October 7, 2020

Preparing to achieve CMMC compliance may seem daunting.

Especially in 6 challenging components.

But we’re going to make them easy.

In the latest episode of The Virtual CISO Podcast, the tables are turned and I’m the one being interviewed. I explain these 6 problem areas and offer ways you can solve them.


Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Narrator (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

Jeremy Sporn (00:25):

Hi there, and welcome to another episode of The Virtual CISO Podcast, snickering from the peanut gallery as always.

John Verry (00:34):

You thought it was easy. You thought it was easy.

Jeremy Sporn (00:38):

I am your host, Jeremy Sporn, and with me, unfortunately, as always, the cheese to my macaroni, John Verry. Hey, John.

John Verry (00:48):

Hey, Jeremy. Something feels funny here. I’m not sure what.

Jeremy Sporn (00:51):

Yeah, it is a little weird. We are flipping the script today. And instead of John asking the questions and guiding the conversation with a more intelligent guest, today, John is our CMMC subject matter expert who’s going to take us on a deep dive look at the, what we call the six gotchas of CMMC. These are the six areas of CMMC level three we see organizations in the DIB struggling with the most.

Jeremy Sporn (01:23):

For reference, John is actually the most knowledgeable CMMC person on our team. He developed the service offering we are using to help our clients get CMMC audit-ready. And he is a 30-plus year information security practitioner. Put on your scuba gear, everyone, because we are going deep into what you need to know about being ready for CMMC. John, any final words before we kick this thing off?

John Verry (01:50):

I hope I live up to that quite significant introduction.

Jeremy Sporn (01:56):

I’m sure you’ll be just fine. All right. So like we said at the beginning, you and I have talked about these six areas that tend to be the most challenging for DIB organizations to achieve under CMMC level three. And they are mobile device management, multifactor authentication, end-to-end encryption, e-mail spam protection and sandboxing, logging and alerting, and last but not least, managing supply chain risk. It’s a bit of a mouthful. We’ll break them down one at a time, starting with mobile device management.

Jeremy Sporn (02:30):

So according to the access control practice, AC.3.022, CUI on mobile devices must be encrypted. How do you go about advising companies on how to achieve this?

John Verry (02:45):

So as is always the case, any one specific control doesn’t stand alone. So as an example, when you talk about that particular control, I think another one which speaks equally directly to this particular requirement is 3.1.18, control connection of mobile devices. Actually, that reference was from this NIST SP 800-131 because I was just looking at it.

John Verry (03:10):

But the idea is we really need to control connection of mobile devices. And if you just take it back a step further, we have an obligation to maintain the confidentiality of CUI throughout its life cycle. So to the extent that your organization gets mobile, and when I say gets mobile, that could be laptops, that could be phones, that could be tablets, whatever it might be, we have that obligation to ensure that we’re controlling connection on these mobile devices, that the data is remaining in a FIPS-compliant encrypted state.

John Verry (03:43):

So generally speaking, the easiest way to think about that is, if you’re going to have a lot of mobile devices, to move towards a mobile device management solution. One of the nice things, and I think one of the groups that has a little bit of an easier time with this, are organizations that are on the Office 365 environment. Now I guess they’re calling it Microsoft 365. Because they’re like… and this is what we do, by the way, internally, is we use their Intune solution. It’s a fairly solid, fairly robust mobile device management solution.

John Verry (04:13):

Now it gives you a lot of great features in terms of being able to ensure… it almost works, in a sense, as part of what we refer to as almost network access control, so we can actually ensure that devices meet a minimum baseline of configuration, which is another one of the requirements of CMMC, configuration management. So we can ensure that the devices meet this minimum baseline before they actually connect to a network location, if you will, or an application where CUI is being stored. We can also control coin the device. We can also ensure that the device is appropriately being encrypted in accordance with our requirements. And we can also do things like remove that data automatically in the event that a device is lost or in the event that an individual leaves the organization, if it was part of a BYOD solution. That makes sense?

Jeremy Sporn (05:03):

It does. Yeah. Now one of the things I always like to ask around mobile device management is the end user challenge, because there does seem to be some feedback from end users that mobile device management is not a fun thing. It’s another hoop you have to go through. What would you say? Is there anything you can give our listeners feedback on that would help them sort of talk to those end users and say, hey, this is important. This is why it’s important. This is why we got to do this.

