March 9, 2021

In this episode of The Virtual CISO Podcast, host John Verry, CISO and Managing Partner at Pivot Point Security go over everything government staffing agencies need to know about CMMC Level 3 requirements. 

John outlines:

  • How to tell if you have CUI in your environment
  • Whether your FCI can become CUI
  • If you need (or want) CMMC Level 3 compliance
  • The 3 steps to take when it comes to CMMC Level 3 compliance

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.


Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

Jeremy Sporn (00:26):

Hello, and welcome to another episode of the Virtual CISO Podcast. I am your host, Jeremy Sporn, and with me as always the SpongeBob to my Patrick, John Verry. Hey John.

John Verry (00:39):

Somehow in my head, I thought I was going to hear SpongeBob to my square pants. But I realized that sounds wrong.

Jeremy Sporn (00:46):


John Verry (00:46):

And my favorite thing about SpongeBob is… I used to like a TV show called Coach and Patrick, Dauber I think his name might be, but that big giant guy that was the assistant coach, that’s actually, it turned out to be Patrick, so.

Jeremy Sporn (01:03):

The best part about that is this voice is the same on Coach and as Patrick [inaudible 00:01:07] identical.

John Verry (01:08):

Yeah, exactly.

Jeremy Sporn (01:10):

So today we have a bit of a unique topic or a challenge within the CMMC world. There are these firms, these government staffing agencies, companies who we say put bodies in seats within the DoD. And they’re seeing CMMC Level 3 language and upcoming contracts. They’re having conversations with their primes about it. The interesting thing here is that many of them don’t have what we usually think of when we say CUI and their environments. And as we all know, CMMC Level 3 is all about protecting CUI.

Jeremy Sporn (01:44):

So, John, I know you’ve spoken to a few of these government staffing agencies and we are all on the edge of our seats. Hoping you can give us some good guidance here. There’s a lot to unpack. Obviously we have the FCI, CUI differences and similarities that we’ve got to go through. What if information is seats GFEs. Let’s start as all information security should with scope. Thank you for teaching me that, by the way. If you were talking with a government staffing agency, how should they look at the scope of their CMMC environment knowing that they’re getting these L3 requirements pushed down to them, but they may or may not really have CUI to deal with.

John Verry (02:25):

Gotcha. So generally speaking scope could be considered to be equal to the flow of data, which is subject to the CMMC regulation. So as you alluded to, there are two forms of data that are governed by CMMC what we call Federal Contract Information or FCI and CUI, Controlled Unclassified Information. When we talk about CMMC, logically if you are a staffing agency, right? So you’re putting bodies on bases or bodies at agencies. And often these bodies are working on what we call GFE, Government Furnished Equipment. You logically think, hey, CMMC Level 1 would apply cause I have a federal contract, but I don’t think that CMMC Level 3 should apply because I don’t have any CUI in my environment.

John Verry (03:15):

So the way that you establish those environments, right? The basis of scoping is to understand what data that you have, which is FCI. What data you have, which is CUI, and then follow the data. How does that data come to you? How is that data processed within your organization, used within your organization, perhaps even created within your organization? Who is that information shared with? Maybe some downstream vendors or some people that work for you, people work as an extension of your organization. And then how does that data get back to let’s say the agency or a prime that you’re working with, right? So that’s what we call the data flow.

John Verry (03:50):

Another way you can look at it in the same concepts stated differently. And if you’re familiar with something like the payment card industry data security standard, you might have heard the term store, process, transit. So another way to look at this is, does this system, does this application, does this individual store process or transmit or transit FCI or CUI. Any system that does, right, is considered in scope. So that would be within your CUI or FCI scope.

Jeremy Sporn (04:22):

Gotcha. So let’s go down a particular path here. Someone’s at a government staffing agency, they run it, they could be a one man or two man shop and they don’t think they have any CUI in their environment. All they don’t touch it. It’s just FCI. One of the things that you’ve pointed out to me before is that not all CUI is created equal and that FCI can sneak its way into the CUI world. How would you advise someone to say, be careful if you only think you have FCI and not CUI?

