April 28, 2020


Is your organization ready for CMMC?

As CMMC rolls out over the next six years, it’s going to become a reality for more and more DoD subcontractors. 

As many as 50,000 organizations by 2025. 

Thankfully there are folks out there who are experts at this. 

On this episode of The Virtual CISO podcast, we heard from Stuart Itkin. Stuart is the Vice President of Marketing & Product Management at Exostar, and he and his team are leading the charge when it comes to CMMC readiness. 

We talk all about: 

  • The need for robust CMMC readiness
  • Why your organization may need to adhere to several different certifications depending on the specific project or RFP
  • How Exostar can help get your organization CMMC ready

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Exostar has some great CMMC resources on its Certification Assistant page; check it out here!

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the tool is 99% accurate, you may find some small discrepancies between the written content and the native audio file.

John Verry (00:06):

You’re listening to the Virtual CISO podcast, a frank discussion providing the best information security advice and insights for security IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there, and welcome to another episode of the Virtual CISO podcast. I’m your host John Verry, and with me as always, the Doc Brown to my Marty McFly, Jeremy Sporn. Hey Jeremy.

Jeremy Sporn (00:36):

Hey there, Marty. Hello everyone.

John Verry (00:39):

So what’d you think about the conversation I had with Stuart?

Jeremy Sporn (00:43):

So as a scientist by trade, of course, I think it’s prudent to start off with some stats. About 65% of the DoD’s direct spending is transacted through Exostar’s platform, and that includes 150,000 organizations that trust and rely on Exostar to be secure … Excuse me, a secure place to communicate and transact with DoD prime contractors. Primes for short, as I’m learning, is the shorthand for prime contractors. To say that Stuart and Exostar occupy a unique position in the DOD supply chain would be quite the understatement.

John Verry (01:18):

Yeah. That’s exactly why I thought it would be a good idea to have Stuart on the show. A lot of the folks that we’re talking about CMMC and 800-171 are either not familiar, or only marginally familiar with Exostar, and the role they play, and we thought it’d be valuable for them to get acquainted with them at this critical point in time because of the significance and the role that they play relating to CMMC.

Jeremy Sporn (01:44):

You’re just a nice guy. You want to help people out, John, I get it.

John Verry (01:46):

There you go. Nothing to add.

Jeremy Sporn (01:51):

All right, so other than learning about yet another great bourbon, expect to walk away with a clear understanding of what the transition period will be like from NIST 800-171 self-attestation to CMMC certification. Big change there. If you are a DOD subcontractor who thought you could wait to really implement your NIST 800-171 controls, stay tuned. You will want to know why that is a dangerous road into the future. See what I did there, Marty?

John Verry (02:24):

Yeah, I saw it. I saw it. So let me ask you a question, like onto the show at 88 miles per hour?

Jeremy Sporn (02:30):

Yeah, 1.21 gigawatts. Gigawatts!

John Verry (02:34):

All right, let’s get to the show, enough out of you.

John Verry (02:40):

Stuart. Thanks for joining us today. How are you?

Stuart Itkin (02:43):

John, I’m doing great. Thank you for inviting me to join you today.

John Verry (02:46):

Excellent. So I always start super simple. Tell us a little bit about who you are and what is it that you do.

Stuart Itkin (02:52):

I’m the Vice President of Products and Marketing for Exostar, and we’re an innovative leader in secure business collaboration, serving the aerospace and defense industry and the defense industrial base.

John Verry (03:07):

Gotcha. Now that’s a mouthful, but before we drill into that, I always like to ask people, what’s your drink of choice? It kind of introduces a little bit about you. So what is your drink of choice?

Stuart Itkin (03:21):

You know for a long time I had been a martini man with blue cheese olives and, well, over the last six months I’ve become more of a bourbon guy.

John Verry (03:30):

You know, it’s funny, I’ve made a similar journey. I used to do Gibsons, right? Which is vodka with the pearled onions, and yeah, certainly … You know, you’re in Virginia, correct?

