it that way, in contracts, and how it all goes out. I don’t know if anybody’s really looking at MSPs in that regard right now, right? And, you’re going to rely only on the DIB, and the industry partners to say, “Well yeah, we know we have CUI. We’re subject to 7012, and 19, and 20. And, we know that we flow CUI to our MSP.” Right? They’ve called it out for cloud providers, but they’ve not called out requirements for MSPs. It’s interesting. Yeah.

John Verry (22:29):

Yeah. It is. And, that speaks to the next question I was going to ask you, right? When does an MSP become a cloud service provider, right? Because you are a strong advocate, you’re a guy who reads these standards at a level that I don’t, and you’ve pointed out to me multiple times that, an entity that’s a cloud service provider, handling CUI is not beholden to CMMC, right? They’re beholden to FedRAMP, moderate or equivalent, I think is still the language that’s in there. So, question for you, let’s say you’re talking about, let’s say Pivot Point is providing an AT&T Cybersecurity SIEM solution to a client, right? And, we have access into the environment, and we’re providing some reporting to them for CMMC compliance. It is an MSP, right? In a sense, or MSSP relationship at that point, but that’s also a cloud service, right? AT&T Cybersecurity is a cloud service. Pivot Point’s providing the service to them. Do we become a CSP? Is AT&T Cybersecurity considered a CSP in that situation? Or, is it still the MSP, and we’re only getting the flow down to the 7012?

Caleb Leidy (23:36):

Yeah. So, I think everything you said is accurate, right?

John Verry (23:46):

[inaudible 00:23:46] Usually, when you say “Everything you’ve said…” I think I’ve known you a year in three months. Anytime you’ve started a sentence with, “Everything you just said…” Just it always is finished with, “Was wrong.” So, thank you. I feel a lot better today. I must be learning some- [inaudible 00:24:01]

Caleb Leidy (24:00):

You did good. I’m glad within, a little over a year that- [inaudible 00:24:05]

John Verry (24:05):

It took you a year to train. Well done you. Yeah. Yeah, exactly. So, is this the moment where a grasshopper grabs the rock from the master’s hand, is that what just happened?

Caleb Leidy (24:13):

Yeah. Something like that. Yeah, so how many levels of flow down do you go, right? Flow down is flow down, is flow down. So, I think in that situation, you laid out, right? PPS would still be an MSP, MSSP in the grand scheme of things. The actual product offering is the cloud service, right? So, their infrastructure and, the SaaS product that would come along with that, would be what would need to have that FedRAMP moderate authorization, or equivalent, right? And you can, of course you can get FedRAMP authorized for a SaaS, or PaaS, or infrastructure as a service, at all those various levels, which that would be really on AT&T at that point. The obligation to ensure that requirement is in place, now moves. Because, the OSC- [inaudible 00:25:10] Right? The OSC is flowing down the requirement to their MSP, and their MSP has some responsibilities there, but now any subsequent flow down, right? We’re passing CUI to another environment, and that’s a cloud environment. And so, now we have an obligation to ensure that, that FedRAMP is there.

John Verry (25:32):

Yeah. Pretty soon you’re going to be asking your babysitter for a CMMC certification. It’ll only be L1 maybe, but no seriously. When you start to think about the way that data flows between organizations, at some point when the federal government turns this on completely, how many organizations are not going to, at some point, have some type of data that’s classified as CUI, through some type of a flow down, or a flow down of a flow down. It’s going to get crazy.

Caleb Leidy (26:00):

It’s going to be really messy. There’s some predictions out there that, because of marking and identifying CUI, that essentially anything that’s not marked, or currently is called FOUO, or sensitive but unclassified, it’s just going to be called CUI by the government, which is concerning, right? It’s not how it should work, but if you think about the task at hand, we say, all right, right now we have everything marked FOUO. And, we’ve dealt with it as FOUO for a long time. So now, as the government, we’ve got to go back, and look at all of our FOUO and put it into buckets. This is CUI, this is FCI, this is unclassified, and it’s not going to be pretty.

John Verry (26:48):

Well. And look, we don’t want to over treat risk, right? That’s a fundamental concept in information security, but at the end of the day, if you want to be a viable business, right? An 800-171 conforming environment is conceptually highly similar to a 27001 conforming environment, highly similar to a SOC 2 conforming environment. And, those are becoming the baseline responsibility, to be an organization that isn’t at significant risk to going out of business independent of its contractual obligations. So, I think honestly, really, and I think the presidential executive order, and the guidance coming out of CSA is sort of saying the same thing. And, if we’re going to continue to be an economic player, and have our sovereignty, and have national defense, right? That we really do need most organizations to end up at an 800-171, or similar style environment.

