February 2, 2024

In this episode of the Virtual CISO Podcast, John Verry talks with Warren Hylton and Jeff Carden about the CMMC final rule update. Key points include:

  • Industry Reaction: Relief as the CMMC timeline is clarified, with full implementation expected in 2025.
  • Program Clarity: New acronyms and a focus on external service providers (ESPs) highlight third-party risk management.
  • Preparation: Companies should start now with 800-171 gap assessments to be ready for certification.
  • Third-Party Risk: Increased attention on ensuring third-party service providers handling CUI are compliant.

 

John Verry (00:00.986)
I won’t get into the what do we all drink? I’ll just make mention of something I’m drinking right now just in case You know just for consistency Besides I want to talk about it is that anything else you guys are or we ready to roll?

Warren Hylton (00:16.2)
I’m ready.

John Verry (00:17.286)
Alright, give me two seconds. You know, Warren is so good at golf, he actually needs two golf bags, not one. That’s pretty good.

Jeff Carden (00:17.355)
Ready.

Warren Hylton (00:25.192)
Oh man.

John Verry (00:27.026)
He has left-handed clubs and right-handed clubs, depending upon who he’s playing. He gives them… Yeah, exactly. Actually, you see that there is a professional golfer now that’s an amateur. For some reason, he plays his mid-irons through drivers. He hits righty, and he hits his seven through sand wedge lefty, and putts lefty.

Jeff Carden (00:29.759)
Hahaha

Warren Hylton (00:30.952)
just to tell how I feel for the day.

Jeff Carden (00:34.251)
Shit.

Jeff Carden (00:54.191)
Really? One of those guys, huh?

Warren Hylton (00:55.24)
No, I hadn’t heard that, but interesting. It could definitely come in handy in a pinch. I’ve thought about that before, like just being able to switch up one time.

John Verry (00:58.254)
How crazy.

Jeff Carden (00:58.3)
ambidextrous.

Jeff Carden (01:05.582)
There was a professional golfer back in the day who could play both sides. He didn’t do it, he didn’t switch in between rounds, but he was almost as good. He’s scratch obviously both ways, so. Yeah.

John Verry (01:10.698)
Really?

John Verry (01:17.986)
Wow, that’s insane. All right. Yeah, no, God, Jeff. All right, I’ll do a quick intro and then we’ll be ready real ready. Hey there, and welcome to yet another episode of the Virtual CSUN Podcast. With you is always your host, John Berry. And with me today, two faces that probably look a little familiar, Warren Hilton and Jeff Carton. Hey, gentlemen.

Warren Hylton (01:21.128)
Can’t even do it one way.

Jeff Carden (01:22.142)
it.

Warren Hylton (01:41.512)
Hello?

Jeff Carden (01:41.867)
Hello.

John Verry (01:42.986)
And I did use that term loosely. So, despite the fact you guys are multi-time welcome and congratulations for being multi-time guests, tell us, why don’t you each tell us just a brief amount about who you are and what it is you do every day.

Jeff Carden (02:01.247)
Sure. So I’m Jeff Carden. I work as a compliance consultant. I’m primarily focused on businesses that are subject to FAR, DFARs, NIST and CMMC requirements, which is in the hundreds of thousands as we know. I’ve got 20 plus years background working with the Dib commercial manufacturing spaces as an IT infrastructure manager. And I also do a little bit of ISO work.

And my goal is pretty simple when it comes to interactions with companies. It’s to help them navigate all the intricacies and vague language that we’re familiar with when it comes to the US government.

John Verry (02:41.658)
Okay.

Warren Hylton (02:43.784)
Yeah. Well, my name is Warren Hilton. I come out of the managed IT service provider space. That was where I first found out about cybersecurity compliance and the whole world of federal contracting, really. And so I’ve been working with NIST 800171 and CMMC implementations for a number of years now. Enjoy the time that we’re in now where I get to do a lot more readiness reviews, as we call them, kind of mock CMMC assessments. So.

While it is very enjoyable to implement these controls and implement a security program, it’s really nice now that we get an opportunity to work with folks that say, here it is and how do we do? So all spectrums of the CMMC program and assessment, very enjoyable. And other things I like to do are our exercises for business continuity and incident response. So tabletop exercises, should really enjoy leading those. So those are a lot of fun. Getting involved with.

different companies other than defense contractors or federal contractors. So yeah, that’s kind of a little bit about me and my background here.

