This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
Narrator (Intro/Outro) (00:06):
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey there, and welcome to yet another episode of the Virtual CISO Podcast. With you as always, your host, John Verry, and with me again is the today Norton to my Ralph, Andrea VanSeveren.
Andrea VanSeveren (00:38):
Hey, John. Hey, everyone. Yes, starting when you talked about her drink of choice, she said, the Norton grape and I just couldn’t get it out of my head no matter how hard I tried.
John Verry (00:46):
So immediately I go, “To the moon, Alice. To the moon,” but we’ve lost everybody because no one is old enough to know that reference. Neither am I. My grandparents told me about it. And the reference was the Norton… Yeah, I’d never heard of a Norton grape that she likes. I’m a red wine drinker, and I’m going to have to go out and buy a bottle just to try it. Other than the Norton grape reference, what did you think of my conversation with Stacy?
Andrea VanSeveren (01:18):
So, I think she provided a lot of clarity around what to expect for a CMMC Level 3 roll-out, and the importance of the AB certified third-party assessor organization, which is really going to perform and manage the whole assessment process.
John Verry (01:35):
Yeah, Stacy has been… And she’ll probably get mad at me for saying this. She’s been doing this a long time. She’s really, really smart. Very, very experienced, and she really knows her stuff. So it’s very interesting as CMMC is rapidly evolving and we’re getting to a point now where the C3PAOs are being certified, right? In fact, I think they’re actually undergoing their audit this week. And they’re learning about how the DIBCAC is holding their feet to the fire, we’re getting a better sense of how the C3PAOs are going to hold your feet to the fire if you’re someone who’s becoming CMMC certified. So, it was a very interesting conversation to kind of see where this is evolving to, and what it’s going to mean to folks in terms of level of effort, in terms of cost, and how robust these audits are going to be. So, I thought it was a really good episode.
Andrea VanSeveren (02:27):
Yep. No, absolutely. And if you’re doing business in the defense industrial base or are going to continue to, and you’ve got your CUI in your environment or you’re not sure, right? The Level 3 assessment is something you’re definitely going to need to continue to work in the space, so you want to listen to this episode and hear directly from Stacy about how you can prepare for the assessment process, what it entails, and how critical the AB C3PAO is and to help you manage and perform that assessment.
John Verry (02:58):
Yeah, and just to be clear: So, as of today… If you’re in the DIB, this is important. When we look at what’s happening with the CMMC program, remember it protects CUI, controlled unclassified information and DoD information is only like one of 18 or 19 categories of CUI. You can see that at the NARA registry, the CUI registry. So this is going to really apply as we see DHS, as we see Department of Education, as we see the SEC beginning to start to refer to these standards. GSA is another agency that has. Realistically, this CMMC certification is going to go well beyond the defense industrial base over the next couple of years, so I think there’s a lot here to chew on.
Andrea VanSeveren (03:40):
John Verry (03:41):
Excellent. So with no further ado, let’s get to the episode.
John Verry (03:48):
Stacy, good afternoon. How are you?
Stacy High-Brinkley (03:50):
I’m good. How are you doing, John?
John Verry (03:52):
I am wonderful. I’m on the phone with you. I’m going to talk about one of my favorite subjects, CMMC. So let’s start simple. Tell us a little bit about who you are and what is it that you do every day.
Stacy High-Brinkley (04:04):
Okay. My name is Stacy High-Brinkley, and I am VP of compliance solutions for Cask, and what I do every day is prepare for my DIBCAC assessment lately, to be honest. What we do every day is we work in the compliance governance continuous monitoring area for DoD. So we support them on a daily basis.
John Verry (04:28):
And most important and relevant to this particular call is you guys are going to be a C3PAO.
Stacy High-Brinkley (04:35):
Yes, sir. We are.
John Verry (04:36):
Excellent. All right. So before we get down to business, I like to ask what’s your drink of choice?
Stacy High-Brinkley (04:40):
John Verry (04:42):
Ah. Any particular red wine, you’re a blend person or a particular varietal?
Stacy High-Brinkley (04:48):
I like Cabernet Sauvignon and Norton.
John Verry (04:52):
Norton is a particular… I’m not familiar with Norton. A particular winery? Oh, great.
Stacy High-Brinkley (04:59):
Yeah, there’s not a lot around here in Virginia, but it’s really good if you can get some. It’s expensive.
John Verry (05:05):
I’ve never heard of Norton. Is it grown overseas, is it an Italian or French or US, or Australia?
Stacy High-Brinkley (05:14):
I think it’s more out in California, I think. I’m not too sure. But speaking of Italy, I do like Chianti though.
John Verry (05:22):
Yeah, a few years ago I was out in the Castellina Chianti region, and you get to the southern region there in the Montepulciano, and that area is just outstanding. And the wine is different there. If you over-drink there, you still feel okay the next day. You can have three glasses or four glasses of wine and you get up and you’re like, “Hey, good day.” I drink three or four glasses of wine here, and it’s like two days later I’m still like, “Eh.”
Stacy High-Brinkley (05:51):
I love it.
John Verry (05:52):
So thank you for coming on, and the reason I wanted to chat with you is that for so long, we’ve had this thing where CMMC is ahead of us, and I feel like we’re right at that precipice, right? And we’ve got the training rolling out, the CMMC assessment plan has been published, now you guys can start to do your preparation work, we’ve got DIBCAC audits of C3PAOs beginning to take place. So I think the picture is getting clear for all of us, so I thought it would be kind of cool to be able to share what we know at this point.