Caleb Leidy (27:42):

Yeah. And they should, and they’re going to keep moving on through, trying to put this program in place. The way I see, we’re talking about MSPs, right? And, it’s fun that we bring up the FedRAMP requirement, which I just think is ridiculous. But, if we look at the FedRAMP requirement, and we say, well, how’s this play out for MSPs. It’s not really structured with requirements around MSPs. The whole industry has had a problem with not doing anything around this area until we started seeing some enforcement of the requirements. What, if the government comes out and says, similar to cloud provider, who’s not even providing services to the government, because you use them for CUI purposes. They now have to have FedRAMP moderate or equivalent. For an MSP that’s providing services, what if they were to just say, they have to have an RMF ATO moderate level, or equivalent. That’s really no different than the FedRAMP requirement that’s there right now.

John Verry (28:47):

Right.

Caleb Leidy (28:47):

And, MSPs just aren’t going to, they’re not going to do that. That’s crazy.

John Verry (28:51):

Right.

Caleb Leidy (28:51):

And, I don’t think the FedRAMP requirement is right either, that’s another topic, but just looking at that same logic. You’re either going to have to start requiring a CMMC certification, or provide the circumstances to say that, this is how an MSP is scoped into an OSC’s certification and responsibilities. And, here’s some of the requirements. But, laying out those requirements, and like you said, it’s not well policed right now. I do think that it’s being seen, and looked at. So, the results of trying to make determinations on what those requirements should be, might be a scary thing to think of, coming from the government.

John Verry (29:36):

Yeah. It’s going to, like we said how many times, it’s going to be an interesting next five years. So, I know that I’ve heard you talk with MSPs, with regards to this concept that they should develop a shared responsibility matrix. Why do you think that’s so valuable to them?

Caleb Leidy (29:52):

Yeah. So, kind of along the lines of what I was saying earlier, if an MSP understands that they provide pretty standardized services across the board to their clients, they can start to look at how their controls are meeting CMMC practices, 800-171 requirements, and have that preset. Say, we know this is what we do and what we control. We know that for this same set of requirements that you, our client, are going to need to take part of it, and here’s exactly what those things are. Here’s what we do and how we’re meeting it. Here’s what you need to do to ensure that you’re meeting it. And, you have that all laid out ahead of time. You have one, an MSP who understands your compliance needs and is helping you. And then two, you have an MSP that can be looked at, from C3PAOs, from anybody doing gap assessments, consulting services.

Caleb Leidy (30:50):

If you have that all laid out similar to a CSP, we have the FedRAMP, the system security plans, and customer responsibility matrixes, and they… Matrices, right? They lay those all out. And, whereas CSP, most of the time it’s like, there’s still some ownership from the client to configure things, or how they act in that environment. I think it would be different from an MSP’s perspective, just knowing, hey, we know that we’ve got this set of requirements fully met. We know that there’s these pieces for you to do, to fully meet these requirements.

Caleb Leidy (31:27):

And, you take out your level of work for compliance, as opposed to looking at it, as, from an IT, or an implementing controls perspective, we already know what our compliance looks like. So, it makes it easier across the board. It’s better for the MSP, because then they don’t have somebody that has to come every time and ask questions. What do you do for this requirement? What do you do for this requirement? And, you don’t have to, you have a level of comfort and reliability from their potential clients to say, all right, we know exactly what we’re getting into.

John Verry (32:05):

So, it’s a marketing advantage on, on the first case- [inaudible 00:32:09]

Caleb Lighty (32:08):

I would say, definitely.

John Verry (32:09):

I guess the second thing is it would be an effectiveness, and efficiency of operations advantage, in that, if I defined a standardized way, I do something and I tell my potential clients, and clients that, that’s the way we do it, and they architect around that, then I don’t have to have 12 variations in place, right? Yeah. I can say, because if you think about it, when you go to Microsoft, you don’t get a chance to say, “Hey, this is what I want.” Microsoft says, “This is how we do it. If you want to buy it, go ahead.” Right? And, they do that for effectiveness, and efficiency of operations. And, I guess you already pointed to the other side of effectiveness, and efficiency of operations is that, if you have smart clients, they will flow down the requirement. And, you’re going to be asked for documentation to reflect that. And, that responsibility matrix is that documentation. And, you’re providing that from the very first moment that you start working with them.