John Verry (05:30):

Well, so I’ll go the other way, right? So you work at Pivot Point Security, and I act as our CISO, and I make you have mobile device management on all your devices.

Jeremy Sporn (05:39):

This is not how I saw this going.

John Verry (05:41):

No, no, no. So how did we do that successfully, right? Because I think if you look at the way that we’ve implemented things, I mean, listen, nobody loves having to put in multi-factors for authentication. Nobody likes to have to… every once in a while, have the device, say, hey, your password is no longer conforming with our revised password policy. Please update it.

John Verry (06:02):

But do you find it that much of a… like I said, we’ve used Intune, which I think is a really solid tool and it comes along for free, which is awful nice. Do you find it that restrictive yourself?

Jeremy Sporn (06:12):

It’s funny. The first week or so, it was a pain in the ass to people.

John Verry (06:15):

Yes, I agree.

Jeremy Sporn (06:17):

Then you just get used to it. It’s just another part of how you access your information, how you communicate with people. We’re fortunate enough that we leveraged the tool LastPass as well. So those two in conjunction for an end user like me have made it simple to manage passwords and logging in and moving some things around. So now, it’s natural.

Jeremy Sporn (06:39):

In the beginning, it was annoying, but it turned natural pretty quickly, actually faster than I thought it would.

John Verry (06:44):

Right. And the reason it became… I mean, like if you really go back to the days when we started turning all this crap on, it was around the time that we got fully ISO 27001 certified. And to you… and I think you bring up a good point. The answer to all of this in terms of managing user expectation has a lot to do with the management and what we refer to as tone at the top. I think it’s really critical that as you’re making the changes to move to CMMC, when you increase security, there is definitely some impact on what we call effectiveness and efficiency of operations. You didn’t have to put a password in, now you have to put one in. You had to put one password in, now you have to, on occasion, put in two passwords, things of that nature. So it’s definitely going to impact users.

John Verry (07:26):

The key there is to make sure that the users are… when you’re making these changes, it’s important to communicate why you’re making these changes to the users. And when a user understands that if we don’t do… if I don’t do what I’m being asked to do, we will not be able to maintain a CMMC level three certification, and our company will no longer exist, and I would no longer have a job. I mean, that was really what it was with you, right? Hey, we need to be ISO 27001-certified for our clients to continue to trust us to do work with them.

John Verry (07:54):

Okay? So once you heard that, it was like, hey, this is what we need to do, right? This is the way the world’s going. So I think that’s a good point.

Jeremy Sporn (08:04):

Yes. And that actually leads into the next gotcha pretty well, which is that multifactor authentication challenge. And it’s pretty wild here. According to the identification and authentication practice, access to CUI must be via MFA even on your local network. What’s the approach you take there?

John Verry (08:23):

Yes. Yes, this is actually… it’s funny that you brought this up ’cause this is actually one of the more confusing areas of CMMC because the guidance is a little bit hard even for someone like myself to interpret. So really, what they say is use multifactor authentication for local and network access to privileged accounts. And for network access to non-privileged accounts.

John Verry (08:47):

So what they’re saying there is… so first off, and this is one of the requirements that goes back to NIST SP 800-171. And within SP 800-171, there is a concept of a definition for what a privileged user is. So a privileged user is a user that is authorized, and therefore, trusted to perform security-relevant functions that ordinary users are not authorized to perform. So when you think about that, you say, oh, this is great. So what we’re basically saying is only our, like, admins, our privileged users, need to actually use two-factor authentication.

John Verry (09:20):

However, they go on a little bit later on to clarify it, and they actually use a phrase from it: for a non-privileged user using a standalone computer with no network access, the access can be via single-factor authentication. But what is the likelihood that that is going to occur, right? So in other words, if you’ve segregated a machine and it’s sitting by itself, it’s okay to do single-factor authentication. However, if you’re connected… if that machine is connected to a LAN, then the network access must be multifactor authentication.

John Verry (09:55):

So there’s a lot of confusion there. At the end of the day, the way… the simplest way to look at this is multifactor authentication for all users is really what your target should be. And I’ll say that for two reasons. One is that we don’t know exactly how this will be adjudicated by the CMMC AB CA3 auditors when they come out. So first thing is that we don’t want that issue to occur.

