November 12, 2021

The US Department of Defense (DoD) has just announced CMMC 2.0, a new strategic direction for its cybersecurity program based on public comment and internal assessment. So what does it all mean? 

Many sources say that CMMC 2.0 is about “less requirements,”—but it’s really much more about changing how the DoD will hold defense contractors accountable to the NIST SP 800-171 requirements that have been in place all along. 

We’re speaking to two of our best Security Consultants from right here within our ranks at Pivot Point SecurityGeorge Perezdiaz, CMMC / NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor. 

In this episode, we discuss:

  • What’s new and what’s not with CMMC Level 1 (for securing FCI) and what is now called CMMC Level 2 (for securing CUI)
  • The overall realignment of the US government’s cybersecurity audit program with NIST 800-171 
  • “Bifurcation” and who will and won’t need a third-party audit if you handle CUI
  • How CMMC 2.0’s new accountability process fits with the recent cybersecurity executive order, the Civil Cyber-Fraud Initiative, the False Claims Act, and upcoming rule changes to 32 CFR and 48 CFR
  • Why “letters of affirmation” are a boon to SMB security and IT leaders compared to the threat of a third-party audit

Mentioned during the podcast:

eCFR :: Home

To hear this episode and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

 

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (Intro/Outro) (00:06):

You are listening to the virtual CISO podcast, a frank discussion, providing the best information security advice and insights for security IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there. And welcome to yet another episode of the virtual CISO podcast with you as always John Verry, your host, and with me today, two of my compatriots here at Pivot Point Security, George Perezdiaz and Caleb Leidy. You’ve met them before. Good morning guys.

George Perezdiaz (00:38):

Morning, John.

John Verry (00:39):

So we’re going to keep this one to a nonfun and frivolity podcast. No bourbon talks, sorry, George, no beer talk, sorry, Caleb. We’re going to get down to business because we had some interesting news in our space, the shift from CMMC version one to CMMC version two, based on DOD’s review of the program. I think most people, guys, are going to concentrate on the fact that things are different, and hey, I no longer need an audit, or I no longer need to do this, or I no longer need to do that. And I think while there is some definite differences, I think the core is still largely the same. And I think it’s very important that people understand not only is what’s different, but what is still the same. And then, most importantly, once we get through that, we’ll talk about what that means to you if you’re in the DIB and perhaps what that means to you, if you’re outside of the DIB. So let’s start easy, George, let’s start simple. What’s different about CMMC level one now?

George Perezdiaz (01:36):

CMMC level one now has no CMMC certification. It goes to annuals self at a station that it’s a company by an affirmation ladder from a senior official. Now it’s straight up. I mean, it was straight up in [800171 00:01:53], but that is the basic change. There is the 17 requirements with no CMMC certification.

John Verry (02:00):

Gotcha. And those are the same that mapped to that far 52.204-21, I believe?

George Perezdiaz (02:05):

Correct. And hold one second.

John Verry (02:08):

So George, let’s start simple. Let me know what’s different with CMMC level one.

George Perezdiaz (02:13):

Yes. Thank you, John. The main difference from Legacy CMMC to the 2.0 is the removal of the CMMC certification before, and anybody and everyone that had FCI was bound by [C through PAO 00:02:29] to be certified every three years. Now, it’s annual self-reporting, self-assessment within affirmation letter from a senior official. And we continue to be doing the core 17 requirements from the 800171 in the far.

John Verry (02:46):

So the bottom line for somebody that’s in the DIB is they’re saving some money on an audit.

George Perezdiaz (02:54):

Indeed.

John Verry (02:55):

The requirements have not changed at all. And the signatory requirement ala Sarbanes Oxley is going to cause some interesting potential, a higher degree of, let’s call it investment in ensuring that you’re actually representing your controls optimally. I think that ties into that new civil cyber fraud initiative, which I think we are on towards the end, because I think that’s really a critical part of the way the DOD and I think the government as a whole is thinking about this stuff. So FCI, we got that covered level one. Level three, in order to understand what’s changed in level three, we need to understand how the standard is changed because level three is no longer level three. Caleb, you want to touch on how the standard itself has changed?

Caleb Leidy (03:39):

Sure. So yeah, I like the way George calls it, the legacy CMMC model. Version one, we had those five levels, but-

John Verry (03:49):

The OG.