Caleb Lighty (32:56):

Right.

John Verry (32:56):

That’s pretty cool. I would think that would absolutely be the right way to go.

Caleb Lighty (33:01):

Yeah. And, I think it’s key.

John Verry (33:03):

So, question for you, did we… I’m looking at our notes. I think we beat up the MSP idea pretty well. Is there anything that we missed, in terms of some of these subtle variations of what they might run into?

Caleb Lighty (33:15):

Yeah, I don’t think so. You know what, a lot of the times, if we look at, one thing I would add just along the last thought we were going back and forth with, and the shared responsibility matrix is, most of the time MSPs are, are being contracted to fulfill an IT service, right? And, where they’re going to be lacking is going to be in documentation, and policies,, and procedures. But those need to come from inside the organization, the client organization anyway, right?

Caleb Lighty (33:46):

Because, that’s just where that’s going to fall. So you can, it’s easy to lay out that way, “Hey, you tell us what your policies, processes, procedures are. We’ve already got a set baked in way of how we do things, and we can line those up.” Is what I was getting at earlier. The vagueness, right? We do, at our MSP we do configuration management via group policy management. Okay. Well, for our particular instance, these are what group policy things that we say we absolutely have to have, and how they’re going to be set. Great. So, now we go from, we do group policy management down to these are the settings within our group policy, within our policies, group policies.

John Verry (34:34):

Yeah. Something that made me think of that I hadn't thought of before. So, you do FedRAMP work. So when you're deploying your solution in either AWS or Azure, the SSP you use is the one that you grab off of their site, because it's prepopulated. So, the controls that they're responsible for, right? Their version of the responsibility matrix, if you will. Is actually outlined within the SSP itself, right? So, you can see that you're absorbing that control. Would that logically hold as another thing an MSP should consider doing, would be to actually have a system security plan template, for a service, that defines which of those controls, because, can you imagine, as somebody who's got to implement an SSP, and has all of these holes in their document to fill, if I was looking at a client and, excuse me, looking at a particular service provider, and they were saying, "Hey, here's how it matches up. So, you can just point to our controls, in all of these sections." That would seem to be pretty valuable.

Caleb Lighty (35:32):

Oh, absolutely. Absolutely. And, that’s kind of what I was getting at, right? Is if they lay that out ahead of time, putting it into an SSP with your control implementation in there is a great way, right? So, you can have those inherited, shared, or client responsibility, all laid out. And, that makes it super easy for a client to come in, and know what they need to do, and to already have the documentation that they need for evidence, and verification, that those practices are being met.

John Verry (36:05):

Yeah. We covered the MSP stuff pretty good. Appreciate that. So, let me ask you to geek out a second, because any MSP that is listening to this really needs to be aware of, what's the timeline when all this stuff is going to happen? So we know that the legal contractual wheels are turning in DC, as we speak. And, I know there's a bunch of documents that I don't fully understand all of them. I know you've referred to FAR case 2017-016. The ones that I know a little bit about are 48 CFR, and 32 CFR. So, when are all these going to go into effect, and what are the likely implications to an MSP that's listening?

Caleb Lighty (36:42):

So, things that are coming from the DOD, and the CMMC rule making process, within various portions of the 48 CFR, and the 32 CFR, 9 to 24 months from last November. Maybe, who knows. CMMC assessments, and how CMMC views things, right? And, talked a little bit earlier about, our naughty language for saying scoping guide, but the scoping guide starts referring to MSPs more than we've seen other documentation refer to MSPs. So, as CMMC assessments start rolling during the voluntary period, which could be as soon as next month. We'll start to see how MSPs are assessed, from the eyes of C3PAOs and the CMMC Accreditation Body. And then, as we see the final rules come out, the FAR CUI rule, which is the case 2017-016, that's expected sometime this year.

Caleb Lighty (37:44):

And, I don’t think we’ll see a whole lot specific to MSPs in that one, more around the federal CUI program, and standardization across the board. For the DOD rules, I also am not sure how clear they’re going to be, right? They haven’t so much in the past [inaudible 00:38:02] said, they have things like the FedRAMP requirement for cloud service providers. They could very well range from anything from, you need to have a CMMC certification as an MSP, that’s receiving CUI, right? Processing [inaudible 00:38:18], transmitting CUI. Down to a moderate ATO, or equivalent for RMF, right? In the [inaudible 00:38:28].

