The DFARS interim rule that went into effect on November 30th has a lot of nuances to it — and many out there have questions about how it applies to them.
In this episode, I sit down with Corbin Evans, Principal Director, Strategic Programs at National Defense Industrial Association, to get answers to some of the most common questions about these CMMC nuances, including:
- What do DIB orgs with a 7012 clause in their contracts need to do now?
- What happens if you submit a low SPRS score?
- What are the different types of CUI?
Check out this resource we mentioned during the podcast:
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry: (00:25)
Hey, there, and welcome to another episode of Virtual CISO Podcast. As always, I’m your host, John Verry. And with me, unfortunately as always the Morty to my Rick, which is why I actually love Dan Harmon, God bless you, Jeremy Sporn. Hey, Jeremy.
Jeremy Sporn: (00:39)
Hey, John. Hello, everyone. And I think it fits, because you’re like the eccentric, weird, older man that takes me on crazy journeys. And I’m the gullible, young [crosstalk 00:00:52].
John Verry: (00:52)
You didn’t put that into the script intentionally?
Jeremy Sporn: (00:54)
I didn’t. I didn’t, but I do [crosstalk 00:00:55].
John Verry: (00:55)
Well, you must have enjoyed that one. You let me walk right into that.
Jeremy Sporn: (01:01)
You got to take your wins when you can get them, man.
John Verry: (01:04)
That was a win. That was a clear loss for me. And you do know Dan Harmon who is Rick and Morty? He’s Community which is as you probably know, is one of my favorite TV shows of all time. [crosstalk 00:01:15] The first three seasons are amazing.
Jeremy Sporn: (01:18)
Yeah. I hear it falls off from there, but I do know you love it, which makes this joke even better. Yes.
John Verry: (01:24)
Season five was actually really good, too. But then after, what happened was four, Harmon, he had a big drinking problem. They threw him off the series. Four, he wasn’t the executive producer or director, whatever the right term is. Then he came back for season five. And that was when Troy left, Childish Gambino. And after that, it was never quite the same.
Jeremy Sporn: (01:45)
Got it. All right. Well, let’s get back on track here, because we can talk about …
John Verry: (01:51)
I can talk about Daniel Harmon for a long time, and his podcast, Harmontown. What do you think of my conversation with not Dan Harmon, but Corbin?
Jeremy Sporn: (02:00)
So I remember when we spoke to him about being on the show, originally. I couldn’t believe how young he is to have such a key role at NDAI … to the NDIA, which I believe is the largest trade association for DIB organizations. Then he opens his mouth, and it’s very clear why he is where he is, because he’s a brilliant, brilliant young man. And with a wealth of knowledge for DIB orgs.
Jeremy Sporn: (02:25)
What I like most about his approach is it actually reminded me of a marketer in a lot of ways. He really understands the people in the DIB organization. He serves, knows his audience, what they care about, their strengths, their struggles, and most importantly, how to get them from where they are to where they want to be.
John Verry: (02:44)
Yeah. Listen, I couldn’t agree with you more. I thought he did a great job in our conversation, talking about all of the critical issues that are facing folks that are in the DIB, his membership, if you will, CMMC, the new Interim Rule, and what some of the challenges are out there, the new guidance on ITAR, et cetera.
John Verry: (03:01)
And I think in doing so, at the same time, the fact that he’s communicating that well, and hitting on these issues, really also communicates the value proposition that NDIA provides to its members. It acts on their behalf to shape policy. And then when policy is established, it helps them get up to speed on how to navigate it. So yeah, really cool episode.
John Verry: (03:25)
Only thing I’ll apologize for ahead of time, as you probably noticed, there was some bandwidth issues. So a couple of times, the video gets a little choppy, but didn’t want to let it … It certainly doesn’t distract from the message, which is awesome.
Jeremy Sporn: (03:36)
I completely agree. And the NDIA Connect forums, for anyone out there who’s listening, they are a place that I go too often to learn what’s going on and what’s new, and hear directly from people in the DIB. And he is on there often answering questions. So if anyone hears this and wants to go there, that’s a great way to interact with Corbin.
Jeremy Sporn: (03:56)
So if you are a part of a DIB organization who has questions around the new DFARS Interim Rule or SPRS and many other key CMMC topics, this is the episode for you. NDIA, wow, I don’t know why that’s so hard to say. NDIA is one of the most respected names in the DIB, and for good reason. The education and insights they provide are second to none, and that is certainly the case with this conversation with Corbin.
John Verry: (04:23)
Yeah, yep. And that was really, really why we had him on the show, to provide those insights. So with no further delay, let’s get to the show. Corbin. Good morning, sir.
Corbin Evans: (04:38)
Hi. Good morning, John. I really appreciate you having me.
John Verry: (04:41)
Yeah, I appreciate you coming on. So excited to have the call with you. Let’s start super simple. Tell us a little bit about who you are and what is it that you do every day.
Corbin Evans: (04:50)
Sure. Thank you. So Corbin Evans. I am the principal director of strategic policy and programs at the National Defense Industrial Association, one of the nation’s largest trade associations specific to the Defense Industrial Base and our defense-specific manufacturers. We have about 1,650 members all across the country, that are mostly made up of defense contractors.
Corbin Evans: (05:14)
So your largest folks, your Lockheed Martin’s, your Northrop Grumman’s, all the way down to your mom-and-pop folks, your new entrants, your tech companies, et cetera. So I help those folks out with their policy needs and organize the both external and internal strategic policy of NDIA.
John Verry: (05:32)
Gotcha. So when you say policy, I’m just professionally curious, does that cross over towards that lobbying and representing their interests in Washington as well? Or is it more just in being a trade group that helps them understand and implement things and work more as a cohesive whole?