John Verry (06:21):
So let’s talk about some specifics, and for sake of argument, we can use any metric you want or any model you want, but I think a decent one would be a lot of the clients that we’re dealing with are, let’s say, 300 people-ish, more, maybe say manufacturing single system security plan. So, let’s kind of use that single location just to kind of keep the conversation centralized and have something to talk about. So talk a little bit about what are we expecting in terms of a level of effort for a CMMC L3 audit.
Stacy High-Brinkley (06:50):
So, for a Level 3 assessment, you’re going to have to have three folks as of now. You have to have a certified assessor, a provisional certified assessors, so the only ones out there right now, and they will be performing the formals. They’re not going to be called provisionals, like some people are confused about. And then you need two CPs. Well, there are not two CPs available right now, so what we’re going to have to do is looking like is leverage other PAs, provisional assessors. So you need three people as it stands today, three assessors to do a Level 3 assessment, and so that’s kind of where it starts there. So the big deal is size and scoping. So, that’s when we come in and we get more into the nitty gritty of things with the intake forms and the assessment plans and things like that, so it’s coming back and forth from us to the customer to figure out exactly their size and scope before we give them a proposal.
John Verry (07:51):
So a question for you, and I know you and I chatted about this prior and you actually went and did some validation because you and I had been speaking a couple weeks ago, and in the RP training, the registered provider training, registered practitioner training, they had talked about the fact that… They had said there that an RP could assist either a CA-3 or a provisional auditor doing the audit, but you said you got clarification very specifically that that is not the case at this point in time, and that at this point, you’ll be stuck using three provisional auditors until the CCP programs are actually out in the hands of the LTPs?
Stacy High-Brinkley (08:34):
Yes, and that’s what I heard, and I am so hoping that that does not come to fruition. I’m so hoping that they realize the criticality of getting these assessments started, especially what’s happened in the last few weeks, and I hope that we can move forward with RPs. That will be massively not good if we had to use provisional assessors because as you know, all of them have been in the field for over 25 years, and you’re talking about a substantial amount of budget drills that these folks are going to have to do to reassess and to redo these proposals.
John Verry (09:14):
The other problem is there’s just not many of them out there.
Stacy High-Brinkley (09:14):
No, and the thing is that we need to make sure that they’re on board and they’re ready to go with our tools, our processes, our procedures, even though the assessment methodology is the same across the board. I have synergy with my folks and we work well together and they’re ready to be trained. They’ve been ready to be trained, and there are already assessors and DoD, but right now, I can only leverage them as support. I will have to use other PAs and I am in conversations with some of them, but it’s going to be a heavy lift, I believe.
John Verry (09:45):
Quick question: In terms of the level of effort, man-days, I’ve talked to a number of different candidates, C3PAOs, and typically hear a number that’s in the 25 to 30-ish number of man-days. Does that sound about where you think it’s going to land?
Stacy High-Brinkley (10:01):
If they’re ready, which they’re supposed to be, right? So are we still talking about the level of effort for a 300 person company?
John Verry (10:07):
Yeah, let’s that is the model.
Stacy High-Brinkley (10:09):
On-site, cloud or on-prem, it depends, right? So it depends if they’re really in a secure environment already, or if they have put other security implementation pieces of the pie together to get to that Level 3 compliance. So that’s where the scoping comes in. So 25 to 30 days is pretty, pretty tight. My assessment right now with the DIBCAC is going to be… Well, we upload tomorrow and they start, and then I think we’re done mid-June, and then it takes a couple of weeks if we’re going to get authorized when we pass, if/when, if/when. So that’s taking longer, and we’re literally a lot smaller than that. I mean, we’re a 50 person shop. The scope’s about 10, but we’re going to scope it out for our whole shop, and that’s going to take longer. So it depends if they’re really ready on their game and the documentation is great, during that [inaudible 00:11:07] review, once we get the documentation and review that, if it looks great, it could be within that 25.
John Verry (11:12):
Okay, but they might need to plan for more?
Stacy High-Brinkley (11:14):
John Verry (11:15):
Okay. What level of diligence do you need to do to get to a point where you can give someone a good estimate? So if I’m ready to proceed towards my audit, I’m assuming that I’m going to fill out some type of a questionnaire with you. How in depth will that go, and is your thought process… I know a ISO 27001 a lot of registrars will do some type of readiness assessment to ensure they don’t try to conduct the audit without validating that the entity is ready. Is that the way you think it’s going to be?
Stacy High-Brinkley (11:42):
Yes, yes. First off, they have to have their SSP, and for the maturity, they have to have their processes and their procedures, their plans and policies in place with supporting documents, like HR and awareness training and things, anything that touches security in your company is really going to be a supporting document, but the most important thing is the security implementation on all of your assets, right? Your networks, your firewalls, your VPN, your laptops, your printers, everything that touches that network that transmits, stores, or processes CUI for a Level 3.
Stacy High-Brinkley (12:23):
So that’s why it’s really important to scope it out, maybe VLAN things off, have a total separate network for CUI. If you’re a large company, it’ll be a lot quicker, but then again, the identification of CUI is going to be a bit tricky as we go down the road. Hopefully we’ll be able to get some AI labeling in place or something.
John Verry (12:41):
Yeah, that’s one of the most common complaints I hear is that do you have CUI, well, nothing is labeled that way, and you’re like, “Yeah, that doesn’t mean you don’t have CUI.” So that preparation is critical, and so I would assume that your first sniff test is going to be that SSP because in a well-formed SSP, you’re going to have the definition of the data, you’re going to have the definition of the assets that are in scope, hopefully you have a data flow diagram, you know who the key stakeholders are, you have an idea of how each of the 120 practices are being actually implemented, and I like in a good SSP to even have some indication of how we’re going to evidence each of those practices. That way from an auditor’s perspective, they can walk in, and they got one sort of consolidated package to look at. So assuming we do a great job on that and we hand that to you, will that be the bulk of what you would call a readiness assessment, or will you actually begin to even look for forms of objective evidence on each of the practices?