John Verry (10:19):

The second thing is that, honestly, multifactor authentication is one of the single most important mechanisms to reduce the likelihood that your organization has a breach or a [inaudible 00:10:30]. And at the end of the day, yes, we want to be certified, but we also want to be secure, right? This is national defense. This is our national economy. And with the minimal amount of additional overhead associated with multifactor authentication for all user accounts, it’s a no-brainer to do that.

John Verry (10:46):

So I’m a fan of I think multifactor authentication is something you should be targeting. Again, one of the great things is if you’re on either… like a lot of our users are on Microsoft, it comes along with the application. It comes along with Office 365 for free, right? Microsoft authenticator.

John Verry (11:01):

Same thing if you’re on Google Suite, there’s a free Google authenticator. So these are tools that you don’t have to spend a lot of money on. If you want a more robust solution, if you want a solution that has greater capability to be integrated into legacy applications and things of that nature, you can use something like Centrify. Okta is absolutely the market leader in multifactor authentication-style solutions. Certainly couldn’t go wrong looking at what Okta’s done. They’re a phenomenal company.

Jeremy Sporn (11:31):

Very cool. Yes. I’ve heard you talk about MFA for a long time as that one thing people should do. It’s one of the simplest things someone can implement to increase their security posture. So —

John Verry (11:41):

Well, if you think about it, when somebody is trying to… what is one of the biggest breaches we see, right? We see credential thefts, people… credential stuffing attacks, things of that nature, where somebody gets somebody’s credential, somebody’s password. And in that case, once that person has your password, they are you, right? They have access to the CUI.

John Verry (12:00):

The simple idea of adding a second factor, so that there’s a text message or there’s an authenticator app on your phone. Now, even if you have my password, you still can’t get to the CUI.

John Verry (12:11):

The other thing too is protect other key apps there. So not only do we have to… can we protect access to the network or access to Office 365, but if you look at my authenticator, like I’m using it for LastPass, I’m using it for my banking applications. So listen, everybody should be using multifactor authentication on any information that’s important to them, is my opinion at this point in time.

Jeremy Sporn (12:35):

All right. Perfect. We’re going to move on to end-to-end encryption. So according to system and communications protection practice, SC.2.179, plus a few others that I won’t read out, file sharing and e-mail containing CUI need to be encrypted. What are DIB organizations’ options here?

John Verry (12:58):

Yes. So as you alluded to, there are an awful lot of places within CMMC where this concept of encryption comes into play, though SC is one of the areas where we definitely see it the most. And that makes a lot of sense because, really, what we’re trying to do, 800-171, for sure, CMMC as well, there is a significant focus on ensuring the confidentiality of this controlled unclassified information. And encryption is the single most significant way of providing that confidentiality.

John Verry (13:33):

And it goes further as to kind of give you guidance that the information should be encrypted in transit as well as the information should be encrypted at rest, which is why you speak to this idea of should we be using some more robust e-mail file sharing, fully encrypted end-to-end solution?

John Verry (13:52):

It even goes a little bit further, that the cryptographic mechanisms need to be FIPS validated, a Federal Information Processing Standard, I believe that is. But there’s a FIPS standard for ensuring that the algorithms that are being used are reasonably and appropriately strong. So where that lands out is that we’re going to need to get to a point, because the predominant place that we share and store information is probably through our file sharing mechanisms and through e-mail.

John Verry (14:23):

So the most common way that people are crossing this bridge is how do we, in our brave new world as we move towards this, how do we manage this? So as an example, we’re on Office 365. Is that a suitable solution? And the answer is, yes, and the answer is no. So I’ll start with the no.

John Verry (14:40):

The answer is no, if you’re on a commercial instance of Office 365. So Microsoft offers commercial licensing. That might be something like you’ve heard of like E3 or E5 licensing. And then they also have other environments that are intended for higher-level government usage. And one of those environments is labeled GCC high, the government computing cloud high. There’s a gentleman over at Microsoft, Richard Wakeman. His blog is fantastic. It’s a great point to look at, a great blog to look at. And in that, you’re going to see some really clear information about the different environments and where you achieve either 800-171 or CMMC conformance.

John Verry (15:27):

Also, as a lot of the organizations that are in the DIB are going to be working with munitions information and may have ITAR requirements, you also will see the reference to which environment gets you to ITAR compliance as well. And the good news is that when you get to GCC High, you’re going to be 800-171, CMMC and ITAR compliant. So the good news is that we’ve got the encryption that we need throughout the life cycle of that data as it’s being transited, as it’s being sent, and as it’s being stored in Microsoft.