Corbin Evans: (05:50)
So we are located in Washington DC, actually, right across the river, at the Court House metro stop for folks that are familiar with the area. But we are a 501(C)(3), which means we are an educational nonprofit. We do have the ability to lobby up to about 20% of our legislative team’s total time, but I can tell you we don’t get anywhere close to that.
Corbin Evans: (06:12)
We do really focus on that education piece. We do respond to legislative inquiries from policy makers up on the Hill, if they ask us to essentially compile what we view as the Defense Industrial Base’s take on particular policies and positions.
John Verry: (06:29)
So that makes it easy for them, if they … Rather than having to go out and talk to 20 people to get an opinion, they can come to somebody like yourself and get an opinion from 1,650 opinions all at once?
Corbin Evans: (06:39)
Yeah, that’s exactly right. So we do a lot of information collection, a lot of information collation and synthesizing a lot of research reports and analysis.
John Verry: (06:49)
Good. Well, I can see what your value prop is, and I’m sure a lot of people that are not yet part of it would probably. With CMMC and all the crap coming down the pike, probably a good idea for them to be involved with you guys.
Corbin Evans: (07:01)
I appreciate that. Ndia.org, for folks that are interested.
John Verry: (07:05)
Sounds good. All right. Before we get down to business, I always like to ask people, what’s your drink of choice?
Corbin Evans: (07:11)
Sure. So I will tell you that one thing that I’m really missing as part of the pandemic, 2020 here, of course, our offices have been fully remote since the second week of March, as I’m sure you know a number of your listeners have. But on Fridays, we typically have what we call Scotch and Policy.
Corbin Evans: (07:28)
Our CEO and some of our executive team leaders bring out the nice bottles of Scotch and we essentially sit around and shoot the shit around current policies and topics, from 4:00 to 5:00 PM on every Friday. So I’m partial to expensive single malt, if the boss is paying. And I will say that I’ve really missed that during 2020.
John Verry: (07:51)
Well, first off, that sounds so damn Washington.
Corbin Evans: (07:55)
That’s exactly right, yeah. We have the leather chairs and everything.
John Verry: (07:59)
Yeah. And then the second thing is it officially means that I will never come work for NDIA, because while I love whiskey, I think there’s no better way to ruin it than to add P. So I’m not-
Corbin Evans: (08:11)
Fair enough. Fair enough.
John Verry: (08:12)
I’m a bourbon guy. Even Irish-
Corbin Evans: (08:15)
I don’t discriminate.
John Verry: (08:15)
Once you’re going with the P, no, I’m not there. Cool. All right. So let’s get down to our real business, what we’re really here to talk about.
Corbin Evans: (08:27)
John Verry: (08:27)
Obviously, CMMC is the buzzword, but we also had recently, the Interim Rule come forth. And I don’t know about you, but we’re seeing a lot of questions on this. So if you have a member and they’ve got an existing 7012 clause in their contract, do I have to do anything? And what do I have to do at this point in time relating to that Interim Rule, or guidance?
Corbin Evans: (08:48)
Sure. Well, great place to start, John. And we certainly have also fielded a huge influx of questions following the release of the Interim Rule, both implementing the CMMC language for the first time, and also creating this requirement for a self-assessment related to the 7012 clause.
Corbin Evans: (09:06)
So my first piece of advice for a contractor in the situation that you described, is first, they need to read their contract. And if the 7012 clause is in there, they really need to go above and beyond to ensure that they’re in compliance with that requirement, not only because they should be in compliance with all of [inaudible 00:09:27] present in their contracts, but also because of the cybersecurity requirements that that actually places on a company, and the increased security that they receive by complying with that part of their contract.
Corbin Evans: (09:40)
We want to make sure that all of our contractors all across the Defense Industrial Base, have a robust cybersecurity program in place, so that we ensure that no information is being lost to the adversary, or is particularly vulnerable to adversary attacks. So the first piece of advice I would give is ensure that if you’re not compliant with the NIST 171 standards outlined in the 7012 clause, take the first step of ensuring that you’re on the path to getting compliant with that standard.
John Verry: (10:11)
So I agree completely, but I’m going to ask a question slightly different. We’re getting a ton of panic phone calls from folks saying, by November 30th, I’ve got a 7012 clause by November 30th. Do I have to have conducted a DOD assessment methodology, conforming assessment of our 171 implementation? And do we have to have that registered in SPRS?
Corbin Evans: (10:38)
So not exactly is the short answer. It’s our understanding through conversations with the DOD, and our own reading and interpretation of the Interim Rule is that companies should certainly with the pre existing 7012 clause should certainly be on a path to compliance, to reaching that 110 score that they would be self-assessing themselves to, and then implementing next to the SPRS system. But they don’t have to be at that 110 score at November 30th.
Corbin Evans: (11:12)
So one advantage of the 7012 clause and the self-assessment requirement is it does allow for POAMs. So essentially, you can outline when you’re going to get to that 110 score, and submit a score lower than 110 in the SPRS system. But also, the timing related to you submitting that score is going to vary for each contractor. So you essentially need to ensure that you have a self-attestation filed in the SPRS system, when you’re competing for new contracts or submitting RFPs for new contracts moving forward.
Corbin Evans: (11:46)
So if you don’t plan to submit a bid or proposal for a contract from let’s say, November 30th to January 30th, you essentially have that time to ensure that you can get your internal score as high as possible, prior to filing that in the SPRS system.