Caleb Leidy (03:50):

The OG CMMC. But we had those five levels, but only three of them were necessarily applicable. We had those transitional phases that were in there for two, and four, but based on the requirements and the data that you had, you were going to be at a level one, a level three or a level five requirement. So they’ve gotten rid of that two and four level and they’ve chopped it down to one, two and three. The one as George talked about, is relatively the same. The three process essentially those that are currently subject to the DFAR 252.204-7012 requirements and then 800-171, the same control set or requirements set.

John Verry (04:41):

You said level three, you meant level two.

Caleb Leidy (04:43):

I sure did. Yeah. [crosstalk 00:04:45] So level three is now the really advanced where it used to be the middle, standard CUI, basic controls. So that’s level two now. So yeah, between the DFR is 7012 and the interim rule clauses, other than maybe the 7021, which is in influx a bit, that is what I see a CMMC 2.0 essentially boiling down to for what they’re now calling the level two.

John Verry (05:18):

All right. So level one stays level one, level three becomes level two and level five, ostensibly becomes level three. Fair?

Caleb Leidy (05:30):

Yeah.

John Verry (05:30):

Okay, cool. All right. So now, if I am now in the old level three, the new level two, tell me what is different from my perspective?

Caleb Leidy (05:41):

Not a whole lot has changed from what current requirements are, I’ll say that, but a lot has changed from what Legacy CMMC version one was intended to be for level three. And as we have those Delta 20 controls and all the process maturity requirements, or maturity process requirements. So, there’s a lot that is still there and still required for 800-171 compliance, but the way that it rolled out and you look at the 32 CFR, and some of the CUI notices from [Nara 00:06:17], and they’ve directed, “Hey, they enter 171 is the standard. They enter 171 alpha is the assessment standard.”

Caleb Leidy (06:27):

So I think that was neglected in the foresight of DOD when they started rolling out CMMC, the original, and then that was caught during the review. And now it’s been pulled back to, “Hey, everything’s there. Maybe we need more of an independent assessment body to expand our capability to do that within the government space.” Which they’ve effectively done. And then some other small tweaks. The CMMC was a thought in version one, and now it is a solidifying factor of the current requirements for version two. And then we’ll see how that changes for level five as well. But that’s where we’re at for level two.

John Verry (07:18):

Okay, cool. So let me see if I got this. So level two, what’s different is the 20 additional requirements. So we had the 110 and the 800-171, we added 20 for version one, those 20 are gone. And I think those processes, which were causing a lot of consternation because they were well defined, and my understanding is that’s where a lot of the CMMC CA3POs were failing their audits or having challenges in their audits was figuring out exactly what these processes should entail. So those processes had been left as well. So we had 51 processes and these 20 additional practices are now gone, correct? So we’re back down to exactly where we even started before CMMC, right?

Caleb Leidy (08:03):

Absolutely.

John Verry (08:04):

It’s basically 800-171 is the standard that protects CUI from the US government’s perspective. And now CMMC is perfectly aligned with 800-171. And the audit program will be perfectly aligned with 800-171 A.

Caleb Leidy (08:18):

Yup.

John Verry (08:20):

Okay. There’s one other difference, which you didn’t get to. Can you talk briefly about the bifurcation? And that’s a $10 word. I know that’s one of your favorite words.

George Perezdiaz (08:31):

I love it.

John Verry (08:32):

Caleb breeds more vociferously than anyone I know on government stuff and he shot me a note and he goes, “I had to look up the word bifurcation.”

Caleb Leidy (08:40):

Yeah. That’s a very legal term. And actually when you look up the definition, it talks about court cases very specifically. So a very legal term that they decided to use there, which is interesting getting into the legalities of everything that’s actually happened to this point. And I think of why they’ve gotten to where they are with the program and actually looking at what the laws and the regulations are and one, their obligation from the DOD to put out this program and oversight for non-federal entities is handling CUI. And then, and two, the laws and regulations of what they’re bound to in the way that they can implement that program.

Caleb Leidy (09:24):

So the bifurcation, what they’re looking at is some organizations that are going to be at that level two are going to be handling data that they are considering maybe less sensitive or not “critical” to national security while other organizations and contracts and programs will be handling data that they do feel is critical to national security, all CUI.

