CMMC (Cybersecurity Maturity Model Certification) can raise many red flags and concerns. As CMMC rulemaking approaches in 2023, we take a break from our normal podcast format and answer the most asked CMMC questions to date to help ease the unknown.
This episode features George Perezdiaz, FedRisk Practice Lead with Pivot Point Security, who provides answers and explanations to a variety of questions we have received regarding CMMC. George is extremely knowledgeable on CMMC and is one of the top industry experts on the topic. During this episode, he answers our top 20 most asked questions regarding dates for rulemaking, achieving compliance for the DIB (Defense Industrial Base), the cost to become CMMC certified, and much more, hopefully providing a path for those who need it.
Join us as we discuss:
- When CMMC V2 will become effective
- Who needs to be CMMC certified
- Can a small business affordably achieve CMMC compliance
- CMMC Level 2 and 3 requirements
- And much more!
To hear this episode, and many more like it, we encourage you to subscribe to the Virtual CISO Podcast on our YouTube here.
To stay up to date with the newest podcast releases, follow us on LinkedIn here.
Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.
See below for the full transcription of this episode!
Intro Speaker (00:05):
Listening to the Virtual CISO Podcast, providing the best insight on information security and security IT advice to business leaders everywhere.
John Verry (00:19):
Hey there, and welcome to yet another episode of the Virtual CISO Podcast, uh, with you as always, John Verry, your host, and with me today, uh, a probably second or third time visitor, George Perezdiaz. Hey, George.
George Perezdiaz (00:32):
Hi, John. How are you?
John Verry (00:33):
Good. Uh, for those that don’t remember, George, George, uh, heads up PPS’s, uh, Federal Risk Practice, uh, in his, uh, in my mind, uh, one of the top guys in the, in the nation with regards to CMMC, uh, which is today’s topic. Um, we’re gonna go a little bit off script, not gonna be a, a traditional podcast where we ask, have all the fun and foral, uh, gonna be really focused on, um, you know, with CMMC, uh, coming back to being significant, uh, after a little bit of a dip, uh, we are being besieged with lots of questions, uh, and we thought it would be great to just have a podcast focused on, these are the, you know, 20 ish questions that we’re getting most often. Uh, and see if we can get ’em answered for you. Uh, so George, are you ready for our, our fir... We’re gonna go with rapid round, right? We’re gonna go through these as fast as possible, otherwise people are gonna be listening for an hour. All right. So let’s start with, um, does CMMC V2 become effective for everyone as of March, 2023? Will we need to be CMMC certified by March, 2023, or when? And do we still need to put a score on SPRS? Those are all related.
George Perezdiaz (01:39):
Okay. Yeah, good times. So thank you for having me, John. Just se FOIA real
John Verry (01:43):
Quick. Oh, always, always.
George Perezdiaz (01:44):
Well, rulemaking is scheduled to occur in May, 2023, right? That’s just the planned schedule. That doesn’t mean that CMMC will become, uh, effective, into effect then. It only means that the rulemaking will be done. It’s expected that, um, 90, 60 days by July, 2023 CMMC will be in contracts for the DFARS 7021, uh, clause that we have seen already, uh, previous of it. And the, the SPRS score, um, it’s only mandatory if you have DFARS 7019 in your contracts. Right? Okay. Uh, I know there’s a lot of discussions out there that if you have 7012, it’s automatically a requirement, uh, debatable. Right. Depends on what your contracting officer is telling you, what the DoD expects from you, and potentially what your, uh, prime contractors are also asking.
John Verry (02:32):
Okay. One quick question for you there. So, Stacy Bostjanick, at that, uh, CMMC day I was at, said March, 2023 with 60 days later, May, 2023, things starting to come into contracts. Did that shift?
George Perezdiaz (02:46):
Uh, everything that I have seen, John, is, uh, May, 2023 with July, 2023, as in when it will show up in contracts, which is exactly what you’re saying, 60 days after.
John Verry (02:56):
Yeah. Okay. So, so yeah, I keep hearing March, so, All right. We’ll have to figure that, you know? Yeah.
George Perezdiaz (03:01):
Cause she was in the, in the webinar with PreVeil, and that’s what was recorded in that session was May, 2020.
John Verry (03:07):
All right. So all, so the PreVeil webinar happened after CMMC day, so I guess they’ve shifted it 60 days. Okay, thanks. Um, next question. Can we bid on projects and or win a project if we are not yet CMMC L2 certified?
George Perezdiaz (03:22):
Uh, today, yes, <laugh>, but once rulemaking is finalized, maybe not. Right? And I say Mel, maybe not, because again, the requirement will still have to show up in new contracts saying that you are obligated to achieve, I’m sorry, to maintain and achieve CMMC level two, with the DFARS 7021. So today, yes. Uh, after rulemaking, and, uh, once it starts showing in contracts, you will have to have it.
John Verry (03:46):
Yeah. What I heard was that, uh, and I don’t know if you heard the same thing, was that the thought process is that you might have, you might be able to, you can certainly bid, uh, and you may even be able to win, but then you’d only have a six month window to actually achieve the CMMC certification.