John Verry (04:52):

So let’s start with the first thing that you said that, well, the second thing you said. That FCI can be sneaky as well, right? Both FCI and CUI can have sneaky elements. How about I say it that way? FCI, Federal Contract Information generally is any information relating to that contract. But on occasion, the actual FCI can rise to the level of becoming CUI in and of itself. A very common example of that would be, if the contract includes, let’s say you’re manufacturing something that’s going into munitions and the specifications for the product in and of itself that are included in the contract rise to the level of CUI. So that would be the first question. Generally speaking, I think in talking with staffing agencies, these jobs are jobs that get posted somewhere and they’re not typically including CUI. So I think in a staffing agency, it’s probably unlikely that the FCI would become CUI.

John Verry (05:50):

Again, worth pointing out, but probably not super germane to… Well, it could be a little bit germane to a staffing agency is that CUI might have different requirements beyond just CMMC Level 3. So as an example, it might be covered by CUI, but it also might be ITAR or EAR or [inaudible 00:06:08] right. Have it in additional data classification requiring additional treatment. So if you are placing bodies in someplace where those additional classifications could come to arise, if that data does leak into your environment, you’re going to have additional requirements beyond just that CMMC CUI.

Jeremy Sporn (06:25):

Makes sense. So then one of the areas that I think is a little challenging and we talk about this a lot when we talk to SaaS firms that says this idea of shared responsibility, and you refer to the shared responsibility matrix quite often. Can you touch upon how that relates to this particular area of the responsibility of both the agency, as well as potentially the staffer that they put on the job?

John Verry (06:53):

Yeah. So taking a slight step back before we take that step forward. So you asked like, how does somebody know what to do? So if you’re being asked for CMMC Level 3 and you truly don’t believe that you’ve got CUI coming into your environment, you’re going to want to go back to the prime. You’re going to want to go back to the agency and talk to the program manager, talk to the contracting officer.

John Verry (07:15):

And perhaps they’re making a request which is illogical. And you can be successful working with the government, asking them to change a clause in a contract if it’s not relevant to you. I have seen multiple staffing agencies that we’ve talked to very recently that have said, we think they’re going to ask us for CMMC Level 3, but even if they don’t, we want to be CMMC Level 3, because we’re worried that if we don’t have that, there might be some opportunities that they don’t give to us. So they might give opportunities to people who have CMMC Level 3, despite the fact that it’s not required, right. Because it’s a safer… If something goes wrong, those people are safer than us. So we’re seeing people that are either being asked for it and saying, I don’t think I need it, go back. We’re seeing people that are saying, I’m being asked for it. I don’t think I need it, but I still want it. And I don’t think either of those is a right or wrong response.

John Verry (08:05):

So why might you need CMMC Level 3? Or why an entity require you to have CMMC Level 3, if I’m just putting bodies on basis using government furnished equipment and using their email. So that’s a great question. So I think the biggest… And the way you would address that particular question is use of what we refer to as a risk assessment. So, and it’s a requirement by the way of CMMC Level 3. So what are the risks, right? What are the scenarios in which CUI might leak into your environment? So if you think about it logically, I hired Jeremy. Jeremy goes to work at the DoD. He’s working on projects that require high level of clearance that obviously involves CUI. And Jeremy sends me a note as the entity that placed him there asking me a question about paycheck or saying, “Hey, for project X, should I be billing this code or this code. I asked, because in both cases it ties into this particular issue and that CUI.

John Verry (09:15):

So one of the questions would be, what protections do you have in case data does leak into your environment? Right. Or do you have protections that would prevent that data from leaking into your environment? Now those could be technical measures, right? Where you’re filtering data, or you’re preventing email from coming in from a military email address, or what it could be is compensating controls that are in place so that if it does enter your environment, you’re still not at risk or not in compliance. So maybe you’ve moved intentionally to… I know of a two person staffing agency that’s moving to Microsoft GCC High just in case somebody sends them content by mistake.