Stuart Itkin (03:44):

I am just outside of Dulles Airport.

John Verry (03:46):

Gotcha. Are you a Bowman guy? Right, because I mean Virginia has got some good bourbons. Most people don’t realize, although you’re technically not allowed to call them bourbons, but Bowman’s kind of a pretty good brand down that way.

Stuart Itkin (03:57):

So Bowman’s we don’t have, but I found one called Filibuster, which I’m enjoying. Not at the moment though.

John Verry (04:06):

Well listen, that would’ve been good too. I mean as of right … I hear alcohol kills COVID, so maybe you should’ve had one. So getting back to where we were, explain … So really what I wanted to chat with you about is CMMC. So can you explain Exostar’s role in CMMC and in the whole defense industrial base? Because I think you’re a name that some people have heard, but I don’t know that they fully understand how you fit into the puzzle.

Stuart Itkin (04:36):

Yeah, and it’s a good place to start. We really occupy a very unique position within the defense industrial base in the aerospace and defense industry. We’re about a 20-year-old organization and we were formed by five large defense contractors, specifically, to address really tough and common problems that existed among large primes within the defense industrial base. Today, 20 years later, the companies that formed us are still our shareholders and we continue down that mission to be able to provide them with solutions to, again, tough common problems.

Stuart Itkin (05:12):

Over the years, the majority of that has focused on collaboration. It’s focused on supply chain transactions, and today, ultimately what we’ve created is a secure collaboration and transaction platform over which about 65% of all direct spend of the DOD is transacted. So for example, Lockheed Martin manages its entire F35 supply chain over the Exostar infrastructure, and in total, 150,000 organizations within the defense industrial base kind of trust and rely on this infrastructure to be able to collaborate, to share information, to trust that their information is secure, to trust the services with whom they connect with.

John Verry (06:02):

Excellent. So you are in the food chain from the RFP/RFI phase all the way through, let’s say, gathering evidence of NIST 800-171 conformance, or perhaps CMMC conformance, as we move forward?

Stuart Itkin (06:17):

So again, I mean we were really more fundamental than that with respect to the [DIB 00:06:23] and we are the critical infrastructure that allows that collaboration to occur for organizations to exchange information, to place purchase orders, to acknowledge purchase orders and so forth. But among the areas that we’ve also addressed for our primes and other large contractors is their ability to manage risk within their supply chain. Cybersecurity being a big element of risk within their supply chain, but not the only area of risk with which they are interested.

Stuart Itkin (06:57):

So over the last several years we’ve created a series of tools for contractors, primes within the defense industrial base, to be able to assess the risk associated with suppliers, to be able to assess compliance of those suppliers. Among those is compliance with NIST 800-171. Contractors today are required to assure that their subcontractors are eligible, that they have the proper systems and controls in place to be able to receive controlled defense information. One way that they can satisfy that is by self-attesting to their compliance, having satisfied the 110 controls of NIST 800-171, and we provided a tool that enables them to be able to perform that function, to monitor that compliance across their supply base.

Stuart Itkin (07:53):

It has the added value for suppliers that enables them to complete that self-attestation a single time. It’s not uncommon for a supplier within the DIB to work with many different primes. If each of those primes is asking them to complete the same self-attestation, that’s a lot of work. It’s a lot of valuable time, and we enable them to complete that form a single time, and then for them to have control over whom they choose to share that with.

Stuart Itkin (08:23):

So that’s kind of where it is that we’ve been working at this point, and we kind of recognize that with CMMC’s kind of roll out over the next six years, as it gradually affects, I believe it’s about 1500 organizations, in 2021, about 7,500 in 2022, ramping up to about 50,000 in 2025, is that this need for organizations to continue to comply with the current DFARS, to continue to comply with their requirement to flow that requirement down and to verify that their suppliers in fact have conformed, or self-attested to 800-171, and that requirement isn’t going away.