John Verry: (12:04)
That’s a good clarification. Because there’s a lot of people that think, hey, I’ve got a 7012, I need to be in there and I’m not ready. So quick question for you, to that end. So you mentioned if you were going to be bidding on something new, and that I think that makes sense.
John Verry: (12:16)
Well, I’ve also heard, and I don’t know if this is true, if a contract is going to renew, or if there’s going to be a change to a contract that would trigger that same requirement, and then I had a question and I should know this, I’m a little bit ignorant here, do contracts renew automatically? So in other words, does it say that the contract is issued on January 1st, and will renew automatically each year? And if it has an automatic renewal, does that trigger that SPRS requirement?
Corbin Evans: (12:40)
So excellent clarification here. Any contract renewals or modifications would also essentially create the opening to include the new Interim Rule self-assessment requirements as part of that contract change. In the situation you described, if your contract is on an auto renewal, which is something that sort of exists within the contracting system, typically it varies from contract to contract, from program to program. But oftentimes, there is written in a renewal period into the original contract.
Corbin Evans: (13:13)
So after five years of performance, the contract will be re examined for potential modifications or renewals. Or that time could vary. It could be month to month. But if you do have contracts that are opened up, and this is also an important point, we have folks that have dozens or hundreds of contracts, if you have any contracts that are opening up for either renewal or modification, you will need to ensure that you are compliant with the Interim Rule that goes into effect November 30th, requiring you to file your self-assessment in the SPRS system.
John Verry: (13:45)
Gotcha. That’s another great clarification. So you mentioned a score of 110. So a score of 110 means that you’re fully conforming with 800-171, as assessed by the DOD Assessment Methodology in 171A. What if I’ve got clients calling up and saying, “Oh, my God, my score is a minus 164”? Are they going to come and arrest me? Does that mean they’re immediately going to terminate my contract?
John Verry: (14:10)
What happens if you do due diligence, and you answer the questions honestly … and by the way, anyone listening, answer the questions honestly. The worst thing you can do is submit something which isn’t factual or as accurate as it can be, in my humble opinion. But if they submit something factually and honestly, and it’s a minus X, does the police show up at the door? What happens?
Corbin Evans: (14:31)
Well, I will absolutely foot stomp the need to ensure that your self-assessment is honest and accurate. There have been a lot of conversations around the False Claims Act and some of the additional contract corrective actions that can result from submitting a inaccurate score. So we’ll certainly foot stomp that for your listeners here.
Corbin Evans: (14:50)
But additionally, if you do find yourself in a situation after performing that honest self-assessment, and you find yourself negative or far below that 110 requirement, well, you certainly have some work to do to get to the full requirements of 7012. But there are not going to be police that are going to show up at your door. DCMA isn’t going to come knocking immediately. Your contracting officer isn’t going to try and drop you from the contract. Essentially, there are no wrong answers when it comes to the self-assessment for this requirement.
Corbin Evans: (15:27)
And that may change or certainly will change when it comes to the implementation of the CMMC program, because there are no POAMs allowed under that program. Essentially, it’s a go, no-go. You must have all requirements, or you don’t meet the CMMC standards. But for this self-assessment requirement, they’re essentially accepting any and all honest and accurate scores.
John Verry: (15:49)
All right. Excellent. Now that might differ, right? So if somebody gets issued a new contract, something which is subject to the Interim Rule specifically, where it includes the 7019 or 7020, specifically the 7020 clause, the 7020 clause allows also by signing that contract, you authorize DCMA or DIBCAC to assess you beyond that basic level.
John Verry: (16:15)
So just out of curiosity, once we start hitting that 7020, the 7020 does not require CMMC, it requires 800-171, 7012 style conformance. If you issue an SPRS score below 110 at that point, do you think that your answer would be different? And would it depend on the criticality of the program? How would somebody go about navigating that?
Corbin Evans: (16:38)
So I think it’s important to recognize that you’re able to essentially submit or operate your own internal security levels, because of the availability for POAMs within the NIST 171, or within the 7012 requirement and the future 7020 requirement that you don’t have to be at that 110 level right off the bat. You essentially need to ensure that you have a plan to get there. But also you need to recognize that you might be compared.
Corbin Evans: (17:09)
Say you file a score of 75, and you submit an RFP. You submit a proposal for a future contract. And you might be compared to someone that has an internal score, a self-assessment score, whether it be self-assessment or the DIBCAC medium or high assessment level. And their score is 95 or 100. You have to recognize that a contracting officer or a program manager is going to look at those two scores, and essentially allow those as a point of comparison of your bids.
Corbin Evans: (17:40)
So if you come in at the same price, as a performance schedule with someone but have a lower level of that self-assessment score, it is likely that that contracting officer or program manager is going to move forward with an award to someone that has a higher score.
John Verry: (17:54)
Cool. That was excellent. Excellent way to help folks understand how this data might actually be used. So we got this Interim Rule. The Interim Rule maintains 7012 and new requirements through the 19 and 20 requirements. And formally now, we have a way to call CMMC, right? That’s the 21 rule?
Corbin Evans: (18:15)
John Verry: (18:16)
So CMMC is obviously a moving target. All of us in this industry are constantly trying to stay on top of where we are. I guess that’s probably one of the primary services you provide.
Corbin Evans: (18:26)
You and me both, yeah.
John Verry: (18:27)
Yeah. So, what’s today? Today is November 18th. So on November 18th 2020, what’s the guidance that you’re giving at this point with regards to dates and timelines if I called up and just said, “Hey, what should I be doing right now”?