Jeremy Sporn (16:01):

The biggest challenge I understand in GCC High is that Microsoft Teams doesn’t allow you to use emojis, and that is a significant challenge for many people, is my belief.

John Verry (16:13):

For a marketing guy like you, that’s probably a deal breaker.

Jeremy Sporn (16:18):

CMMC? We don’t need that. We have to be able to share emotions through our text messages in Teams. I don’t know how we can work together.

John Verry (16:25):

They didn’t block out animated GIFs, did they? No, you’re right, though. You’re right. There are some capabilities within the commercial licensing that are not yet available in GCC High.

Jeremy Sporn (16:37):

Which makes sense. One thing that I always hear about that we’ve tried to touch on real quick is there are other solutions if you want to stay on Office 365 commercial. We hear things like Prevail. We had Sanjeev on the podcast. Quickly touch upon that kind of option.

John Verry (16:55):

Yes. And I think we should… let’s take a step back and touch on the Microsoft option as well. So listen, I’m a fanboy of Microsoft, an unabashed fanboy. I think they do great stuff. I think the value proposition that you get if you’re using Office 365 is amazing. And we’re on Office 365, and we’re incredibly happy.

John Verry (17:13):

So if you want to be in the Microsoft GCC cloud, which is certainly going to be an excellent option. The migration, there’s only, if I recall correctly, only nine authorized companies right now that are able to help you migrate from… or help you license GCC High. In fact, we’re going to be speaking with [crosstalk 00:17:35] Summit 7.

Jeremy Sporn (17:37):

Yeah. I believe as of right now, there are nine that can do it for companies 500 users [crosstalk 00:17:45]

John Verry (17:47):

No. 500 or below.

Jeremy Sporn (17:49):

Yeah. And I’m sorry, and 11 that can do 500 seats and above. So that’s how it’s broken up currently.

John Verry (17:55):

Exactly. And because it is a complex environment, it has to be done right. And Microsoft has given these entities the special training and knowledge that they need to be able to do that.

John Verry (18:04):

So if you are someone who’s on Microsoft, and you want to just remain completely in the Microsoft environment and just kind of go forward down that path, contacting someone like Summit 7 or one of the other entities on that nine-person list is going to be your best choice. We’ll probably have a little bit more information after chatting with them, but from other conversations that I’ve had and clients that we’ve spoken with in Prevail, who was on the podcast as well, we know that there is some level of cost associated with migrating from commercial to GCC High, and we know that there’s additional cost to being in GCC High.

John Verry (18:41):

So numbers we’re hearing is, let’s say, $10,000 to $50,000 to migrate, depending upon how big an organization you are. And we’re typically seeing somewhere around a doubling to tripling of the cost for your monthly fee if you’re going to stay in GCC High. And I’m actually really anxious to have that conversation with them because I’m sure that there are probably some advantages to that that I’m going to be curious to hear them expound upon.

John Verry (19:05):

Another alternative, as you alluded to, is Prevail. Prevail is a very interesting software overlay, which preexists CMMC. They happened to come up with a very clever answer to a question that CMMC asked. And that’s going to be fortuitous for them because I think they have a very elegant solution.

John Verry (19:24):

What they do is they allow you to stay on Office 365 commercial. And only those users that are going to be handling CUI, you will enable an account for them on Prevail. And what happens is they continue to use Microsoft Office as if it’s just Microsoft Office, except they have another inbox and sent items folder, and those are their encrypted e-mails. So when they go to send CUI to somebody who’s on a specified list that says, hey, if I send something to this person, please make sure I encrypt it, that information is encrypted automatically, transparently. And what happens is that information, instead of being stored in the Microsoft commercial cloud, is being stored in AWS in their FedRAMP High certified, IL-4 certified environment. So that’s really what they’re doing.

John Verry (20:20):

So you end up… the cost is about similar. It’s like $30, I believe, or so per user when you do it in Prevail. The difference is we don’t have the migration cost and you have an ability, currently, that you can just migrate a certain percentage of your users, where, currently, at this point in time, Microsoft recommends if you’re going to move to GCC High, you move everyone to that. So if you happen to have 200 users, and only five process CUI, then something like that Prevail solution might be a little bit more interesting. If you’ve got 200 users and all 200 users process CUI, it’s probably a little less interesting.