John Verry (09:06):

Gotcha. So just to be clear, so your platform would be like sort of the equivalent of an online questionnaire that someone might answer where they’ll put in information relating to their 800-171 conformance and then that information then can be securely shared with the upstream organizations that they need to share it with? Is that correct?

Stuart Itkin (09:25):

So that’s exactly right. At the choice of the prime, it pushes a questionnaire or invites each of their suppliers to complete this questionnaire. The information then is returned back to the prime. The information is scored, the progress with respect to completing that form is visible, but it provides the prime visibility in terms of the state of compliance for each of their suppliers.

John Verry (09:52):

Gotcha. Now, so we’re going to get into an interesting space, aren’t we? So we’re going to have this ongoing obligation to be 800-171 conforming, and then we’re going to have this additional requirement to kind of migrate to CMMC for those organizations that either need to, to bid on a particular contract or project, or choose to because it might yield competitive advantage, is that correct?

Stuart Itkin (10:17):

Correct. I think the point being is that these two sets of requirements are going to coexist for a period of time, and the number of contracts, and hence, the number of contractors and subcontractors subject to CMMC is going to grow over time starting in 2021, and in 2026, our understanding is that all RFIs and RFPs will have CMMC requirements as part of those. So what we know is that these requirements are going to coexist for some period of time and the requirements for CMMC are going to ramp up from 1500 organizations in 2021, to about 7,500 in 2022, reaching about 50,000 in 2025 according to information that has been shared by the DOD.

Stuart Itkin (11:12):

So as this gradual ramp up occurs, similarly, the number of contractors and suppliers that are subject to NIST 800-171 is going to start to decrease slowly. But over a period of time, probably the better part of five years, these two sets of requirements are going to coexist, and a given supplier may have to comply with CMMC for one contract, and still report with respect to 800-171 for another contract. Primes at the same time are likely going to have contracts with CMMC requirements and others that haven’t yet been subject to CMMC for which they’re going to need to verify that suppliers under those contracts have conformed and submitted a self-attestation to NIST 800-171.

John Verry (12:04):

Gotcha. One quick question for you. So Katie was on the show, I don’t know, a month or so ago and at that point she was saying that 1500 number was a 2020 number, and 7,500, 2021. Has that changed from your perspective?

Stuart Itkin (12:20):

So I think we’re citing information that we have received from DOD, and I think that what she had said is that, in 2020, that will be 1500 organizations that will have requirements, but the actual implementation is going to be in 2021. But I think the point being-

John Verry (12:41):

[crosstalk 00:12:41].

Stuart Itkin (12:41):

It’s a timing issue, but the real point is that the ramp up is going to be gradual and it’s going to start with requirements in 2020, with organizations needing to comply in 2021, and the number of organizations affected growing until it becomes part of every RFI and RFP in 2026.

John Verry (13:03):

Gotcha. Yep. That makes total sense. I think the one thing which is positive here in terms of an org needing to conform with both 800-171 and CMMC, is that, if you’re already 800-171 conformant and you’re looking for a CMMC level three, the 110 controls are common. It’s only an additional 20 controls for level three, correct?

Stuart Itkin (13:27):

Exactly. So actually going through the process of completing all of those controls. Again, we know that organizations too are putting in place a [POAM 00:13:36] for those that they’re planning to implement, but actually going through that process, completing a POAM, truly being fully 800-171 compliant in the sense that you’ve implemented all 110 controls becomes a real bridge to being able to achieve CMMC level three certification. I guess you point out the delta from that point is a relatively small one.

John Verry (13:59):

Gotcha. Now, one of the advantages, I think, working with Exostar, as a prime as an example, provides is that you’re giving them an easy mechanism for them to gather more than just the letter of attestation, a self-signed letter that, “Yeah, we are doing this,” right? You’re giving them an ability to review and see some of the artifacts or see some of the information about the implementation, correct?

