Are you ready for your DIBCAC/CMMC audit? Let’s make sure.
We’re speaking to two of our best Security Consultants from right here within our ranks at Pivot Point Security. Joining me are George Perezdiaz, CMMC / NIST Security Consultant, & Caleb Leidy, CMMC Consultant/Provisional Assessor.
What we talked about:
- How to prepare for your DIBCAC/CMMC audit.
- What can you expect from an audit?
- George & Caleb’s pearls of wisdom for your next audit
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.
Speaker 1 (00:06):
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no-BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hi guys. How is everyone today?
George Perezdiaz (00:28):
Hey John. Hey Caleb.
John Verry (00:32):
This is one motley-looking crew, and no, that’s not an eighties hair band reference, it’s just a statement of how we all look. So let’s start simple. We’ll go to Caleb. Caleb, tell us a little bit about who you are and what you do every day.
Caleb Leidy (00:48):
Sure. So I work here of course, as you know, with Pivot Point Security in the CMMC space. Background in DOD, started out in the Navy a little while back, the Navy blue team, cyber defense operations, moved into some signals intelligence. And when I was finished with my time there, started up as a defense contractor supporting the cybersecurity directorate of the Defense Contract Management Agency, got to meet the folks there who transitioned over to start up the Defense Industrial Base Cybersecurity Assessment Center, the DIBCAC, that goes around and assesses compliance with the DFARS 7012 clause and then 800-171.
Caleb Leidy (01:29):
So I got a chance to dive in on the front end of that process and assess a lot of defense industrial base organizations, including the one that my good friend George here was working for at the time, and got to go see what he was able to implement in his organization, which was a lot of fun to look at. I won’t divulge how good and or bad he did, but yeah, it was a good experience. And then to find out that-
John Verry (01:57):
I think in the industry that’s what they call a tease. I’m not sure I’m not that skilled at this stuff, but well done Caleb.
Caleb Leidy (02:02):
Well, for our purposes here, actually I will say that it was one of the better organizations that we assessed. So they did a very good job, had a good program implemented there.
John Verry (02:15):
Awesome. George, same question.
George Perezdiaz (02:17):
So in a nutshell, I help organizations protect controlled unclassified information by guiding them through their path in order to achieve regulatory compliance and also achieve their desired or required cyber hygiene. Like Caleb, I have a DOD background. I was an Air Force veteran where I was an information security manager, network manager, Exchange administrator, and you name it, a whole bunch of odd jobs if you will. Then after that I became a federal independent contractor helping the Department of State and the Department of the Army and the logistics agency.
George Perezdiaz (02:53):
Then I became a civilian later in life. I was supporting the Joint Staff with their nuclear command and control mission, architecting over 80 processes to ensure the five teams can perform in the same manner, protecting of course national security. And then that led me to join a Fortune 500 company where I was tasked to establish, support and maintain their NIST 800-171, their NIST 800-53 requirements and also their CMMC preparedness. I was one of the lucky organizations that got tagged by the DCMA to have a DIBCAC assessment. And this is how Caleb and I became acquaintances and friends, if you will, and now happy to be here.
John Verry (03:38):
I love that you were friends at first, maybe now, but I’m not sure in that first meeting, you were friends exactly.
George Perezdiaz (03:43):
It was good arguments.
John Verry (03:45):
You tolerated him. Well, come on, let’s be honest.
John Verry (03:50):
So anyone hearing those two very impressive histories would understand why Pivot Point is so excited to have these two guys on our team. So let’s talk about that, guys. So we’re getting closer to CMMC being a reality. Certainly we’re seeing more DIBCAC audits, for either [inaudible 00:04:08] or as part of the interim rule, 7019, 7020 type audits. So there’s going to be a lot of people that are going to need to survive an audit over the next four years, five years.
John Verry (04:18):
So let’s talk about what would be some good help if you will, to get them there. So let’s talk about initial preparation. So this is, oh, we’re going to have to go through CMMC audit or a DIBCAC audit. What should folks be thinking about what are the key things they should be thinking about as they’re building out their SSP and their controls and getting ready?
George Perezdiaz (04:37):
I’ll dive in first because Caleb has a little bit of a different perspective than I do. So for a NIST 800-171 DIBCAC assessment, you have to account for the NIST 800-171 objectives. If you have not done your self-assessment and have a fresh set of eyes, come and look at what you have implemented, deployed and maintained for the last three years or plus, then you’ll be going blind into an assessment. For CMMC, you have to definitely account for your control owners, your assessment guide objectives, including that institutional knowledge of the practices, policies and the supporting processes and procedures.