George Perezdiaz (04:01):
Yeah, I, I haven’t heard that. I think this is where the, the waiver program, that CMMC version two comes into play, may come into play. It depends on the criticality of the, of the contractor, the services that you provide, the DoD, uh, the priorities and the availability of the C3PAOs and or the DIBCAC, right? So there’s various factors there that, that will dictate how quickly you can actually get to CMMC level two,
John Verry (04:22):
Right? Yeah. They told, they, at CMMC day, that’s what she said. She said they anticipate, but, but again, it was, they anticipate. So there’s still, I guess, a little uncertainty there. Um, you know, a simple question. Uh, how do we know if CMMC level one applies, or level two or level three? Um, do all DoD contracts by their nature require CMMC of some sort?
George Perezdiaz (04:44):
Okay. And I like how you said simple question. It actually isn’t <laugh>.
So the rule from there to see if level one applies is look for the FAR and DFARS to see if the level two applies. Uh, so if you have the FAR 52.204-21, it says that you have to have the 15 basic requirements, right, which equals to the CMMC level one in the near future. Uh, so that’s, uh, saying that, uh, do, does everyone in the DIB need CMMC? Yes. At the very minimum, they would need CMMC level one if you have those, uh, federal contract information that you need to protect from public, uh, distribution, right? Uh, for level two, the, the factor has been as soon as you receive CUI or expect to receive CUI, you had to have that natural transition of going from the level one that is almost automatic to having the level two, uh, obligation. So either one of those, it’s gonna be a, uh, definitely a requirement to play in that space, depending on the criticality, again, of the programs and the services you’re providing.
John Verry (05:47):
Okay. Good. Um, this is one of those ones, it’s more a business question to an extent than it is a, a specific CMMC question. Um, but I hear this a lot. We are an X person business, 15, 25. Uh, is it possible for a small business like us to affordably achieve compliance? Or should we be thinking about exiting the DIB?
George Perezdiaz (06:06):
Okay, now, never think about exiting the DIB, right? Uh, look for your options and opportunities there and, uh, and find a motivation or a path that, that will allow you to continue to grow in this space. So if you right size it, yes, uh, it is, uh, relatively affordable if you do it correctly and at the right layer with the right, uh, amount of effort. Uh, one thing to remember, John, and to, uh, keep reminding the, the DIB is that the DoD have said several times that the cost of security, and I’m, uh, paraphrasing something that, uh, Kate back in the day said, the cost of security is an allowable cost, right? There’s also the DFARS case that talks about, uh, that, that it is expected to be an allowable cost and it should be, uh, accounted for in the proposal. So find ways to recover that security investment, right? No different than quality, no different than time and, and, and scope.
John Verry (07:00):
Yeah. And, and I’ll take a slightly different tack on the same, you know, question in that, you know, at some point it is a business question, right? If you, if 90% of your business is DIB, then you’d be foolish, right? If at 10% of your business is DIB, and it’s gonna cost you $75,000 to achieve CMMC, you know, it may not. You know, and, and that’s, that’s the argument that, you know, the conversation that I have with people, but I will encourage this, is that we’re seeing enough people say they might exit the DIB or they’re not sure if they’re gonna, that what’s gonna happen is the, the number of providers is going to go down, which means your competition is going down. So if you’re willing to make the investment, I think you’re making an investment into, uh, into an environment where you’ll have less competition, you can probably drive greater pricing, especially cuz of the cost of security. Um, and then the last thing I, I always encourage people to think about is, if, if you and all your peers are thinking about making this investment, if you’re the only one who does, not only is there less competition, but the barrier to entry for some guy in a garage right now to spin up a sheet metal shop or something of that nature, is that much higher because he’s got to, into his startup cost, he has to bake CMMC certification.
George Perezdiaz (08:09):
Yeah, exactly. I’m with you. It, uh, don’t ever think about giving up. Uh, there’s, there’s many options out there. Have you explored all of those? Right? Uh, at the end of the day, if you need to call us and, uh, and see how we can explore some opportunities with you, we are happy to do that.
John Verry (08:24):
Sounds good. Uh, another question we hear a lot, um, we, you know, we sell parts there, you know, we sell COTS parts or commercial off the shelf. Um, do we still need CMMC and NIST? And, you know, follow on to that was, you know, how does the DoD determine if a product qualifies as COTS?
George Perezdiaz (08:42):
Okay. Yeah. So it’s almost, uh, the same answer for do I need CMMC? Uh, very likely you’ll need at least level one, right? That’s almost going to be an automatic requirement to protect those 15, 17, uh, basic requirements. The, uh, the other portion to that aspect is, um, no, again, if it is COTS only, CMMC level two, it splits, I’m sorry, DFARS 7012 specifically calls out that it will be out of scope. Uh, one thing to remember, as you look at the services and products that you provide to the DoD, is it a commercial product? And it’s part of the definition that, uh, the FAR has on their, on their website. Uh, is it, is again, is it a commercial product? Uh, is it offered to the government under contract without modification? So that generally says that, hey, if it is, this is a COTS, DoD or whatever federal client you have, I do not need to have a level two because those things apply. Uh, so at the end of the day, uh, just know your rights, know what you’re working, know the end applicability of that product, and, uh, and you’ll be in good shape there.
John Verry (09:48):
Um, you know, another question we hear a lot, George, is, you know, some variation on, Hey, we’re currently ISO certified, there’s always talk about reciprocity. Do we still need to get CMMC certified? If so, you know, how much additional work is it? How much additional cost is it?