Stuart Itkin (14:20):

Well, so today we’re asking them, at the request of the prime contractor, to complete the self-attestation form. We’re continuing to invest in tools recognizing that this process is changing in two respects. It’s more about companies that are complying with 800-171 being audit ready in addition to going down this path for CMMC. So being able to provide a mechanism for them to gather and store that evidence is a natural progression for the tool that we’ve developed to be able to provide that capability. Then ultimately, with CMMC, our intent is to build similar tools to help suppliers, as well as primes, to be able to go through that process of not only, it’s not answering the questionnaire, it’s understanding what it is that they need to put in place.

Stuart Itkin (15:16):

What are the tools they need to invest in? What are the practices they need to put in place? So that they can say, “Yes, I’ve done this and I’m actually doing it.” Then providing the evidence so that it can be reviewed by an assessor at some point. So just kind of a logical progression of what we’re doing is also building tools that will help organizations across the DIB go through that process and make the process of actually achieving CMMC certification that much easier for them.

John Verry (15:47):

Gotcha. So in that respect, that’s a win win. It’s a win for the primes and for the defense agencies because they have greater visibility, and it’s also a win for the supply chain because they’re getting the information that they need to effectively implement these controls?

Stuart Itkin (16:04):

Absolutely. It’s a win win as well because contractors need the supply chain to be CMMC compliant at the time that a contract comes out, again, with CMMC requirements. So from the conversations that we’ve had with primes, again, they’re not only aware but taking steps to ensure that they can provide information, that they can provide support and assistance to suppliers within their supply bases to be ready and to be able to achieve CMMC compliance. At the same time, suppliers know that they need to be able to achieve CMMC certification in order to participate in future contracts.

John Verry (16:47):

Gotcha. Then I think there’s another added advantage, right, is that my understanding, and correct me if I’m wrong, is that the DCMA and the organization within it called I think DIBCAC, D-I-B-C-A-C. My understanding is that they’re going to do a heightened level of actual 800-171 enforcement. Is that correct?

Stuart Itkin (17:08):

So that is our understanding. We did a recent program and we had [Darren King 00:00:17:13] who is responsible for the audit component within DCMA, and shared with us that the number of audit teams that DCMA has almost quadrupled over the last year. The recognition that CMMC is being put in place because 800-171 alone with self-attestation, having people grade their own tests, hasn’t been an effective mechanism to really thwart the leakage of CUI to adversaries.

Stuart Itkin (17:45):

So while CMMC is being put in, I think at the same time DOD through DCMA is saying we need to put some more teeth into 800-171 through audits, through greater scrutiny to ensure that people are really putting in the controls they say they are under 171 and moving from a POAM to actually doing the things that they’ve said in their POAMs.

John Verry (18:08):

Right. One of the things that, again, and I think it’s part of that same enforcement is we’ve seen at least a couple of cases where they’ve used the False Claims Act against organizations that had, let’s say, not done full due diligence on 800-171?

Stuart Itkin (18:22):

That’s exactly right. I think that there were other sticks that probably DOD and DCMA have, but that all of the compliance regulations within DFARS can be overwhelming, especially for the small contractor, but also for large contractors and subcontractors as well. We certainly know of one highly visible case where somebody did not go through the steps of truly putting in place the controls that they said they had through their self-attestation. A whistleblower within that organization reported them and they were subsequently charged under the False Claims Act. Just the point being that I think DOD is telling people, “We need to take this seriously.” It’s not just the process of 800-171 self-attestation or CMMC certification. But the recognition that the security of the supply chain and the cybersecurity of the supply chain truly is a national defense priority.

John Verry (19:24):

Yeah. So it seems like [NET’s 00:19:25] out because I think there were some organizations when they saw Katie Arrington’s pronouncement about those numbers, we talked about 1500 followed by 7,500, that was, “Oh cool. We get to dodge CMMC for a while.” But at the end of the day, really, you can dodge CMMC, but you can’t dodge 800-171, which means that realistically you’re either implementing 800-171 in a provable, auditable manner or you’re implementing CMMC in a provable, auditable manner, correct?