John Verry (03:44.386)
Cool, thank you. So this is where I usually ask you what you drink and we’ve already been through that. I will just throw something out there. For Christmas, my daughter and son got me a collection of bourbon barrel aged stouts from a brewery out in New York that I think is just outstanding called Finback. I would highly recommend to anyone out there if you ever see a Finback, any of their BQA series. They are outrageously good. Expensive, maybe a 16 ounce bottles in the 25, 30 buck range.

but some of the best beers you’ve ever had. I mean, if you guys use Untapped at all, they’re around four or five, which is, yeah, you see anything above four, you’re in pretty good shape. Four or two, anything above four or two is usually just, wow, this is ridiculously good. Four or five is legendary, and their beers are. So if you get a chance. All right, so that’s not why we’re here, right? That’s why I’m here maybe to talk about Finback and beer, but that’s not what you guys are here. You guys are here to talk about

Jeff Carden (04:22.619)
Awesome.

Jeff Carden (04:32.671)
I’m gonna go.

Warren Hylton (04:38.056)
Mm-hmm.

John Verry (04:44.466)
your favorite subject, CMMC. So on 12-26, it finally happened. The DoD published the much anticipated rule for the, as they refer it, the Cybersecurity and Maturity Model Certification Program. Your thoughts, right, working every day, how did the industry and your clients react? Was it relief? Was it excitement? Was it…

And then I would also ask is, did it differ for those organizations that are seeking certification versus other people in the ecosystem that you interact with?

Warren Hylton (05:23.08)
Hmm. Jeff, would you like to?

Jeff Carden (05:26.775)
Yeah, so first and foremost, me personally was very happy that we got the final rule. So we’ve been in this kind of CMMC ready state both with version one and version two for a couple of years, if not longer. And so now we have that kind of target date for implementation. And I think across the spectrum of the businesses that I work with,

was relief because there was not a 0% chance that the program was gonna fall through leading up until that announcement. There was talk that they could just fold it up into something else. But across the board with the clients that I’m dealing with, it’s relief. Again, we have that target date, we have the clarification date. And the folks that we’re dealing with mostly have taken this thing very seriously, right? So…

They’re well along the journey and they’re not up against these kind of ridiculous timeframes that a company or entity that hasn’t really gotten serious about it is now up against. So I think the reaction was very positive. They’re very happy about it even though we know with some of the language that there’s a little bit of uncertainty and we have some additional questions that have now popped. The reaction has been very good.

Warren Hylton (06:49.064)
Yeah, I think that that also is in the people that are helping companies implement these controls and also the C3 PAOs that are going to do the assessments. I mean, there was a possibility that this thing could have been dropped in an interim final rule and we got 90 days. And I mean, thinking about tens of thousands of assessments in this calendar year, I think really gave pause to a lot of C3 PAOs. So the idea that this is coming out in more of a methodical.

timeframe that actually gives a ramp up period for assessments. I can say that C3 PAOs definitely have relief to as well. That it’s not something that’s just being jammed on them, but it’s something that they get to kind of scale up to as we head towards 2025. So relief all across the board.

John Verry (07:37.278)
You know, you guys live in it every day. I live in it sometimes. So from my review of the documentation, I thought the good news was it’s pretty much what we expected. It hasn’t varied that much. It’s been pretty consistent. I thought it was interesting. They went into a little bit more detail about the overall structure of the program. I’ve seen the term now used by people called the CMMC assessment and certification ecosystem.

which I thought was interesting and actually well stated, right, because it is truly an ecosystem. The other thing which was amazing was that they have the 68 new acronyms that they defined in the proposed rule. When you guys kind of reviewed it, did you see anything that you found surprising?

Jeff Carden (08:16.767)
Yeah

Jeff Carden (08:25.235)
Right, so we live in a TLA, FLA world, right? Three letter acronym, four letter acronym. So more acronyms is just par for the course, to use a golf analogy.

John Verry (08:34.489)
I think they get paid by the acronym down there.

Jeff Carden (08:37.391)
I think they do. And you know, it’s interesting that now CUI is called CUI, which for me is another head-scratching moment. So, but yeah, you know, when it comes to this particular facet of the announcement, one thing that kind of struck me when it comes to this new nomenclature was this notion of an ESP. And it did intrigue me. This external service provider.

Warren Hylton (08:38.696)
That lines up.