Caleb Leidy (05:16):
Yeah, for me, I mean a couple of keys. One that was a big one that we saw a lot in the DIBCAC is an understanding of the requirements. Get those requirements out, read through each one and make sure that you understand the intent behind each and every requirement. We came across it a lot that folks didn’t have things implemented, just based on the fact that they were asking us questions during the assessment phase: what does this mean? So that’s a big deal, right? So again, that understanding upfront.
Caleb Leidy (05:45):
And then the second key for actually going through your assessment, and even running a good program day to day, is documentation. I mean having everything thoroughly and accurately documented based on what you do or what you want to do, and making sure that your settings, your configurations and your implementation of those controls match up to that. And vice versa, that everything that you have implemented has some sort of backing documentation behind it. It makes it a lot easier from an assessment perspective.
John Verry (06:16):
You know, it’s interesting because my perspective, not surprisingly, is a little bit different as well. The way I look at it is that, to me, it all starts with the scope. It always does, in any security engagement. And in this particular case, understanding, I think most importantly, the flow of both CUI and or FCI, depending upon which of the two that you have.
John Verry (06:35):
I think understanding whether or not, because we’ve seen this quite a bit where organizations have requirements above and beyond CMMC level three, and they’re not aware of it. Things like [inaudible 00:06:44] data and things of that nature, because if you don’t have that I like to use a stupid analogy, but if you don’t have the ladder against the right wall before you climb it, you’re not going to be happy when you get to the top.
John Verry (06:54):
So to me, it all starts with making sure that we’ve got that right. And I think the best way to do that is to get that front section of your we’ll have the SSP nailed down and make sure you guys are super comfortable with it, make sure that we’ve got the idea of an enclave established well. And then not even accepting the fact that this is our current enclave, because I think that many organizations have broader access and broader use of data than they probably need to, and that’s going to increase their costs on a go-forward basis and the complexity of operating the environment. So I think also getting them to think through, yes, this is the way we do it now, but is there a way that we can do it a little bit better? That’s going to reduce the scope of the CUI the enclave. Thoughts?
Caleb Leidy (07:35):
Yeah, I agree. Yeah. And understanding the data. That’s the other huge question, even from a consultant perspective now and doing assessments with the DIBCAC. What is our CUI? Can you help us identify what our CUI is? It’s a big deal. And we know the DOD has had a rough history in identifying that in contracts, and that’s flowed down through other contracts, some contracts with suppliers and things of that nature, to actually put that tag on something. We recently had someone who we were on a call with say, I know we don’t have CUI because I’ve personally never seen a paper come through that was marked CUI. And so getting that understanding of what that is, digging into that NARA registry and understanding what data you have and how you use it, is a huge deal.
George Perezdiaz (08:30):
Yeah, exactly. It’s about that traceability. And what I often reference is FIPS 199, the classification and categorization of your information and your information systems. That essentially is where I recommend you start, so that you can see where the data’s coming in, what data is coming in and what level of protection you have to have around that data. So that’s how I like to start with the scope. And to Caleb’s point, the government pretty easily puts out a blanket purchase statement that throws just about every DFARS or FAR regulatory requirement in there. It’s the organization’s due diligence and responsibility to challenge those things. If they know that that product is specific to the DOD, that is commercial off the shelf, by all means challenge it. That requirement can become rather expensive if you do not have CUI or just government protected data in general.
John Verry (09:21):
Yeah. Another good thing to cover during that scoping. I agree with you, documentation is critical. You’re not going to pass a CMMC audit without your policies and SSP being well-documented. What do you recommend in terms of evidence? I mean, that’s going to be a big part of a DIBCAC or CMMC audit?
George Perezdiaz (09:38):
It starts with the SSP. You go through your 110 or 130 controls depending on the regulatory requirements that are affecting your organization. And that SSP will start with that high level policy statement, potentially some processes around how you’re handling, controlling and protecting data. And that’s your starting point. The second evidence would be an interview, which is essentially pretty heavily what the DIBCAC does to 800-171 organizations, if Caleb would like to elaborate on that.