Jeremy Sporn (20:56):

Yep. A bunch of decisions that people got to make here, John. This is a —

John Verry (21:06):

These are the conversations that we’re having every day with clients as they’re making this migration to be ready for their certification.

Jeremy Sporn (21:13):

All right. Let’s jump into e-mail, spam protection and sandboxing. First of all, for someone who does not understand this stuff, what is sandboxing? Because I know what spam protection is because I’ve had an e-mail address for most of my life. But what the hell is sandboxing?

John Verry (21:30):

One of the things that I love about information technology and information security is we use the same concepts and principles and terms often. And so what it gives you is an ability… so if you understand the cost of caching data, which basically means that we’re going to temporarily store it in a place where it’s easier to get to faster than if I said to you, oh, that chip has a cache on it. You do, oh, okay, so that makes the chip faster because it keeps certain information locally. If I said I was using a web caching solution to distribute content or something of that nature, oh, I’d understand that.

John Verry (22:09):

Same thing with sandbox. It’s a term you hear very often. So you might hear the term that in like a Java runtime, it sandboxes itself. So what that basically means is that it’s in a sandbox on top of the underlying operating system, and it’s not able to reach into that. Think of it as being in a sequestered place. And that’s what happens with sandboxing in e-mail.

John Verry (22:30):

So let’s say that I send you a malicious file attachment, and my goal is to get it onto your machine. And what’s going to happen is if you open that, it is going to run a macro, and that macro is going to try to pull a remote access tool from the Internet and put it on to your machine.

John Verry (22:45):

So what we can do is at our mail servers, we can have the mail server, while it’s investigating for spam, we can have it actually follow links or explode or open their attachments. So what it does is it actually takes that file attachment. It puts it into a sandbox. So it’s a dedicated environment where if it tries to do something bad, it won’t get out. They’ll execute it. They’ll find out what it does. They’ll characterize its behavior. If it doesn’t look like it’s doing anything wrong, that e-mail will end up in your mailbox. If it looks like it’s doing something malicious, that e-mail will not come to your mailbox, much the same way spam does. Or it will come to your inbox, but there’ll be a… it will remove that link or it will remove the file, and you might have a note that tells you what exactly happened, depending upon how the threat protection mechanisms are being configured.

Jeremy Sporn (23:36):

Got you. Okay. Much appreciated, the lesson on a term that I had no idea what it meant. So CMMC level three orgs, according to some system and information integrity practices, I mean, SI.3.218, 219, 220, a bunch of others as well, it looks like they need very strong e-mail protection mechanisms. What do you look for as someone helping these organizations, guiding them to compliance here?

John Verry (24:07):

I agree. And I do think that CMMC has done a good job of recognizing the single largest threat vector for most organizations, is e-mail. So I think the idea that they’ve been very, very specific in this SI domain about this is very good. I mean, the e-mail forgery protection, the sandboxing to block potentially malicious e-mail, the idea of spam protection, really critical for everyone.

John Verry (24:32):

The good news is that the vast majority of organizations already have the basics in place, right? The spam protection, maybe even the e-mail forgery protection. The sandboxing is a little bit more advanced. If I recall correctly, on the Microsoft platform, I don’t think E3 does the sandboxing, and I think they call it advanced threat protection, if I recall correctly. Maybe what we can do is just put a link in the… add to our notes afterwards. I’ll get you that information and make sure we cover that. But I know if you get to E5, that you’ve got the advanced threat protection built in, and that includes that sandboxing capability.

John Verry (25:07):

The other ways you can do that is you don’t… there are other mechanisms that people can employ, something like Mimecast or something like Proofpoint. There are a lot of good e-mail add-ons, let’s say, if you’re hosting your own e-mail. Or if you don’t want to upgrade your Microsoft licensing to E5, and you already have a tool that has this capability built in, you can do that as well there.

Jeremy Sporn (25:28):

So one of the key things that seems like it keeps coming up is that many of the systems that DIB organizations already have may have the capability to achieve the CMMC compliance focus? It’s just how they tune them correctly, how they leverage them correctly. Is that something that you see often, that people need to use their tools well?

John Verry (25:49):

So I would say the answer is, for organizations that have at least a moderately robust information security set of practices, yeah, the answer is yes. And it’s the same way when we work with orgs that are going towards ISO 27001. They’re always like, oh, we’re going to have so much work to do.