Corbin Evans: (18:40)
Well, you started exactly where I would start that conversation, John, ensuring that you do have 7012 as part of your contract, that you’re in compliance for in the process of … on a path towards compliance with that requirement. Not only because it’s in your contracts and you need to be in compliance with it, or on the road to compliance, but also because it puts you in a position to essentially transition your compliance from the 7012 program and requirements, the NIST 171, into the CMMC program.
Corbin Evans: (19:09)
It makes that pretty easy. It really sets you up for success when you’re thinking about transitioning into the CMMC program. So I’m sure the majority of your listeners know that the 7012, NIST 171 requirements map pretty closely to the CMMC level three requirements, which we do expect. It is not the plurality. Certainly a large portion of future contracts from the DOD will be at the CMMC level three or higher.
Corbin Evans: (19:35)
Likely, we do expect to see a pretty large percentage of those come in at level three, but that essentially creates a situation in the event that you do receive a contract. So they expect to essentially start the … DOD has done a bit of a pilot program up to this point, which I believe they’re calling the Pathfinders Program, just to ensure that I get the terminology correct, to map CMMC requirements on to existing contracts. Now, they haven’t went in. It actually provides the contracts. This is more of a tabletop exercise internally to work through some of the logistics and requirements. But at this point, we’ve seen no contracts released that actually have the CMMC language.
Corbin Evans: (20:17)
So the first thing is comply with 7012. The second thing is pump the brakes on the CMMC piece. You need to be learning about it and seeking out compliance, but you don’t need to be running around with your hair on fire yet, thinking, oh, my gosh, how do I comply with this new program? There are all these new requirements from DOD. It is going to be a phased rollout over the next five years, and so we do expect companies to have a bit of a lead time in becoming CMMC compliant, getting certified and going through the entire CMMC process.
John Verry: (20:49)
Gotcha. So honestly, I feel like there’s two streams of communication that are diametrically opposed to each other. So there’s the rational approach that you just measured out, and then there’s the approach that I hear. So recently, we went through the RP training, the registered practitioner training, and they could not emphasize enough the importance of organizations starting now, to move towards CMMC level three. And I think that part of that is that they’re concerned of the gap. It’s fairly significant based on their knowledge, which, of course, is why we have this program anyway.
John Verry: (21:21)
The second thing is that we’ve also seen increasing guidance coming out that they use the term persistent, I think it’s persistent and habitual operation of practices will be necessary. Independent, objective criteria that indicates habitual and persistent operation of practices and processes. So the clarification we’re seeing is six months worth of evidence of that. Then we’re also hearing that a lot of the primes are encouraging or pushing folks towards CMMC level three on a faster basis, and the criteria for calm pursued, calm capture team participation.
John Verry: (22:00)
So those are the two. One is that, hey, guys, don’t worry about it. It’s not really, fully in place for five years. And the other one is, hey, guys, if you don’t start it now, you’re never going to get there, and there’s going to be a long queue of people trying to get through the program as well. And now your primes aren’t going to let you bid. How do you navigate those two, I think, relatively extreme positions? But I hear good arguments for both.
Corbin Evans: (22:20)
Yes. So I’ll pull out the lawyer card out here and try and wedge a difference in between those two camps. So I would say there’s a difference between worrying about it and taking action now. So I think that the advice that you’re hearing from the CMMC-AB, from the large primes and others is start now. And I certainly would agree with that. And the advice of getting 7012 compliance is going to be as good as any in terms of your ability to start now. That’s going to put you on a road to … I think that percentage wise, you’re about 90% of the way there to CMMC level three compliant if you have those NIST 171 controls in place. So that would be my first piece of advice.
Corbin Evans: (23:05)
Secondly, you’re right, that this is a process, but so is the process of actually getting the CMMC language in your contract, getting CMMC certified. All of this, they expect to, they being the DOD and the CMMC-AB, expect to roll out over the course of the next five years. So if you’re protecting your data today, you have NIST 800-171 fully implemented, you’re going to be in good shape, essentially, to enact the additional controls to get to CMMC level three, to schedule an assessor to come out to your location to talk to your prime contractor, and ensure that they know that you’re compliant with the current regulations, and that you’re ready to go to put yourself in a place to be compliant, as soon as you need to be.
John Verry: (23:51)
Gotcha. Okay, cool. So restating that just a tweak, just to make sure I’m capturing your thought process right, is move now. Prioritize moving towards 7012, 800-171 conformance. While you’re on your way there, pay attention to the additional 20 controls from CMMC. Because if you’re doing a lift, doing a little extra lift is really not that much more work. Like you said, you’re 90, 85% of the way there anyway.
John Verry: (24:16)
That way, when you get to the point where those CMMC contracts are around the corner and you’re starting to see them, you’re in a position to actually just pull the trigger on the audit. And if we’ve done our 800-171 well, we’re in a position where we actually have already created those objective artifacts. So once I finish that, have that, another six months of what we call soak period, operation period before I’m able to go through an audit. So get ready. So you have everything in place, so you can get audited when you need to be audited.
Corbin Evans: (24:43)
[crosstalk 00:24:43] Exactly right. And it’s certainly the added security benefits associated with actually enacting these controls. We sometimes lose sight of the purpose of all these activities is actually fortifying your system. That’s going to be an important positive externality starting today.
John Verry: (25:04)
You embarrass me. The security guy in the conversation didn’t stress the security. He’s been stressing the compliance. But listen, for security to matter, you still have to be in business. And literally, I think a lot of the people I’m talking to, that’s what their concern is. It’s like, why still be in business in a year?
Corbin Evans: (25:20)
No, you’re exactly right.