Stacy High-Brinkley (13:39):
So, for all the documentation you need is an SSP, because that’s your plan, right? You need the policies that are in place for your company that have been there. So you might need to update those, all your policies for all 17 domains, and you also need procedures. So policies, this is we say we do this. Procedures, this is how we do it. So step-by-steps on how you do things. That’s really important. So that’s repeatable process, and it can be proven that you’re doing that for maturity. That’s what they’re foot stomping to me, literally, when I talked to them today while we’re preparing for ours. And that’s important because in the old days, old, old days, when we did DITSCAP, it was a paper drill. No one went out and touched the boxes and ran these scans, Retina and all these things and Nessus. But now, it is not. It is ensuring that they’re secure, they’re keeping that CUI data secure wherever it is, and that their documentation states that. That’s the most important thing.
John Verry (14:40):
So whether it’s 30 or 35 days, can you give me some idea of how much of that would be what I would call preliminary work, what you expect, like an on-site component to look like, and how much of that will be off-site and what maybe that little timeline would be for that?
Stacy High-Brinkley (14:55):
So just for us, to give an example, our readiness review they say is about a week, but they’re going to start reviewing those documents probably as soon as I upload them tomorrow night. Even though our readiness review for them reviewing the documents is one week, five working days, then they’re going to be on-site for a week, I think, I don’t think it’s going to be that long because we’re all remote right now due to COVID. The only thing on-site are those physical practices, the personnel, the logs, all those things they want to see on-site, your physical security, all of those things. So that would only be a couple days, I would think, as they go through all those plans, procedures and policies. So that’s why I’m thinking that it’s only going to be a few weeks, hopefully, for us if the documentation is good, because you have your three lead people, but I’m going to have more people in the background so we can get these folks through quickly because there’s a lot to do and we need all hands on deck to get this done as quickly as possible.
John Verry (15:56):
And in terms of when we look at these 130 practices and 51 processes, give people some idea of what type of objective evidence that you guys will be looking for.
Stacy High-Brinkley (16:08):
So for instance, there are three types of objective evidence. It’s examine, interview or test. Now, it’s real tricky if you think about it because if you’re doing this remotely, sometimes you’re going to need three pieces of evidence because if you do an examine, a document, and then interview someone, they could be reading from the document. So you might have to have a test done. “Go ahead, bring up your VPN log, let me make sure it’s a full tunnel IPsec, you’re logging all your users. Can you bring that up for me, log in? Okay, good. Talk to us about that today.” And I was thinking about that before because you really need to make sure that you have exactly what’s happening down, but per the assessment guide, it’s two pieces of objective evidence if you’re on-site. So right now, it’s going to be up to the assessor whether they want two or three. I believe it’s probably going to stay mostly two for most of them, probably test for a few things, want to see some actual log in and things like that.
John Verry (17:06):
Persistent habitual is a term that I’ve heard used with regards to your obligation. Where do you think we’re going to land with persistent habitual? How long do you think an environment needs to either run for, or how many samples of particular control practice might you need to be able to gauge something as meeting the persistent habitual requirement?
Stacy High-Brinkley (17:26):
So what I’m going to look at is the examine the documentation, talk to the folks who are implementing that security control, and that should be good. If I know that I can see it’s obviously they’re doing this over and over again, the goal is continually monitoring. People need to continually monitor their networks to make sure they’re keeping threats out of their environment, so you’re going to see that in their documentation flow and in their personnel, and how they’re taking care of all of their logs and their auditing and their access control and their incident response plans, everything, restoration. I mean, you’re going to see that. If they say, “Oh, we restore data.” Well, what else do you do for recovery? What do you do for incident response? Who’s your team? So there are a lot of questions that really get in-depth that you can tell if they are truly doing this repeatable process in a persistent manner, I believe.
John Verry (18:20):
If you have a quarterly process, that idealized if we can get to two times that that process is actually triggered, right? So if we do quarterly user account management reviews for all in scope CMMC systems, then if we got to 91 days worth of information, because I fire that practice on day one, I fire it on day 91. From an auditor’s perspective, if I’ve got all of that process document and I’ve got two pieces of evidence to show the last two quarters firing, to you, is that approaching that persistent perpetual requirement?
Stacy High-Brinkley (18:55):
Yeah, I would believe so, especially if you’re showing past logs. They want to see past data, that you’ve done things in the past. Some folks have just started doing it, but as long as you… Let’s say you started six months ago when you thought CMMC was going to roll-out, and you’ve been doing it persistently every day, continually monitoring the things that are important to protect your critical data. I think that’s fine. I think if you just throw it together real quick, you’re going to be able to tell.
John Verry (19:23):
So in terms of optimal preparation for you, to make your life as easy as possible, which is always a good idea because that makes you as the OSC being audited, your life as easy as possible, what would be some great tips for organizations that are… Your team’s about to come in, right? How can they optimize their preparation?
Stacy High-Brinkley (19:43):
I think what they need to do first is get everyone that’s involved on the same page. Have one area where you keep an authoritative place for all the documents you’re reviewing. You do not want to be sending documents back and forth over and under and version control. You need to keep that version control of those documents you’re doing really, really tight so that you know exactly where you are because it’s a lot of documentation to review. It’s a lot of documentation to obtain from your FSO, from HR, from your CM, for your corporate ops, your budgeting, your funding line for IT. They want to make sure that they’re seeing everything. So, that’s the most important thing to me that I’ve found. We have kept it in an authoritative space all along, and it really helps. Hey, can you guys go out and check our acceptable use policy again, make sure it’s looking good, and… I don’t have to send it to email or we don’t have to send it around, it’s in one place, and people can see who’s checked it out. I think that’s real important.