Caleb Leidy (10:10):
Yeah. So essentially it’s all broken down into the confidence levels. So we would never give a high confidence to an assessment if we weren’t actually seeing things. So a lot of people like to use artifacts, which is great, but if you’re showing me a screenshot of your Active Directory settings, I can pull that from Google and lots of other places. So like George said, starting out with that self assessment and getting an understanding of those controls and where you’re actually implementing those things: what settings are being set, who has control ownership over that. Coming out on the other end, when you have to answer to it in an assessment, or an audit as John likes to say, let’s use that audit word, it’s easier to say, all right, well, we know Bill has control over that and he can go in and show you that in our system, the settings, live, real time.
George Perezdiaz (11:06):
Yeah John, so it comes down to, sorry about that, to that institutional knowledge. You can have a policy, but if no one knows that that policy exists, or there’s no process enforcing those policies, then you’re missing the entire intent of the requirement. And to Caleb’s point, there’s no set number or magic number or approach to the evidence. It’s to when we as assessors will feel comfortable. And I’m saying we, for some reason, probably to relate to Caleb just once, but until they get comfortable with tests or the interview or the sampling or the evidence itself, that’s when you can say, yes, you pass.
John Verry (11:42):
Got you. So I’m still in the getting ready for the audit side of it. So in terms of what is the good guidance there? So would you, as an example, as a person looks at each of the 110 or 130 controls, should that control somewhere document how we’re going to evidence that, so that way we facilitate the audit and we’re in a better position to prepare for it and survive the audit, assessment. That’s to Caleb. You’re welcome.
George Perezdiaz (12:10):
Yeah, John, it goes to NIST 171, that self-assessment that has those various objectives. If, when you’re going through each one of those 110 or 130 requirements or practices, you account for each one of those additional attributes, if you will, then that’s where you can be comfortable that you are doing what is intended for that particular requirement. So one thing that we did was to ensure that we had all those attributes, not just one or two, but can we generate evidence to say that we’re doing a through in a particular control?
Caleb Leidy (12:43):
Yeah. And in doing that preparation, and John is talking about documentation and getting prepared, when you do your SSP, no one expects you to have in your SSP for each control a very specific, detailed layout of every setting and all of that. You can reference your other documentation and you could just say, yeah, that’s in Active Directory. That’s probably a good enough level, or that’s handled by our SIEM tool. And then whoever has ownership of that SIEM tool and manages that would be able to go in and get the details on that for an assessment.
John Verry (13:22):
Good. All right. So we’re prepped, right? We’ve got all our documentation ready. We’ve done a great job. We’ve got a kick butt SSP in place. We’re prepared. We’re prepared, right? Yeah. Caleb or his ex-peers, as it can be, walking in the door, we’re about to go through the audit. What is the audit structure? So the guy’s going to, I’m sure you’ve had some preliminary conversations, but now that initial meeting. The person walks in, talk about that meeting. What are we trying to accomplish? What are some of the goals from our perspective? What are some of the gotcha things to be careful of not doing in that initial meeting?
George Perezdiaz (13:54):
Caleb, go ahead.
Caleb Leidy (13:55):
All right. Well, George usually likes to start this part and that’s okay.
John Verry (14:00):
Then you correct him.
Caleb Leidy (14:02):
Yeah, I always correct him. It’s half of my job actually.
George Perezdiaz (14:08):
He criticizes everything.
John Verry (14:08):
And the other half is reminding me to not say audit and say assessment. So basically your whole job is just fixing the screw ups that George and I make.
George Perezdiaz (14:17):
Criticizing John [inaudible 00:14:19].
Caleb Leidy (14:19):
Yeah absolutely. And this is not particularly written in my job description, but I just take things as they come. So coming in, there’s a bit of a difference here between an 800-171 assessment and a CMMC assessment, and then the way that those are dealt with. You’ve got to remember that DIBCAC was spun up early 2019 as a brand new program that nobody had ever done before. So it evolved eventually to a point where we were pretty comfortable with our process, coming in not having necessarily an understanding of the architecture, the infrastructure, the scope of each organization that we were going to see.
Caleb Leidy (14:59):
So we need to understand that. First thing coming through the door, we prefer that you hand us over your SSP, that’s going to be your first requirement. We want to see that, we want to start getting an idea of what you have in place, but then also all the rest of your policies and things like, like you said, John, that evidence that you have prepared. We want to get as much of it upfront as we can, so we can start deriving our targeted questions and reveal a little more detail here, a little more detail there.
