Introduction
Key Takeaways
This is a transcript of the CMMC Certification webinar broadcast on October 7, 2020. This transcript was generated primarily by automated voice recognition with minor edits for readability. Although it is highly accurate, you may note minor differences between the audio recording and this transcript.
Panelists
- Ben Tchoubineh, Chair, CMMC-AB Training Committee
- Thad Wellin, Senior Lead Cybersecurity Analyst and CMMC Lead for SecureStrux
Scot McLeod (Apptega):
For today's discussion, we've got two great guest speakers lined up. First up, we have Ben Tchoubineh, who was one of the Board Members and Chair of the Training Committee of the CMMC accreditation body. And Ben, would you like to provide a quick introduction of yourself?
Ben Tchoubineh (CMMC-AB):
Hi guys. This is Ben. Thank you, Scot. I'm glad to be here. Hopefully we can provide a lot of great information to the audience. I've been in the learning industry for professional learning for 30 years now. As an entrepreneur I got involved with CMMC-AB in December and it's been a crazy ride since then. So, we're looking forward to providing and achieving a lot in the next few months. Thank you.
Scot McLeod:
Great. Thanks, Ben. Next up, you can see on your screen next to Ben is Thad Wellin, who is the Senior Lead Cybersecurity Analyst and CMMC Lead for SecureStrux. Thad, can you provide a quick introduction?
Thad Wellin (SecureStrux):
Good afternoon, everyone. Thanks for joining this webinar. I am Thad Wellin. I've been with SecureStrux going on seven months now. I'm the CMMC Lead and I have a background in Cybersecurity and Information Assurance for the last 20 years now. I spent 24 years in the Air Force, retired in 2014, and now I love sharing and providing insight to making sure that people have secure networks.
Scot McLeod:
Great, thanks, Thad. We are very happy to have both of you with us today for this discussion. So, before we move into the discussion, I'd like to ask the audience to participate in a quick polling question to set the stage for our panelists. You should see that question on your screen right now, and it simply says: which best describes your organization? And we'll ask that you check all that apply.
Let's move on now and I'll turn this over to Thad for some initial background information related to CMMC.
CMMC Background Information
Thad Wellin:
What we want to do is start off by just doing a quick overview of CUI. That seems to be a common concern and question. So, CUI was basically born out of the fact that agencies and services have different ways of managing sensitive unclassified information. So, it is regulated by the Information Security Oversight Office, which, as part of the National Archives, was established in 2016 with an executive order from President Barack Obama, and then, commonly for most folks, it's contractually obligated through the DFARS Clause 252.204-7012.
CUI is basically information that requires safeguarding and dissemination that's consistent with a law, regulation or government policy. So, there are two types of CUI, Basic and Specified. A couple of examples of Specified CUI would be Controlled Technical Information, and what's commonly known as ITAR, the International Traffic in Arms Regulations. Those are a couple of examples of Specified. And we'll talk more about those in the next couple of slides, but CUI can be either electronic information stored on a PC, or it can be a printed document. It can actually be a part, like a circuit board, or it could be an image of that board. You need to have the proper marking and protections in place. There are currently 24 categories of CUI, 92 subcategories, and 110 types.
And this is all detailed in the CUI registry. And if the government wants to protect data that does not fall into one of those categories or types, they can add another category, subcategory and type to the CUI registry. We are going to provide some links to some great training that's available from the National Archives. And we'll send that out to everybody and make that available to everybody after the presentation.
So, what is FCI? FCI is Federal Contract Information. It's information that's not intended for public release, but doesn't meet the level of protection required for CUI. This is where CMMC Level 1 starts. If you have FCI, you should be preparing to be certified at least at CMMC Level 1. The contractual obligation right now is typically the FAR clause 52.204-21. And once again, here are some examples of what FCI is. It basically comes down to contract information that should not be publicly released, but doesn't meet the same level and protection requirements as CUI.
So, what is CTI, or Controlled Technical Information? For us in the DoD world that are working on DoD contracts, this is 90% of what we're going to be dealing with. This is one of those specified categories of CUI that has to do with military and space applications and then all the levels of protection that are required. So as far as CUI goes, the basic level of protection in CMMC is going to be Level 3, and that is basically Level 1 with 20 additional controls that you're supposed to be using right now because you have that contractual obligation with the DFARS clause 252.204-7012. And it dictates that you should be following NIST 800-171 and have that implemented, or at least the start and a POA&M for all the controls that you're not currently compliant with.
So once again, CTI is one of those military categories, and this is what the DoD will be dealing with a majority of the time. Some of the other stuff that we might be dealing with is export controlled. And I mentioned ITAR. ITAR falls in the export control category. So, there are additional protections that are required for export-controlled ITAR data. Of course, it must be labeled and properly protected. It cannot be released to anyone that is not a U.S. person without an export license. A U.S. person is defined as a U.S. citizen or legal resident. That also means that the data can't live outside the U.S. without an export license. So, if you have ITAR data, you can't travel overseas with it unless you have an export license. Please, if you have ITAR data, be sure to fully understand the implications of maintaining and managing export-controlled data, because there are fines, and there are actually people who have gone to jail for blatantly ignoring the rules and not handling export-controlled data in the manner it should be handled.
So, that was a quick overview of CUI, FCI and some of the specified categories that those of us in the DoD world are going to be dealing with. We're going to provide these references at length after the briefing. And that's my quick overview of CUI, and we'll go ahead and jump into the discussion.
See the end of this blog post for a Complete List of Reference Links
Current Timelines and Updates from CMMC-AB
Scot McLeod:
Thank you, Thad, for that quick introduction and transition into the discussion. As we do that, we'd like to ask the audience to participate in one more polling question. You should see it on your screen now. Before, we asked you what you do; now we're curious to know how large your organization is. Please just select one answer.