Caleb Leidy (09:52):

What’s very interesting is that it’s already been preset, but the impact level for CUI is moderate. So aside from, and they say it’s going to be risk-based, but John, you’re very much into risk assessment space. There’s a lot that goes into a risk assessment, but all they have is that, that impact level, which is already predetermined. So I don’t know how they can really change it a lot. We’ve talked about weapon systems and command control systems, but there’s a lot of categories that fall into those. I think George was saying earlier, we don’t see a lot that is overly different from the data and the programs that are already going to be protected. So I think a lot of folks are thinking that they’re going to get out of the independent assessment piece. I don’t think that’s the case. What I do think though, is that it looks like it’s not going to necessarily be a certification, which a lot of people keep saying and speaking to, CMMC version two, level two certification that doesn’t look like a…

PART 1 OF 4 ENDS [00:11:04]

Caleb Leidy (11:03):

… version two, level two certification. That doesn’t look like it’s necessarily going to be the case anymore. It’s just an independent assessment and those results go to the Department of Defense.

John Verry (11:11):

Got you. So, we have a to be determined fork into either self-attestation for “lower risk” CUI. And I agree with you; that’s a weird concept to say, because theoretically, all CUI is CUI, but let’s not go there. And then we’ve got a third party assessment through a C3PAO for anybody who has information, which is deemed more critical. You used weapons systems, command and control. I think they also used the term communication systems might fall into that. Are you guys familiar with something called the DPAS score? Because I heard somebody else say that they might use the DPAS score. How would someone know what a DPAS score is and what theirs would be?

Caleb Leidy (11:53):

So it’s a rating. It’s a prioritization rating that is put onto contracts for things that are needed in quick order or very critical, “Hey, we need this right now.” Those ratings are not necessarily something that would play into the critical pieces if you will. But there are program identifiers that go along with those, and working through DCMA, previously, I know that those program identifiers are something that are very highly considered in determining what’s important versus what’s not, from that perspective. So having a good hold on those program identifiers, and if you look, really get into those DPAS regulations and the documentation that’s there, and you look at the categories for the program identifiers, there are a lot that align very closely to the CUI categories on the registry.

John Verry (12:58):

We’re going to have some interesting stuff. So loosely, if you’re on the phone with a client right now, if they’re in one of those three that we talked about, you’d probably say, “Hey guys, you should be prepared for a C3PAO audit.” If they’re not, we’d probably say, “Guys, you’re going to need have senior management self attest.” Fair? Cool.

John Verry (13:15):

George, anything else on level three we should touch base on? Anything we didn’t cover?

George Perezdiaz (13:18):

Yeah, absolutely.

John Verry (13:19):

Excuse me. Level two.

George Perezdiaz (13:22):

Yeah.

John Verry (13:22):

Old level three. New level two. It’s going to take me a while.

George Perezdiaz (13:25):

There’s two things that we left out. One, and this is the kudos that I give the DOD is the reintroduction to POAMs, which Caleb and I have always said, POAMs are inevitable in a NIST 800-171 environment. You’re going to have POAMs, if you’re managing your environment correctly. Now you can have POAMs and still receive a certification, as long as those, those POAMs are not for your high ticket items; your encryption, your incident response, your training is in there too, and of course your MFA and others. The other one that is a quasi kudos is a waiver where you can execute on a contract before you get the CMMC certification, as long as you achieve the certification within the time allowed by the contract or DOD. So those are two things that are nice to have and that make sense.

John Verry (14:17):

On the POAMs, right, not only did they restrict which controls it might apply to, but also a timeframe, right? I think they said 180 days or something like that.

George Perezdiaz (14:25):

Yeah, and I thought it was interesting that before, it was 90 days. So that’s a very soft change from 90 days to 180 days. So it’s interesting that they have extended that window, where if you think about it, if you’re not allowed to have POAMs for your big-ticket items, that means that you can turn around a little quicker, right? Because likely will be a process that will be missing and processes and policies will be a little bit easy to whip out if you will.

John Verry (14:53):

Yeah, my suspicion and this is just guessing, is that it has something to do with budgeting. Right. If somebody didn’t realize if they needed to spend some money and they didn’t have the money, it just gives them a little bit time to allocate the cash, do things. I think a lot of this is driven by money, right? Because I think a lot of the feedback that they got was, this is incredibly expensive, and there was some concern that we were going to lose some of the folks that are necessary right? In the deep dip.