John Verry (26:08):

My answer is always you’re probably doing 80, 85, 90% of the stuff right already. And really, what we’re just talking about doing is that last 10, 15, 20%. Usually, it’s just tweaking things a bit. But now, unfortunately, in the DIB, there are a number of smaller organizations. And some of them are from fields that less traditionally make investments… significant investments in information security, right? If you are a company which process… a law firm, you’re already going to have a pretty good security posture. If you’re an organization that processes personal information or financial information, you probably have a pretty good security posture. If you’re a 25-person manufacturing organization, very often, those will be a little bit less mature, and these hurdles could be a little bit higher for them.

Jeremy Sporn (26:58):

Got it. Moving on to the next gotcha, logging and alerting. So according to audit and accountability practices, there are a bunch here that reference it: 2.042, 44, 45, 46. Extensive audit logs need to be captured, reviewed and alerted on. This seems to be the golden question in some cases. But does this mean an organization needs a SIEM (security incident and event monitoring) tool to achieve CMMC level three?

John Verry (27:32):

Good question. So first off, let’s talk about that whole audit domain, which is a really significant domain. And what’s important, and what I always talk about the audit domain with folks is, is that the audit domain has requirements in and of itself, but the audit domain supports, I think the number is… do you remember, Jeremy, we put it into the new proposal template up under the SIEM option? And it explicitly supports these AU requirements. And I think I did a count. It was, what, 70 other. It was a pretty significant number. We’ll put that into notes as well, or if you can look that up while I’m doing this.

Jeremy Sporn (28:08):

I’ll get it. Don’t you worry.

John Verry (28:09):

Yes. Yes. It just doesn’t seem small to me.

Jeremy Sporn (28:12):

It’s 21 plus other practices.

John Verry (28:13):

Okay. 21 other. Okay. Yes. So if you think about it logically, within AU, we’ve got ADA at three, we’ve got one, two, three, four, five, six, seven, eight, nine, 10, 11, 12, 13, 14. We’ve got 14 practices specifically, and then we’ve got another 21. So 35 of the 130 controls minimally are directly impacted by how we handle the audit and accountability. So I would argue that this is probably one of the most important areas for us to look at and for you to consider.

John Verry (28:44):

So we can look at the explicit requirements, right? So we have things like review and update logged events, create and retain audit logs and records to the extent needed to be able to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity. And we’ve got a number of these. So what’s important here as we go through this is there are requirements to limit access to it and ensure that we’ve got appropriate segregation of function. We’ve got a requirement to review audit logs. We’ve got a requirement to be able to… under the incident response, to be able to detect and respond to incidents.

John Verry (29:18):

So when you start to look at the sum total of this, the answer is explicitly, do I need a SIEM? No. Could I do this with Graylog, which is an open source log management tool? Could I do this with a Kiwi Syslog server and some Python scripting? Sure. Could I do this with Azure Sentinel if I’m in an Office 365 environment? Potentially, because a lot of the events that we’re going to be monitoring, access to CUI information, are going to take place through that environment. So that being said, do I need a SIEM? No. Well, I think many organizations, as they get to be beyond, let’s say, 50 people, will they probably be better off having a SIEM? I think the answer is probably yes because it’s going to give them that… it’s going to make each of those requirements simpler to account for. That makes sense? Do you need any clarification on any of that? Because I know it’s a mouthful.

Jeremy Sporn (30:16):

No. So in the end, is it an efficiency game? Because if you’re… I would imagine if you’re trying to manage dozens of practices or control areas that are requiring me to do a whole bunch of things, you can either piece together a solution, which may take more effort and time to manage, or spend the money to have a solution that’s just more automated and efficient, and it just depends upon your budget and the size and how significant that effort becomes, is what it sounds like.

John Verry (30:49):

I think that’s good. And if you think about it this way. So if you looked at a more robust tool, something like an AlienVault tool or a Splunk tool or one of the good log monitoring solutions, the disadvantage, if you will, of those solutions is going to be cost, right? They’re not going to be inexpensive.

John Verry (31:10):

That being said, so the upfront cost is going to be higher, but then the ongoing cost in terms of effectiveness and efficiency of operations, how quickly you’re able to detect and respond to events, what the level of effort is required each day, week, month from your people, let’s say, to do review as opposed to, hey, all right, I’m going to have to jump in and look to see and spend 30 minutes each day looking through logs to see if anything happened. Versus, oh, I’m going to use a tool that costs me more, but it’s going to let me know dynamically when I need to do that. So I don’t need to go spend 30 minutes a day looking through logs unless it tells me to. So that’s kind of where the trade-offs are going to be there.