Thad Wellin:
All right. So, I'm going to toss this up to Ben for the first question, and that is: what's going on with current timelines, and what updates can you tell us are coming up for the CMMC-AB right now?
Ben Tchoubineh:
Okay. By the way, I'm very jealous that I can't vote. I keep wanting to push the little button and I want to be part of this. It's pretty cool.
So, the one thing I want to tell our audience is that I am a small business owner, and the several businesses that I have are also DoD contractors. So, I'm also concerned and also worried about this whole CMMC thing. I really want to be ready when CMMC comes along. And of course, I'm a little on the inside, so I know what's happening. But I'm still facing the same preparation issues that most of you are facing in terms of being ready for CMMC and making sure that I pass my assessment, which is going to be done by a C3PAO. So, I have the same concerns about costs, about making sure that we make it before the contract comes due, and so on. All of us at the AB are also business owners, also involved in the DoD ecosystem, and have the same exact concerns as you do. So, we want to make sure that our OSCs are well prepared and this goes really, really well. We also want to make sure that we defend our country. That's really the main purpose of this thing, right?
We need to improve the defense of our nation. So, many of you are RPO and C3PAO applicants. As most of you should know, the applications have come to us. You've been applying since June, and I want to tell you that we're finally about to start processing them. We had to put together a whole lot of infrastructure to be able to process these applications. So, you should hear from us in the next couple of days. This is really great news for those who have applied as either consulting organizations that would serve as RPOs or certifying organizations that would serve as C3PAOs, or both. You should hear from us in the next few days. We've moved very far in terms of our relationship with the DoD.
We signed an MOU, as you all know, back in the spring. And now we're about to get our contract done. It's really just a few days away as well. And you should hear something from Katie Arrington about that. That will give us the necessary legitimacy as the final step of this, to really be able to get going. The other thing that's happening is that we are training our provisional assessors, which means that we're going to have 51 to 53 provisional assessors, and that will grow to 73 by the end of October. This means we'll have assessors out there who will be able to do pilot assessments until the rule change goes into effect. And the rule change is going to go into effect hopefully in just a couple of months, based on what we're seeing out of the DoD. And so, when that happens, I understand the CMMC will hit the streets. And so probably in January, we're going to start seeing assessments for score.
And also, our formal training program is going to start its processing and move towards full certification. And our training program will start where, publicly, anyone will be able to go through the training program and become certified as professionals or assessors. That should start in Q1 of 2021.
Thad Wellin:
Thanks Ben. So that brings up a couple of questions for me. I guess the first question is how long do you expect the provisional program to go on and what is the milestone for converting from a provisional program into the full program?
Ben Tchoubineh:
That's a great question, Thad. So how long is the provisional program going to go? Basically, until the formal program starts. So that really relates to the second part of your question: what is the milestone? And that is the release of the certification exams that we will be providing to the public. So, the Certified Professional, Certified Assessor Level 1, Certified Assessor Level 3 and Certified Assessor Level 5 will be first. We're not going to start with five yet, but we're going to do CP, CA 1 and 3, and hopefully those will be released as soon as March or April. So, people will be able to take training as early as January or February. So, as soon as the exams are out, people will be ready to start taking exams, and then they'll be certified and they'll be able to start assessments.
Thad Wellin:
We're going to do professional programs, but right now the rule changes are not in place. So, what is CMMC-AB going to do to address the fact that the rule changes are not in place, but they might actually start going out and doing assessments and certifying?
Ben Tchoubineh:
We'll be working very closely and diligently with the CMMC PMO, the DoD office that runs CMMC. They will decide who will go for score versus a pilot assessment. So as long as the rule change is not fully in place, it's really up to them who gets assessed and which of those assessments are for score. And we'll also open up our provisional assessors' availability in case there are other companies that want to get assessed initially.
Thad Wellin:
Has CMMC-AB prioritized who's going to be able to get assessed first and how are they managing that?
Ben Tchoubineh:
The CMMC PMO at the DoD is going to tell us who gets first priority. Once the C3PAOs are certified, they will be available to the open market. So, the companies that the DoD PMO tells us to go get assessed will need to get assessed first, but beyond that, it's really up to the open market. Now, we've very much recognized that the initial demand is going to be much higher than the availability. So, when the training program begins, we'll have a highly scalable program because we're going to have multiple schools involved in this program. Our exams will be available nationwide, so we will be able to scale very, very quickly in the spring and early summer of 2021, so that the number of assessors increases exponentially. So, we expect an initial bottleneck, but I'm hoping that through our scalable education model, that bottleneck will start to get resolved by mid-2021.
Thad Wellin:
All right, well thank you for providing the timeline and updates, and we're going to go on to our next section.
Scot McLeod:
All right, folks, we've arrived at our next polling question for you. And we would like to get your input here, if you are a DoD Prime or Sub. And the question is, Which CMMC certification levels do you believe you're going to need? And in this case, you can select all that apply because some of you may be looking to certify at multiple different levels.
How to Ensure the Appropriate CMMC Certification Level(s)
Thad Wellin:
It looks like the majority of today's attendees are looking at level three. So that tells me that the majority of the folks on the call are either handling CUI or expected to handle CUI. So, it does surprise me a little to have level three as high as it is.
Ben Tchoubineh:
Based on the DoD's numbers, and I know your audience is not necessarily representative of the entire DIB, our assumption is that around 70% of the organizations that will be seeking certification, what we call OSCs, are going to be at level one, only about 25% will be at level three, and only about 5% will be higher. And really, I think that's just a guess, and honestly I don't know how much stock to put into that.