John Verry (38:28):

Yeah. So, you took that question in a different direction than I was intending it, but that was actually pretty cool. I was intending in a slightly different direction as to, when 48 CFR, refresh my memory. 48 CFR is the non-DOD version, right? And, 32 CFR is the DOD? Or, did I get that backwards? I always mix them up.

Caleb Lighty (38:45):

32 CFR is national security, and there's a bunch of different sections. Part 2002 is CUI, that comes from [inaudible 00:38:55].

John Verry (38:54):

But, 48 is the more generic one, right? That’s the one that applies across the entire government, correct?

Caleb Lighty (39:00):

So, 48 chapter one is the FAR. Which applies across the federal level. 48 chapter two is the DFARS, which gets DOD specific.

John Verry (39:11):

Yeah. Okay. Now you know why I'm confused. All right. So, what I was really kind of going in the direction of is that, when 48 CFR part one, right? When that goes into contracts, begins to go into contracts, right? That would in theory immediately make all 19 other classes outside of the DIB, right? All contracts that were involved in processing CUI would suddenly be beholden to that standard, right? That's incorporated into every standard, every contract. So that, any person that's processing CUI, so if you're an MSP, but you don't deal with the DIB, right? You're dealing with financial, you're dealing with transportation, and any of these industries that are specified in their intellectual property, legal, healthcare. In theory, the minute that 48 CFR, part one, goes to press, then everyone who processes that data is subject to CMMC, right? Or, 800-171, I guess, would be a better way to say it.

Caleb Lighty (40:07):

Yeah. More 800-171-

John Verry (40:08):

And, perhaps CMMC.

Caleb Lighty (40:10):

There’s various, and that’s why it’s such a mess right now, right? There’s so many different regulations, things that make CUI categories specified that are extra requirements on top of the 80171, or the basic CUI safeguarding rules. And, that’s what is part of the reason why it’s taking them so long to work this all out, right? It started 2010, with the executive order. So, here we are 12 years later, almost getting to starting the program. But, they’re one of the CUI blog from Nara. The last one that they put out talks about taking those specified categories, working out the small intricacies of some of the specified categories, and what those extra requirements are, and bringing those categories to basic. So, we’re left with really the 80171 compliance.

John Verry (41:02):

Okay. All right. Now we hadn’t talked about this prior, but considering the fact that the 80172A dropped today, or just recently, that in theory puts us closer to a audit program, or assessment of a CMMC L3, assuming that CMMC V2 L3, and assuming a CMMC V2 L3, the presumption is that the requirement for that will be 800-172. So, is that a fair assessment? And if so, where do you think that’s going? How long will you think that will be? I know we’re just wagging, and then second thing is, how likely would it be that might impact an MSP?

Caleb Lighty (41:42):

Okay. So, I think it would impact an… I'll start with the MSP piece. I think it would impact an MSP the same exact way that everything is currently impacting MSPs, right? You got to find out where they fit into it. What controls they're meeting, and are responsible for, what their requirements are, and how they're supporting the OSCs. The 172 is, they're not intending to use all of the requirements from that for the level three. And, what's really interesting is a look back to where they said bifurcation, right? For level two, and well, we're going to assess some, and not, some is more critical. Level three is the more critical, right? That's why we can't do it at level two, everything's at that set level. But, we have very critical programs that deal with CUI, that are going to be held to a higher standard, and that's level three.

Caleb Lighty (42:39):

So, whenever they figure out what those very critical programs are, then that's where I see they'll start pulling out, and making the requirements set that they'll pull from the subset of 172 requirements, and I expect CMMC level three to line up precisely to that, right? The 110 from 171 at the level two right now, with the additional, whatever they pull for those critical programs from the 172, go to the level three CMMC. So I don't think it's overly complicated outside of figuring out what those critical programs are. They should have a pretty good idea of, and it gets rid of the nagging concept of, is there less or more critical CUI at the level two? And, I would say, no, right? So, they'll figure that out. They'll pull the requirements set. It'll port right over to CMMC level three. And, you really have the same assessment process from there.