Caleb Leidy (15:28):
So for those, we were kind of getting an idea of the organization. What do you do? Who are you? One of the big do nots that you referred to is for example, we had an organization who their point of contact who was briefing us when we came in, decided to take half the morning to give us a history lesson on their organization and all the wonderful things that they had invented and created over the last 50, 60 years, which was cool, but didn’t necessarily fall into our timeline and our purpose there.
Caleb Leidy (16:03):
So yeah, a focus on your actual security program, the things that you were doing without getting into a huge amount of detail, because we’ll get to that in the interview sessions. And then just have that evidence and a good scoping perspective laid out for when we come in.
John Verry (16:20):
George any thoughts on that?
George Perezdiaz (16:21):
I don’t know if Caleb mentioned this, but that executive presentation that shows how your enclave looks or may look, your security in depth. This is your opportunity to show and educate the DIBCAC assessment team, because they’re not generalists or technologists. They will know every single tool or how you have your tools configured within your environment. So you take that opportunity to educate and walk them into the process all the way from the edge to your endpoint. What are the things that you’re doing, that you have in place, to assure them that you’re taking security seriously, above and beyond potentially the regulatory requirement?
George Perezdiaz (17:00):
Without saying too much.
John Verry (17:01):
I guess what you mean there, with regards to the tools, is perhaps rather than using a term like Graylog or Alert Logic, or whatever, just refer to, hey, Graylog, our SIEM solution, or it kind of makes sure that you’re making it easy for him to stay in touch with what you’re saying and understand what you’re saying? How it’s going to be beneficial?
John Verry (17:23):
Got you. Do you typically, like when you’re working with clients, do you typically try to make sure, like, as an example, are you typically putting any detail on the tools that they’re using in the appendix or anything like that, of the SSP?
George Perezdiaz (17:35):
Definitely appendix. So we want to keep the SSP and even the policies as high level as possible. You’re kind of saying the what and referencing the things that will inevitably change, because your configuration items will change with time. Especially if you’re maintaining your environment with constant monitoring, the way it’s supposed to be, those things will change. Your SSPs and policies, you want them to be as static as possible.
John Verry (17:58):
Got you. So we get out of that initial meet and greet, call it bunny meeting. I love you. You love me.
John Verry (18:09):
What’s going to happen post that? So tell me a little bit about the structure of the audit. Is it one guy and he’s there for an hour? Is it 10 guys? Are they doing things through interview? Are they doing things through observation? What’s going to happen onsite, offsite? What’s the level of effort, to kind of give someone a sense of what it’s like to go through one of these audits?
Caleb Leidy (18:31):
Yes. Yes to all of those. You get out, you do your meet and greets and we have an understanding of what we’re doing. Of course the assessing organization should also have something prepared or have already been in talks, especially for a CMMC, there’s a big planning phase for how this is all going to go. From a DIBCAC perspective, right after that, we start breaking out. We were doing document review usually for the whole first day. That was just to get a better understanding of the policies and where to find things and where to look for information. It may not quite be the same for CMMC, but you’re going to want to break off right away into your interview rooms. So it’s changed a bit over time. It used to be everybody break out into three rooms, you’d have your SMEs on your side and we have our assessment SMEs on our side, and we’ll take each of those areas and knock out as much as we can.
Caleb Leidy (19:28):
That was typically with a team of about four assessors and an assessment lead for DIBCAC over the course of a week. And it would sometimes take till every bit of that last hour on a Friday, eight hours a day of getting in there. And sometimes it would be almost wrapped up by Wednesday. Level of preparedness can definitely make a huge difference on level of effort for an actual assessment. Coming into CMMC, we know we don’t have quite the same structure and resources as DIBCAC has set out. So for a level three assessment, we know we have a minimum of three assessors, so you could have something along those same lines.
Caleb Leidy (20:15):
Break out into a couple of different rooms or a couple of different areas, have different people look at certain control families. Or, as we started doing once we were at the end and had a good solidified process, which maybe some of the C3PAOs will have that are well-staffed or just have good processes in place, you can have everybody sit in one room and have everything laid out to target your questions and lay out your questions and your interviews in a way that just flows, so that you can get things done in that amount of time. But starting now, I wouldn’t expect any more than the minimally required three assessors per assessment for the CMMC space.