If I could answer this question, I'd probably be like, yeah, I'm not sure. Or I wish I was level one because it'd be a lot cheaper. But obviously, if you know you're dealing with CUI, then level three is the safer path to go.
Thad Wellin:
So, this poll question leads directly into our next discussion topic. How can we ensure the appropriate certification levels?
Ben Tchoubineh:
So, there are two ways to do this. One is to use the references that we're going to send out [provided at the end of this blog post] and go through and look through all the links and really get educated on the definition of CUI. But even then, let's say, are you at level three? If you have CUI, are you going to need to be at level four or five? Maybe hire a consultant for help and guidance. Some of you may want to do this on your own. You'll want to look at the contracts that you're bidding on. Look at the kind of information that you are managing, or will be managing, through those contracts. Because the fact is the process is going to be done through DoD acquisitions. The Defense Acquisition University, I'm working with them pretty closely. They have already trained some of their acquisitions folks on CUI. DoD will include in the RFPs and RFIs the CMMC certification level required for each contract. So you need to know which level you need to be at to be able to bid on contracts and win.
If your organization needs to be at level four or five, you must have the maturity required. You will need to know what that really means in terms of the organizational maturity, repeatability, reporting capacity, and of course, policies and processes required in levels four and five. If you're not sure, you want to either hire a professional to tell you, or look at the kinds of contracts that are coming down the line and maybe get together with your contracting officers and see what they're thinking for the renewal.
Thad Wellin:
So, we all know the baseline. FCI is going to be at least level one. And we all know that the baseline for holding CUI is going to be level three, but what are some of those indicators that would let a contractor know that they need to either look at level two or look at levels four and five?
Ben Tchoubineh:
"If you are handling CUI and you've never done a NIST 800-171 audit or assessment, and you believe that you may not be ready for a CMMC assessment, try to go for level two with the thinking that you're going to get to level three as quickly as possible. However, if you're not running CUI then, it still makes sense to go to level two. Because if you don't have CUI but you're planning on adding CUI, that's when you really would want to go to level two in preparation for level three."
Thad Wellin:
So, some of the things that I've seen apply to those organizations that are identified with advanced persistent threats, and that's what 800-171B, the draft version, is geared toward: those companies that have advanced persistent threats. So that's the word on the street that I've been hearing. And some of that is rumor. But my basic understanding is if you're developing some type of missile system, then more than likely you're going to fall into one of those categories of four and five. Now, of course, the way the flow-downs work and your subcontractors work, the prime might be at level four or five, maybe half the subs are at level three, and then the folks that aren't dealing with any CUI or any actual development effort, maybe they're just suppliers in some other form or fashion but have FCI, they might need level one. And that's kind of the basis that I've been telling my clientele, and when I'm in forums like this and I'm having discussions. So, here's a follow-up question to that. What would you suggest for those prime contractors to make sure that their subcontractors are ready with the appropriate level?
Ben Tchoubineh:
That's a great question as well. You're really on point here, Thad. The issue is that there's not much guidance out of the DoD at this point about this. And here is the problem that a prime could be facing in terms of their subs, and the subs facing in dealing with their prime right now, in terms of being cyber-secure and ready for CMMC as it comes out. It's a big problem if you don't know the kinds of contracts, and what certification level is required by the prime. If you don't know what level your contract is going to be at, you don't even know what your start point is. Is it going to be a five? Is it going to be a four? Is it going to be a three? So again, a lot of communication with your contracting office and with your current customers and what they're thinking. Do they even know about CMMC? What are they thinking when a contract gets renewed? Of course, that's if you already hold a contract and you want to keep it. If you are trying to win a contract back, there's a lot of communication that can happen between the contracting office and your organization. So, a lot of communication, a lot of questions to be asked, because if you ask, that's when they're going to feel the pressure to go out and find out if they haven't already. And again, when rule changes occur, things will take a while to float out. Some officers will jump on it.
Others will take some time to get into it. And so, as a result, your querying them will get them started. So that's number one. Number two is you don't want to go too high. So, if the contracts you're dealing with are mainly a three or at most a four, why would you go to a five? Unless you want to say I want to be able to get all my contracts. But if you're a smaller business, once you get past two, any additional level is exponentially expensive. And of course the organizational maturity that's required to get from, let's say, three to four or four to five: you might have fewer practices, but you do need to build a lot of maturity in your organization.
So, my recommendation is to determine the level you need to be at, not try to go for the highest, because now you're spending more money than you need. You want to be just at the right level. The other thing is what do you do with your subs? Now, the sub may say, okay, well, I need to be able to win as many contracts as possible, so I'm going to try to go for the highest level possible. That's great, but you may not be able to recoup a lot of those expenses. Right now there is very little guidance, and we want to try to avoid the trap of trying to go too high for the certification. The problem is you don't want to go too low either. This is a problem, and we just need to get more guidance out of the DoD. And my recommendation is pressure your contracting officers to give you more guidance and work with your subcontractors. If you're a prime trying to figure out the right level, your decision should be based on as much knowledge as possible. You can hire consultants to help you with this in terms of the CUI requirements at level three, the requirements at level four, the requirements at level five, and of course the lower levels, so that you can figure out for yourself what your sweet spot is.
Thad Wellin:
The only thing I would add to that is that it's really important to understand where your subs stand currently. So, it's a good idea to have those conversations and give them checklists to go through, to find out where they really stand. Because the experience is, when you ask an open-ended question, you basically get the answer they think you're looking for. So, if you ask, hey, are you 800-171 compliant right now? They'll say, oh, sure. But when you start getting into the details and asking specific questions on certain components of 800-171, that's when they'll say, oh, wait a second, maybe I need to go back and really look to see where we are. So, it's important for primes to have that conversation with your suppliers to make sure that when the time comes, they're ready and they're prepared to be at the appropriate level that they need to be at, based on the data they're going to be managing as part of the contract.