John Verry: (25:22)
All right. Cool. So we’ve really emphasized 171, the Interim Rule, CMMC. One of the things that I’ve experienced from working with clients recently, is I think there’s a criticality to reviewing contracts because there are other requirements beyond CMMC that your copy of your contracts might have, that you need to be aware of. So as you’re going through this process, you’re doing everything. And you could make a mistake.
John Verry: (25:47)
So as an example, so let me ask a question. What I’ve been saying to clients is not all CUI is created equal. So can we talk a little bit about why sometimes CUI has a different terminology, has different sets of contractual obligations, and what some of those might be, and what people should be looking for in their contracts beyond just this 7012 guidance that they see?
Corbin Evans: (26:09)
Sure. Yep, I will tell you. I will say that yeah, I think you’re right that CUI is not created equally. And it’s not defined equally across from contracting officer to contracting officer. This has been something that we’ve had a lot of conversations with the DOD and with NARA, the FARA Council and others in government to try and create a more unified and a clear definition around CUI, to ensure that not only the CMMC program is able to be implemented successfully, because obviously your CMMC level hinges on whether you have CUI or not, that level one versus level three requirement, but also, the amount of CUI you have can make the difference between your contract having a level three requirement or a level four or a level five requirement, depending on the quality of that CUI.
John Verry: (27:01)
I didn’t know that.
Corbin Evans: (27:02)
So the definition of CUI, sitting up from here, I will point folks towards a new resource. I think it’s the biggest released. Dodcui.mil is a new website that includes some additional definitions, some additional training that they’re actually using internally for contracting officers and program managers for round CUI, and ensuring that folks have a good understanding of controlled unclassified information, and to know how to essentially market when sending it out to contractors.
Corbin Evans: (27:32)
And that’s an important part of this equation, ensuring that the government rightsizes the information that they’re sending to prime contractors, to ensure that they’re not overly burdening prime contractors to protect CUI that might not be necessary to perform the contract. And then the other side of that equation, ensuring that prime contractors are rightsizing the information that they float down to their subcontractors.
Corbin Evans: (27:56)
We hear these horror stories of folks taking large packets of CUI at the prime contractor level and sending it down to all 300 of their subcontractors, three or four tiers deep. And that, really creating a problem where that CUI is essentially available for extraction or manipulation by an adversary. So ensuring that the process is rightsized both from the government and the prime contractors to subcontractors size is an important piece. And knowing what CUI is, to your point, the difference between controlled unclassified information, controlled defense information, controlled technical information.
Corbin Evans: (28:36)
I know we talked a little bit previously, about ITAR and how that plays into the CUI conversation. So there are all these different categories of information. Understanding, to your point, what’s in your contract, what requirements are there, but actually what information you have on your systems is certainly going to be an important part of the path to compliance, whether it be to the 7012 clause or the CMMC program.
John Verry: (29:01)
Yeah. So you mentioned some interesting stuff. So stuff that they should absolutely look for would be like no foreign, would be like one class advocate that’s going to have some additional requirements. You mentioned ITAR specifically. And the danger with ITAR is you can conform with CMMC, and you may migrate to a different email solution, as an example, that conforms with the CMMC requirement, spend a lot of time and money doing that, but it doesn’t conform with the ITAR requirement because of the data center access and who’s involved with it. So it’s really critical.
John Verry: (29:32)
So as an example, I think the most recent guidance from Microsoft is you’d have to go to GCC High if you’ve got ITAR data. And if you fail to go there, you’re going to … So that would be an interesting question as well. So if a CMMC auditor comes in and you’re conforming with CMMC, but were not conforming with ITAR, do we know yet where their boundaries are? Again, I never even thought of that until we just had this conversation. I mean, that would be a mistake.
John Verry: (30:00)
Do you think that’s something that they’ll end up pointing out in audit? I would think they should, because the reality is that we failed to live to the contractual obligation. And/or really, as you said, it’s about security. It’s not about compliance. Any-
Corbin Evans: (30:12)
So you’re exactly right that that should be something that would be a great part of that conversation. But it an unknown, currently, as to whether those third party assessment organizations, those folks are going to send the auditors out into your system, and they’re going to have a robust knowledge of all the contractual requirements.
Corbin Evans: (30:35)
I haven’t sat through the training, so I can’t tell you exactly what the CMMC-AB is educating these prospective auditors on, and whether ITAR and other protections required in contracts are part of that process, part of that education process. But to your point, I certainly think that it’d be advantageous for them to at minimum, point it out. Whether that means that they receive some sort of deduction on their overall score or not, I think that that it’s probably a larger conversation, but I think to a certain extent that these auditors and really the community more broadly, can be sharing best practices from contractor to contractor.
Corbin Evans: (31:16)
I know there are a lot of different forums. NDIA has a couple and is involved in a couple as well, where contractors have the ability to share, what email system are you using? What multi factor authentication program or solution have you implemented? And is it both CMMC compliant? Is it NIST 171 compliant? Is it ITAR compliant? And some of the other requirements. That really comes down to a conversation among the contractor community.
Corbin Evans: (31:47)
And I will say, whether the DIBCAC auditors, the DCAM folks that are going to come out and potentially audit your system to the 7012 requirements, the same point, whether they’re commenting on your ITAR compliance or not, is an unknown, but again, an important piece to keep in mind when you are having conversations or asking questions with these folks about best practices.
John Verry: (32:11)
Cool. And let me ask a question or two. Well, actually, one question on ITAR. In regards to the updated ITAR earlier this year, I believe, do you see that … I mean, have you guys pined on this? Some people differ on whether we need end-to-end encryption, and whether or not any storage outside of the US is possible. Have you guys released any guidance on that?