Jeremy Sporn (09:54):

Wow. That’s incredibly nuanced. Okay. So as a, as a staffing agency, you outlined sort of two routes doing it and you can go back to the government and say, “Hey, I don’t feel like this is appropriate.” Or you can go ahead and try and get that Level 3 for almost sounds like a marketing play in certain ways to get [crosstalk 00:10:13]

John Verry (10:14):

Well, and now you also get into another interesting. So I think it’s a marketing player in some cases. Right. So let’s go a different direction. You talked about the shared responsibility matrix. So the idea behind the shared responsibility matrix is that in any relationship with a third party, right, we share the responsibility for managing the risk associated with the relationship. So if I’m hosting my own equipment and I am managing the risk associated with the, almost the entire layer, right. I’m responsible for making sure there’s locks on the doors. I’m responsible for making sure that there’s security guards and badges and people being escorted. I’m responsible for making sure that the underlying computer system is properly configured and patch. I’m responsible for asset management. I’m responsible for background screening of all the employees. Right. So literally like every control that you might imagine would be necessary to manage the universe of risk is in my responsibility.

John Verry (11:14):

Let’s say now I compare that with, instead of hosting that application in my environment and all that full technology stack, I go to a software as a service company. Am I now responsible for the physical security of those servers, the patching and management of those servers, the underlying operating system, and ensuring that the database stays up-to-date? No. That’s been outsourced if you will, to them. But I still have the responsibility of, let’s say making sure that the users that are using the data, know their obligations, that they’re being properly validated, vetted, background checked, that they’re using strong passwords.

John Verry (11:47):

So that’s where that shared responsibility comes in. And I think that if I’m the federal government or prime, I’m thinking you still own some responsibility. So as an example, you’re putting a body on my base, did you properly background screen that body? I mean, maybe I’m going to do that on top of that. So maybe I don’t need you to do that. Have you given them the security awareness and education that is necessary for them to understand the risks? Have you told them not to send the email out or will I cover that on my side? Right. So maybe the government entity or the agency would say, “No, we’re going to handle all of that.” And I think that’s where you might see some elements of CMMC Level 3 as being “on your side of the fence” or in scope for you. Some might be on their side. And I think getting that clarity is going to be important for most staffing agencies.

Jeremy Sporn (12:37):

Yeah. That sounds wild. So you could get to a point where of the 130 controls, you were responsible for a subset of them. Is that what you envision?

John Verry (12:47):

Yeah, perfectly said. Perfectly. So think about it this way. All right. And now you got, or you both have responsibility. So who owns the responsibility for preventing physical access to a keyboard that has access to FCI?

Jeremy Sporn (13:07):

Wow. I guess you could argue both do, right. I mean that would make sense to me. Yeah.

John Verry (13:14):

Both. Right. Absolutely. So that’s where it really comes into play is like, all right. And that’s where that idea of understanding risk and understanding those scenarios and in each scenario saying, what if this happened, what would be my responsibility? What would be their responsibility?

Jeremy Sporn (13:32):

Thinking about this and having this conversation, it makes me feel it’s more complicated in this situation than when you have a traditional DIB firm who knows they have CUI, knows that they have to protect these 130 control. You know what I mean? It almost sounds like it’s going to be a larger challenge for the staffing agency.

John Verry (13:51):

Yes and no. So, look, if you’re a staffing agency, I think if you can get clear definition of what the expectation is from the agency or prime, that’s really what you want to shoot for. That way we’re not in this debating and trying to figure it out level. That being said where it’s not any more difficult, I think, then in a lot of CMMC Level 3 is that in almost any entity we’ve got the same kind of an situation, right? Because almost all organizations have some level of third-party vendor support. They might be using a managed services provider. They’ve got someone who might be providing outsource security operation center. They’re using cloud cloud-based applications for the processing of CUI. So in all of those cases, we still have that shared responsibility that we need to understand and make sure that we’re addressing well.

Jeremy Sporn (14:40):

Got it. And at least minimum, every government staffing agency should be focused on, at least in the near term if they haven’t, implementing the 17L1 controls, correct? Those are given at this point?

John Verry (14:53):

Yes. So right. If you think about it, even prior to CMMC they were responsible technically for the same controls because they’re specified in, I believe it’s 48CFR52.204-21. Right. That’s a mouthful, but either way. So there was 15 controls there. They broke a couple of them apart. It’s now 17 within the CMMC ecosystem.