Ben Tchoubineh:
That's a great recommendation. I'm running training, but I'm also part of the credentialing committee and many other committees. And I'm involved with a lot of this stuff and talking to the DoD, but a lot of subs right now are just dealing with their primes who are asking, are you ready for CMMC? Prove it. And so, the subs ask, how do I prove it? Or the other way around: the sub may not have been asked by their prime yet, but they really want to be prepared when the prime comes to them. So, a lot of times what the prime will do first is to start a communication and really look at what kind of information is passing back and forth through their contract.
"You really want to look at the kind of information you're sending to your sub and the kind of information your sub is sending back to you. How is it passed back and forth and at what level? You might be storing CUI at the prime, but your sub might just only be seeing FCI. So, you have to be careful about putting too many constraints on your sub as a prime because that's going to increase your cost. So, you really want to get the right level and not put too many constraints on your subs."
On the other hand, the sub needs to be prepared at the right level, and also be prepared to have the right level of communication with their prime when the prime comes knocking. So, the main thing again is to get help, get support, if you haven't done a 171 assessment, because all of us should have done that.
The great thing about CMMC is that it's not one size fits all. We can take advantage of that, instead of 171, which is one size fits all. It is too much in some cases and too little in others. So, this is what we need to take advantage of. So, study up on what CMMC is all about, what CUI is, what FCI is, what each of those levels are, and then decide for yourself what is the right level that you need to be at. Do a gap analysis and determine what level you're ready for. You can't get an assessment right now. And you can't get certified right now. But you may be able to in two months, but then there's going to be a long line. It might take six months to a year before that bottleneck eases up. So, until then, get a gap analysis and figure out where you are and where you need to be.
Thad Wellin:
Okay, one more quick follow-up question to all this. You're a prime, you have subs, and some of your subs do nothing but resell strictly COTS products. They won't have any FCI or CUI. What is your recommendation as far as a CMMC level for them?
Ben Tchoubineh:
It's really based on the guidance that we see out of the DoD. If a product that you sell is the same for the private sector as it is for anyone, then you don't need to be certified. However, if you have special accommodations or if you're storing information, then there needs to be a process where you get CMMC certified.
Thad Wellin:
I just wanted to bring up that point because there are about 350,000 companies in the Defense Industrial Base, and a lot of those are simply selling COTS. So, I wouldn't want someone to go out and rush to say, maybe I need to be CMMC three, when all I do is resell a product to the government or resell a product to a prime.
Let's move on to the next question related to getting started with your gap analysis. So as far as the CMMC-AB and your perspective, since you have several small companies and you have lots of conversations with companies. What is your starting point for getting started with a gap analysis?
Ben Tchoubineh:
I called my IT guy in one of my businesses and I said, hey, are we ready for this? And he's like, well, how do you spell CMMC? So, I said, okay, well, let me send you some guidance, because I have access to the public stuff, none of the private stuff. So, here's the link to the website and you might want to read through that. I gave him a few days and called him back. And of course, he hadn't done a thing. So, I think that's where we need some help. You say, okay, go find some organization that can come and help you out. The lucky thing for me is that I also own a company that does that. They do gap analyses and so forth, and they're a cyber company. So, I said call the other company. And so that was my start. But it's important, if you have internal people who are cyber people, or you have a vendor MSP, or if you have clients who might be able to help you with a network of people, get out there and get help.
Thad Wellin:
So the thing I would add to that, let's just say I'm company X and:
"I have an IT staff, and I might even have a security staff and maybe I've outsourced some of my security and maybe outsourced a little bit of my IT too. The first thing I would do is identify a point person for CMMC and have them fully understand what the requirements are. Have them go through an 800-171 internal assessment and actually use the assessment procedures in 800-171 Alpha, and truly identify the weaknesses and then start putting together a plan to fix them. But I wouldn't stop there even if I had a strong IT team. And even if I had a strong security team, I would definitely want to go out and have someone outside assess our posture. The advantage of an outside person is there's no influence at all."
So, it's a totally outside person coming in to look at your program. But you've got to find the right people that are able to do that. So that's my only suggestion: handle it on your own, get to a point where you think you're pretty good, and then when it comes time and you're at the point where you're at that 90%, it might be time to look at that third party.
Getting Started with Your CMMC Gap Analysis
Scot McLeod:
Gentlemen. I think this next question follows your last discussion very nicely. And again, this one is for those participants that are DOD primes or subs, and it simply says which best describes your approach to preparing for CMMC certification?
Thad Wellin:
So, I really like the look of those results. It means that people are taking a proactive approach and managing this in house, and then, like we suggested, once I get to a certain point, bring in a consultant or an RPO. So, it's actually really good to see numbers like that. The problem with strictly relying on an RPO or consultant is that a lot of times they're dealing with a blank slate. So, if you haven't looked at the controls, you haven't prepared for a certain level, it might be a rough starting point when an RPO or a consultant comes in.
All right, let's jump to the next question: assessing the gaps and preparing for a certification assessment. So, I think what we're trying to say here is, after we've gone through and we've done an assessment and we're to the point where we're thinking we're at that 99%, what is the important thing to do to actually prepare for the certification itself?
Ben Tchoubineh:
Again, I think the bandwidth here is going to be pretty low at the beginning of 2021. And if you're part of a larger contract that comes due, and let's say the contract has the CMMC requirement in it, the DoD may be willing to provide waivers. I hope that's going to be the case, but we don't have a definitive answer from the DoD as to how they're going to approach that. But it's always important to have proof of an assessment, not the assessment itself, because you may not be able to get to it early on, but proof of a gap analysis. An external one is always good, but even an internal one may suffice. So that if someone comes knocking saying, hey, you need to be at this level, you can say, look, I've had an analysis, and here it is. Can we go for a waiver for now?