George Perezdiaz (15:17):

Yeah. It’s still 180 days doesn’t make it less expensive. It’s just giving DOD is being very flexible. I think we’re being a little loose into securing things. Caleb commented on, CMMC probably neglecting 171 a little bit. Respectfully, Caleb, 171 was always there as you and I know, the DOD reserved the rights to add to the requirements. And I think the fault there on the legacy model was that they came up with requirements versus using 172 requirements. I think that’s where the flaw was. Or you have missed a already providing technical leadership at guidance to the federal industry and private sector as well, might as well used those proven and tested publications that they have put in place in the 800 series.

John Verry (16:09):

I think that that message came across loud and clear last night in the town hall where somebody basically said, “why are we screwing around? We have NIST they’re great. We’re going to listen to NIST and NIST going to drive everything”. So it seems like they cemented NIST as being the authoritative source of any standard that will be used by the government.

George Perezdiaz (16:30):

Makes sense.

Caleb Leidy (16:31):

They did. Yeah.

John Verry (16:32):

That was the impression I got. Caleb, you must have had a slight smile on your face last night, being a former DIB CAC auditor, when they mentioned that level three, the new level three, will not be a C3P audit. That will be something which is done by the Dipak, correct?

Caleb Leidy (16:47):

Yep. Well, right now that’s what brings up a really good point, John, and something that I think is pretty important to get out to is that CMMC is the DODs implementation of the CUI program that is directed at the national level. At the executive branch level, say that by the 32 CFR. So, since they are so far ahead of the rest of the agencies that fall under that they’re leading the way in setting the program. I imagine the rest of the federal government, as this expands out, will look very much like what the DOD is putting out. But right now, we have the DOJ and the really only has purview over DOD contracts and DOD contractors. That’s something that may in the future expand out also whether they have to fall under a different agency or whether that is worked for an interagency, but with those requirements still being worked and, and figured out there’s a lot of training when DIB CAC was first stood up to start assessing 800-171 in DFAR 7012 compliance.

Caleb Leidy (18:03):

It took some time and some hard work and some effort to just get the assessment standard figured out, get the right people in place, the way in which should go about conducting those assessments. I don’t imagine the new requirements being added in will be as much of a burden, but it could take some time and be a little bit of a hurdle to add those in and figure out exactly what those level three assessments look like.

John Verry (18:32):

Right. So let’s take a step back for a second. So, on the new level two, the old level three, did we cover everything and terms of, what’s the same, what’s different? I think we did. I just want to make sure I didn’t miss anything.

George Perezdiaz (18:44):

Yeah. The one thing we didn’t talk about this time is you referenced it on level one was the survey Oxley, lookalike.

John Verry (18:53):

Yeah. I was just going to get to that. That’s what I wanted to do is kind of make sure we covered that. And then let’s talk about some of these things that are wrapped around this that I think are really critical. And I think, give us a sense of not only what this is going to mean if you live in the DIB, but I think what it’s going to mean if you live outside of the DIB. Let’s talk about that first one, George. So we’ve had the situation up to this point where they’ve been filing these false claims acts.

John Verry (19:15):

If you had a DFAR 7012 requirement, you were responsible, ready to attest to the fact that you’d implemented 800 -171 controls. And if you failed to do that, and there was some type of a whistleblower, or there was some type of an incident or the Dipak decided to do an audit, and they found you to be having misrepresented that they could file a false claims act. The timing of this civil cyber fraud initiative by the DOG, DOJ, excuse me, which allows them to prosecute under failures of the control system, misrepresentation or failure to report an incident in a timely manner.

John Verry (19:55):

Anybody think that that is coincidental? I’ll take it from the smiles, that’s a no?

George Perezdiaz (20:03):

No, I don’t think so. You have DOJ doing sending that message. You have DHS sending this the same message as well. There’s a lot of conversations around reporting, timely reporting. We have changed a lot of the reporting requirements to 24 hours. Now we are encouraging folks to keep an eye on each other. If you see that George is saying that he’s doing what he’s not doing, we invite you to report. And when you report, you will get a percentage of that contract, which is very, very attractive to some people, right? So there’s a lot there that it’s in alignment with what we’re seeing here.