George Perezdiaz (10:03):
Mm-hmm. <affirmative>. Yeah. Uh, that’s, uh, like you said, something that we hear very often. Uh, and unfortunately back, back in the days back, what, two years ago when, uh, when we all were looking at CMMC through the lens of version one, reciprocity was a heavy item of discussion. FedRAMP was, uh, FedRAMP was in the plan. And then ISO. We recently had notification that FedRAMP reciprocity now exists. The ISO is next, right? I’m thinking probably in the next six to 12 months, uh, we will have more guidance. But as of today, they’re not one and the same. They’re, uh, somewhat completely independent. As you know, John, it all comes down to the scope of applicability and how you build those, your ISMS, your information security management system, and also your DoD scope. Are you making them one and the same? And then you can easily or relatively easily maximize on those investments that you’ve already made for the ISO. But there’s gonna be some, uh, heavy lift in there in identifying your assets, categorizing them correctly, making sure that those, uh, data, um, paths and data communications are tagged and labeled correctly, uh, to and start building that, uh, scope for CMMC. So, yes, this is a very tricky question, right? Uh, cuz ISO has that, uh, store only versus the process and transmit the CUI has, uh, as far as cost go, I probably will say, uh, help me out here, right? <laugh>, uh, cause
John Verry (11:29):
Yeah, well, the cost is hard. The cost is hard to guess, right? And it also depends on, you know, are you, do you already have your NIST 800-171 stuff in place and we’re layering ISO on top of that, or vice versa, do you have ISO 27001? And now we’re just trying to, you know, have ISO, which is a framework for managing frameworks, you know, manage your CUI, you know, framework, your, your, your, uh, uh, 800-171 CMMC framework at the, the same time, um, if you’ve got a mature environment, I mean, you know, you can probably tack this on in the, you know, 25 to $35,000 range is probably not a bad idea to think about, but it really depends, right? The more, as you said, both of them are scoped certifications. So if the, if the information and scope of ISO is CUI, then that, that delta is very little. If this, if you’re protecting, uh, commercial data differently than you’re protecting CUI, we might have two, effectively, two enclaves. That’s gonna be more, almost two separate projects. So, all right. Uh, what else we got? Um, simple one. I, I keep saying that to you and you keep getting mad at me. Uh, how long will it take us to prepare to get CMMC L2 certified? How much should we budget?
George Perezdiaz (12:40):
Uh, yes. Very, very simple. Uh, so you can say at least, it depends, right? Depends how big a,
John Verry (12:46):
But that’s the answer. That’s the answer to all these questions, right? It depends. I told you it was simple. All right, next question, <laugh>.
George Perezdiaz (12:53):
Yeah. So, yeah, it’s one of those things I, I, I haven’t seen anything go faster than nine months, John, and that has a lot, uh, to do on the OSC’s motivation, right? The organization looking for that certification, they have to be committed and motivated if they’re not, Oh, and that, uh, leadership support, right? That cliche line item that says you have to have the leadership support. It is critical because you definitely are going to make some drastic investments. You probably are going to have to be, uh, a, a champion of change for your business. So it’s going to be different, uh, for any organization, depending on the culture, depending on how quickly you can, uh, acquire new technologies and new processes and tools and, and policy, right? Uh, so as far as the funding, I generally tell folks, and I, this is from an example of what we have seen here at PPS, uh, account for either having a 1.5 FTE to manage and maintain or a similar investment for getting it implemented. Uh, and that, you know, will vary dependent on the skill level that you were looking to, to hire and, and acquire there.
John Verry (13:58):
Yeah. And I, I think that the, I, I agree with you that most of the projects that we’ve had, uh, have gone relatively slowly, but a lot of those were sort of delayed by the delay in, in the DoD’s review, and people take a backseat. So I would assume that as we get closer to, you know, May, 2023, that you’re gonna see more people be getting, being able to get projects done faster because, you know, the urgent becomes the, the important becomes the urgent. Right now, CMMC is important, but it has not been urgent, right? Right,
George Perezdiaz (14:30):
John Verry (14:30):
Yeah. And I usually tell people, you know, and again, you know, a, a, a global organization with, you know, that does a billion dollars worth of bearings is gonna be a lot different than a 15 person DIB company. But if you look across at a 150 or 200 person manufacturing organization, I mean, I think generally speaking, you know, somewhere between 50 and 150 might be a reasonable range, depending upon what they don’t. You know, the 150 is gonna be, We really haven’t done much before. We don’t have a SIEM, we don’t have our information, uh, you know, we don’t have a good secure form of, of data transmission, you know, and then I think the lower end of that’s gonna be, we’re in pretty good shape. We just gotta button things up and, and implement a few pieces of technology. All right. Um, let’s see. Um, here’s another interesting one. Um, and this is not an easy one to answer, maybe. Uh, we are a small consulting company that provides bodies on bases. Uh, we are being asked for CMMC, although we do not actually handle any CUI on our systems or networks. How do we proceed?