Addressing Gaps and Preparing for a CMMC Certification Assessment
Thad Wellin:
So as far as preparing for the certification assessment, can you talk a little bit about the objective evidence that's required to be able to actually get certified?
Ben Tchoubineh:
So, when an assessor comes in, they're going to look at artifacts. They're going to need somebody to talk to. So, there's going to be someone, either external or contracted, or you as an organization, that can guide them through your organization and your architecture. So you need to have what is called an SSP, which is a System Security Plan. And then you need to have an architecture network diagram of some sort. I mean, there's going to be a lot of different documentation required, but you also have proof of effectiveness depending on the CMMC certification level. So, let's say if you're in level three, you need to have the policies in place, your processes in place, your plans in place, as well as the money that's going into cybersecurity, so the funding, the budget and the people, the roles and responsibilities. So a lot of different aspects of documentation will be required. Assessors have three major ways of doing assessments. First, they're going to interview. Then either test or observe. And so you're going to have to have mechanisms available for them, either someone to answer their questions, or ways to show them what you have, or documentation to tell them what you have, for each of those.
So, at level three, you have 130 practices, right? At level one, you only have 17, and also fewer requirements for documentation. Does that answer the question, Thad?
Thad Wellin:
It does. And I just want to point out that I've actually gone through your RP training, and I must say it was actually pretty intense and at the same time great. And I think it's important to understand, as a consultant, as an RP, making sure that folks are ready with two of the three forms of objective evidence for each practice. And the other thing that was just kind of telling to me is, policies and procedures are a huge part of CMMC, especially as you get up into level three. It starts at level two, but it's even more so at level three. It shows maturity, and it's important that organizations maintain those practices, like documenting how they're going to do it in a strategic manner. And that shows the maturity of an organization that's going to be required for level three.
"It’s important, not only to have a program, but to have it at the mature level when it's time to get certified. And what you can do is start gathering that evidence. You start gathering the artifacts to show that you're doing your audits on a regular basis. That this is the process for doing everything else that goes into all the different practices and processes for the appropriate CMMC certification level that you're looking at."
Ben Tchoubineh:
One thing is really important here, and your great description made me think of it.
"If you've passed the 171-audit, and this is why we call it a 171-audit versus a CMMC assessment. An audit is kind of a checklist. And it's a technical checklist: do you have a firewall? Check. Do you have a virus checker? Check. Do you have locks on your doors? Check. You go through a checklist and you're done. But CMMC is a little different. Especially at level three, just having the controls in place isn't going to be enough. It just isn't. The way that we're training our assessors right now, who are going to be the first ones out there and set the tone for all the assessors that come after them, is that just having the controls in place isn't going to be enough. They need to see the maturity. And maturity means repeatable processes, following organizationally accepted and approved policies that have been occurring for some time."
Now we don't have a specific timeframe, but it has to show maturity. So, in a 171-audit, if your auditors came in and looked at your organization and they said, Oh, there's no firewall in place. Let's just give the obvious example. It's always the firewall, right? And all of a sudden, they're there for a week and they find that there was no firewall on Monday. On Tuesday, the CEO signs the invoice and they put the firewall in place and they configure it. And on Wednesday they come back and there's a firewall, you pass. That's not going to be the case for CMMC level three or above, or even level two. There needs to be maturity. There needs to be repeatability. And there needs to be proof that whatever is happening has been happening in a repeatable way. So, buying the thing during the assessment is just not going to work. And so please keep that in mind that you need to be prepared and mature.
Thad Wellin:
And I think that highlights the key differences between a 171 audit and what's going to be required for CMMC level three. 171 only required a system security plan and to basically address the gaps that you currently have and documentation wasn't required for everything, for all these 171 controls. So that's a huge difference. And like you say, like we keep harping on, CMMC is a maturity model. It's not something you can roll out and produce, and then the next day get certified.
Ben Tchoubineh:
That's why we're saying you’ve got to prepare now, even if you're not going to get assessed for another two years, most likely, most of you probably won't get assessed for another two years, but you need to prepare now. It's very, very important that you prepare now because you’ve got to show maturity. That's why in CMMC we don't have controls. We have practices. Because we have to show maturity.
Thad Wellin:
Okay. Well, let's go on to the next question. Ben. We've kind of talked about this already. We've kind of addressed this ensuring readiness and certification of subcontractors. So, making sure that your supply chain basically is taken care of. Is there anything else you wanted to add to the discussion that we had earlier?
Ben Tchoubineh:
I think we've covered it. You’ve got to communicate with subcontractors, look at the information that's flowing between your two organizations and try to decide what the right level is. Not too low, not too high. You don't want it to be too expensive and you want it to be obviously high enough. So, you’ve got to just work together.
Thad Wellin:
And like I said, open communication between you and your subs is key, making sure that you're having those conversations so you make sure that when it comes time to go for that next contract a year from now, your supply chain is going to come with you, because primes can't do this alone. There are a lot of things that are required as far as contracts go. And you have to have those subcontractors with those special identifiers, next to their categories. It's all required in contracts. So, you have to make sure that your subcontractors are ready.
Common Trends and Issues We’ve Found During Gap Analyses
Thad Wellin:
I think we've talked about this one enough, let's go onto the next question. Common trends and issues that we've found.