John Verry (20:43):

So in a weird way, did they just do something super smart, right? In that instead of these organizations all having to be subject to a $70,000 audit by making senior management sign off. And if we see the same behavioral change we saw with Sarbanes Oxley  404 attestation, are they going to end up getting a much higher degree of conformance at a fraction of the cost?

Caleb Leidy (21:09):

Absolutely.

George Perezdiaz (21:09):

I will say so. Yes. One thing that makes people nervous as you, and I know, is signing the dotted lines. We need you to sign here. We need you to be the person that is submitting that self-assessment report with that affirmation letter, saying that you have validated that all your controls are in place and that what you’re submitting is accurate. That it’s very strong statement there.

John Verry (21:33):

All right. So we do a lot of work with the DIB and, and the DIB very often we’ve got small to medium sized organizations with an IT director that is responsible for information security. And is the guy we’re on the phone with, who’s saying, “I don’t have the bandwidth. I don’t have the time. They’re not giving me the budget”. So realistically, his hammer is no longer a C3 pay of water is going to show up. His hammer is, “Hey Mr. President, here is the letter that I need you to sign.” Right. And, and I’m telling you that we don’t actually meet this”.

PART 2 OF 4 ENDS [00:22:04]

John Verry (22:03):

Right, and I’m telling you that we don’t actually meet these requirements, and if somebody asks me, I’m going to tell them that we don’t.

Caleb Leidy (22:09):

Yeah.

John Verry (22:11):

That’s going to be the conversation that we’re having now, right?

George Perezdiaz (22:13):

Yeah.

Caleb Leidy (22:13):

Absolutely.

George Perezdiaz (22:14):

And also, John, what I… So sorry, Caleb, real quickly. As we’re delivering this message to our current clients, that the 2.0, it’s here today, 90% of them understand that “Hey, George, are you guys are going to be doing the self-assessment for us? I’m pretty sure that our leadership team will be more comfortable if a self-assessment comes from an expert versus our internal folks.” So, that right there is going to help out a lot of the leadership team, give that level of confidence that what is in that paperwork, is as accurate as possible from a third-party perspective. Go ahead, Caleb. Sorry.

John Verry (22:49):

I was going to say one other thing real quick before you jump in, Caleb. And I think that this idea, George, of having some type of single source of truth, some type of it, I think this is going to enforce better practice, where leadership has something they’re basing this opinion on. The third-party assessment is good, but you’re not going to want to do third-party assessments continually, right? So, maybe you’re going to do them once a year, every time you need to re-attest. So, ideally, you’re going to have some mechanism to know that things are operating the way that they are, some type of a single source of truth, some type of a dashboard. So, I think it’s going to encourage more maturity in the way that DIB members actually execute their programs.

George Perezdiaz (23:27):

The larger the organization, the better of course, but it’s also validation that your cyber security investments are going to the right place, right? That you can also justify that investment and that security because we know it doesn’t generate revenue, but it does help you to generate revenue if you’re into DIB.

John Verry (23:44):

Yep. Caleb, I cut you off; what did you want to say?

Caleb Leidy (23:48):

Yeah. I was just going to say, during DIB CAC assessments, during all the consulting that I’ve been doing here with PPS, it never fails. So you get to the IT manager you said, John, or other various people at lower levels, and they’ll say, “Oh, this is great that you guys are telling us that we wouldn’t be able to pass without this because I’ve been trying to get this for a long time, and I can’t.” Right? I worry a little bit, now with the new model coming out, that people again feel like now they’re not going to be looked at as harshly anymore, which is not really the case. Hopefully, people will not find that out the hard way and still prioritize these efforts. But it is always those lower-level folks, and I think that adding in the senior level affirmation is going to really, really make a big difference here. Great point.

John Verry (24:43):

Gotcha. So, I know you guys have already started having conversations with our existing clients that were working towards what was previously CMMC Level 3 certification. Is the message… What is the message to these contractors? Is it nothing more than, ” Guys, really fundamentally, nothing has changed”? You have CUI. The government has a standard by which applies that standard is slightly smaller than it was yesterday, right? The additional 20 practices and 51 processes are not in place, but you still are contractually obligated to achieve the standard. And, you are either going to end up having to have an audit, or you’re going to have to have senior management sign off at risk of a civil litigation in the event that they’ve misrepresented. Is that fundamentally the message that people need to take away from this?