George Perezdiaz (15:31):
<laugh>, uh, generally speaking, uh, look at the contract and what you have agreed to do on behalf of the DoD or the DoD client. If you accepted the DFARS 7012 clause, now you are obligated to have the security requirements that you said you’re going to implement. And it’s 800-171 equals CMMC two right now. Um, however, we have a few clients in that same boat, right? And one thing to remember there is that the information that the DoD provides may be CUI because of the job description, the personnel, the technology requirements, skill level technology, things of that nature can give insight into the DoD priorities, right? If I need 15 SATCOM, uh, professionals at name a base, uh, or a military installation, now I’m given insight of what is the DoD planning to do with the mission in that particular base or installation or, you know, Navy side. So the things that look trivial may not actually be that, uh, casual of a thing. Uh, this is something that in the classified world, right? You look at, uh, flight schedules and things of that nature, that stuff is classified. It looks very simple. But depending on the, the, the materials that you’re moving across, uh, the bases and the different installations, that stuff indicates that the DoD’s moving to do something, is building a capability to gain visibility into something else. So likely they have CUI and they just don’t know it.
John Verry (17:02):
And just for my own edification, let’s say in theory they don’t have CUI, but they have a clause. Is there a way to build an enclave, you know, that would capture any CUI that flew, you know, did float into the environment? I mean, because like, you know, if I, if I don’t really don’t believe I’ve got any CUI, it’s still possible to become CMMC L2 certified.
George Perezdiaz (17:24):
Yes. We actually have clients in that particular space, right? Where they say the DoD is saying that I have CUI and I want to continue to play in that space. Can I get CMMC ready? And we did that, right? We built them a secure room, right? With the key and the lock and a layer over a layer and cameras and fences that it’s empty, right? Whenever the DoD says, Here’s your CUI, they can comfortably say, I can put it here in this secure room. So there’s no need to panic and running around like crazy. What am I gonna do now? They are ready. So yeah, that’s actually more normal, normal than you will think.
John Verry (17:58):
Okay. So we, we architect to the future state,
George Perezdiaz (18:01):
Uh, we always architect to the future state <laugh>. Well, that’s
John Verry (18:04):
True. Hey, uh, very, very good point. Um, okay, um, how do we know if we are a company that’s gonna be allowed to self-certify? I think this is going back to the, the bifurcation, which seems to have been on the table, but kind of they backed off of that and it seems like it’s going off the table. Um, yes. So I think that’s what they were referring to.
George Perezdiaz (18:26):
Uh, but yeah, John, that, that’s actually one of the toughest questions to answer because, uh, of that we don’t know. The DoD still hasn’t given clear guidance on when and if the bifurcation is going to apply, and how are they going to apply it? Uh, I think it’s more complicated than the DoD will think. So the, the message there will be, do your self assessment, be ready for, for a CMMC, uh, assessment if you need it. And, and just do the right thing. Be, be prepared. If you’re saying that you’re, uh, ready for CMMC, ready for, uh, to handle CUI securely, then that’s, uh, that should be the mentality there. But yeah, that one is still waiting for it.
John Verry (19:04):
And what I’ve told people is it really doesn’t matter if you’re going to self, the only difference is you’re not intending the order and you’re saving X dollars, you know, $30,000, $50,000, whatever that number is. But I mean, the process of getting prepared and the process of being in a position to assert that you are is the same. So it really doesn’t matter. Just consider your, you know, follow the same process and consider yourself lucky that you saved X dollars until, until finally they say you need the certification formally,
George Perezdiaz (19:30):
Right? And, and we’ve always said that, uh, the DIBCAC’s still around, the DIBCAC will still reserve the right to do an assessment at any given time at any organization. So just be ready,
John Verry (19:40):
Right? And, and if you’re found to have not been fully truthful, and if your basis for signing off, right? It does require senior official signing off, right? Still. So you’re putting yourself at some level of risk if you sign off on something which you don’t know is fully conforming, and then if you were to be audited or there was to be a, a claim, right? A whistleblower, uh, you know, then you might be subject to the False Claims Act, uh, which, which can be pretty onerous. Uh, what else we got here? Um, I like this one. Is there a path for non-US companies to get CMMC certified? Uh, and does that change if we are processing ITAR data?
George Perezdiaz (20:20):
Okay. Uh, so this is actually a question that I saw within the, the OSD CMMC website that is saying that this particular path is under, uh, under implementation. And that the main goal of CMMC, of the CMMC program is to establish that cyber security baseline to protect CUI regardless of where it is, what side of the border it resides. So, um, I’m pretty sure that if you’re protecting, uh, if you’re helping with critical missions, critical programs, the DoD will be more than happy to assess, uh, your security controls and, and potentially issue that CMMC certification. Uh, the ITAR part is, uh, is a, it’s a tricky one, right? Cause the ITAR will bring additional requirements, including potential need for a license, uh, from DoS or Commerce or whomever. I think you’ll have somebody here in the near future, John, to talk about this more from a legal perspective, which I always like those discussions, right? Uh, but, uh, as you know with the ITAR, you have the, the, uh, report, new reporting requirements. You have new encryption requirements, including end-to-end encryption. Uh, and then if you have that ITAR that comes to you available to you with the DFARS 7012 in addition to the DFARS, I’m sorry, the ITAR requirements, you now have also CMMC. So, um, does it change with the ITAR? Yes, you will have definitely additional requirements as soon as you start handling, processing ITAR information,
John Verry (21:45):
Right? And, and isn’t there a little bit of a complication or is that the letter that you’re referring to? If, if, uh, if you’re a foreign company in theory, right? Doesn’t ITAR data? Well, it used to, right? Maybe these new regulations that you’re talking about. Didn’t ITAR data need to stay on, you know, at least be restricted to access by US citizens?