Jeremy Sporn (15:18):

Yeah. Got it. So the one area which I have been confused about and not surprising, I’m not the brightest person alive, so I’m allowed to be a little confused, but is how on earth are these government agencies supposed to fill out the SPRS accurately? Do they still need an SSP? It seems like a lot of the controls there you’d want to be able to put not applicable, but can they say yes to something if it’s not applicable to them? Can they gain the points? So [crosstalk 00:15:52]

John Verry (15:51):

So, remember SPRS though is only… You’re only going to see SPRS in a contract for a 7019, 7020, or 7021, which all are definitively CUI. So if you’re just a level one SPRS doesn’t come into play.

Jeremy Sporn (16:09):

Gotcha. So in the case where you’re the staffing agency and you want to get CMMC L-3 because for whether it’s a marketing reason, you’re looking at that as a way to grow your business, but any way you want it. There are going to be questions in the SPRS that are going to be hard to answer. Do you know how they would go about doing that?

John Verry (16:28):

Yeah. So if you think about it this way. So let’s say that we get to a point where we’re mostly bodies on basis, we don’t think data’s going to be in our environment or there’s an insanely limited amount. And let’s say that we look at the risks and we say, the physical security of our office is something we really need to account for, let’s say, employee background screening, and… Maybe the background screening of not the employees that are going on base, that would be an interesting variation of what I talked about before. Right. So employee screening, employee education. Minimally, even if you’re not responsible for the screening and education of the people that are going into the agencies on your behalf, right. Who you’re contracting for your own employees that are actually interacting with FCI and perhaps interacting with CUI, you might have that responsibility.

John Verry (17:15):

So the way that you would handle this is if you were going to proceed towards CMMC Level 3, and you thought many of these controls were really outside of… They didn’t make sense for you to implement. The way that you do that properly, if you will, in a substantial way is you conduct the risk assessment, you say which risks are in play, which aren’t, and then you use that to substantiate why certain controls are not applicable in your environment. And that gets documented in the SSP. Because if you think about what an SSP is, it’s a plan to provide to a system. A system doesn’t necessarily be one PC or one application. It’s the collection of assets that support the operation of a particular function. So what you’re saying in that particular case within this SSP is, hey, we’re receiving this data from these entities. That data is being processed in these locations, on these IT assets, touched by these people. Okay.

John Verry (18:18):

And then what you’re doing is here are the stakeholders, right? You’re defining all of the context relating to that data. And then what you’re doing is you’re documenting each of the 130 controls that you’re responsible for how that control A, meets the requirements of the CMMC standard and B, effectively manages the risk associated with the data within the context that you’ve outlined. So where a particular control, right… So if you have no systems that store, process or transmit CUI, could you make the argument that I don’t need to have a log management solution. That my log management solution doesn’t have to address these issues, so it’s not required. Yeah. You could make that logical argument. So you’d go through for each of those particular points, right. Each control and say, “Here’s how we’ve implemented. Or if we haven’t implemented here’s why.

Jeremy Sporn (19:07):

Got it. Okay. Of all the points I wanted to make sure you hit today, you hit the ones on my list. But as always, my list could be different than yours. Is there anything else you feel like we need to share to give good guidance to government staffing agencies when it comes to CMMC?

John Verry (19:24):

No. I think at a high level… I mean, I think we’ve communicated the importance, right. And if I summarize that, if you are a staffing agency CMMC L 1 almost definitively applies, right. I can’t say that definitively. So it’s highly, highly likely that L 1 applies. If you’re being asked for L 3 and you don’t think that it makes sense, gain that clarification. Right. And make sure that you’re being asked for it. If you either decide that you’re going to go forward with L 3 for reasons of marketing, for reasons of future contract potential, to sleep well at night or because the agency is telling you that, and you can’t get them to not say, although you don’t need to do it, then be strategic about your implementation of those controls. Like I said, make sure that we account for both expected and unexpected data flows. Then make sure when we review the L three controls that we need to implement, that we do that it properly informed by the context and data flows and properly informed by the risk scenarios that we’ve identified.

Jeremy Sporn (20:37):

Awesome. John, appreciate you shedding some light on a peculiar situation that we have here. As always appreciate your time. Everyone, thank you for your time and let’s stay safe out there.

Narrator (20:49):

You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.