Corbin Evans: (32:32)
So we haven’t released any guidance, so I will proceed with a bit of caution here. But in my understanding, my reading of the updated regulations which I believe were March of this year, March of 2020, although such a busy time in the world. But that seemed to be happening.
John Verry: (32:47)
Did something happen in March that I missed, Corbin?
Corbin Evans: (32:53)
Many, many years ago in March 2020, they updated the regulations to allow as I understand it, a little bit more flexibility related to data storage, and created a option essentially, where you could have US persons access data outside of the US. So outside of essentially an exception to that domestic requirement, if the data was encrypted via an end-to-end encryption.
Corbin Evans: (33:26)
So it is a pretty narrow exception, and I would encourage folks that are seeking to take advantage of that exception to read that regulation very closely, but to ensure that they are in compliance. And above all else, as we’ve mentioned, that that data does remain secure. But I do understand that there is an exception for US persons to access data outside of the United States, using end-to-end encryption.
John Verry: (33:51)
Cool. That was our interpretation as well. I was just curious if there was any formal guidance there. And then one other question for you. So we talk about these, because I think it’s such a critical part that we make sure that when we go in, we just don’t blindly say 171 or CMMC level three is the target. We understand really what’s in your contract. Is there a cheat for this?
John Verry: (34:09)
So based on the programs that you support, or whether or not you have previous classifications like FOUO or SB, or anything of that nature, that if you’re working with certain types of programs, do you automatically know that you’re probably going to have some additional level of obligation beyond level three? Or is that too broad a statement?
Corbin Evans: (34:31)
So probably too broad a statement at this point in time. What we know about levels four and five of the CMMC program is they’re going to be rarely used. Miss Katie Arrington, John Ellis, the DCMA and other DOD officials have made it clear that they intend these levels, these CMC levels to be rare. Very small percentage of contracts will contain these requirements.
Corbin Evans: (34:56)
But what we know about what contracts will contain levels four and five, some information we received, potentially sensitive contracts that are within the Missile Defense Agency. So you do whole contracts in that area. Some of the higher profile weapons systems, F-35, some of the attack submarines and pieces like that, you might be in a situation where you know that you can predict that you might need to be at that level four or level five.
Corbin Evans: (35:28)
And additionally, this is going to be something that’s not going to come as a surprise. We’ve been told that contracting officers, program managers are going to start to have conversations with prime contractors over the course of the coming years to ensure that they can start to map those CMMC requirements further down their sup … to ensure that it’s not a surprise, because levels four and level five CMMC compliance is certainly going to be a larger lift than level one or level three.
John Verry: (36:00)
Yeah, I think it’s going to be a significant lift. And just beyond the additional 41 controls, I just think that the due diligence that they’re going to do during the audit process and that whole threat component, and being on top of that is non trivial. And it’s funny, because … and to echo what you said, I chatted as recently as yesterday with somebody who’s involved in one of the programs relating to missiles.
John Verry: (36:22)
And for the last six months, at least, he’s been talking about the fact that their expectation is that they need to go to level five. So I do think you’re right. I think the good guidance for us, when we’re chatting with people is the people that really are definitely going to need to get there probably already know that. We’re not going to be [crosstalk 00:36:42].
Corbin Evans: (36:41)
The definites I hope are already having those conversations, because of the significant lift involved with compliance.
John Verry: (36:51)
Right. So earlier on in the conversation, you talked about something which I thought was really relevant, where you talked about this idea of not only do we need to get our data to where it needs to get to, but I think it was a clarification. I think there was always some confusion around CMMC level three, and the fact that you don’t see a defense supply chain requirement come into level four. People are saying, “Well, I don’t have to worry about the flow down.”
John Verry: (37:12)
But the reality is in 7012, you had the clause and that specifically called it. And I think there’s an homage or nod to the lack of clarity there and making sure it was more explicit in 7019, 20 and 21, where it’s very explicit. Right within that main part of the clause, you will flow this down. You have an obligation to make sure that before signing a contract or before sharing, either FCI or CUI, be holding data. With your vendor, you have an obligation to ensure that.
John Verry: (37:42)
I’ve heard some people talk about the fact that there are some vendors, and probably some of the members of your community that are extremely concerned about that. Because you might have a program that you’re supporting as a sub to a prime, but you might have three or four, 10 or 20 organizations that are part of that program. And a lot of them are going to be small guys. And getting to a CMMC level three environment, it’s going to be hard.
John Verry: (38:08)
So once you’re [inaudible 00:38:09] there, are you helping them come up with mechanisms to produce enclaves that were allowing sort of gated access into that environment? How do we not have CMMC level three requirements or even 7020 requirements break your members’ ability to deliver their services and products to the government?
Corbin Evans: (38:34)
Yes. So it’s a complex question, certainly. A couple of things that we’ve been seeing up to this point, some prime contractors, especially the large folks have already gone through the process of standing up some educational programs for their subcontractors, and essentially taking them through the 7012 compliance process to ensure that any help, that they need any questions that they need answered can be answered. And essentially, you get to a situation where a rising tide floats all boats in those situations.
Corbin Evans: (39:08)
Some folks are adopting enclave as a system and allowing subcontractors to essentially port their systems into a prime contractor’s enclave system. Of course, that’s adopting more risk on the prime contractor’s side. And they need to ensure that they’re not only protecting their own data, but they’re protecting their subcontractor’s data as well. And so a fine solution, but I just want to ensure that the books are mindful of that additional piece there.
Corbin Evans: (39:37)
I think that it’s going to be a bit of a learning process in terms of where the requirements related to CMMC fall within the supply chain. So if you come into a CMMC contract, and as a prime contractor, and there’s a level three requirement for you, what does that mean for all of your subcontractors? Because we know to this point, it doesn’t mean that all of your subcontractors need to be CMMC level three. And that would be quite an extensive burden when you think about some of the supply chains that are supporting some of these critical programs. They can be several 100 companies just supporting one contract.