Jeremy Sporn (31:54):

Yeah. But at least you give people the option. The nice part about this area is that there are options for folks, which I think is very helpful.

John Verry (31:57):

Yes. And again, it’s really important as you consider what the right approach is here, right? So when you document a system security plan, one of the things that we have to document is we have to document the stakeholders and the boundaries and things of that nature. But we also have to document assets, right? What are the assets in scope, right? What assets store, process, or transmit CUI is one way to look at this.

John Verry (32:20):

So one of the nice things as well is that when you get into a SIEM solution, very often… or good log management solution, very often, they have that. That becomes a solution within your organization that can fill multiple parts of this void. We’re going to need to have a good incident response plan, good incident response procedures. We’re going to need to have mechanisms to track incidents and events and track them through resolution and through corrective actions and lessons learned, as an example. And again, very often, these SIEM-type solutions incorporate those kinds of capabilities as well, right? We’re going to have a requirement to ensure that we’re monitoring for vulnerabilities and we’re making sure our configurations are where they need to be. Again, those are the types of things where I can do them through some other process. But if I do use a SIEM, I get a little bit more bang for my buck, if you will, right? More of these requirements are being done utilizing a single tool.

Jeremy Sporn (33:15):

Makes perfect sense. All right. Last but not least, managing supply chain risk. I’m glad we’re able to talk to John Ellis before you were able to give this answer, because I’m sure that’s going to help.

Jeremy Sporn (33:29):

And it’s tricky. Directly, CMMC only refers to supply chain risk when you get to level four. But I’ve heard you talk to organizations already looking to achieve level three, that they need to look at what you refer to as one layer down into the supply chain for whoever they’re passing CUI to.

Jeremy Sporn (33:49):

Give people an understanding. How does this work? How do you suggest that they take this guidance, like I said, ’cause it is not officially a level three requirement, but it kind of is. And any guidance you can give us there is helpful.

John Verry (34:04):

Yeah. This is one that vexed me for a little while, to be honest with you, ’cause I think about it logically.

John Verry (34:10):

So CMMC is about being provably secure with CUI, controlled unclassified information. So we’re going to ask you to implement 130 controls, and we’re going to ask you to undergo an audit to prove to me that you’re doing everything that I did. So these 130 controls have been implemented. We think these 130 controls are necessary.

John Verry (34:31):

But now, you’re going to then take that data and put it, let’s say, in a third party’s application, or you’re going to give your IT service provider unvetted access to the locations of all of that information, the ability to administer that information, and we’re not going to ask them for any evidence that they’re doing any of these things. So logically, that doesn’t make a lot of sense.

John Verry (34:54):

So now, we’re into the point where, okay, John, you’re making sense logically, but the standard doesn’t require it. Right? Why is it sitting in the level four column? So there’s a couple of things which are interesting there.

John Verry (35:07):

So we have to look at where we are right now in CMMC’s adoption. So CMMC, technically, doesn’t really exist as part of any federal contracts. And it won’t exist until the DFAR, defense federal acquisition regulations, I think it stands for, that comes out of DCMA, and you referred to John Ellis, who’s a brilliant guy who works there. Until the DFAR clause… so there’s currently a clause in contracts. It’s DFAR 252.204-7012, if I recall correctly. And that clause is the clause that says you need to do x, y and conform with NIST SP 800-171. So that’s the clause that’s in a contract that encumbers you to 800-171. So they’re going to need to change that clause so it no longer encumbers you to just 800-171. That encumbers you to CMMC.

John Verry (36:01):

Now what’s interesting is within that clause, I think it’s a sub clause M, it says something to the extent, and I’m paraphrasing, that you have an obligation to ensure that this requirement, this DFAR requirement, exists and is promulgated down to any user… any other third-party organization that you’re sharing this information with, right? And very often, you’ll hear the term in the DIB, flowdown. So prime has a contract that says this. They’re flowing it down to their subs, right? So I think the answer to the question is why is it not explicitly in CMMC until level four is that it’s already in the DFAR clause, and I expect that it’s going to be in the DFAR clause that points to the CMMC as well.