Stuart Itkin (19:53):

That’s exactly right. For organizations that are sitting there saying, “Well gosh, it’s only 1500 out of 300,000,” or whatever the actual number is. You don’t know when your number is going to be called, are you going to be one of those? But the primes, when we talked to the primes, they’re looking at this in a little different way. We’ve heard the primes talk about CMMC is really a good start. But they’re looking beyond compliance and trying to truly understand the risk they’re taking on when they put together a capture team, the risks they’re taking on when they take on a bid.

Stuart Itkin (20:32):

Again, looking beyond just cybersecurity, but really, I think making the point to suppliers, “This is something you need to be doing sooner rather than later because we’re going to favor people whose risk profile we can understand and better measure,” so that it really does become an advantage for suppliers to take this step early, to be ready to be certified, and to really have kind of a competitive advantage against others as they’re looking at individual contracts.

John Verry (21:02):

Right. I think that’s where a tool like you’re adding in now is going to be super helpful because really what it’s going to allow those primes to do is put together a capture team comprised of those organizations that they feel have the right cybersecurity posture.

Stuart Itkin (21:15):

Well, and that’s very correct. Ultimately the vision that we at Exostar have is building solutions for the contractor base that really provide a 360 degree view of risk of suppliers. Again, well beyond just cybersecurity, but understanding financial risk, and reputational risk, and conflict minerals, and ITAR, and the list goes on. It’s a long list of things, but being able to make well-educated, informed decisions in terms of who they choose to work with. So cybersecurity is step one, but for the primes, the tools that we’re ultimately working on building are to try to provide a much broader understanding of the risk they take on when they choose to work with any individual supplier.

John Verry (22:03):

Right. I’ll make the recommendation that we add pandemic planning to that list, which I wouldn’t have done two weeks ago.

Stuart Itkin (22:11):

Well, I can tell you, we’ve seen a number of questionnaires come to us from a range of companies relative now to Exostar’s own pandemic planning. I’m happy to say that our employee base is safe and healthy, that we’re all working from home, that our systems are all resilient, meeting their SLAs, and while our call center volume has kind of gone up a little bit, our call center is on top of things and continuing to deliver the level of service that we pride ourselves on to our customers and partners.

John Verry (22:44):

I’m sure those primes are going to be asking all the supply chain the same thing.

Stuart Itkin (22:48):

Absolutely.

John Verry (22:50):

It’s strange new times. Question for you. So we’ve got this CMMC-AB, the accreditation body. Do you guys have any formal role with that, in light of your position in the market?

Stuart Itkin (23:01):

So we certainly have been supportive of the accreditation body. We’ve offered support and continue to offer to play a role as they go through their planning and activity. Again, they’re taking on just a monumental task and I give them tremendous credit. So we kind of confer with them, we’ve been asked for input and suggestions from time to time. We participate in some of the panels and workshops that they put together. But we’re not on the accreditation body as a board member, but I anticipate that we’ll become an active participant on a number of the working groups that they’ve put in place. But again, tremendous credit to those involved in the accreditation body and the work that they have done to date.

John Verry (23:52):

Yeah, no, it’s amazing how fast this is all moving, you know?

Stuart Itkin (23:56):

Yes.

John Verry (23:57):

Especially given it’s the government. So I think we did a pretty good job of getting our way through this. Any last thoughts that you wanted to add before we get to farewells?

Stuart Itkin (24:10):

Not that I can think of off-hand. I’m sure that we’re going to hang up and I’m going to say, “Boy, there were three or four more points that I certainly wished that I could bring up.” I think if there’s anything, if there’s a message to organizations within the DIB, it is that everybody is in this together. The dependency that primes have on their supply chain, the vested interest in ensuring that the supply chain is not only accredited and certified to be able to work with them, but truly is secure, and that it is managing its risk. This is something again, that I think we’re all in together, that Exostar believes we’ll continue to play a key role in the unique relationship that we have with the primes and providing tools and support to enable them to do that and truly to understand and manage the risk that they accept as they work with individual suppliers.