Caleb Leidy (25:31):

Yeah, and it’s a mix, right? We’ve got various clients that are at various stages, right? Some maybe a little upset that they implemented things that are not as specifically applicable to what the rules are, but not that they’re not better for it, right? We know that, right? Implementing more security is never a bad thing. But what I’ve found is that a lot of the clients that I’ve been working with were already kind of switching course because they’re getting the questionnaires and the pressure from primes, right? They are flowing down the requirements, the current requirements, that are now the future requirements, and they’re flowing these down and everybody’s kind of freaking out and they’re being put on timeframes. So, a lot of folks are already refocusing on that 800-171, which is great. It’s where they should be. Those are current standing requirements that we’re going to need to focus on and get people compliant with, and the DFARS rule, the interim rule. Which all of that is going to remain in place until this rule making process is finished to actually implement CMMC 2.0.

John Verry (26:41):

Right. George, any thoughts?

George Perezdiaz (26:42):

Yeah, absolutely on the same lines. It’s a good message. It’s simplified as a model, but when everything has changed, not a lot has changed. We still with 171, who reigns supreme, and the prime contractors are doing an excellent job at keeping the eyes on the ball. And that’s a constant reminder there, right? That well, DOD may not be communicated since June of this year, the prime has been. If you have been identified as a top 20 critical technology or critical supplier for one of your primes, the likelihood that they will want you to have a CMMC Level 3 certification it’s there still, right? So again, kudos to the primes for doing that, and yes, straight [inaudible 00:27:28] 800-171.

John Verry (27:29):

Yeah. That’s actually really interesting. I’m glad you guys brought that up. Because I’ve said that to a number of people as well, is that even if the DOD isn’t enforcing something, if the primes are, your feet are still being held to the fire because at the end of the day, the vast majority of our organizations are doing work at least through primes on some of their contracts, if not all of their contracts. And we have seen most of the major primes, over the last three months, we’re getting the letters that basically say we’re holding your feet to the fire to get to this level by this point in time, and if you don’t, we’re no longer going to do business with you. So you’re right. Even if CMMC has changed, if the primes don’t change and what their expectations are, we’re still back to the same place we were. Correct?

Caleb Leidy (28:12):

Yeah, and it all still comes from flow down. I honestly don’t feel like the primes would, and we know the primes wouldn’t, be as persistent on it if they weren’t being looked at for compliance with their contract clauses. Right?

John Verry (28:29):

Gotcha.

Caleb Leidy (28:29):

And we know that because somebody started, the DOD started looking at it more fiercely, and now we see the questionnaires coming out. It’s still going to remain in those flow-down requirements, and the primes will make sure that they’re covering themselves by meeting those flow-down requirements.

John Verry (28:50):

All right. So, we’ve talked a lot about what this means to the DIB. What’s interesting to me is if you want to give credit, I think George used the word clever earlier with regards to the government, which is a dangerous thing to do, but I think he was right. And is there even more cleverness hidden in this? Caleb, you’re our government regs guy, the idea that they’re taking a step back and that they’re making a rule chain at the Title 32 CFR Level, that has broad-ranging implications, right? Is this all being done in a very choreographed way, tied in with the presidential executive order? What we’re redoing is that we’re going to take a step back and create a unified program driven by CFR 32, across the government for CUI. Could they have been that clever in this process?

Caleb Leidy (29:47):

Well, that’s already what it is. And it’s the reason that we’re seeing that step back from CMMC proposed Version 1 to CMMC 2.0 because the CMMC Version 1 was not aligned to the 32 CFR, which is regulated by information security oversight office, the ISO. And they put some minimums and some maximums in place on what can be done for CUI oversight. They talk about in their CUI notices and in their 2019 report to the president that they’re working across the entire executive branch to implement the CUI program, but they’ve called out the DOD as ahead. So DOD is kind of being the example right now, and they’re already behind on when they expected to implement a ruling at the far level, which would put a standardized program in place for oversight in non-executive branch entities, as they call them, that are handling CUI. So this is absolutely going to expand out to the entirety of the executive branch federal contractors.

John Verry (31:00):

I’ve heard the term nine to 24 months because there’s lots of 60 day comment periods and lot of formality to this process. So what’s interesting here again, if you were in… I’m going to go back to the DIB for a second, but if you were in the DIB and you said, “Well, we just got a reprieve.” In a weird way, could this speed up CMMC in the DIB? Because we were talking about a five-year rollout period of CMMC V 1, if this becomes part of Title 32 CFR in nine months, doesn’t that accelerate CMMCs applicability in the DIB?

