EP#90 – John Verry – Important Clarifications on CMMC v2 from CMMC Day May 9, 2022

To invest in CMMC or to not invest in CMMC, that is the question.

CMMC (Cybersecurity Maturity Model Certification) is a lofty yet necessary investment for the Defense Industrial Base. With all signs pointing to May 2023 for when we can expect CMMC to be included in contracts, anyone who is considering CMMC should do it sooner rather than later as implementing any comprehensive cyber security program could take a company 9 to 12 months.

On this episode, our host John Verry recaps his most important takeaways from the recent CMMC Day conference held in Washington DC on May 9, 2022.

Join us as we discuss:

• CMMC Level 2 and 3 requirements
• CMMC’s three-year certification process
• False claims acts and the impact CMMC will have on the review process by the Justice Department
• Differing opinions of CMMC from conference attendees and CMMC experts 

To learn more about the implantation of CMMC in contracts, follow the link below or find us on your favorite podcast streaming service.

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player 

Speaker 1 (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for Security, IT, and Business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there, and welcome to yet another episode of The Virtual CISO Podcast. With you, as always, John Verry, your host and with me today is me.

Today’s episode is an interesting episode. Last week I was fortunate enough to attend a CMMC event in Washington, DC where we had a very good cross section of people that are impacted by CMMC. We had folks from the DOD and NIST who were talking about it from that side of the fence. We had some C3POs. We had some key service providers, think Microsoft, Google, AWS. Managed services provider in the space. We had a number of clients that were DIB members, right. Orgs that are subject to CMMC. So it was a great cross section. And I think we got a lot of clarification with regards to CMMV two and where this is all going. So I thought it was important to get this to you.

So first and foremost, and I think the most important piece of news, is that according to Stacy Bostjanick and she is a DOD and she is effectively in charge of the CMC program, March, 2023 is the expected date when the rulemaking will be complete, which allows CMMC to be included in contracts. Those contracts would happen 60 days later, as I understand it, which means that we can expect to see CMMC actually appearing in contracts in May of 2023. So it’s nice to actually have some clarification on when we expect this to happen.

Now it’s important to understand that we, so now we’re talking about CMMC V two, right? So level two, which is what affects CUI and level one, which affects FCI. Both of those, we have the clarity on that a level three, by the way, is still a little uncertain, in level three we know that 800-172, which has 35 controls in it, a TBD number of controls will form the basis of level three. What’s also interesting about level three is some clarification that we got, is that to get to a level three, you will have a level two CMMC certification audit conducted by a C3PAO assessment, excuse me, I shouldn’t use the word audit. And then the DICAD will come in and do a level three assessment on top of that. Now from a level two perspective, let’s say we get to May, 2023, in order for contract to be awarded minimally, you’d have to have a score in SPRS and or your affirmation filed by your senior official. You know, the affirmation is that new requirement that exists at this point in time. And then you can receive a contract for some period of time.

There’ll be a waiver process. What that will do is it’ll give you 180 day grace period to achieve certification, which is a very tight period to do so, which definitely puts contracts at risk. We know that we will be having C3PAO assessments at that time for most contracts. You know, there is that talk of bifurcation. The expectation is that eventually all contracts that are involving CUI will go through a full certification assessment. At the beginning, there may be some contracts that don’t require that. The early adopter program has been approved, which means that you will soon start to see organizations touting the fact that they are CMMC certified based on the current version of CMMC. The expectation is they will need to get to 4,000 assessors in year one to be able to keep up with the demand. And the expectation is that they will have 8,000 assessors by the end of year two, again, to meet that required demand.

And the expectation and the number that you hear pretty consistently is there are probably 80,000 organizations that will require a CMMC level two certification, other points of emphasis that came out, there was a lot of talk and I appreciated it because this has been my stance the entire time is that the more things change, the more they stay the same and realistically with CMMC, nothing has changed. Once we rolled back to CMMC V2, because CMMC is effectively 800-171, and that went into effect December, 2017. So really nothing’s changed since December 2017, those 110 controls that you’ve been attesting to the fact that you’ve implemented them by sending an invoice are now just being formally validated to be in place. And again, with minimal change, there are really just four documents that you need to pay significant attention to. As you’re working your way through this, we’ve got 800-171, which defines the 110 practices.