John Verry (20:43):
Yeah, I’m a fan of using some type of solution that gives you sort of a single pane of glass to know where all of the information is and where you are relative to stuff, like the way we manage our ISO… We’re not CMMC Level 3 because we don’t need to be. We will go there at some point, but we’re ISO 27001 certified, and we really keep all of our data in a couple core places, like SharePoint with great document control, version control, and then we keep all of the evidence of the individual tasks that need to fire and the evidence that says fired.
John Verry (21:13):
We keep that in some combination of our help desk ticketing system and inside of Wrike, which is a good project management tool, but I always encourage people to… Either use the tools you have and have the management system meet you where you are, or if you don’t have these types of tools, then purchasing some type of a platform to manage this on, I think, is going to make their lives a lot easier, especially because then they can give you access to that platform, which then makes your life a little bit easier.
Stacy High-Brinkley (21:42):
Right, right. And we do have a compliance platform we use for our compliance continually monitoring, and it saves me three people. So, that saves us.
John Verry (21:54):
And more importantly, I think it gives you that peace of mind and it gives you that authoritative trusted source of information that you need, and it gives you that peace of mind to know that, “Okay, we’re going to ace this audit,” right? Because anyone listening to this who you can’t afford not to ace your audit, right?
Stacy High-Brinkley (22:13):
John Verry (22:14):
Exactly. So I know cost is a hard thing to talk about. When I’ve talked with some folks on the C3PAO side of the fence, I’ve heard some interesting numbers. Yeah, you’re laughing. And you know the game, there’s the low-ball people and then there’s the high-ball people, and then there’s the bulk of us, but I’ve seen someone’s who talked about minimal cost they think they could ever see would be like $2,000 per day, and you certainly could do it at $2,000 per day if you had to need three provisional auditors, and then I’ve heard people go as high as three or $4,000 a day. And if we’re talking 35 days, let’s say as an example, it gets kind of expensive. What are you seeing, or what are you thinking might be the ranges that we’re going to see across the industry? I wouldn’t necessarily just say Cask, but let’s just talk about what we might see across the industry.
Stacy High-Brinkley (23:06):
Well, like you just said, if we have to leverage three provisional assessors, that is definitely going to drive the cost up. Now, does that mean that all three are 100% on for all those days? No, you just need a lead assessor and two others. Right off the bat, it’s going to be expensive until we get those other folks trained because the CPs are going to come in at a much lower level than a PA for instance. I mean, someone in the field 25 years, 250 an hour and up is it for them. For a CP, a lot less, and that’s going to drive it. The RPs. If we can have RPs help us, that’ll drive it. So it’s really hard to talk cost when you don’t know who’s going to be allowed on the assessment. You can put hourly rates to it and say, “Hey, if you have provisional assessors, 250 and up an hour. If you have CPs, a lot less.”
Stacy High-Brinkley (23:58):
I mean, they’re just coming in, so one provisional assessor and two CPs, that’s what I’ve been trying to generate all along and everyone’s told me that that looks good, that that looks like a good price. That’s why I really hope we can leverage RPs so that we can keep those prices around that point. That helps at all. It’s hard because we haven’t done one. I’ve thrown stuff over the fence and folks are like, “Okay.” But it does sound better than a lot of folks. I know there are some websites out there that… There’s one in particular, I don’t know if it’s still there. It had extra small, small, medium, extra medium, large, up to 200, $500,000. I was like, “Are you kidding me?” And I don’t know if it’s still up, but I was shocked. I was shocked.
John Verry (24:46):
Yeah. Logically, it shouldn’t scale that high unless you’re talking about an organization having a number of system security plans. We did work for one large name brand consulting firm, and the way they handled the 800-171 was that each of the roughly 20 applications each had its own SSP. Now, that’ll be an interesting case, by the way. Do you anticipate if I have multiple SSPs, will I get multiple CMMC certifications or will I have one umbrella certification with multiple SSPs under it, and will that influence significantly cost?
Stacy High-Brinkley (25:27):
All right, so two questions. So what we were taught that you go by CAGE code, and that’s how we do the proposals in the ROM. So if you have 10 CAGE codes, then I’ll be giving you 10 different proposals, right? Could I put into one big proposal? Sure, sure. You can do it any way you want. The assessor can actually put them all together and give them one big huge proposal and ROM, but basically, you’re going to get a number based on your CAGE code. So when you actually start an assessment, the CMMC-AB gives you a number, and that will be your number all along.
Stacy High-Brinkley (26:01):
So if we go in and I say, “Here is the Scooby Doo Company, and they have 10 SSPs, and it’s going to be $1 million, and these are their CAGE codes.” So they’re going to give them a number for that ML3. I don’t know if they’re going to give them separate numbers for each CAGE code yet or not. That’s something that I haven’t been told, but that’s where how they were going to start managing it. And that ties back to the SPRS scores, and everything that goes back up to the nest.
John Verry (26:33):
So for people that are listening that know what a CAGE code is, can you define what a CAGE code is?
Stacy High-Brinkley (26:36):
Well, I’m not a business person. I’m a cyber person, John. So a CAGE code is basically the code that you use to register as a business, for instance, Cask, we have one CAGE code. It’s what, five digits, six digits? Something like that. And that’s how you identify yourself in the business world.
John Verry (26:57):
And is a CAGE code tied to a specific logical entity, like a data center or a block of applications or something of that nature, or does the CAGE code just tie to the business itself, like a DUNS number or something?