So SecureStrux has been doing gap analyses as far as CUI and 800-171 for about four years now. And we've done quite a few CMMC gap analyses. And I think that if you had asked me this question before I started doing this, I probably would have said stuff like multi-factor authentication and some other things, but to be honest with you, that's not the trend at all. There are so many technical implementations for multi-factor authentication that most organizations are doing that. It's different than it was four or five years ago, where it was a big deal that you had multi-factor authentication. But that's definitely not a trend. I think the biggest trend is the simple fact that people don't have documentation and policies and procedures that match the technical implementation. To be honest with you, in most of the gap analyses that I've done so far, there's very little documentation at all. So, a lot of times they have a good technical implementation, but they don't have a documented process for how they're managing it. So I think that's probably the biggest trend, and then there are those other things that are hard to do unless you have a documented process, like fully managing incident response, having those playbooks on how to actually manage an incident, and then change management and configuration management are the other trends that we see; people just don't have them without a documented process. It's really hard to manage change and document change in your environment. So those are some of the big trends that I'm sure you see in the healthcare and financial world.
Ben Tchoubineh:
And you know, what is CMMC going to do? What are the true effects of CMMC? Because until now, and we've got to be honest with ourselves, again, I'm a DoD contractor, so I'm going to be honest with myself here. DoD has tried all kinds of care with us, right? Putting it into contracts, being nice about it. Maybe we'll audit you. And if you don't have what you need, then we'll do a POA&M and just try to be better next time. It's like, there's really been no real effect. What they're trying to do now is raise the stakes. So, what is it going to do? Well, it's going to start involving many different organizations, all of a sudden, not just cybersecurity within a company. What we're talking about is obviously Sales and Marketing too. I mean, they want their contracts won, and all of a sudden, there's a requirement and you don't have what you need, and you're not going to be able to win the contract. So, Sales gets involved. Legal is going to get involved. All of a sudden there are clauses in contracts that they're actually going to read.
Obviously, IT and cyber have always been involved, but they may not have been heard as much as they will now. They get a voice at the table. Financing cybersecurity has always been hard in my experience, and I don't want to speak for all of us on this call, but in my experience cybersecurity has been an afterthought. So as a result, cybersecurity does not get much of a budget. Now, I'm not talking about those of you that are building weaponry and so forth. But most of us OSCs are small businesses. Cybersecurity is just an afterthought. So, it doesn't end up in the budget as a line item. It's just IT. But what's going to happen is that, of course, all of this will come up to the executive offices and all of a sudden, the CEO will become aware of the importance of cybersecurity, and that's the goal, that's what's important. So, from my perspective, generally speaking, the biggest gap is in the entire strategy of the business that does not include cybersecurity. That's the biggest gap. And what CMMC is going to do, hopefully long term, is it's going to change the culture of the DIB, and maybe have other government departments adopt CMMC, and maybe the local and state governments, and then the culture of this country. So that CMMC becomes a line item at legal, at finance, at sales and at IT and cybersecurity, as well as, of course, in the executive offices.
Thad Wellin:
You just highlighted a key point: businesses are in it to make money. And you have two options. Either spend money to be able to get that revenue and, basically, spend money to get yourself CMMC compliant, or you're going to have to unfortunately find another line of business to get into, because they're going to draw a line in the sand and it's going to come down to: if you want to be awarded the contract, you're going to need the appropriate CMMC certification level. So, I think you'll find a key point of this is forcing companies to spend money on something that's important to protect their own IP and to make sure that the war fighter has a technological advantage over our opponents, over the bad guys that we're on the battlefield with. I mean, that's the key.
Ben Tchoubineh:
I deal with P&L statements all the time. That's how I look at how my company's doing. My CEOs will send me their P&L statement, their balance sheet. Cybersecurity is not normally a line item in the P&L statement. It could be under IT, or it could be buried as a sub-line item, but not a main line item. I have a feeling what is going to happen, is that along with office expenses, technology expenses, and legal expenses, which are the high-level line items, cybersecurity might get its own high-level line item now. Because the main gap is the fact that executive leadership and even the board of an organization do not have cybersecurity as a high enough priority until now. That's the major gap and that's hopefully going to change.
Thad Wellin:
All right, well, let's see what we have next.
CMMC Questions and Answers
Scot McLeod:
Thank you for the many questions that have been coming in, and I'd like to remind you, we've got about 20 minutes or so left, so we may have time for most of them, but you can certainly continue to submit those questions as we get into the Q&A. So, let's see, there are some that have come in that seem to be very specific to one environment or one individual. We're going to try to focus on those that seem like they have broad applicability for most of the attendees, because we do have quite a few people on the call.
Scot McLeod:
So first one here says this may be premature, but will you provide formal in-person training on CMMC?
Ben Tchoubineh:
So, the AB is not going to provide it. We have the RP training right now that's been through, but that's for consultants, for those who want to be professionals or assessors. CMMC is trying to get out of the training aspect of it. We're just going to run the exams. And the certification program training is going to be offered by third parties called licensed training providers, or LTPs. We're going to have a list of those available starting in the January, February timeframe, when they're going to start providing classes. You can go to our website, CMMCAB.org, to find the ones close to you, or the ones that provide classes.
Scot McLeod:
Great. Thank you, Ben. Another one says, is it true that level one certification will require an audit from a C3PAO?
Ben Tchoubineh:
Any kind of CMMC assessment that is going to be for score, where your score ends up in the DoD database so that your acquisitions people check it, those assessments need to be done by a C3PAO. They can't be done by anyone else.
Scot McLeod:
Very good. That seems like a very black and white situation there. Here’s another question - My IT staff is asking if there will be any templates that they will be able to follow?