Jeremy Sporn (36:49):

Got you. So in the updated contracts that you see coming down, you expect that same clause M, as you referred to it, or whatever you referred to it as, when the DFAR clause changes, that we’ll refer to that flowdown again, and therefore, necessitate supply chain risk management at least one level down, but it will not be a requirement in the actual CMMC.

John Verry (37:14):

That’s the way that… it’s illogical for anything else to occur, in my opinion. But then again, I’ve been wrong before.

John Verry (37:23):

So that would be my guess. And I think there’s another part of this which is also interesting. So I would encourage people that… especially anyone who is trying to do this on their own, either become 800-171 conforming, or is looking to become CMMC level three conforming, and they’re a DIY, right? They’re going to roll their own. To look at a document called NIST HB 162. So that’s a National Institute Standards Technologies. HB, I think, stands for, or most of the time, it’s SP.

Jeremy Sporn (37:59):

It’s handbook.

John Verry (38:00):

Handbook. I think it’s Handbook 162. And it’s a document that I refer to quite frequently. In fact, I’m looking at it right at this moment. And what Handbook 162 is, is a handbook, I think what they call it, let’s see what the name of this was. The self-assessment handbook for assessing 800-171 security requirements in response to DFAR cybersecurity requirements.

John Verry (38:18):

Basically, what it is, it’s a cheat sheet for people that are not super IT infosec literate, to how to interpret what they say within the standard. So as an example, for a particular control, it will tell you what does the control say, here’s some additional information, here’s some places you can look for other information, here’s who you should talk to in the organization. If you were going to test for this, how would you test this? So it gives you some pretty good information. And if you actually search for the word supply chain in that document, it comes up about 13 times. And where I’ve always told people that we don’t have a choice, and it does specifically state this, is that under risk management, when we conduct our risk assessment, it specifically does say that you need to look at the risk associated with the supply chain does need to actually be considered. So if my risk assessment did not address supply chain, in theory, I would not be conforming with the standard.

Jeremy Sporn (39:12):

It’s going to be very interesting when those C3PAOs come around for the first time, and we get a real answer to how this one’s going to work. I am very, very interested in that one.

John Verry (39:23):

Right. And just for the record, like I think one of the reasons I feel confident that my interpretation is right, is, I mean, it goes throughout this document. So as an example, they specifically cite in there, supply chain as being part of our incident handling capacity and the ability that if we have a reported supply chain event.

John Verry (39:44):

So anyway, that’s how I interpret it. And like everybody’s heard me say that’s ever chatted with me about this, right now, there’s an awful lot of room for interpretation with CMMC. I think CMMC v1.02 is there. I don’t think that’s going to change a lot. I think how the CMMC AB is going to audit against that is something that we’re not going to know and exactly how they’re going to define certain… the tests that need to be performed, I don’t think we’re going to know that until the end of this year, that being the end of 2020.

Jeremy Sporn (40:18):

We are still in 2020? Is that still a thing?

John Verry (40:21):

Yes, we is. It is the never-ending year. It just feels like five years because of our friend COVID.

Jeremy Sporn (40:28):

Yes. Anything else you think people should know before we let them get back to their day jobs. I think we covered all six of these gotchas pretty well. But anything else you think they should know before we let them go?

John Verry (40:42):

No. I think that these are the areas that we see people needing to either invest. Like part of becoming 800-171 conforming or CMMC conforming, is ensuring that we’ve got the… especially CMMC level three because we have the 130 practices, and we’ve got the 51 processes. So because of the processes requiring a plan and requiring that we have a policy that documents each domain, and that each policy incorporates the practices that are required, a lot of what we’re doing with CMMC is helping organizations build the information security program, the policy standards, procedures and practices that are necessary to become conforming. So that part of the effort is going to be consistent across the way.

John Verry (41:32):

The six areas that we touched on are very often the areas where we have to have the deepest discussions and our organizations have to expend additional dollars beyond just the more paperwork, process-oriented parts of the process.

Jeremy Sporn (41:47):

Makes perfect sense. Well, I hope everyone listening got out of this what they need to be successful. If there are any more gotchas that come out of some of our work, we’ll be sure to update people as that comes up.

Jeremy Sporn (41:59):

But John, thank you for your time. Thank you for your expertise. And everyone, stay safe out there.

Narrator (42:06):

You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.