Jeff Carden (09:05.095)
that kind of popped out. So it’s not a cloud service provider. It’s not necessarily a managed service or managed security services provider, but it is now a, it’s an attribute for an entity that a company is doing business with that now they have to rationalize this interaction with. Is it a third party risk management type of thing that they have to look at? And

I found that language was very intriguing and I believe too looking at some of the comments and questions that I’ve entertained with our clients and also anecdotally in the ecosystem is very much percolating up to the top of one of the things that they’re wanting more clarification on.

Warren Hylton (09:51.208)
Yeah, I would say too that it kind of reminded me of the CMMC 1.0 days, because when that was originally announced, it was very much this ecosystem, this program, and here’s going to be these people doing these things and these organizations doing these things. And they’re all working together for this common objective. And then 2.0 came out and 2.0 is more like a, Hey, we got it. We got to do something right now. Mid-flight. It was kind of, um, it didn’t feel like it had the full, um, organization of the original. This is the model. This is how things will go.

And then now we’re kind of back to that original where everything is very clear. Like Jeff said, acronyms galore, but they’re not really acronyms that we shouldn’t be completely unfamiliar with. But I do like to see kind of the complete picture that we see here now in the final rule because it does remind me a lot of how this thing kind of rolled out where there would be an ecosystem and there would be this part doing that and this part doing this. So I think we’re kind of like full circle back to that. But I really liked the fullness of the final picture here.

John Verry (10:49.854)
Yeah, I think one was the ecosystem. Two was, you know, revisiting the standard, if you will, and just saying, hey guys, dial this back. Maybe we got out a little over our ski tips. You know, we already have 800-171. Let’s just use that, right? And the associated documents. So, so yeah, I agree with that. And that’s actually a good lead into the next question I had for you guys. You know, speaking about 171 and 172, 171A and all those wonderful documents, I thought it was interesting that the rule

explicitly listed 16 other cyber publications, standards, guidelines, whatever you want to call them, to be used and quote unquote understood by contractors. So I was curious as to when you looked at that list, were there any surprises and does that open the door for a little bit more auditor discretion of interpreting a particular requirement?

Warren Hylton (11:44.616)
Well, I would say that I think it definitely does open the door for what the auditors can tap into. Because I think to date, when you look at NIS 800-171, it is, you know, we got to remember that that’s the tailored version of what the security baseline should be. So a lot was removed to get to 800-171. So if you saw 800-171 as this like standalone document and it just kind of was this random thing that lived on its own, then you kind of missed the picture anyways from the beginning.

So all these other special publications in that series, 800 series, are very helpful when you’re trying to interpret what an 800-170 control is really getting at. So I do like that they’ve introduced those and specify them. That way, an OSC will be able to see that before an assessor says, well, let’s open up another special publication to answer some specific questions we’re talking about. So I think that was great. And then the other thing that I really found interesting was the ISO.

standards that were called out because they were ones relating to accreditation body and sort of certification process and that was something that Again going back years ago. That was something that the CM MC AB the now cyber AB always knew they had to do Certain things that way they could be an accredited Accreditation body and so the fact that those standards are also called out I think it’s really interesting because that to me means that the accreditation body is aligning around a Standard as well as far as how they will go through the cert

process. So it’s a lot of talk about reciprocity between standards and certifications and information security space. And I think the fact that the accreditation body is, is going full on with the ISO standards for the accreditation body and certifications themselves, I think is hopefully over the long haul could actually do a lot to allow reciprocity between that standard and others. So I’m very happy to see those three called out to as well.

John Verry (13:35.482)
Yeah, I think that the argument for reciprocity and the conversations that have already taken place about that, I think we all look at this naturally and think one of the most logical reciprocities would be FedRAMP. If you’re already FedRAMP ATO’d, I think we would all agree that a FedRAMP ATO, especially to moderate or high, is a little bit more exacting than just an S801.71 level 2. So it would logically be that.

reciprocity or at least some formula for integration, if you will, between ISO and CMMC makes a lot of sense, right? So a lot of the companies that we’re working currently, right, have traditionally been ISO 27001 certified at the request of either a government agency or from a commercial space. They need to maintain that commercial ISO 27001 certification, but now based on this new requirement they’re trying to do CMMC.

And this idea of running these two programs concurrently, as an example, maybe you’re running your ISO 27001 ISMS with a CMMC as an input into it. I think, like you said, they’re opening the door to that, which I think is important and necessary, right?

Warren Hylton (14:46.824)
Absolutely.