Stacy High-Brinkley (27:10):
Yeah, it ties to the business, it ties to the business. But for instance, when I upload my SPR score, I put my CAGE code in. So they know based on the documents that I’ve put up what the size of my company is, but only by that SSP.
John Verry (27:24):
And when you the SPR score, are we talking SPRS, or you… Okay, good.
Stacy High-Brinkley (27:28):
Sorry about that. Acronym world over here.
John Verry (27:32):
Yeah. No, I’m thinking to myself, “Uh-oh. There’s one I don’t know. One more I got to learn.” And for those folks that are listening, SPRS is Supplier Performance Risk System?
Stacy High-Brinkley (27:43):
John Verry (27:43):
Yeah, and it’s where you put your score relating to NIST SP 800-171 conformance, and that became much more important with the interim rule, and more specifically, the DFARS 252.204-7019 and 7020, if I recall correctly, and 21 is the first one that actually calls CMMC. Cool. So this ties into that big giant trillion dollars if you’ve got a lot of stuff. How do you see multiple locations influencing levels? So as an example, in ISO, when you have multiple locations, what has to happen is the auditor will have to visit those locations over the three year period of the certificate. How will multiple locations influence a CMMC scope?
Stacy High-Brinkley (28:32):
Well, like we talked about earlier, it will influence it quite big on… The more I think about it, and I thought about this before where there might even be multiple C3PAOs getting involved, if it’s that large. I thought about this before, and I believe that that’s something we might think about, because how else are you going to do it? To add to your question, I think it’s going to be important for the C3PAOs to get together and to make sure this gets done in the best fashion possible. We’re all one team. There’s so much work out there. It’s really we’ve all really been together, provisional assessors, we’ve been talking, we’re a group, we’re a team. In my realm with the folks I work with, we’re not competitive. We’re here to help people. That’s what we’re here to do, to secure the DIB and something I’ve been doing for decades, and I’m excited to turn around and do the same thing for industry.
John Verry (29:24):
From your perspective, if there’s multiple locations and each location is CMMC relevant, systems there store process or people store process or transmit information at those locations, will you need to go there as an auditor specifically to look at those physical security controls there? Is that what will bring that cost up?
Stacy High-Brinkley (29:45):
Yeah, we will, we will, and especially now that more of the population, of course, has been vaccinated, and we’re starting to move about the cabin again. Yes, we will. We will have to go to those locations.
John Verry (29:57):
Got you. I know we’re going to have some type of ongoing monitoring or reporting requirements. Has that been clarified and do you think that in year two or year three that you’re visiting these organizations again, do we have that clarity yet?
Stacy High-Brinkley (30:11):
For the reassessments, do you mean?
John Verry (30:13):
Stacy High-Brinkley (30:13):
Yeah, as of now, it’s three years.
John Verry (30:16):
Okay, but nothing would happen in year two and year three? It would just be last year one, there’s an audit and then you don’t do anything until year four, or there’s some type of reporting requirements, we just don’t know what they are yet?
Stacy High-Brinkley (30:27):
Exactly, and that’s going to be driven when we get down to the road, when they decide on the tool. I know they’ve decided on the tool, they just haven’t rolled it out yet. A lot of us are very familiar with it, but I think what’s going to happen is… Remember, there’s still the reporting you’ve got to do for those folks that are on these contracts. So you still have to be reporting in your compliance with security, so that’s still there. And if you are complying and your compliance folks and the president of the company, the CEO is wanting to be compliant, they’re going to be… If there’s a change in their environment, if there’s a security posture change, they’re going to want to get something and say, “Hey, can you just check this, make sure we’re good?” That’s the way to go. I mean, you don’t want to be on the other side of that, where you’re not reporting and then get caught and then get hacked, and then pay $5 million.
John Verry (31:18):
So as the context changes. So if I were to… Let’s say as an example, I get certified, and in the second year I open up another manufacturing facility. Business is great because I got CMMC certified, I’m driving a lot more business. At that point, obviously I’ve got to update my system security plan. I’ve got to update my monitoring tools, my SIEM, make sure I’m getting all that information. If it’s in another state, I might need to make sure I update my HR practices to reflect that, and then do you think that at that point that I’ll probably want to engage my C3PAO to kind of verify that the new part of my scope has been implemented properly? How do you think that’s going to work?
Stacy High-Brinkley (31:58):
I would definitely do that, especially… I mean, you’re standing up a whole new site. If you re-image everything, that’s perfect, and roll it over. That’s what I would do, and I’d have it reassessed. At least it would show due diligence on your part.
John Verry (32:12):
Yeah, that makes sense. As much as we’ve learned over the last three months, there’s that much more we’re going to learn over the next three months, I assume? Otherwise, six months or a year, whatever it’s going to be. So one of the other questions that I get asked a lot is you see some organizations where they have relatively distinct service lines or product lines, and they’ll end up with multiple CUI enclaves for, let’s say, different business units and maybe even multiple system security plans. How much will that, do you think, influence the level of effort for going through a CMMC audit?
Stacy High-Brinkley (32:47):
Well, it’s going to expand it of course. I mean, the more assets, people, processes, technologies you have, the more folks we need in there to assess it and you want it done quick, as quick as possible to bring that budget line down, but you want to be prepared, right? And it might behoove you to hire some good cyber folks, folks that are really good at compliance and security, folks that maybe have good vision, cloud tenants, zero trust, multi-factor authentication. We’re in a moving world now. You’ve got to secure everything. I mean, the Jetsons. Get in your little bubble and fly, but make sure it’s secure, right?
John Verry (33:32):
I’m waiting for the Maxwell Smart Cone of Silence, but that’s another story. I just gave away my age.