George Perezdiaz (22:04):
Yeah. And that’s, that’s the, what they’re called. The, uh, the newer interim rule for the ITAR, uh, for the ITAR to March, 2020, that they say that now you can access, if you are an authorized user, you can access ITAR from outside of the US as long as you’re not bringing that information into that region. So essentially,
John Verry (22:22):
But you still have to be a US citizen.
George Perezdiaz (22:23):
You still have to have, not necessarily a US citizen or a US person. Remember, you can be a non-US citizen and be a US person and be authorized to access ITAR. Uh, the, the requirement is, um, green card holder, uh, uh, political refugee and some other descriptions that the State Department has. That’s what we use, the, the authorized user. Cuz you can also be a non-US person and have a license that authorizes you as a person or as a company to have those folks, uh, access your, your controlled information. Uh, and the other aspect there is that that connection has to be end-to-end encryption, uh, encrypted, which it becomes really, really, uh, challenging to achieve.
John Verry (23:02):
Okay? So, so, so you know that the ITAR definitely complicates that being a foreign company. Uh, but both should be doable if you architect things the right way.
George Perezdiaz (23:16):
Yes, anything is doable, right? You just have to have the right amount of, of money and the, and the will to do it correctly. But yes.
John Verry (23:24):
Um, here’s an interesting one. Um, does an SPRS score and or CMMC assessment look at the flow down of CUI requirements to our vendors? If so, what do we need to do? As 800-171 and CMMC do not include vendor due diligence guidance? Um, and then part of that is also we also have SaaS products, uh, that, that are in use. Do they have to be FedRAMP certified if they might receive CUI?
George Perezdiaz (23:48):
Okay, that’s, uh, that’s a good one. Loaded. So, uh, DFARS 7012 and, uh, in the subcontract section, I believe is Section M, talks about the, you should, should include the DFARS 7012 clause in subcontracts, right? So yes, it’s not going to be something that you find in this 800-171 cuz you have straight up 110 controls. But as a contract requirement, you are obligated to let your subcontractor know that, hey, this applies to you as well since you’re helping me achieve this DoD, uh, mission right now, you’re handling CUI on my behalf. Uh, so yes, uh, there’s no supply chain, uh, security there, but, but you have to do that. The, uh, the same issue is true for FedRAMP Moderate, right? You can see that, uh, or equivalent, the DFARS, uh, 7012 says that if you’re going to use a CSP, it has to be FedRAMP Moderate or equivalent. There’s also nothing in CM, I’m sorry, NIST 800-171 or CMMC that says how will the, uh, assessment body look for those things. So those are more of, uh, contractual requirements that you have to account for. That’s what we always emphasize. Read the contract, read those clauses and, and provisions and make sure that you understand and you agree and you’re going to, uh, implement your CUI program in accordance with all those different caveats.
John Verry (25:10):
Right? Uh, and, uh, correct me if I’m wrong, my recollection is that the, the CMMC assessment process that came out specifically does cover. So it was interesting to me that, cuz I always wondered how this was gonna work, right? Cuz you’ve got a CMMC assessment that doesn’t cover DFARS clauses, but it looks like they added some specific stuff into the CMMC assessment process that does address at least those particular DFARS clauses,
George Perezdiaz (25:35):
Correct? Yeah. And that was, uh, that was refreshing to see, cuz originally we, uh, assumed and anticipated that they always, I’m sorry, the C3PAO was not going to do that. That that was going to be a DIBCAC responsibility to go look after. Uh, granted if the C3PAO noticed something, they had the right to report to the DoD, Hey, I noticed that these things are happening there, including the non-FedRAMP Moderate items. So, uh, yes, I was happy to see that one item there.
John Verry (26:01):
Uh, agreed. Um, you hear this one a lot. How detailed will a C3PAO assessment or DIBCAC audit be? How detailed will my procedures be reviewed? Um, how many months of evidence do I need to pass a CMMC assessment? Do I need policies, procedures, and or an SSP to pass my assessment? So, uh, what, what’s it gonna take to live through a C3PAO assessment or a DIBCAC assessment?
George Perezdiaz (26:26):
Buckle up essentially, right? <laugh>, uh, the, the good thing about the process now is there is a, uh, a, a review, an assessment before an assessment, right? The C3PAOs and the <inaudible> have realized that they don’t have the time to go assess someone just to fail them, right? So yes, it is going to be detailed, but it’s going to be detailed from day one. As soon as you con contact the C3PAO and say, Hey, I think I’m ready for an assessment. Oh, you are. Let me see what that looks like. Right? So right then and there it is going to be detailed. It is going to be, uh, demanding. So the key is to be ready. The key is to start generating your evidence today, uh, for each one of those requirements, for each one of those objectives, document it, log it.
Um, the C3PAOs expect, of course, an SSP. That’s where everything starts. That is one of the requirements that is in NIST 800-171. And what you want to do with your, it’s the, uh, with your SSP is to, again, build it in a way that someone can pick it up and know how to maintain your system or now, or how to even rebuild your system, right? The key is that that is your, it’s a plan. How do I manage, how do I build it? How do I maintain it? Uh, so your processes can be within the SSP or be assigned to something else. Uh, but it has to make sense. It has to make sense for the assessment team to pick it up and see, okay, I see how this process will generate this output and that is repeatable and achievable. So yes, buckle up. You have to be ready and no kidding, you have to be ready.