Jeff Carden (14:47.335)
Absolutely, absolutely.

John Verry (14:51.35)
Jeff, what are your thoughts on looking at the standards and the guidelines? Anything jump out at you?

Jeff Carden (14:57.435)
Yeah, so I think Warren hit the nail on the head there, you know. So we’re adding to the specificity of the program. You know, the more information that we have, whether it’s spread out over multiple documents or kind of condensed down into one is not really the point. It’s the fact that we have this library of information that helps us paint the picture of what the requirement is asking for and how to assess against it.

how to scope, all of the questions around the whole process. And yes, you may have to go to different documents to get the answer, but it’s there. And they’re providing that in the context of having a clearer picture of it. And as far as that kind of crosswalk of the standards, absolutely, it’s important because if you look at ISO and you read some of the language, it’s very similar language. And having assessed both sides of that,

you know, ISO and CMMC in this, you know, the assessment process is very similar. So why wouldn’t you give some credit or, you know, leverage that overlap to the betterment of not only the company, but also the ecosystems that each one is representing. ISO, which has its benefits, CMMC has its, you know, and basically, you know, provide.

I hate to use the term the synergy between the two, but that’s essentially what you’re doing is you’re piggybacking off of one versus the other and you’re providing you’re reducing that duplicative work sometimes that can be a little you know taxing on organizations.

John Verry (16:33.814)
Yeah, the other thing too is that, you know, I find that when you look at where well run cybersecurity programs occasionally break down, you know, it’s in that operational component, right? And anything we can do to simplify and automate operations is better. So not having disparate forms of guidance or not needing to implement a control with a with a tweak for one versus the other, right? The more they can be homogenized, I think the easier it is to run your cybersecurity

which yields a net effect of more secure organization.

Jeff Carden (17:08.203)
Absolutely.

Warren Hylton (17:08.296)
Yep.

John Verry (17:10.154)
Oh, interesting. So getting down to a little bit of breast tacks here, right? So were there any changes to the requirements for the three levels or the attestation approach for each of them? And then, yeah, I’ll ask that question and then I’ll ask you a question about level three as well.

Warren Hylton (17:33.096)
I mean, yeah, so I did not see that. I think that that was the 2.0 update. The 2.0 update righted that shift. And then now with the final rule here, we’re just kind of building on what should have really been followed from the beginning. So 801.71 is the law of the land. I did find it interesting that revision two of 801.71 is called out here. So it’s not just, you know, special publication or 171 specified revision two in the final rule, which is.

really helpful for contractors looking for guidance on the revision three that’s coming. But by and large, I think they just kind of continued the right step that they took when the 2.0 walked things back to just using the NIST standards.

Jeff Carden (18:16.455)
Yeah, and one thing that kind of jumped out for me that, and I’ve been a part of this dynamic before in a previous life, is there was the, I think that the slight tweak to it where they’re now asking for attestation by company principal, even during those maintenance years. And that attestation and that, you know, notary type of exercise is now going into a public system of record for the US government.

So it’s putting the skin in the game, right? And I’ve been a part of those conversations where, you know, there’s question of whether or not you’re truly implementing something or you’re truly compliant to something. And then when you ask somebody to sign something, all of a sudden it’s like, I’m not signing this because there’s not a consensus among all of the parties internally that they’re actually meeting it. So this will drive those internal conversations to make sure that when you say that you’re meeting a particular controller or a compliance standard,

that you’re truly doing it before a company principal is going to sign off on that. They’re going to want to make sure that all the T’s are crossed and I’s are dotted and that they understand as well. So there’s none of this kind of gray area, I think, because again, that, now we have skin in the game. And so I like that, that approach because I think the rumblings are, we’re seeing in the, in the program that the false claim act is now, you know, that that’s being brought back into, into our

our discussion that it could be, they could be leveraging that hammer a little bit more going forward.

John Verry (19:48.214)
Did they literally, you know, I saw the signature by a senior authorizing official, or they used some official term, did they actually say that had to be a notarized statement?

Jeff Carden (19:58.899)
Well, I say no to notarize, but by virtue of the fact that it’s going into spurs, I think is kind of what I’m alluding to. It’s basically somebody’s going to sign it.