John Verry (20:58):
Again, to prep people, when I think of similar audits, FedRAMP [inaudible 00:21:04] and SOC 2, yeah, there’s certainly conversations with a broad cross section of the organization: human resources, physical security, network security, application. Same type of broad expectation. I mean, we’re going to be chatting with an awful lot of the people that work inside of the company.
Caleb Leidy (21:18):
Yeah. And it depends on the scale. Like you said, there’s going to be interviews. There’s going to be reading documentation. There’s going to be observations. So obviously for your security tools and things where you’ve got to check settings, and hey, we do this this way, we’ve got our minimum password length set to 15 characters, you need whoever’s managing your Active Directory, or whatever it is for password management, to log in and show you that setting. But it spans across all the families. So you have personnel security, where you might be getting into speaking to HR folks; you have physical security, where you get to start talking to the facilities folks. So yeah, it spans across the organization. It depends on the size of the organization, how many people they have that broken out into. Sometimes you have one IT person who needs to answer to all of it.
Caleb Leidy (22:09):
Sometimes you have management that doesn’t want any of their folks talking to people without them present, which kind of fosters that environment where you’re all in the one room kind of space. But that’s another thing that the DIBCAC has kind of worked out, being that they’ve had the time to do so. And it will probably come with time for the C3PAOs as well, to line that up in a way where, you know, certain types of people from the other parts of the organization are going to be answering to the specific control families. And then you can line those up that way, say, hey, you know what? These interview times we want to get HR and get facilities in here, because we know we can span these questions over the course of four hours, and then we’ll be done with those folks and don’t need to talk to them anymore.
George Perezdiaz (22:58):
Yeah, John, so it can be very demanding on an organization, of course, because depending on the size, like Caleb said, it can become quite complex. And of course there’s operations going on. The show must go on. So there’s flexibility on both sides. The DIBCAC, as I recall, were flexible enough. And of course the OSC has to be flexible as well. And remember that the DIBCAC is essentially their client. So when you invite someone to your home, you have to be kind, you have to treat them with respect and make sure that they’re welcome. It’s not the opposite. They’re not working for us. We’re working essentially for them, and they’re validating that the government requirements are being met.
John Verry (23:36):
So I know that, let’s say, a CMMC auditor has an obligation to identify two forms of evidence across three types. I believe they’re interview, examine and test. Talk a little bit about that, how they choose what they’re going to do, how likely it is that they’re going to actually test things.
Caleb Leidy (23:55):
Yeah. So that goes back to something that George and I both brought up earlier. That high confidence, that level of assuredness that what is being said is what’s actually true, that level of comfortability. So if I talk to someone and they tell me that, yes, we have a policy that we can’t use USBs, and then I see in policy that that is there, we can’t use USBs, and somebody else in that whole process has also said, oh yeah, we actually have the USB usage disabled in our systems. If you’re telling me, because it’s not a prescriptive framework, and you’re saying, this is how we do it, I want to see that you’re doing what you said you’re doing.
Caleb Leidy (24:43):
So I may examine a policy, interview someone, and then still go test it, which is going to be an interesting aspect. It wasn’t so much for the DIBCAC perspective, because those weren’t in play for the 171. Those guidelines weren’t there, two forms of objective evidence. But I could see some kickback on that. If an assessor is not necessarily comfortable and they say, well, I’d still like to test that, how many organizations are going to say, well, you’ve already interviewed someone and examined a document. Do you not trust us? It starts getting into a possible combative situation, so to speak. But George, I know you can probably speak to how some of those situations work out.
George Perezdiaz (25:32):
Absolutely. If I feel that I am giving you everything that I have and you still don’t understand it, it comes back to that flexibility. What else can I show you? But to Caleb’s point on being combative and having that disagreement, again, we have to remember DFARS 7020, that’s exactly what he’s saying. Then you will make your personnel and your systems and your organization facility available to an assessment, be it the C3PAO, be it the DIBCAC, that’s it. If you want to continue doing business with the government, we have to understand and respect those requirements. If the assessor is difficult, that’s a different story, but there’s always a path now, especially with the CMMC, there’s a path to make those complaints in a formal way.
John Verry (26:17):
Good I was going to ask that question.