Corbin Evans: (40:17)
So what exactly that process looks like is still a bit of an unknown, but what we do know is that it’s going to essentially be a competition between the sector and the contracting officer. So what advice I would have for prime contractors, or even subcontractors that have lower tiers underneath them is start to think about where your data is coming from, and where it’s flowing to, because that’s going to help to inform that conversation related to what CMMC requirements are essentially coming down from higher tier suppliers in your supply chain, and what CMMC requirements you need to pass and flow down to lower tier suppliers in your supply chain.
Corbin Evans: (40:58)
Because that transfer of information from tier to tier, it’s in the supply chain, is going to essentially dictate the CMMC levels required. And that prime contractor is going to need to have a good idea of where that information is going, to ensure that they can have an honest and frank conversation with the contracting officer about which contractors need to come into the CMMC program at level three, and which folks can stay at level one.
John Verry: (41:30)
Thank you. You supported the way we do this. I mean, one of the first things that we do, the two things which we think are incredibly important to forming the basis of the scope of your system security plan is exactly that, is understanding data flows. And that we literally like to document the data flows explicitly around FCI and CUI, because that’s the only way that you really understand how that cascades, if you will, not only within your own organization.
John Verry: (41:55)
Because in many organizations, everyone in the organization might not be touching or responsible for processing CUI. Not all your business is DOD, or not all your business is part of a program that processes CUI. Not everyone needs to be within that scope, so that scoping is really critical. And those data flows are really critical. And then I think also, like you said, getting to those contracting officers, and really understanding who we’re contracting with upstream, and who we’re contracting with downstream. So great guidance. Great guidance.
John Verry: (42:27)
Looking through our list of things that we talked about, and you’ve been incredibly efficient at covering them, from your perspective, anything we missed, or anything else we should be talking about?
Corbin Evans: (42:39)
So I will say just on that previous conversation related to enclaves, we’ve had a lot of conversations with contractors about what decisions they should be making related to whether they should create enclaves in their internal system, or they should try and bring their entire system up to, let’s say, level three CMMC compliance. And there seems to be a split among the community currently, whether folks are going to essentially adopt enclaves internally. So essentially create a internal enclave where all CUI is housed, and ensure that no CUI is accessible outside of that enclave.
Corbin Evans: (43:19)
And that’s certainly an option, to bring themselves up to CMMC level three compliance, or try and bring the entire organization up to level three CMMC compliance and ensure that all the practices and processes required at level three are pervasive throughout the organization. I think both are legitimate options. I would encourage your listeners to think about what makes sense for the data flows within their internal system already. But additionally, a question that we’ve been batting around at our virtual Scotch and Policies recently is whether a contractor would have the ability to create multiple enclaves within their system and receive different levels of CMMC compliance and scores across those multiple enclaves.
Corbin Evans: (44:08)
So we spoke about levels four and five, and how those are cumbersome and potentially expensive. If a contractor creates a small enclave within their internal systems that didn’t need to get to level four or five compliance, that might be a method for reducing cost and complexity of compliance, just because it wouldn’t be their entire system that needed to get to level four and level five.
John Verry: (44:34)
Yes. So I couldn’t agree with you more. To be honest with you, our strategy is around exactly that. And actually, it’s interesting. We’re doing a webinar tomorrow on this subject, really, because what we’re trying to do is say CMMC conformance differs depending upon, are you an organization that’s 1,000 people that’s 95% DIB? Are you an org that’s 50-50? You’re doing commercial work, you’re doing DIB work. You’ve got different requirements on each side of the house, if you will.
John Verry: (45:04)
Or are you an organization that 10% of your business is DIB? And how are you going to manage that? And I think in each of those environments, so if you get to that 95, 90%, you’re probably the most effective and efficient way to do that. Your system security plan basically covers your entire company. Your company is your enclave. But if you get down to a 50-50, can we do this a lot with FedRAMP? You do not want to treat all data at the highest level of the most expensive, if you will, from an effectiveness and efficiency of operations, as well as a cost, you don’t necessarily want to treat all of your data at the highest level of security treatment.
John Verry: (45:41)
And there you’ll see people doing things like so in 95%, maybe you move everything to GCC High. When you get to 10%, moving everything to GCC High and paying that additional freight, when very little data that you want might not be the most effective way to do that. So we do see that this idea of creating one or more enclaves, if you are at a lower percentage of your business being through the DIB, is going to be a really good strategy. Because if you think about it, you’ve got to … if you look at the logging requirements, you have 25% or 30% of it is all around that logging requirement.
John Verry: (46:19)
And if you infer the user account management reviews and the incident response, are also tied to that, if you’ve got to manage and monitor all of those systems, every system in your environment versus a small subset, it’s going to be a high cost. It’s an ongoing cost of doing that. So I like your idea. I think that enclaves, we’re going to see people really using enclaves in a very strategic way. Great. And I’m glad to hear that our own conclusions were the same as the cyber professionals like yourself.
John Verry: (46:50)
[crosstalk 00:46:50] Yeah. And by the way, I’ve talked to a couple of people on the audit side of the business, right where we think this is going. So some of the tools that are out there now will allow you to have multiple system security plans within a single environment. And my understanding, and of course, this is not official because no one really knows where this is going yet, but my understanding is that the CMMC-AB is already considering mechanisms to allow you to have a single certification with multiple SSPs within it, with each SSP correlating with an enclave, if you will.