John Verry (20:07.07)
I got you. Sort of that format. Okay. Yeah, and listen, and for anyone who doesn’t think that changes things, I mean, I’d point you to Sarbanes-Oxley 404 attestation, right? You know, I mean, you know, when you got to a point where suddenly, you know, after Enron with Sarbanes-Oxley spun up and suddenly you were going to, you know, a senior, you know, chief, chief audit officer, you’re going to a CFO and you’re saying, hey, you know,

you need to sign off on the control environment around these financials, that meant something, right? Suddenly they were like, hold on a second, hold on a second, I need to see some evidence that this stuff is actually running. So that’s an interesting question. Like one of the concerns that I had with a triennial, if that’s the right way to say, every third year audit, is that you don’t have those touch points. So I think that the signatory component will help. Is your expectation that

Jeff Carden (20:38.899)
Yeah.

John Verry (21:03.23)
in order for a senior official to sign off, that they’re going to be looking for some form of evidence? Like I know if I was asked to sign off on something, I’d want to have a basis for my opinion. I’d probably want to have somebody present me the evidence. Ideally, independent objective, third party evidence. Do you think that much the same way in ISO, we do internal ISMS audits each year to validate the effectiveness and present that data to the registrar, do you think that that’s going to drive…

quote unquote, CMMC internal audit or CMMC validation assessments in the interim years.

Warren Hylton (21:36.712)
Absolutely. I

Jeff Carden (21:38.276)
I believe absolutely, yeah. Go ahead, Warren.

Warren Hylton (22:04.104)
I think anybody like you said that is thinking that through what they’re about to sign, what they’re about to attest to, they’re going to want more. They’re going to want more than just, you know, just sign here, please. So I think that example of the internal audit being done by a subjective third party, I think we’ll see a lot of that in the CMMC space in between the certification audits.

Jeff Carden (22:27.115)
Absolutely.

John Verry (22:29.654)
I remind me on level three, right? So I can’t remember whether or not we already knew What I picked up on and I didn’t remember if I forgot this that level three, you know We knew that it was going to be the 110 controls from 171 plus 24 controls from 172 but now they’ve specified those 24 controls was that done prior to this or was this new that we saw the new 24 controls

John Verry (22:59.118)
Do you remember?

Jeff Carden (23:01.728)
I believe that the 24 controls were known prior to that. But, you know, in kind of speaking to this particular point, you know, the level three obviously is for higher profile programs that are handling information that’s a little bit above and beyond what a typical CUI might be, right? The, you know, missile programs and those types of things.

John Verry (23:26.198)
weapons, command and control, communications.

Jeff Carden (23:28.711)
Yeah. So this 172 notion really is the IA part of the CIA triad, right? So the 171, 172 is effectively the 853. And I like the fact that you can see this kind of genesis back to the original DNA, which is really the 853 framework, right? So 171 is the C part of it, the confidentiality part of it. And they’re serious about

the IA part obviously because of the again those high value that high value data and information that you’re protecting but you know It’s it’s beautiful that it all kind of harkens back to the triad in the pyramid at the top there the 853

Warren Hylton (24:13.896)
Yeah, and it’s NIST setting that record too, because the 172 series, that publication is not going away. So again, it’s great that the DoD is letting NIST set the guidance on that. And I think it’s important that NIST realizes that there is CUI and there’s specified CUI or special CUI. It’s good that NIST sees that difference.

John Verry (24:13.966)
Yeah, we’ll probably.

John Verry (24:36.678)
Yeah. So we have this guidance. It came out on December 26. We know there’s a 60 day comment period. What then? Right. And when does when does this mean CMC is actually going to become effective or enforced?

Warren Hylton (24:56.36)
Well, I think, yeah, sure. There’s a couple of timeframes to keep in mind. I mean, so with this one here, we’re setting out the CMMC program. And in fact, if you read the final rule and see it, it really lays out, like I said, the original, this is an introduction to CMMC and what are all the various components gonna be and what their roles will be. So it’s a full program that in itself is…

Jeff Carden (24:56.819)
Warren, you got that?

Warren Hylton (25:23.912)
allowing these assessments and these certifications to be awarded. So that’s moving ahead after public comments are accepted. And usually it’s going to be a 12-month process to review and respond to all these comments. So we can expect sometime in early 2025 for a lot of that to be released. We’ll get another update and it’ll just be responding to the comments that they’re currently accepting. And then at that point in time, usually when those things are released, when the comments are released,

reviewed and responded to, we have kind of like a 90 day period where we will see that now become like a final notice that this, this is what everybody needs to be aware of. This is not changing. We’re not taking comments anymore. And here’s everything that you need to know. So I think as that happens, we’re looking at maybe the second quarter of 2025 calendar year for there to actually be this full on CMMC ecosystem in CFR that says, you know, here’s the persons that are going to do the assessments.