Caleb Leidy (26:17):
And that actually-
John Verry (26:18):
Right. Is that what happens if I do disagree with an auditor? What happens then? Do I have the [crosstalk 00:26:23]
George Perezdiaz (26:22):
You have an argument, you have an argument for 45 minutes with Caleb and his team, and then you go have a beer.
John Verry (26:30):
Right. Because we won the argument?
George Perezdiaz (26:33):
Exactly. Well, you are free to argue. The one thing that I remember clearly with Caleb and his team was that they’re not there to defend NIST 800-171. So whatever the regulatory or security control is specified in NIST 800-171A, that’s not what they’re there to do. If I don’t have the ability to show explicitly what that 800-171 or even the assessment guide is asking for, then I probably don’t have a choice other than going through that either formal process or just creating that form for NIST 800-171.
Caleb Leidy (27:10):
Yeah. And I’d say a majority of the time it can be worked out internally. And again, that comes down to the situation of how it’s all being laid out during the assessment. If you’ve got multiple people in multiple rooms, I know for the DIBCAC we had 50 folks from various backgrounds in life and various walks of technology experience. And those were not always necessarily the right folks; we didn’t always have a network person assessing network controls.
Caleb Leidy (27:39):
So going back to what George said earlier, be ready to do that explaining, be ready to do that training and work with your assessors. I don’t imagine it’ll be much different. Everyone on the CMMC side who is an assessor is not going to be an expert in every technology. So there might be some explaining to do, there might be some need to walk through it a little bit.
Caleb Leidy (28:01):
They do have it set up to where you have to have an assessment lead that is certified at whatever level of assessment you’re going for. And then you can have just certified professionals as your other assessors for your three person team. So those folks might not be the most highly trained and skilled, not to put down anybody, but maybe they’ve not gotten to that level of training or had that level of experience in assessment yet.
Caleb Leidy (28:27):
So we have the assessment lead, which is usually going to be your first step. If you can’t hash it out directly with your assessor, bring it up with the assessment lead, have the conversation there. I’d say 95% of the time you can work it out at that level. And then if not, you’ve got your formal process for going through to the AB and other entities.
John Verry (28:50):
We get through a roughly week long audit, lots of time spent in meeting rooms, lots of time with an auditor following us around and asking to see things. So what happens if we have some findings? What happens if there are some recommendations? They use the terms, I believe, satisfied versus other than satisfied. If I have some other than satisfied, am I done? Do I have to undergo a new audit? Do I not get CMMC certified? Is there remedy time built in, and what’s that timeframe? What does that process look like?
George Perezdiaz (29:18):
Interesting. And Caleb, I’ll answer the 171 and then I’ll give you the opportunity to correct me, as you like to do so often. But yeah, John, if you don’t have everything in place, your documentation, your evidence, and anything to convince the assessor that you’re doing the right thing, likely you’ll end up with a POAM, and you have the opportunity to reply. I can’t remember what you call it, Caleb, I think it’s rebuttal time, which is about five days, and then you have 30 days to close those POAMs for NIST 800-171.
Caleb Leidy (29:51):
Yeah. So actually for the 171 DIBCAC process, I will correct you, George. I said 50% of my job. I don’t feel like I’ve done it 50% of the time we’ve been on here. So having a POAM, and actually it’s POAs, plans of action, are going to be different depending on if you’re in the CMMC or if you’re going for 171. For 171 you can have plans of action and you can have a date for what you expect to be compliant. Your score will still go in SPRS the same. You’ll be considered, if you meet the rest of the outlined requirements, compliant with DFARS 7012 by having a score and by having been assessed. And then you can work on those things.
Caleb Leidy (30:36):
As far as the DIBCAC is concerned, we have a process where, whatever the ending date of your last plan of action was slated for, we’ll contact you back and say, hey, just wanted to double check, did you guys get all these things in place? Okay, let’s look at them again. And if everything’s good to go, a spot check, then you can fix the score, update that score. CMMC is a bit different. Once you get done, if there are findings in place, it is, of course, all or nothing.
Caleb Leidy (31:07):
So you don’t have that score and that compliance, you don’t get your certification. You get your 90 days following the assessment to fix things. George, you could probably help me out actually on the back end of that, the 90 days. Do you know how that all works out with the C3PAOs and the AB for when that 90-day period is up?
George Perezdiaz (31:29):
Yeah. So you resubmit all the evidence for review. But one thing there, John, to mention: you referenced recommendations. There are no recommendations out of the 800-171 or the CMMC assessment. You will get a pass or fail. DIBCAC is not allowed to give you suggestions on how to fix your life, if you will. You’re essentially on your own to fix it.