Stacy High-Brinkley (33:39):
John Verry (33:40):
Yeah. I did recognize the Jetsons reference. It was George and I’m trying for the dog’s name.
Stacy High-Brinkley (33:48):
Elroy? Was it Elroy?
John Verry (33:49):
Elroy. It is Elroy, yeah.
Stacy High-Brinkley (33:51):
Wow. And my memory’s still intact.
John Verry (33:55):
That’s amazing. And again, this may be an impossible question to answer, but if the SSPs were similar and a lot of the controls are the same, if you had to guess, does it double the cost, does it add 50% of the cost, 25% of the cost?
Stacy High-Brinkley (34:12):
If the SSPs are the same, and-
John Verry (34:15):
Well, very similar because the controls in most organizations are going to be pretty close.
Stacy High-Brinkley (34:18):
So they’re using the same security implementations across the board.
John Verry (34:22):
Stacy High-Brinkley (34:23):
So I mean, that’s going to help. You’re going to know when you’re looking at all their processes, right? So if it is, that’s going to help. Anything to speed it up is going to help.
John Verry (34:34):
Okay. That’s kind of what I was figuring. Okay, one other question for you. So if an organization, any organization that’s got a CUI, that’s pursuing Level 3 also is going to have, by definition, FCI, which is Level 1. So any recommendations to people, do we treat FCI like a CUI, and just simplify stuff? Are you seeing people do I’ll call it an L3 enclave, a CUI enclave and an FCI enclave? Any thoughts there?
Stacy High-Brinkley (35:03):
We are going full CUI even though we have FCI, CUI. We just don’t want to have anything mixture or anything. Folks know we’re not to… Some folks are not too sure what CUI is. A lot of us are. When you get into the bigger companies, yes, they’re going to have an ML1 enclave and an ML3 enclave, so that they can process a little bit quicker on their feet. Let’s say their contract shop is just all FCI and maybe their cyber shop is over here, their shop that’s handling all the CUI are totally VLAN’d off with total different processes in place, hardware, etc. I can see that for large companies splitting that off. I think for the smaller companies, I think they’re… What I’ve seen so far, they’re going ML3 because they’re not sure. A lot of folks are just not sure, and they don’t want to be left behind or not be able to bid on a contract.
John Verry (35:58):
Yeah, the other thing which we see is that with a lot of the manufacturing concerns, as an example, occasionally the FCI becomes CUI because there’s enough specificity in the contract itself with regards to the manufacturing process, or a dimension. Yeah, in the smaller companies, we’re kind of seeing the same thing. It might be the easiest thing to do is just roll everything into the single CUI enclave, but then the bigger company, I can agree with you completely because now you’re into ERP systems that they’re tracking the contracts in, legal and contractual systems. And now all of a sudden, you don’t want those to be, quote unquote, CUI relevant.
Stacy High-Brinkley (36:38):
Yes, exactly. And plus, you’re talking CUI, but in reality, if you look at this, you’re protecting your company too and your critical assets. So it’s great for the company too because they’re getting in shape, they’re getting in cyber shape.
John Verry (36:53):
Got you. So if you were doing a… And somebody calls you in to do a CMMC L3 audit, by definition, is that also an FCI audit? I mean, that’s not done under a separate audit, is it? Is there a CMMC ML3 audit, and it’s CMMC ML1 audit that you do, or does the L3 audit acknowledge the FCI enclave and just look at the FCI enclave to L1 level? And is it one certification at that point?
Stacy High-Brinkley (37:21):
Yeah, so if they’re going for Level 3, we go in and do an assessment for Level 3. So we go all the way from Level 1 up to 3. If they say, “Oh, that’s just FCI.” Well, they’re going to get ML3 anyway because we’re assessing them for ML3. Unless they’re going to say, “This is just FCI. We only want a Level 1 assessment for this shop over here,” then they could possibly get a Level 1 assessment and certification over here and a Level 3 over here, but if you’re already doing Level 3 over here… Yeah, I haven’t seen that yet. I’ve seen either Level 1 or Level 3.
John Verry (38:03):
One other question I get quite a bit is that we’ve got a number of clients that are working on GFE, right? Government Furnished Equipment, for those people who don’t know what that means. So if you’re working with GFE, how does that influence your scope? Does it influence it notably?
Stacy High-Brinkley (38:20):
So that’s GFE, the government furnished equipment is supposed to be STIG’d and baselined and secure, and that comes under a-whole-nother authorization process within RMF, and so that’s out of scope. Now, you need to ensure when you’re doing this kind of assessment that those folks aren’t using those assets for anything else but attaching it to the corporate network or things like that. Most of those devices cannot attach to the corporate network, but I’ve seen some that have not been STIG’d properly, and you can… Back in the day, a few years ago when they locked them down so tight, you could do anything, and then they started opening them up a little bit.
Stacy High-Brinkley (39:00):
So you have to be careful with that. You have to really look at that and make sure they have the secure build on them, make sure that they aren’t touching the network as much as you can, right? That’s out of scope. You’re not supposed to go there. So when they tell me, “Hey, I’ve got these 10 GFE laptops, they’re not in the boundary.” I might say, “Okay, great,” and I can look at them and they’ll have the labels on from the government. If I don’t see those labels, I might make them turn them on. But GFE is supposed to be labeled on the outside and on the laptop’s inside.
John Verry (39:34):
So if they have GFE, and the bulk of their work’s on the GFE, they’re still obligated to CMMC Level 3. So you might not have to look at, let’s say, the configuration management and the logging and things on those particular pieces of equipment, but you still have the obligation for, let’s say, physical security and human resource security, of course, is still going to be in play. And if those devices are transiting their network to get back to wherever they’re going, the agency or the prime contractor, do those network segments come into play, if that’s crossing a firewall and a router and a LAN segment? Is that segment in scope from your perspective, is that CUI relevant?