George Perezdiaz (31:35):

Yeah, it does John. But, if you remember the requirement to Caleb’s point, it’s going back to the basic. 32 CFR already had NIST 800-171 there, DFAR-7012 since 2016… Has 7012, I’m sorry, NIST 800-171 there. So essentially, what they’re saying is, “Hey, you were supposed to be doing this since 2016, now let’s do it, let’s get serious with it.” So it shouldn’t affect the organizations that were supposed to do what they were saying they were doing, too badly. And probably, that’s where the connection comes from DOJ and DHS with all those false claims act and the right to sue that organization.

John Verry (32:14):

Yeah, actually, I agree with you, it doesn’t change the requirement, but it changes the accountability.

George Perezdiaz (32:19):

Yes.

John Verry (32:20):

Right? And that’s really, which is really what the whole idea behind CMMC was anyway. Right? Maybe that should be the title of the podcast, is the requirements haven’t changed, the accountability has because that’s really what all of this stuff does. And this idea that it goes into 32 CFR Caleb, as far as I understand, if we look at the CUI registry NARA, DOD information is one of I believe, 20 CUI classifications. So in theory, there’s 19 other classifications that, as this becomes more widely enforced, that are if you’re processing that data, you’re going to be subject to some level of 800-171 conformance requirement.

PART 3 OF 4 ENDS [00:33:04]

John Verry (33:03):

… [inaudible 00:33:00] of 801.71 conformance requirement.

Caleb Leidy (33:04):

Absolutely.

John Verry (33:04):

Okay.

Caleb Leidy (33:05):

Yeah, and something that I’ve talked to George about, is if you search for CUI in the ECFR site, it comes up in-

John Verry (33:14):

What is the ECFR? I’m sorry, what’s the ECFR?

Caleb Leidy (33:16):

It’s where you can find all the CFRs.

John Verry (33:19):

Okay.

Caleb Leidy (33:19):

It’s just the website. But you can find CUI listed out in a lot of places that are not Chapter 2 of the 48 CFR, which is DFARS, and the 32 CFR part 2002, which is the CUI. So you can find CUI spread out and talked about in other areas, so outside of the DOD and outside of the overall.

Caleb Leidy (33:46):

You only find the NIST 800 171 talked about in the 48 CFR chapter two, the DFARS requirements and the 32 CFR, which says that that’s the requirement for overall, for the CUI. So the DOD are just the only ones that have actually implemented the program for oversight and are requiring what is the overall requirement, right? And as that goes to the far level, which is 48 chapter one, 48 CFR chapter one, that will bring in the applicability and the standardization across the entirety of the executive branch space.

John Verry (34:25):

Yeah.

Caleb Leidy (34:26):

So, I would see it rolling out in the same way DFARS did it. They put the requirements in place through FAR and through DFARS and other various contracting vehicles. And they say, “Here’s the requirements.” And it was 2016 where they put out the 7012 and they gave until 2017, December 31st, 2017 to be fully compliant. So it’s probably going to be the same type of timeline.

John Verry (34:55):

So, it just seems to me like if you followed this logically, this is just one more step in what we’ve seen over the last couple years. George is a guy who reads the Solarium report. I give him credit. I fell asleep every time I’ve tried to read it, but he’s always encouraged me to read it and refer to it. But if you look, George, and you just follow the arc, with what we’re seeing in the Solarium report, the fact that the presidential executive order and its commitment to cybersecurity for the government and for our private sector, for ceases rise, I think in power, with regards to their ability to enforce these things. And now doubling down on NIST as being an authoritative source of who is going to explain to us how we treat data. And now this move towards CFR 32, isn’t this just, it’s just stepping stones, right? To the government, taking some level of authority and responsibility for ensuring the cybersecurity, not only of our government itself, but the critical businesses that service it.