John Verry (27:57):
Yeah, when somebody asks me that, a lot of times what I’ll do is actually just pull up one height. Uh, you know, and anyone listening, 800-171A is a fantastic document to understand what it’s gonna be like to go through an audit. You know, so I’ll literally grab an 800-171 clause and say, Okay, look, here’s what they’re trying to look, here’s what they’re gonna look for. And I love the bottom where it’s, you know, select this from this. And it really gives you an idea of where you might either create your evidence from or where they may ask for the evidence. Uh, I think that’s probably the best way to prep for an audit. Short of, uh, us doing like a readiness assessment, you know, doing our own preliminary audit, which is also recommended if, if passing is critical. Um, great. And
George Perezdiaz (28:34):
The CMMC Assessment Guide as well, John. Just, uh, sorry about that, but yes. Yeah, the CMMC Assessment Guide is fantastic with the examples and everything. Granted, the examples are not something that they will be assessing, but it’s something that can help you generate an idea of what you’re supposed to be doing there.
John Verry (28:49):
Yep. I agree. If I get CMMC certified using NIST 800-171 R2, do I need to re-certify when NIST 800-171 R3 is released?
George Perezdiaz (29:00):
I can say that is a great question.
John Verry (29:03):
I know the answer, I think. I think I know the answer.
George Perezdiaz (29:06):
Very likely, yes. Right. So if you get certified today in the voluntary period, and let’s say in May we codify CMMC, and in July it starts showing up in programs, now you start that clock, right? Let’s say NIST 800-171 revision 3 comes out in the July timeframe. So next time you are up for re-certification, you probably want to start moving towards that new standard, right? Cause it is expected to be the latest of the publications there.
John Verry (29:38):
Yep. Yeah, that’s what I heard Stacy say. You’ll be okay until the re-certification. And as of right now, CMMC is a three year certification, right? It’ll be interesting to see whether or not we have any reporting requirements in year two and year three, but for now, they haven’t outlined any. <laugh> Here’s a loaded one. This is not an easy question. Should we pursue a voluntary assessment?
George Perezdiaz (30:04):
<laugh> Why, right? <laugh> So, it depends on what you’re trying to achieve. What is your motivation and how ready are you? If you know that you can pick up that test and score a hundred, by all means, go for it. But know that it’s not going to be painless, know that it’s going to be demanding, and know that it’s not gonna give you an automatic Level 2 certification. We still have to wait for the rulemaking to happen to be able to achieve that. So as long as you understand what you’re getting yourself into, and you’re ready to get the seal of approval, go for it. We have three organizations right now that wanna go. And we are going through the process right now, and we are hoping that the DoD looks at our items and decides to put at least one of our clients through the process. Cause we’re excited about it and we’re very proud of what they have done to be able to say, Hey, we’re ready. We are. Bring it.
John Verry (31:01):
Yeah. So, I mean, is the answer to that question, do you perceive it as being a competitive advantage worth the cost? I mean, cause that’s really what it is about, right? It’s about being able to promote your services to agencies or promote your services to primes that are bidding a large contract and say, Hey, we’re already through. We already have a successful assessment.
George Perezdiaz (31:24):
It’s hard to say, John, cause right now you’re required to have an SSP, a plan of actions and milestones, and an SPRS score. That’s what the DoD is looking at, right? Your SPRS and all the evidence that you have logged there. Granted, there’s more value to an SPRS score that was submitted by the DCMA or a C3PAO versus
John Verry (31:46):
Way, way more, way more. I mean, one is self attestation, one is third party attestation, and the DoD has gone on the record, and I forget what the exact number is, but they’ve reviewed things and said that, what, 70%? That the average score reported in SPRS is, what were the numbers, 70% higher than it really is in reality.
George Perezdiaz (32:07):
Right. I think I just saw one, and yes, low twenties, I think it was, when somebody actually thought they were at 110. Yeah,
John Verry (32:15):
Exactly. So I think that, you know, if I’m an agency or I’m a prime and I’ve got somebody who’s been validated independently, objectively, versus someone who’s self-reported, and they both have the same score, I’m definitely going with the person that’s been validated independently.
George Perezdiaz (32:28):
Yeah. Yeah. So yeah, you have to be a prime, right? If you’re a subcontractor and you’re going to brag about it, it’s gonna be kind of hard to validate that you indeed went through one of those, but yes, definitely an advantage.
John Verry (32:41):
So I know that you showed me an email recently that ties to this. One of our most important primes is pushing for NIST 800-171 and additional standards. Are they allowed to do that? <laugh> Why are they doing that? Will we need to comply, right?
George Perezdiaz (32:58):
Why did you add that one here? That just happened.
John Verry (33:01):
<laugh> Because I thought it was a fantastic question.
George Perezdiaz (33:05):
So yeah, it’s a matter of contract, right? If you’re protecting different data sets in different ways, I think that’s what they’re going for there. What is your commercial information? I.e., I want you to have ISO for this information. What are you gonna do with my CDI and CUI? I.e., I want you to implement and be responsible for DFARS 7012 and NIST 800-171. So it’s a matter of convincing that one client that, hey, every time you give me information, just so you know, I’m gonna treat it as if it is CUI. And probably, if you’re actually being truthful, you don’t have to do those other two standards. But it is valid, and it is a business decision. It is a business conversation that they need to be well equipped to answer.