Stacy High-Brinkley (40:17):
Yeah, so if they’re… Let’s say someone’s on my network, and they plug in a GFE, right then I’m on high alert because they’re not supposed to be on my network, they’re supposed to be in their own tunnel, their own VPN back into the government network where they work. Even though it is out of scope for Level 3, all the other assets, if they touch any of the assets that I’m assessing for Level 3, then that’s coming into scope and is coming into concern. That would concern me more because I’m going to do DoD assessor. I’d be like, “Whoa, whoa, whoa. Someone didn’t tell you, you can’t plug this into this network, even though it doesn’t work, or does it? Is it not truly locked down?” I’d put on my DoD assessor hat and get a little concerned for that. I would think that they would have those offline and de-scoped. But if I saw them, I’d definitely inquire. I’m just trying to keep them safe from any kind of breach.
John Verry (41:12):
Got you. And then in terms, again, influencing scope. So some people looking at maybe moving on-prem, mail, and SharePoint or something of that nature, or even commercial Office 365 to GCC High, if they’ve got ITAR, maybe just straight GovCloud if they don’t, or a solution like PreVeil. Does that significantly change your audit, and what that costs, or is that just a different way of implementing that set of controls and you still have to do the same level of validation?
Stacy High-Brinkley (41:42):
We still have to do the same level of validation. Whether you’re doing someone that’s not on a GCC High or not, you’re still going through all 130 practices for that assessment and obtaining two pieces of objective evidence.
John Verry (41:58):
Okay. I know from previous conversations that we’ve had, that you guys are having a lot of reached out… A lot of people are reaching out already to you. Is that part of the initial 2021 contracts? Are they actually going to be in that first group of contracts that we’re seeing, or are most of those organizations, organizations that are trying to get ahead of the curve, that think that there’ll be a strategic or competitive advantage to be getting CMMC certified earlier?
Stacy High-Brinkley (42:25):
Yeah, I’d probably say, John, it’s about 20 to 30% folks that know they’re going to be on contracts that require it, and then the rest, literally just coming out of the woodwork wanting to be ready to be able to bid on any contracts, and some of these folks are hoping to get on some of those contracts. They have a ton of subs. So there’s hundreds of companies involved in those pilots and pathfinders.
John Verry (42:48):
All right. Yeah, and we’re seeing that a lot of the companies that are coming to us are concerned that… They’re concerned that they’re not going to be part of the pursuit or capture teams if they’re not there, so they see this being a competitive differentiator to be able to join up with the primes on these contracts. We’ve probably seen the same margin here. We’ve probably got about a quarter or a third of our guys that have been doing high-end heavy munitions oriented DoD work for years and know that their contracts are just rolling over, and then you got the guys that are saying like, “Yeah, we want to get ahead of the curve,” and that’s probably the other two thirds, three quarters. Okay, and then we heard last week that the first, quote unquote, C3PAO was actually passed their audit, although they’re now anonymous, did you see it was like-
Stacy High-Brinkley (43:33):
John Verry (43:34):
There’s three now? Okay.
Stacy High-Brinkley (43:35):
Yep, three. Three that passed. And if you look on the CMMC-AB, there’s a place for the authorized C3PAOs, but they have to go through DoD and CMMC-AB first and get blessed off.
John Verry (43:47):
And I think they also don’t want to be unfair to the C3PAO market, getting these people too far out ahead of the curve, right? So I think they’re trying to get a whole bunch approved all at the same time and push more to the marketplace similar timeframed.
Stacy High-Brinkley (44:01):
Yeah, and you’re talking manpower and there’s probably another DoD requirement coming out for C3PAOs, and I think most of them probably have it. I’m not sure if all of them do, but that’s just something new I heard today, but I don’t know if I can talk about it. You’ll probably find out about it soon.
John Verry (44:22):
Yeah, I’m sure I will. Although it doesn’t impact us, thank God. So if you had to guess, when are we going to see the first organizations that are not under the 2021 contract provision where they kind of DIBCAC to the audit? Where do you think we’re going to see C3PAOs delivering audits to folks, is that September, is that sooner?
Stacy High-Brinkley (44:45):
I’m hoping July, John.
John Verry (44:47):
Stacy High-Brinkley (44:48):
Yep, because if those three, and then let’s say us get assessed and authorized, we can start knocking out some ML1s, some ML3s. I mean, Stacy Bostjanick on one of the calls… I think it was one of the town halls, someone asked her, “Do you have to wait until all the pilots and pathfinders?” And she said no. The C3PAOs can actually go out once they are authorized and they can start assessments. So I think there’s some confusion there. I think if you have the bandwidth and the personnel to move forward, you can. To be honest, as a provisional assessor, I’ve been waiting since I was certified in September to be, “Hey, can you come over here and help us?” But none of us have so far. So I’m hoping that that’ll start up soon so we can get going.
John Verry (45:35):
When does that get to scale? Is that early next year, by the time we get enough CPs and by the time we have a number of C3PAOs get through the process? Would that be a decent guess?
Stacy High-Brinkley (45:46):
Yeah, I know there’s a lot of people chomping at the bit on September, October. Yeah, I would think in January, February, it’ll probably be rolling heavy. I mean, there’ll be… Let’s say some of us start in July, some are ML1s, ML3s, even some small ML3s, you need the glitches out. You’ve got to get the WD-40 out a little bit, get it rolling, and then I think we’ll see a lot more folks getting certified.