Ben Tchoubineh:
That's a great question. We don't have any, but your MSSP or your cyber support organization or consulting organizations should have templates for you to help you get prepared. We have draft templates, but honestly, those are just drafts. We're going to be software agnostic. So hopefully a lot of different applications will be able to plug in with us over time, but until then, it's probably some Word or Excel spreadsheet you can use. But we don't have anything like that right now on our website.
Thad Wellin:
I'll just add to that. So, there are no templates, but right off the link from the CMMC-AB website is the link to the acquisitions, and where there are not templates, there is the guidance from CMMC-AB, and then if you go to the NIST 800-171 site, they actually have a template for a POA&M and they have a template for a System Security Plan. So, if you're looking for a template to download and start your process, those are some places you can go to find some templates.
Scot McLeod:
Excellent. Okay. So, this may be a multiple-part one here. The verbatim question says, How do we read more about what the rule changes are that are not in place yet, that you mentioned several times? And Ben, this might also be related to DFARS being out for public comment right now, I believe.
Ben Tchoubineh:
So, the thing that was kind of interesting, I honestly thought they were going to actually rewrite the DFARS clauses and include CMMC language, but what they did is they actually added DFARS 252204, I think it's 2017, 2018 and 2019. So, they didn't make any changes to the current DFARS clauses, at least in what was released last week, I think it was, but what they did is they put out for comment what the default clauses will be. And like I said, we can provide those links to the acquisitions, the actual true links instead of the conjecture that I've seen from different sources.
Scot McLeod:
This question is about the government mandating this being done and asking who will manage the variances in costs amongst the C3PAOs for conducting audits.
Ben Tchoubineh:
So, this is a free market system. So as a result, we're going to have a marketplace on our website where you can see the names of the C3PAOs, and just contact them.
Thad Wellin:
Ben mentioned the marketplace is going to show quite a few different things. It'll list the RPOs, I believe it will actually list down to the RP level, it'll list the C3PAOs, and the certified assessors. It's also my understanding, and you can chime in too to tell me if I'm correct or not, that you guys are going to list tools. What else are you going to list in your marketplace, Ben?
Ben Tchoubineh:
That's a lot right there. Yeah. The training providers, of course. But it's all going to build up slowly but surely. Hopefully there's going to be a whole lot more in the next couple of months that we're going to add to the marketplace, but that's where you can find the providers. But then honestly, Google them, call them, talk to them, see. Again, the first six months of this, until about June or July, there's not going to be much choice. And so, the pricing will probably be more expensive, but as we try to saturate the marketplace with more and more C3PAOs and more assessors, hopefully the pricing will come down.
Thad Wellin:
So yeah, once again, just one quick thing. So, there is no requirement for someone that's going to provide the gap analysis to be a registered provider or RPO, but I will say that the training has been excellent. So, I appreciate everything that you guys have done for the training. But when it comes down to the auditors, you have to be really careful that you don't just go out to the free market and pick an auditor; they have to be listed on the CMMC-AB website to actually issue a certification to your organization. So, it's important that when you shop around for your C3PAO, you use the marketplace.
Ben Tchoubineh:
Yeah. And make sure, if you find somebody on Google and they say they're a C3PAO, or they email you, you come back and look at our website to make sure that they're there.
Scot McLeod:
The next question simply says, will this affect non-DoD contracts such as with NSA, Homeland Security and others?
Ben Tchoubineh:
So based on my information, the other departments are watching closely and as soon as this becomes successful, they're hoping to adopt it as well. This might take some time though. So probably three, four years away, but maybe sooner.
Thad Wellin:
Yeah. I will say this. I have seen the GSA STARS III contract; the RFP was released and it actually had CMMC language in there. So, I mean, they're already jumping on board.
Ben Tchoubineh:
Yeah. And we're like, we're not ready. No one can do this. You're right.
Thad Wellin:
Yeah. I absolutely do think that we're not far away, maybe three or four years away from the entire federal government adopting CMMC or some form of it, and I have a feeling that it's even going to get down to the state and local governments.
Ben Tchoubineh:
Oh yeah. I mean, state and local, maybe local is a little much, but on the state level, I'm sure the big ones are definitely already looking at it. I'm in Maryland and the CMMC-AB is headquartered in Maryland, and Maryland's looking at it. But I'm sure California, New York and Texas and the other big guys are looking at it as well, and once those guys go, the rest will follow, so pretty quickly. The other thing is, of course, other countries as well. So, Canada is watching closely and they're already in talks with the DoD. We've had conversations with Japan, with the European Union, Singapore. It's really going to be worldwide very quickly.
Scot McLeod:
Next question here simply says, will the certification assessments be conducted in person or virtually?
Ben Tchoubineh:
So, at this point we are training our provisional assessors to be able to do assessments virtually. We're hoping that once vaccinations start, we can do in person as well. And so, it all depends on the universe and how things go. Right? But we can currently do them virtually, but it's not ideal.
Thad Wellin:
So far, a majority of our gap analyses in the last six months have been virtual. So, I've been a huge proponent of not doing these virtually; it's best when you're on the ground and you can actually interview people, but in the current environment we found ways to do it virtually.
Scot McLeod:
Okay. There are several questions related to effort and cost. And I'll read this one here as a proxy for all of them. Basically, it says, what is the typical amount spent to get to level three certification?
Ben Tchoubineh:
I'll start with this, but I'm sure Thad has a much better answer than me. But I will say this, I mean, look at the number of companies, and by the way, the DoD has come out with several different numbers. I've seen 350,000 companies. I think it's way higher than that, because I don't know if the DoD is looking at all those subs of the subs of the subs of the subs. And so, when you really put all the numbers together, we're talking about maybe over 500,000, if not higher, and that's just DoD. And then once everybody else joins, the sky's the limit, and these guys are of all shapes and colors. We're talking about a one-person company versus a hundred-thousand-person company. We're talking about a single location versus hundreds of locations nationwide. We're talking about small enclaves versus global enclaves. So, there's really no typical anything when it comes to CMMC. That's just kind of my observation. Of course, we don't have enough historical information. We have zero historical information to give you a good marker there. Thad, anything that you might be able to add to that, because that was a bad answer, but...