Here’s the persons that are gonna award certification. Here’s how an organization, a contractor is gonna navigate those things. So really the timeframe for that is very straightened out. And at this point, it’s just a matter of process. I think it’s also worth noting that there’s another timeframe that we’re all watching to as well. And that’s a revision, another revision to CFR 48. And that would be the one that would actually put the contract clause into.

you know, DFARS and new and renewing contracts after a certain date. So there will be kind of a parallel track here where there’ll be a revision that establishes this program and the ability to get assessed and get a certification. And there’ll be this revision that’ll give contract language to new contracts at a certain point that allows for actually, you know, the requirement for certification. And I think it’s important to point those two things out because

What we just saw December 26 was the revision to 32 CFR, which is the program. So it’s very possible and very similar actually to 8R171 and some of the self-assessment activities that we’ve kind of been in this interim time, contractors having to do where prime contractors are going to have the ability to tap on a CMMC program, CMMC assessments and certifications before they’re necessarily as a contract requirement passed down from an official DOD contract.

Warren Hylton (27:43.112)
So it’s very possible that your prime contractor was going to push you into that faster than you were if you just were directly dealing with the DoD. And we saw that when it came to, again, 801.71 self-assessments and having to do the SPRS scores. You know, we had a lot of prime contractors that set deadlines on that, and a lot of contractors responding quickly to it. And then it was like at the very end was anybody that had direct business with the DoD, and they said, you know, this is the Monday I have to have this done by.

But prime contractors pushed on that as soon as the program, as far as this is how you do a self-assessment, this is where you go to submit a score. As soon as that was available, prime contractors immediately began to push. I think we see that again too as well. So there will be two revisions to CFR, but I think the one that’s recurrently in this revision of 32, that’s the one that’s going to open up the door to an auditor coming into your environment and doing an assessment. And as soon as that one is available.

second quarter calendar 2025, we will see prime contractors start asking their supply chains when will you schedule this assessment. So that’s the timeframe that I see and I think that’s the one that’s most important.

Jeff Carden (28:55.211)
Absolutely, very well said. I think I could just add one point to that, which is essentially that, the, and kind of re-emphasizing is this notion of the flow down, right? And you as a company need to have the situational awareness about where you fit into your supply chain. Because if you have dealings with primes or even fairly large sub primes, is that flow down is gonna catch you much quicker than

a normal these phases are. So those companies that are dealing with primes need to be ready and they probably are because my experience is that they’ve already had questionnaires and they’ve already had pressure from the primes because the primes obviously are dealing with in some instances tens of thousands of subcontractors depending on who you are and they’ve got to get out ahead of that as well. So they want to make sure that those subcontractors

have everything lined up and ready to go as soon as they can because they’re ready to push that flow down requirement. And so that flow down is kind of the catch all with the folks that think that they can kind of ride this thing out a little bit longer before they have to get certified.

John Verry (30:10.626)
So one of the things you kind of assumed there was that the comment period might extend. So once they address the comments, then you’re saying it becomes, at that point, within short order, it goes into effect. Does that period have to go a year? I mean, could the comment period close in the end of February and could we be sitting in June and suddenly they come forward and say, hey, we’ve addressed all the comments?

Warren Hylton (30:39.432)
I think that you kind of have to look at historical precedent on that and I think that actually, I don’t know if there’s going to be any new comments or I should say, you know, 90% of comments are going to be anything new compared to what’s already been discussed in these revisions of 800-171.

John Verry (30:56.395)
Let’s take a step back for a quick second, Warren, because we talked about this earlier. There were no substantial changes really to the requirements. And the requirements are the kind of thing where an organization can say, wait a second, we can’t afford to do two-factor authentication or having a SIM for my company is unrealistic. None of those comments are going to exist anymore because they’ve already been mediated before, theoretically.

So like, should it take a year to get through comments?

Warren Hylton (31:27.24)
Well, I think that we’re talking in kind of the theory and practice, because in theory they shouldn’t, but in practice they’re going to get the comments again. And so I think what the DOD will have to do is just kind of show that they’re respecting the fact that people have a say in here. And that’s how they’ve done it historically when it’s been the same comment over and over and over, the same concern over and over, you get the same answer. But I don’t think that I could see what you’re saying, that they could take a shortcut and just say address earlier, see previous answer.