We’ve got 871A, which defines how they’re going to be assessed. So that allows you to know exactly what’s going to happen and prepare your artifacts and evidence in a way which will hold up to that assessment. You’ve got 800-172, which we talked about, is if you’re going towards level three, that’ll be some 35 additional controls or some logical subset of that. And the 801 72A document again, is how it’s going to be assessed. You know, they reiterated. And I think it’s important to talk about that CMMC is expected to be a three year certification. So think of this as being like ISO, except in year two and year three, instead of having a surveillance audit, you’re going to have what they’re referring to as affirmation from a senior company official. So if you guys are familiar with Sarbanes Oxley, which had a management sign off on the controls of our financial reporting, this is ostensibly the same.

So what we’re going to require is a senior official is going to have a basis for his opinion, right? So some form of assessment, some evidence that he looks at, and he says, I believe, and I’m asserting to the fact that we are doing everything we’re supposed to be doing. We’ll talk why that’s so important is the next thing here, which is The False Claims Act. So as you guys probably know, there’s something called The False Claims Act, the government is really looking this. And I think it’s a key part of acting as an enforcement mechanism, during year two and year three, or for those organizations that are not required like under the level one, right? The FCI, as you might know, last fall, the justice department launched their civil fraud cyber initiative. So what they did was they beefed up their capabilities to take on false claims acts a false claim act can be triggered in a lot of different ways.

Probably the most likely ways that you would end up in a false claim act would be a whistleblower or, and this is the scary part, some form of a cyber incident. So under CMMC under DFARS guidance, you are required to report security incidents. So if you have some type of a breach, you need to report that if you have a breach, there would be the question as to whether or not, how did you have a breach if you’ve properly implemented those 110 controls, of course, you can still have a breach with all of them implemented well, but it’s less likely. So, that might trigger some type of a review of what’s going on. And if you are found to have misrepresented quote unquote, the implementation of the 110 controls, you could be subject to a false claims act. These false claims acts can be very, very expensive.

In 2020, they recovered over $20 billion through false claims act. We just recently saw Arrow Jet, a claim was filed through a member of the DIB that was sealed for some reason, probably because it had something to do with some highly sensitive information. But CHS just had a false claims act settled in Aprilish, I think, and that was about $930,000. So you do not want to be in that position. So it really is critical that if you are going to sign off that you have the proper implementation of your CMMC controls, I would strongly suggest that you actually do have it. Another point of emphasis was it is now okay, with the clarity of CMMV two, was you can get certified with a POAM. Now there was, there are, you can’t get certified for POAMs for what we’ll call high importance controls, things like multifactor authentication or encryption, but for those controls that if you think about, those that have one point or maybe even three points, you can have a limited number of POAMs.

It’s important to note that you will have a maximum 180 day cure period on those if you do have any POAMs. Most of what I just gave you is feedback, but I’m going to call from the government. And from those that are in the rulemaking side of the house, it was also really interesting for me to have a chance to talk with members of the community. Other folks like us that do consulting, managed services, providers, folks that provide technology services like Microsoft C3PAOs that have gone through the process. And I thought some of the information that I got there would be worthwhile to share as well. One thing which is very interesting to me was talking with a C3PAO that has recently gone through their DICAD audit in order to become qualified as a C3PAO and DICAD requested during the audit that they address the NFOs of 800-171 in appendix of their SSP.

Never seen that before. I thought it was really interesting. So the NFOs are in appendix E of 800-171, and there’s an implicit expectation that they’re going to be there. So addressing the NFOs isn’t necessarily hard. In fact, you probably address them by addressing the 110 controls, but this idea of explicitly pointing out in the appendix, how you met the NFO controls was interesting. And I think good guidance wouldn’t take that long, but it does reduce that risk of it occurring during your assessment. Did talk to unfortunately, a couple of folks that have had bad guidance during the process. So I talked to one in particular, that was a painful process. They went with an RPO, registered provider organization, that gave them some guidance that was incorrect. So they did a migration from in on-prem Microsoft exchange to Microsoft 365, not recognizing the fact that would not be suitable for CUI.

So now they’re going to have to do another migration to Microsoft’s GCC environment. So not good. I did speak, not at the conference, but prior to the conference, I spoke with someone on the phone that had a similar challenge. They made some migration, they actually went to Microsoft’s proper government offering. The problem happened was that the RPO did not understand that there is a difference between different types of CUI data and did not recognize that some of the data was subject to ITAR which changes the cloud that can be, and it’s got to get to the GCC high, which is causing that organization a little bit of pain. So just a caveat and something to be aware of certifications are important, and an organization cannot provide services unless they’re certified. I think it’s equally as important, perhaps even more important that they’ve got significant experience in dealing with these types of data, CUI and have done work in the DIB.