John Verry (46:18):
You’ve done a great job. Anything else we should cover?
Stacy High-Brinkley (46:20):
No, I think this is a great chat. I enjoyed it a lot. I really love what I do, something that I’ve been doing for a long time. I don’t know if I told you this, my dad was one of the guys that released the ARPANET to be the internet, and he told me, he goes, “This is a good thing, but it’s going to be a bad thing.” And when we used to do security in the old days, we had it locked down and boom, it just got away from us, and now look what’s happening. So we’re doing what I’ve been wanting to do my whole career, so I’m really excited about it.
John Verry (46:52):
It is fun, and I think the next five years are going to be fascinating years to live through.
Stacy High-Brinkley (46:58):
Yes, they are and then I’m retiring.
John Verry (47:04):
And you’re going to sit at home and watch Jetsons cartoons all day.
Stacy High-Brinkley (47:06):
Nah, I got to keep moving. I got to keep moving.
John Verry (47:10):
Well, he did have that treadmill that he used to walk the dogs outside.
Stacy High-Brinkley (47:14):
Yes, he did. He didn’t seem real good at it, did he?
John Verry (47:16):
No, not at all.
Stacy High-Brinkley (47:16):
Or was that Elroy? Maybe that was Elroy.
John Verry (47:17):
I think Elroy pulled him off, if I remember correctly. So did you prepare? Do you remember that I was going to ask you the question about the amazing horrible CISO? She didn’t prepare, folks. She’s got the blank look on her face. All right, then I’m not going to ask it. I’m not going to ask it. And you were doing so well today.
Stacy High-Brinkley (47:37):
I was doing really well, John. That’s what happens.
John Verry (47:43):
Awesome. So last question, you are smack dab in the middle of the CMMC, the DoD stuff. Knowing the podcast is listened to by a lot of people that are interested in the same stuff, any ideas on interesting topics for the podcast going forward?
Stacy High-Brinkley (48:00):
I think it would be fun for folks to see a sample of an assessment as you go through some of the harder ones maybe because folks are having issues with that, especially the smaller companies, they’re having issues with some things. It’d be interesting to actually go through a couple of the practices, and show them exactly how it’s going to be done. I think that might be a little interesting. Maybe have the players there with the right answer, so it’s not so hard, so they can help them. We’ve seen people that really need a lot of help in that area.
John Verry (48:33):
So almost like a faux audit?
Stacy High-Brinkley (48:34):
John Verry (48:37):
Yeah, I think that’d be cool. I think that’d be a cool idea.
Stacy High-Brinkley (48:38):
And get folks to tell you which ones they want to go through. Probably the hardest, right? But things like how do I do a tabletop incident response? If I don’t have any incidents all year, how do I do my incident response annually? Well, there’s some fun tabletops you can do. Things that people don’t realize are out there, maybe tools they can use that are there that you don’t have to pay for. There’s a lot of different areas you can go and get information from that will really help you get ready for your assessment.
John Verry (49:07):
Yeah, I think where people are going to struggle is the objective evidence. Because if you think about CMMC, honestly, if you have not been through FedRAMP, this will probably be the hardest audit you’ve ever been through because even if you’ve been through SOC 2, which is a very evidence-oriented attestation and audit, it’s not as significant as what CMMC is. And ISO 27001 I’m a huge fan of is pretty robust on the management system side, but because it’s so robust in the management system side, it only samples the controls and practices side. So I think the vast majority of people are going to be shocked. They’ve not been through this type of an audit before.
Stacy High-Brinkley (49:48):
Yeah, and that’s why we are seeing a lot of gap assessments and pre-assessments, folks getting ready, reaching out to the provisionals and having them go through that. Now, we’ve done some gaps and pres, but we can’t do the formal. So we hand those off. I mean, it’s in our code of conduct. We’re real strict about that. But yeah, I think that’d be a good thing to do, anything to help them out.
John Verry (50:14):
So how can folks get in contact with yourself and Cask if they’re interested?
Stacy High-Brinkley (50:15):
I’m on the CMMC-AB marketplace under Cask Government Services. My email’s up there. You can go to caskgov.com, and I’m up on there too. My email, shoot me an email anytime, and you can ask anybody, I’m really good at responding very quickly.
John Verry (50:31):
Stacy is on my shortlist of people when I have a question with regards to CMMC that one of the guys on our team can’t answer, she’s on the shortlist of people that I reach out to and I will validate for you that she returns every email in a pretty prompt fashion.
Stacy High-Brinkley (50:45):
And if I don’t, come look for me. Something’s wrong.
John Verry (50:50):
All right. Well, listen, awesome job today. Thank you so much. And maybe we’ll have you on when we get to six months or nine months down the line and we really have some, let’s call it, lessons learned from audits. And it would be interesting because there’s going to be lessons learned on both sides of the fence because you are on the C3PAO side, and we’re on the preparation side, right? We’re a consultative organization, helping organizations get ready for their CMMC certification.
John Verry (51:19):
So it’s funny, we don’t know everything we need to know exactly about what standard we’re going to be held to until you start holding us to that standard, and you don’t know exactly where the line should be for the standard until you see what people are doing and see what other certification bodies and the guidance you’re getting, so there’s always this shakeout period. We just went through it with ISO 27701, which is the privacy standard. So we just went through a first three or four audits, and we just did a lessons learned because it was really interesting because the auditors are learning at the same time as the customers at the same time as the consultative bodies like us, so it’s been a fun process.
Stacy High-Brinkley (51:55):
John Verry (51:57):
Awesome. Thanks again.
Stacy High-Brinkley (51:59):
Okay. Thanks, John.
Narrator (Intro/Outro) (52:00):
You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.