John Verry (33:52):
Yeah. But I guess the question is, I don’t need to do it, but they also don’t need to give me a contract if I don’t do it, right? So I guess the question is, if they’re contracting with me, they have the right to put anything into a contract that they want, and if I want their business, well then I’ll do what they say. And if I think it’s unfair, man, I won’t.
George Perezdiaz (34:14):
Right? It’s a requirement, right? I have my requirements for you to be able to work with me. You either comply with those requirements or I’m gonna go somewhere else, right? Or we can negotiate, right? Cause the other item there, it’s a matter of understanding, right? I’m going to apply this security component now. Are you willing to pay for it? Because now it’s a requirement, right? So the cost that I gave you yesterday for that thing that you wanted from me, that didn’t come with the ISO or the CIS standards, now the cost likely must and will change, right? So it’s a business decision. It’s a negotiation item.
John Verry (34:48):
I think you might have written a blog recently on the next question: can I discuss CUI over POTS lines, you know, plain old telephone service?
George Perezdiaz (34:57):
Yes. And I was pretty happy to get some really good answers from some really good folks within the DoD and industry. And the answer is that it depends on the CUI that you’re handling, right? And I did some research there real quickly. So GSA says some CUI you’ll be able to discuss over plain old telephone service, over POTS. I think it was Agriculture that has some different requirements, but the DoD was very explicit about it, right? So if you have DoD CUI, you will encrypt that communication. That’s a part of that contracting toolbox. So yeah, that was really good guidance. And we also heard that from Stacy, which we appreciate every time she replies to one of our questions.
John Verry (35:38):
Yeah. So technically, right, if somebody’s using voice over IP, which most people are these days, you just wanna make sure that you’ve got encryption enabled, and broadly, that way you don’t ever have to think about it.
George Perezdiaz (35:49):
Yes, sure. Okay. I think it’s a little bit more complicated, but yes.
John Verry (35:58):
I think many, if not most, you know, like Cisco VoIP systems are configured with encryption turned on. Yeah, I think that’s fairly standard. No?
John Verry (36:12):
Okay. Does my backup CUI need to be FIPS validated?
George Perezdiaz (36:20):
Good one. So it depends, but maybe not. Right? The good thing about NIST 800-171 is that oftentimes it gives you the flexibility to define and design your controls. So that one requirement actually says protect the confidentiality of CUI at backup locations, something like that, right? So it is not explicitly saying that you must encrypt the backup. And if it said encrypt the backup, then that means that the encryption has to be FIPS validated or NSA approved, right? But because it’s saying just protect the confidentiality, that means that you have the flexibility to use encryption and/or alternative physical security controls.
John Verry (37:06):
Okay. Can I put encrypted CUI on a non-FedRAMP Moderate equivalent SaaS or CSP?
George Perezdiaz (37:14):
That’s another tricky one. Yeah. So <laugh>, encrypted CUI does not mean that it is not CUI anymore, right? It still remains CUI, the way I understand it. Putting a password on something doesn’t automatically make it not CUI, right? And if we go back to the requirement from DFARS 7012, if you are using a cloud service provider to handle, process, store, or transmit CUI, then that cloud service provider has to be FedRAMP Moderate or equivalent. So yeah. So you want to be on the side of caution and make sure that that container is authorized and approved to handle the sensitivity of the data that you’re putting in that medium.
John Verry (37:59):
Yep. Makes sense to me. Do I need end-to-end encryption for my CUI?
George Perezdiaz (38:06):
So that goes back to the ITAR conversation we were having, for that rule change in March 2020. That is an ITAR requirement, right? It applies only if you are doing certain use cases; it’s not always a requirement, right? As I understand it. So for CUI, no. CUI, if you look at it, there’s nothing there that says, in NIST 800-171 or in DFARS, that you must protect CUI with end-to-end encryption. You have encryption in transit and you have encryption at rest in some of the requirements, right? But there’s nothing there that says that you have to have encryption in use, which would make that end-to-end encryption.
John Verry (38:46):
Okay. Why, when, and where do I need MFA for CMMC?
George Perezdiaz (38:53):
Yeah. So I like this question a lot, because a lot of the times, our folks, so let me see. The CUI, you have to protect it in accordance with where you have it, right? So the MFA, sometimes we see folks say, Hey, I’m gonna put MFA before I get to FedRAMP, to my GCC High or whatever cloud tenant. But as soon as you save CUI, or process or store it within your desktop, now you have MFA in the wrong layer, right? You’re protecting the CUI that is on the cloud before you get to it, but you neglected to protect the CUI that is inevitably going to be on your laptop. So that’s why it’s very important for organizations to sit down and slow down and look at how and where my CUI is going to traverse and travel and interact. Because you wanna make sure that you do it correctly. So likely you’ll need it at the endpoint, at the edge, before you get to the operating system, like most organizations have it, and likely you will need it with the VPN, if you have a VPN, or before you get to that container that has your CUI. So there’s various places to deploy. Just make sure that when you’re deploying this, you’re doing it at the right layer.
John Verry (40:09):
Right? So this is why I’ve heard you say to somebody, like, Really, we should get the SSP complete, understand where your CUI lives, before we start purchasing anything.
George Perezdiaz (40:20):
Yeah, exactly. As soon as they contact us and they say, Here’s an SOW, please don’t buy anything yet. Let’s talk this through. Right?