Thad Wellin:
No. It's absolutely the same answer I'm going to give. It's so subjective. The one thing that I will say, the thing that is really, really hard is, will you get that return on investment when you're that really small company? One of the things that I've suggested, and I've heard this come out of some of the big contractors, is the way they're going to help out their subs, and those small consultants that still need a CMMC certification, is if they're going to extend their network to them. So, I have heard that happening. I can't point exactly to any company that has done that, but I have a feeling that's going to become more common than we think as of right now. Especially when it comes down to that one-person consultant that might need access to CUI, it might be best to just be part of the prime's network and figure out how to segment off that person from the rest of the company data. So, there are different inventive ways that people are going to be able to meet the requirements, and do it in a manner where it's not going to cost too much. So, you've just got to, like Ben keeps saying, shop around, find different resources. The bottom line is that you've got to figure out how you're going to do this if you want to continue doing business with the DoD.
Ben Tchoubineh:
I love the answer because it's going to mean a culture change, as I said, and in that culture change, we're going to have to do things differently. And of course, we're all human beings. We're extremely creative, and we're going to find ways to do them in a way that is compatible with the new atmosphere and environment.
Scot McLeod:
This one is very closely related to the last one. But I believe a little bit different though. It says, we believe we're in very good shape with NIST 800-171. How long should we expect it to take to prep for a CMMC certification audit?
Ben Tchoubineh:
Depends on what level you're going for. But if you're at level three, then what we have is 20 Delta practices. If you're good with 171, so that's 110 controls, you're going to have the 20 Delta practices to worry about, but at level three, remember you also have the maturity to worry about: the policies, the procedures, the plans, budgeting, role and responsibility documents, and showing that you have been following them. So, keep all of that in mind. I don't know the size of the company, so in terms of cost and time, it's very variable, but again, be concerned with those 20 Delta practices and turning those 110 controls into practices, which means policies, procedures, and maturity.
Thad Wellin:
Yeah. And to be honest, that's a perfect answer, Ben. You've got the baseline, so you've got the tech controls in place. If you're meeting 800-171, you've still got to make sure those other things are in place. And then of course you've got to also address those 20 additional controls that are CMMC specific. And then you have to show that you're actually doing this and you're living and breathing the practices in the manner that they need to be managed.
Scot McLeod:
All right, gentlemen, I think we've got time for a couple more here. And these two I'm looking at right now are kind of related to the relationship between primes and subs. This first one's a two-parter: Besides the proactive preparation, what's the timeline that the DoD requires for subcontractors to be certified, and will uncertified subs impact the prime's CMMC certification?
Ben Tchoubineh:
Most likely there's going to be some allowance for that. So yes, if you're using subcontractors, your assessor is going to want to see proof regarding your subcontractors, whether through your contract, whether you have added the CMMC requirement in your contract; sometimes for the assessor that's all they want to see. And then how you are enforcing it, and through what practices and mechanisms you are enforcing that. How have you then received proof from your sub that they are at that level? Again, this might take some time to really be able to implement fully.
Thad Wellin:
And so that brings up a good point, Ben. And as far as CMMC certifications, what will be made public regarding who has a certain CMMC certification? What is the official process for either the government or primes to see if their subcontractors actually have a certification?
Ben Tchoubineh:
And this is a great question. Based on communication I've had with DoD today, which may change, this is not public information. The level you're at is not public information. And in fact, when you're enforcing a certain level with your sub, that should not be public information. So whether you're certified or not is public. What level you're at should not be public.
Scot McLeod:
Very good. Well, gentlemen, I can't believe 90 minutes has gone by so fast. But we are at the bottom of the hour. Believe it or not. This has been great. I'd like to, on behalf of Apptega and SecureStrux extend our thanks to Ben for making this time with us today and providing your insights. And Thad, thank you for managing the conversation with Ben. Very well done. And hopefully all the attendees got a lot out of this hour and a half.
Thad Wellin:
I just want to thank Ben for all of his volunteer hours that he's put toward making this happen, and all the volunteers at the CMMC-AB. We in the Defense Industrial Base sincerely appreciate it.
Ben Tchoubineh:
You're very welcome. It's very much worth it. It really is. It's exciting. It's fun. It's challenging. It's exhausting, but it's worth it. All I want is for us to be a more secure nation, so we're getting there.
Scot McLeod:
Well, those thoughts are a great way to close this out. I would like to also thank everyone for attending with us today. On your way out, there's a short exit survey. We'd like to get your feedback and input for future sessions and other topics that we can provide, and also make improvements to these as we go, so please give us your candid feedback. And we look forward to meeting with everybody online again in the near future. So, everybody, have a great, safe afternoon.
CMMC Certification References
- CMMC Certification and Compliance Guide
- Fundamentals of CMMC Certification
- CMMC Marketplace in CyberXchange
- CMMC Certification Preparation Services
- National Archives and Records Administration (NARA) owns the CUI definition
- CUI Registry (online repository for all information, guidance, policy, and requirements on handling CUI)
- DoD Policy on CUI and FCI
  - DoD Instruction 5200.48 and DoDI 8582.01
  - https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF?ver=2020-03-06-100640-800
- CUI Program implementation guidance by the Information Security Oversight Office (ISOO)
- 32 Code of Federal Regulations (CFR) Part 2002
- CMMC-AB Marketplace