John Verry: (47:27)
But we have one client that has software applications for the government, and there’s 15 of them. And we’ve had them develop 15 different SSPs. So in their environment, it wouldn’t make sense to have 15 CMMC certification, so we suspect that what they’re going to be able to do is actually have a single CMMC umbrella certification that has each of those different SSPs called out explicitly within them.
Corbin Evans: (47:52)
Yep. And that seems like a perfectly acceptable design. And I think it really gets to the point that it’s not a one-size-fits-all solution when it comes to implementing these regulations and ensuring your compliance. And certainly, it speaks to some of the complexities involved with auditing, and some of the challenges ahead for the CMMC-AB and their education and certification of these auditors. But certainly, it seems like a reasonable method for actually securing the data.
John Verry: (48:20)
Yeah. And look, it makes sense to me. It’ll be interesting to see if that is the way that it goes. Unfortunately, this just feels like medicine a little bit. As much as we know, there’s not much that we know. Or the more we learn, the less we know; you hear that medicine a lot. And I almost feel that way with CMMC a bit. The more I learn, the less I know.
Corbin Evans: (48:39)
John Verry: (48:40)
Cool. All right. Anything else we should touch on before we say goodbye?
Corbin Evans: (48:43)
I don’t think so. I think it’s been comprehensive.
John Verry: (48:47)
Did you do your homework?
Corbin Evans: (48:47)
I did do my homework, yes.
John Verry: (48:50)
[crosstalk 00:48:50] Then I’ll ask the question. So, what fictional character or real person do you think would make an amazing or horrible CISO in the DIB, and why?
Corbin Evans: (49:01)
Yes. So thanks, John. I did have a chance to think about this briefly, prior to this conversation, and I’m going to go with Lisa Simpson. One, love to keep a woman in that position. I think Miss Arrington has been great, bringing a bit of diversity to a traditionally male-dominated field. I think that that is something that certainly is an advantage, but also Lisa’s middle child syndrome, I think is going to be helpful. Managing up, managing down is something that’s certainly important for any successful CISO. So, I would think that my personal answer is Lisa Simpson. Hopefully, some folks out there agree.
John Verry: (49:45)
I’m surprised you didn’t go with Homer, but maybe I shouldn’t be.
Corbin Evans: (49:49)
I didn’t say what fictional character was a representative of the CISO.
John Verry: (49:58)
I just got that one. Well done. And I think unfortunately, there are a few too many Homers out there. All right. Cool. Last question. Based on the everyday conversations you have with your NDIA members, any suggestions on a future podcast topic?
Corbin Evans: (50:17)
So I think it’s something that you all would benefit from, and certainly myself and other listeners in this policy space would benefit from is a deep dive on cost associated with CMMC compliance. This has been an ongoing conversation between ourselves and the DOD, what is the actual cost for not only that delta of NIST 171 to CMMC level three, but also the overarching cost of getting compliant and maintaining compliance at each of the CMMC levels.
Corbin Evans: (50:51)
So any conversations that you could tease out from industry members. Some folks seem to hold that information pretty close to their chest, and I certainly understand that. But any conversation there, I would certainly benefit from and I’m sure your listeners would as well.
John Verry: (51:06)
So we looked in a crystal ball. We have a couple blogs on our website that we looked in the crystal ball on this subject a while ago. So we actually did post some stuff there. It is going to be really interesting. What I’m wrestling with is that the biggest variance to me is, what is the audit going to cost? And the reason I say that is because on one side of the fence, I know that they want to keep it reasonably priced. And on the other side of the fence, if they’re going to stick with the guidance they gave us during RP training, that they are going to need to validate, define two independent objective forms of evidence for the persistent and habitual execution of each practice and each process, that’s not a cheap, easy audit to do.
John Verry: (51:49)
I mean, I talked John Ellis, and I know the DIDCAC audits, he went on record as saying that they were sending like five auditors for five days. And you think about 25-man days and going rate in the industry is no less than 2,000, maybe as much as $3,000 per audit day. I mean, I can’t see that they’re going to charge $75,000 to these companies for audits, so I’ve landed in that 20 to 40 range, if we take 30 as the midpoint. And then we actually put some estimates out there on what it would cost you if you don’t have some of this technology.
John Verry: (52:17)
But it really depends on like we’ve got some clients that, where are you at in the implementation? I talked to a client recently. He said he spent $175,000 in his mind, to get to [crosstalk 00:52:27] if you want performance. And that was probably about a 200 person organization in the manufacturing sector. So, where are you at in that continuum? Did you already spend that? No? Then the lift to CMMC level three is not very high, but if we’re starting from ground zero, and you don’t have the logging and monitoring capacity, you don’t have the multi factor authentication, you need to do a lift into an ITAR compliant environment. Yeah, it’s going to be sizable.
Corbin Evans: (52:53)
John Verry: (52:53)
So maybe an update on that would be a really good idea. Thank you. Cool. Last question. How can folks get in contact with you if they’re interested in chatting further, or they’re interested in membership at NDIA?
Corbin Evans: (53:05)
Sure. So ndia.org is the trade association’s website. So please do check that out. Ndia.org/CMMC has some information and some previous comments, submissions and some of our analysis around the CMMC rules specifically. You can reach me, my email is cevans, E-V-A-N-S @ndia.org. I would love to speak with folks.
John Verry: (53:29)
Excellent. And by the way, I will throw kudos to you. Your message boards, your forums are as about as good as anything out there. There’s a Discord channel that we like to follow, and there’s the NDIA forums. And we get a lot of our leading edge information off of that. So thank you.
You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at firstname.lastname@example.org. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.