John Verry (31:53):
Yeah. I always look at other than satisfied as a recommendation.
Caleb Leidy (31:59):
George Perezdiaz (32:00):
The other argument that I often like to make with anybody that lends me an ear is that if you’re managing your NIST 800-171, 800-53 or CMMC program how you’re supposed to, it is okay to have a POA&M, a plan of action and milestones, to make things better, not to fulfill a gap or develop a control that you’re missing, but to make your life or your particular environment a little better. So that’s one thing that perhaps is misunderstood and misjudged. Part of that constant monitoring inevitably will be for you to have a finding and a recommendation on how you can improve your environment, your operational environment. And therefore that should be a plan of action and milestones.
John Verry (32:39):
Caleb Leidy (32:39):
And it’s actually a requirement, George, right?
George Perezdiaz (32:41):
Caleb Leidy (32:42):
There’s just literally one of the requirements that spells it out: do you have plans of action in place? So it’s expected. You’re going to have deficiencies here and there. Do you address those and fix your deficiencies?
George Perezdiaz (32:58):
Yep. And the other thing that we recommend to our clients is don’t share that with the DIBCAC. If they find it in something, you can say, yes, I was aware of that deficiency, I have a POA&M already in place, or whatever the case may be. But if you go and present all that information with your SSPs and your evidence, now you’re clouding their judgment automatically. They’re going to get confused. They’re probably going to go down a rabbit hole. You don’t want that. So keep those to yourself. And if you’re asked to present any of your POA&Ms, show them one that has been closed.
John Verry (33:26):
Got you. Yeah. That’s good guidance. All right. So here’s the good news, right? We did everything right. We danced our way through the audit. We had one minor other than satisfied. We resolved it very quickly, we got certified, we celebrate, and we’re able to continue doing business with the DOD. Do we yet know what our full obligations will be post-certification?
George Perezdiaz (33:49):
No, I don’t know. Do you know Caleb?
Caleb Leidy (33:52):
Yeah. From what I understand, I don’t think there’s a continuous monitoring piece or anything like that, like you would see with FedRAMP and frameworks of that nature. That might change actually for level four, level five; I think they’d throw some of that stuff in there. But up to level three, I don’t think it is. It would be just the three years. You have to be assessed every three years, I believe.
George Perezdiaz (34:18):
And we call that-
John Verry (34:20):
I find that slightly surprising, to be honest with you, only because of the fact that we have an industry, especially for the DIB, where folks didn’t really do what they said they were going to do. And now we’re trusting that they’re going to continue to do things and we’ve got a two-year exposure window. Yeah, I find that interesting. I mean, no other standard that I know of has a, hey, you got a certificate for three years with no check-ins. So I wonder if that’s going to change.
George Perezdiaz (34:44):
And that’s for the CMMC. There’s nothing to say that DIBCAC is now going to come visit you. So that’s the one thing that always should be in the back of your mind: continue to do the right things, continue to do what you have in your policy. That periodic review, quarterly, once a year, whatever the case may be. Do those things, collect those as evidence, and just do what you’re saying to the government that you’re going to do, and be able to present that evidence that you’re doing it.
John Verry (35:09):
Yeah. One question for you then, George. Are you saying, and I didn’t remember this about 7021, I guess it would be, if you have a 7021 clause, which requires you to become CMMC certified, and you get certified, on a 7020 or 7019 does the DIBCAC still reserve the right to come in and audit you, and you have to let them in, on a 7021?
George Perezdiaz (35:30):
John Verry (35:31):
Well, I didn’t know that. Oh, thank you.
Caleb Leidy (35:33):
Yeah. Yeah. So that’s what the 7020 says. And then even looking back to the rest of the DFARS, 7019, 7020 and 7021 don’t make 7012 go away. You still have the 7012 clause. So you still have 800-171. DIBCAC, I think, is not coming behind and doing CMMC assessments. That’s not their function. Their function is DFARS compliance. Your DFARS compliance for those later ones is going to be having your assessments in SPRS, having your CMMC certification, and allowing assessments to be done. 7012 is still going to operate for the 800-171, so they can come and do those assessments when they want to.
John Verry (36:19):
Got you. And one quick question for you there. I never even thought to ask this one as well. If I get CMMC certified, should I still put a score in SPRS?