It is a relatively unique world to live in. One of the side conversations I got into was I sat down for lunch and there was a couple of folks from members of the DIB that were pursuing CMMC or trying to figure out if they should pursue CMMC. And one of the guys was complaining that he knows that they’re not fully 800-171 conforming, and he’s worried that they’re going to have an action against them. And he’s worried what’s my liability. So we had a long conversation about that, and it was interesting because he has a friend who’s left a company over the same, and he’s considering leaving his company for the same reason. So, interesting thing to be thinking about. Another thing, which was interesting is I talked to a prime and I also talked to a couple members of the DIB. And it appears as though the primes are going to be pushing hard for CMMC, ahead of the curve, if you will.

You know, one DIB member was telling me that they lost a contract, the quote was 55 is too low of a score for us to work with you. And then in talking with a prime, he basically said, we believe that a quote, unquote certified supply chain is an advantage on the next, I think he used the term trillion dollar acquisition. I have a hard time thinking a trillion. So I’ll use a billion and assume that’s what he meant. Of course, we all know the famous line from the Senator, a billionaire billionaire, pretty soon we’re talking about a lot of money. So it probably was trillion dollar acquisition. So, that was really all the feedback that I wanted to share. And I hope that was helpful. And I think, with a lot of the conversations ended up with DIB members and a lot of the people that I’ve spoken with over the last month or so on phone calls for, clients and potential clients, bottom line is, is we or is we ain’t.

You’ve got to look at the DIB as being, currently it’s a get certified or get out kind of decision, right? So, I’ve heard people say, we’re leaving the DIB. I’ve heard people say we are investing in the DIB, right? Because we’re trying to gain market share from companies leaving. I’ve heard people say, we believe that certification is a significant barrier to entry for new competitors. So it’s a worthwhile investment because nobody is going to be able to come in and take our bread. So I think there’s an, is we or is we ain’t component here, and that’s just your decision point. And I don’t think there’s a right or a wrong, I think the fundamental question is, can you generate a reasonable return on investment for your business, from your CMMC investment?

If it’s a $100,000 dollars, if it’s $150,000, you got to figure that out and it’s going to be a lot of money. It’s expensive stuff. And I think the, well, there’s one thing I missed on the previous slide there. Sorry about that. One other thing, which was another interesting point of feedback from the community was the concept of flow down. There’s increasingly an emphasis, both the primes and should be an emphasis in your organization on what they referred as disaggregating data and minimizing that flow of CUI down. One of the point places where they pointed that out as being the most significant challenge and something which we probably on the easier side to correct is in not flowing down components of drawings that are unnecessary, right? Subsetting them out logically. So I thought that was interesting. Another thing which someone was talking about, where they were had just gone through a DICAD audit and the DICAD auditor said, hey, you’ve got your ERP solution scoped out, but you’re putting the invoices into your ERP solution.

The invoices have the part numbers and those part numbers are CUI. So that’s a really important caveat point is to begin to try to get that information as much information as we can out of our ERP because ERP pollution and cleaning that up would be a huge challenge. So again, back to that, is we or is we ain’t, and we talked about that, is it a good investment? And then the last thing to kind of think about is that if you is, right? If you need to be in the DIB and if you need to be CMMC certified, I’ll just say that May 2023 is a lot closer than you think. Generally speaking, implemented comprehensive cybersecurity programs like CMMC or in this age 800-171 usually takes most organizations nine to 12 months if you don’t want to terribly disrupt business as usual.

So, that assumes there’re no backlogs, no challenges. So if you need to migrate to GOV Cloud, we know there are a limited number of providers right now. They can probably service you in six, nine months. Probably not. There’s going to be a line, same thing with C3PAOs. So I would encourage you if you are going to make the investment, I think you should make the investment on the sooner side rather than later side so that we can make sure that we get you there. You know, by May, June of next year. Of course, if you’ve got any additional questions, if there’s anything we can ever do to help, please don’t hesitate to reach out. Thanks guys. Hope you found this one helpful.

Speaker 1 (16:07):

You’ve been listening to the virtual CISO podcast, as you probably figured out. We really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected] and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.