John Verry (40:26):
All right, so speaking about buying things, and this is also, your answer’s probably gonna sound a lot like this. You know, do I need a SIEM? And then of course, the next question beyond that is, what does the SIEM need to do? And I think your answer’s gonna sound a little bit like this last answer.
George Perezdiaz (40:40):
Yeah. So maybe it’s a little different, cause the AU, right? The Audit and Accountability family points out a lot of: you need a SIEM, you need a SIEM, you need a SIEM, a security information and event management capability. And the answer is, maybe, or maybe you don’t need a SIEM, right? There’s nothing, again, in NIST 800-171 or DFARS that says that you need a capability similar to a SIEM, as long as you can achieve the objective of those requirements, right? Do the correlation, do the monitoring, help you achieve that continuous monitoring, rapid response and reporting, then you can do these things without a SIEM. I actually, I’ve been hanging out a lot in NIST 800-172, just to get ready for Level 3, because that’s how ambitious I am. And there’s one instance there that mentions the SIEM, and it is, of course, a control enhancement for threat hunting. So not until you get to that high level, I’m sorry, the high value assets and the intent of 800-172 or CMMC Level 3, is when we start seeing it explicitly, as an example, right? It’s not even a requirement; it’s saying that a SIEM can help you achieve this thing. So in short, John, no, you don’t have to have a SIEM, but it simplifies a lot of the ways in which you’ll achieve the AU family and the continuous monitoring.
John Verry (42:04):
Right? And just to be clear, I think what you’re saying is that, to meet the logging and auditing requirements, a SIEM is not the only way. It might be the most common, it might be the path of least resistance, but you could take a Kiwi Syslog server and then, from the correlation perspective, you could write some Python scripts that sit on top of that and alert you when things go on, and that combination is gonna work. Or some people have used Graylog. So that’s what you’re saying, right? I mean, you need the SIEM capabilities, but you don’t necessarily need a SIEM.
George Perezdiaz (42:35):
You don’t necessarily need to go buy a SIEM. If you’re good at scripting, like you said, and coding, you can build yourself that logic, right? And live without it. But is it recommended? Why would you build something that you can buy? Right? So
John Verry (42:49):
For most people it’s probably, yeah, it’s probably the path of least resistance. And then the other reason why I said I thought it would sound a lot like the last answer is, until you really understand how that data, the CUI, flows to you, through you, in your systems, you don’t know which logs from which applications and which systems need to actually be talking to your SIEM. I mean, if you got down to a point where there’s three systems, and those are the only three systems, then you probably don’t need a full featured SIEM, right? A Kiwi Syslog server is gonna work great.
George Perezdiaz (43:19):
Yeah, that’s an excellent point. And we have seen it too, right? Let me see a report. And they’re getting reports from their SIEM for a system that has no business there; it’s far away from the CUI. Do you
John Verry (43:30):
Have, or the opposite. They have every system except the ones that they need. Oh, well look at all these logs we have. Yes. But you know, this system over here that houses all of the diagrams, do we have any? No, no, no. We don’t log on that. We don’t wanna disrupt it. You know, we’re worried that it’s not gonna work. Right? Okay. So there’s a requirement in the standard, security engineering, SC.L2-3.13.2, and it says, employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. If I don’t develop software, do I need to worry about that, or is that not applicable to me?
George Perezdiaz (44:22):
Yeah, that’s true. We do get a lot of that from our clients and potential clients. So the key there is security engineering, right? It’s the one thing that you need to zoom into. Organizations need to start thinking about what we just talked about, that acquisition process. Do I have it in my enterprise? Is it something that I can reconfigure? Is it something that I’m gonna have to buy? Once you make that determination, now you have to think about hardening that system, making sure that it has this functionality, that it is available whenever you need it, and that it has the security controls necessary to help you achieve your mission objective securely. So that’s where essentially your SDLC, secure SDLC, comes from, you know, your system security lifecycle management, or system development lifecycle management, which often used to be just software, right?
You have to think about that golden image, if you’re old enough. You remember having fun with Ghost and scanning something and making it there. So that’s what this requirement is looking for, including embedding security practices, whatever you have, in that system acquisition, that system lifecycle process, and that includes your change management as well, right? That’s why I mentioned that the SSP is so important, and the diagrams within your SSP. A change request comes in and says, I want to add or remove this particular system. How is that going to affect your SSP and your entire CUI ecosystem? Is it going to affect your monitoring capabilities within the SIEM? Is it going to introduce new vulnerabilities? Are your assets going to be affected? Your CUI assets, your SPAs, your security protection assets, and your contractor risk managed assets, are they going to be affected? Are they going to continue to execute in the same manner as before you make that change? So just having that as a day to day operation and activity, and making sure that you look at those line items and anything that’s coming into and out of that ecosystem. Have you done a security impact assessment of sorts before you implement any of those changes?
John Verry (46:28):
I think if you summed it up, the idea that you’re moving from a software development lifecycle to a system development lifecycle means that the principles within that particular control come into play, whether you wrote the software or whether you’re just acquiring it and then implementing it, correct?
George Perezdiaz (46:46):
Yeah. And then instead of software, it will be that information system, right? Anything that you’re plugging into your network.
John Verry (46:52):
Perfect. So the good news is, you were pretty damn efficient and we got through all of our questions in a reasonably good timeline. So, appreciate that. George, man, thank you. I appreciate your help here.
George Perezdiaz (47:07):
Okay, My pleasure, John. Always happy to be here.