George Perezdiaz (36:30):
Yeah. That’s a completely different requirement. So yes. And I believe that’s what Caleb was alluding to, that the SPRS, the 7020, I’m sorry, 7019, still says that you have to have a score not older than three years.
John Verry (36:43):
Okay. So does that mean that a 7021 requirement includes a 7019 requirement?
George Perezdiaz (36:48):
Ooh, good question. Caleb?
John Verry (36:49):
Or is it 7020? Or does a 7021 specifically... actually, I don’t remember the 7021 specifically requiring an SPRS score, so that’s why I was asking.
George Perezdiaz (36:57):
Yeah, it doesn’t. And the way I interpret that, John, is 7012 is included when you mention 7019; when you mention 7020, 7020 includes 19 and 12; and 21 includes those too.
John Verry (37:08):
Okay. Yeah, they stack. Okay. I was never clear on that. That’s cool stuff. Cool. All right. So we beat this up pretty good. Anything we didn’t cover, any last thoughts?
Caleb Leidy (37:19):
Yeah, I will kick back to what I forgot to mention a moment ago, when you said that the continuous monitoring was surprising. One thing to consider there is just the investments that are made upfront to get your CMMC level three certification. So organizations are going to have a pretty high level of understanding and investment and dedication to get to that level. It would be equally surprising to see them just let that lapse as opposed to keeping up on it, given everything that they have to do to get there in the first place.
Caleb Leidy (37:56):
And then also, like I said, the understanding piece. Once you’ve gotten to that level, now you actually know what all these words that are in these requirements mean, from the various folks that write these things. I know one of the big complaints early on was that the language is vague, it can mean so many different things, so on and so forth. So I think just getting to that level where you’re actually certified and you have that understanding is going to make things a lot easier. I don’t see people letting it lapse once they get to that level.
George Perezdiaz (38:27):
Yeah. John, it’s like your CPEs, right? You don’t want to go back and take those four-hour tests to get re-certified. It’s similar to that. Also, don’t forget about the resource planning, where you are saying that you are going to have that 12-month, three-year, five-year strategy to maintain that ecosystem that you invested in. It’s not going to be cheap. It’s not going to be easy. So why let it go?
John Verry (38:49):
Yeah. I’ll be honest with you. I don’t share your optimism there. I’ve been doing this long enough and seen it. Look, I can tell you about a client that had 800-53 requirements through a flow-down from Lockheed. We went in and they spent six figures. We built out the whole program, and three years later they came back to us and said, hey, what about this 800-171? Well, if you’re running your current program, we should have been in pretty good shape. Oh no, we didn’t do anything with that. And they spent a lot of money to get there. And my concern is that most organizations do not realize the effort of operationalizing a program as robust as CMMC. It takes a lot of resources. And I think a lot of organizations are using consulting firms like us to help them get there.
John Verry (39:31):
And then if we leave, right, then their team’s got to be able to operate all that stuff. And unless they’re actually giving them the time or giving them additional staffing to do that, I think you’re going to see stuff fall on the floor. I pray I’m wrong, but I think it’s human nature. And the reality is, I don’t know, it’s not going to be less expensive to let it lapse a little bit and then get a refresher right before your certification than to actually keep it going. I mean, look, I pray that people would do it for the right reasons: national security, the security of their company, the livelihood of their employees. I just worry about it a bit.
George Perezdiaz (40:07):
I don’t disagree, John.
John Verry (40:10):
We’re done, gentlemen. Thank you. I appreciate it. If folks want to get in touch with you guys individually, do you want to just throw out your contact information?
George Perezdiaz (40:19):
Oh boy. My email is gigantic. It’s GeorgedadperezDiaz@pivotpointsecurity.com, or you can just email John Verry.
Caleb Leidy (40:21):
You want my email or?
John Verry (40:22):
Info@pivotpointsecurity.com and say, pass this to George.
Caleb Leidy (40:29):
Do you want my Instagram, my Tinder or just email?
John Verry (40:31):
Yeah. Let’s stay away from Tinder for sure. The Instagram I don’t know what kind of pictures are up there. So why don’t we just stay with email for now?
Caleb Leidy (40:52):
All right. That’s fine. Caleb.email@example.com.
Speaker 1 (40:58):
You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at info@pivotpointsecurity.com. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.