John Verry (25:07):

Yeah, it’s definitely going to be an interesting next three to five years in our spaces isn’t it?

Stuart Itkin (25:11):

It absolutely is. But again, CMMC, an important initiative and we think it’s an important step that’s being taken.

John Verry (25:21):

I don’t think anybody in the industry could possibly not think it’s important, and including the people that need to come conform with it. I mean, it’s going to cost money, and it’s going to take time, and it’s going to be a little bit painful. But I don’t see, given the way that cyber has become such an important part of defense and economic health that anybody can argue with it.

Stuart Itkin (25:45):

I think so. There’s just kind of one peculiarity that kind of strikes me, and DOD, Katie Arrington, talks about how $600 billion of CUI is lost every single year. What it comes down to is that’s the intellectual property of prime contractors and subcontractors within the defense industrial base.

Stuart Itkin (26:08):

While maybe primes appreciate the value of that intellectual property, I think it’s something that I’m surprised when subcontractors don’t recognize this, the small contractor who’s building a unique latch for some platform that is being created by a prime. That’s their intellectual property and that’s the reason they’re in business. Their understanding that this is something that they should be protecting, that they need to protect, and has value to their businesses seems to be less well understood within the contractor and subcontractor base perhaps than it is in other industries.

Stuart Itkin (26:47):

But what is being lost is the property of organizations within the DIB. It’s not just what DOD is losing, but what individual companies have created, what they’ve invested in. That’s what’s being lost. It’s affecting not only our country but it’s certainly affecting them and their businesses as well.

John Verry (27:06):

Yeah. Listen, it’s John Q. Public’s tax dollars. I spend a lot in taxes and I’m not complaining about it, but do me a favor, protect what I’m paying for.

Stuart Itkin (27:17):

Absolutely. When you see the Chinese with an airplane that looks strangely like the F35 and you know what we as taxpayers paid to be able to bring the F35 to theater, and to understand that they got the benefit of some of that which we spent and invested. That makes me angry. I’m not sure [crosstalk 00:27:36] without a doubt, without a doubt.

John Verry (27:40):

Exactly. So if folks want to get in touch with you or Exostar, you know, to find out about your program?

Stuart Itkin (27:46):

So they can find a lot of information on our website exostar.com. Certainly, feel free to reach out to me directly. I’m at [email protected]. Again, our mission as a joint venture company formed by organizations within the DIB is really to see that we support them and that we support the organizations that they depend on across the aerospace and defense industry.

John Verry (28:12):

Well listen, if you think of those three or four things that you forgot to tell me, I’ll ask you to write them down and we’ll get you back on in six months, because I think there’s going to be a lot more information to share at that point. So I wanted to say thank you for coming on. Super appreciated.

Stuart Itkin (28:25):

Absolutely, and send me the name of that bourbon you mentioned.

John Verry (28:27):

I think it’s John J. Bowman. I had a bottle of it and I just remember that it was a Virginia … and it was somewhere around Williamsburg, if I recall correctly, because I have relatives down that way and I just remember thinking to myself, “Dang, this is pretty darn good for non-Kentucky bourbon.”

Stuart Itkin (28:46):

Okay, well I’ll look forward to when we all get out of quarantine and you and I can share a glass of that together.

John Verry (28:52):

You got it. We could still do it virtually. In fact, I got a couple of bottles on the shelf behind me so you know. All right, so listen, thanks again Stuart.

Stuart Itkin (29:00):

Absolutely. Thank you, John.

John Verry (29:02):

You’ve been listening to the Virtual CISO podcast. As you’ve probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected], and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.