John Verry (43:40):

Gotcha. Do you think the, I know when they talked about the original bifurcation, they referred to it as prioritized acquisitions, and I think they gave examples of munitions, command and control, and communications, or I think those were the three groups that they said, as an example. Do you think that we're going to align with the program, or do you think that we're going to end up aligning with CUI specified, or do CUI specified and programs go hand in hand anyway, and it's six of one, half a dozen of the other?

Caleb Lighty (44:07):

They don’t, right? So, the data types are just really come down to what kind of sector they’re in. I think it’ll go to the programs, right? If you look at contract programs, you might have a specific fighter jet. And, we know the F35 is a big example of CUI protection, reasons, and origins, right? So, if you take F35, you’ve got a contractor who’s the prime on that. And then, you’ve got all these subcontractors that are down to it. So, you might have a subcontractor six, seven tiers down the supply chain, who is dealing with CUI for a very critical program, contract program, like the F35, who now might need to be level three. Just because of the program that is associated with.

John Verry (44:57):

Okay. And, it might even differ depending upon what that sixth level down subcontractor is doing, right? A sheet metal shop might be different than an antenna shop, right? Somebody that's involved in guidance of the aircraft, or its missiles, would be a little bit different than somebody who's bending a piece of metal that's going to go around a wheel. Well,

Caleb Lighty (45:14):

Yeah. And, it’s same for, for flow down, right? I don’t think the flow down verbiage is going to change. You need to identify what the CUI is, and if the data retains its identity, as covered defense information for that subcontractor.

John Verry (45:31):

Gotcha. Anything else we missed, sir?

Caleb Lighty (45:33):

I don’t think so. Its been lots of fun. I’ve got lots more to talk about, but we don’t have enough time.

John Verry (45:41):

I wore you out. Huh? I have a tendency to do that. So, do you want to go for the fictional character? The amazing, horrible CISO. You've done it at least once before. Do you want to go for it again? Or, you want to beg out?

Caleb Lighty (45:54):

You know, on this third, and or fourth time that I've been on the podcast- [inaudible 00:45:59]

John Verry (45:58):

Stop rubbing in other people’s noses. Okay. It’s going to cause a problem.

Caleb Lighty (46:03):

He’ll be all right.

John Verry (46:04):

there’s a long line of people that want to be on this show, and I’ve let you grace this episode again, I mean come on. So, you’re going to pass on that, I take-

Caleb Lighty (46:13):

Take, no, I don’t think I’ve been given the opportunity to, yeah.

John Verry (46:17):

You haven’t? All right. So, let’s go with it. All right. Well then, I hope you’re prepared. So,, give me a fictional character or a real world person you think would make an amazing, or a horrible CISO and why.

Caleb Lighty (46:26):

All right. So, I’m going to go recent events here and everything that’s going on. Ukrainian president, Vladimir Selinsky, I think would make an amazing CISO. Because, he’s shown that he understands high level concepts, and prioritizations, and strategies, but is also not afraid to get down at ground level, and be involved in the team that’s carrying out, and implementing those strategies as well.

John Verry (46:54):

Yeah. And, he’s an astute political, his actions are pretty clever. The way he’s called out NATO, he’s called out the US. He really understands how to use the press. Not that you have the press inside of an organization, but you still have those same kinds of politics, and you need to be able to create the same kind of pressures by putting people in tough spots. So, that’s a really interesting one.

John Verry (47:17):

And, the other guy that was pretty cool too. Did you see the picture of, I think he was the mayor of Kiev. The guy looked like The Rock, you know what I mean? And, he was the mayor, and he's in battle gear, and he's like, "I'm not a politician who's hiding in an office somewhere." And, he's at the front lines, waiting for them. Yeah. It's a dreadful situation, what's going on over there. I say a prayer for everyone involved. And, I pray that we have some fast, and painless end to the conflict, because it's dreadful to see some of the crap that's going on. Someone wants to get in touch with you. I know you're active on LinkedIn. Anywhere else that someone might reach out to you?

Caleb Lighty (47:55):

Yeah. Caleb Lighty on LinkedIn. I’m in the CMMC, CUI discord [inaudible 00:48:01], that everybody loves to get involved in. So, I’m in there, and then [email protected], feel free to reach out.

John Verry (48:10):

Awesome man, as always. It’s been fun, man. Thanks.

Caleb Lighty (48:13):

Yeah. Thanks John.

Speaker 1 (48:18):

You’ve been listening to The virtual CISO Podcast. As you probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And, to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.