George Perezdiaz (35:56):

Yeah, absolutely. And I’m glad that you’ve mentioned that on CISA, because when Caleb was talking about the DIB CAC doing the assessments for the new level three, automatically, I thought that when it goes to the higher level, the ISO level and the CUI level program level, then that’s when CISA will jump in, in my humble opinion. And it’s very timely, right? What do we see in 2020? Was us getting hammered in our critical infrastructure, which is essentially what CISA has been doing since they were in established in 2018, provide that technical leadership, trying to enforce the CMMC standards in federal, local, state and tribal environments. And all these changes like you said, they’re not casual. They’re not happenstance. It’s all very well orchestrated. And the Solarium report was that play by play. This is what we need to do to be able to continue to be competitive and have a strong and resilient supply chain.

John Verry (36:51):

Yeah. One last question for you guys. So there was a strange sentence that one of you guys pointed out on the new CMMC V2 website, where there would be some potential incentives for those organizations that continue to get certified prior to CMMC V2 being formalized. Any insight into that yet?

George Perezdiaz (37:13):

Caleb is very passionate about it. Caleb, go ahead, man.

Caleb Leidy (37:16):

Yeah, not that I’m aware of. It’s just one small line that says, “Hey, in the meantime, even though we’re not going to require this since everybody’s already gone through a lot of these steps, we’re thinking about ways that we might incentivize organizations to go ahead and get the certification.”

John Verry (37:34):

All right. If they did, would it be to V2? And so would it be just a V2? I’m assuming they’re not going to do a V1 certification. Yeah.

George Perezdiaz (37:45):

Yeah. Legacy’s gone, John. Legacy, it’s dead as of Thursday.

John Verry (37:51):

All right. So, all right, good. Yeah, I just want to make sure. So it would be a V2 and that would mean that we’d have to wait for some of the documentation to come out. So, if somebody says, “Hey, I’d like to become CMM.” I think personally that you’re going to see a fair number of the more forward-thinking folks in the DIB become certified anyway. It’s thought leadership; it’s a differentiator. So when do you think they’ll be in a position where they’d be able to do that? Do you think that that’s something that will happen? We’d be able to start putting people through certification in December, January, any thoughts?

George Perezdiaz (38:25):

My opinion [crosstalk 00:38:27]. Volunteer

Caleb Leidy (38:26):

They say it’s volunteer. It’s voluntary right now. Organizations can volunteer to get that certification. So, they still haven’t put out a timeline that I don’t know if they’re still going to require that eMASS documentation on the back end of it or how all of that process is going to work. I think it might take a little time to work that out, but yeah, well, hopefully within the next couple months.

George Perezdiaz (38:53):

Yeah.

John Verry (38:54):

All right. Cool.

George Perezdiaz (38:54):

I don’t see it before February. [crosstalk 00:38:56].

John Verry (38:56):

I think we beat this up … February?

George Perezdiaz (38:57):

Yeah.

John Verry (38:57):

Okay. I think we beat this up pretty good. Any last thoughts, guys? Anything we missed?

George Perezdiaz (39:02):

There’s one, John, that we did miss is the cost of certification where it mentions that it will be up to the C3PAO and dependent upon the complexity of the ecosystem or enclave about hoping that the DoD have definitions for simple, medium and high complexity so that we are not at the mercy of the C3PAOs to determine that for us.

John Verry (39:26):

Gotcha.

Caleb Leidy (39:27):

Yeah, for me, I would just caution everybody to be very closely paying attention to what goes on throughout the rulemaking process, get the public comments in. I think the DoD, no offense, got a bit of a big head on this and took a step too far in some areas and pulled back. And so now, they are still recommending changes that are not quite in line with the PAOs and things like that. So make a good point to focus on what is for sure, in fact, written down in requirements currently, and be cautious on what the DoD says are proposed plans versus what becomes finalized.

John Verry (40:13):

Yeah, I guess my last thought is that especially having listened to you guys chat for the last hour, is that it seems like things have changed a lot, but they haven’t. The requirements have changed minimally. And the way you’ll be held accountable has changed notably. But at the end of the day, you still need to do what you needed to do yesterday morning when you woke up, maybe a little less. But if you think about it, when you implement the hundred and 10 practices of a 171, those extra 20 from CMMC, you’re probably going to hit a few of those anyway. So, the reality is that, we’re back to the beginning, right?

George Perezdiaz (40:53):

Indeed.

Caleb Leidy (40:54):

Indeed.

John Verry (40:55):

Cool. All right, guys, as always appreciate your expertise and insight.

Narrator (Intro/Outro) (41:01):

You’ve been listening to the virtual CISO podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.