But I think that they don’t do that because they do want to kind of paint the picture that these comments are taken very serious and and listen to and addressed so I Could see how they could do it faster But I think that it would be unwise to because it would set a bad it would just set the wrong image that this is not something they’re listening to and They could have already done that previously and they have not they’ve still taken their time So I just anticipate following precedent they take their time again

even though as we all are agreement here that there’s nothing really new under the sun when it comes to some of these concerns.

Jeff Carden (32:33.639)
Yeah, and this notion of precedent too, is kind of a double edged sword. You know, if they, again, if they do rush, not rush, but if they’re quick to close that adjudication process, then, you know, what kind of an example are they setting or precedent are they setting? And we know the government is, you know, they prefer to leverage as much of the time as they’re allotted to pretty much any process that they’re a part of. So I mean, I think, yes, there’s been a lot of clarification in that previous period. There was tons of questions that were answered.

But there were some additional questions that kind of did arise with this final rule, some of which are pretty impactful. This notion of potentially log-in event vulnerability information being treated as CUI, this notion of external service provider, FedRAMP equivalency versus FedRAMP ATO, those types of things will warrant a period where they’re going to have to answer and respond to questions.

And so, yeah, I think the process historically will play out as far as the timeline goes, pretty much the way Warren had described it. It will be a pretty decent adjudication period before we get to the final review and approval before they actually publish the final rule in the Federal Register. And that will be, you know, in 2025.

John Verry (33:53.494)
Gotcha. Okay, so what happens if I’m a OSC, right? Organization Seeking Certification, what happens between now and the time the rule comes into play? So am I at a point now where I can go to a C3PAO and I can get a CMMC certification or are there no CMMC certifications until the rule exists, right? Is this a chicken and an egg and what can we do here?

Warren Hylton (34:22.695)
Jeff, I’ll let you answer that since you’ve had some recent experience actually with that.

Jeff Carden (34:27.203)
Yeah, so I don’t think that the three PIOs have all of the pieces of the puzzle just yet. I think especially with some of that language that was introduced, they’re going to need some clarification to this. But they’re very close. And we know that there’ll be this rush to get into the queue when everything is in place. You know, there’s just a few pieces of the puzzle left. But there will be this mad rush.

to get into the queue. And we all feel like with the tens of thousands of defense contractors that are going to be required to certify, and a limited number of these assessing organizations, that it’s going to be, that those queues are going to fill up very quickly. So I think people are going to want to have those conversations very soon. And they could even be having those conversations right now. But I do not believe that the assessing organizations have everything that they need.

So they’re gonna wait for some clarification on this as well. And, but that’s not to say that there are not other tools available to them or to companies to get, you know, incremental steps towards that. And one of them is you can still do 800, 171 gap assessments. We know that 800, 171 is, you know, is the core of the program. And so you can get an assessment and essentially a picture.

of where you stand with the bulk of the program with this gap assessment. And those assessing organizations are going to give you some credit for that. They’re not going to just point blank with the CMMC assessment, give you 100% credit on that, but they will have gone through the process of review and looking at artifacts and things like that. And it’ll be a much less intense touch point for them.

to get beyond that and then to look at the gap between the 800-171 type of an assessment to the CMMC assessment. So that is one of the tools that’s kind of in the assessing organization’s kind of toolkit now to get some people a picture of where they stand, something that these companies can take to their, up their chain, to their boards to tell them, yes, we’re serious about this and we’re actually, we’re making progress, but not everything is there just yet. So I think

Jeff Carden (36:52.467)
I think it will have to wait until this comment period is closed out and at least some type of, you know, hint at the answer to some of these important questions that are still out there before the assessing organizations are going to get serious about saying, yep, we can schedule you on such and such a date and actually conduct the assessment.

John Verry (37:13.73)
So quick question here, we just had a client go through a quote unquote CMMC assessment, I know it wasn’t an official one, right, but we had a C3PA come in and do that. What was that called? What did they call that? And what did they get at that test station?

Jeff Carden (37:24.889)
It was just, it was a NIST 800-171 gap assessment. So it was an assessment against all those controls.

John Verry (37:31.382)
Okay, so it was an 8171A assessment, which is effectively CMMC.

Jeff Carden (37:40.211)
Yes, it’s the bulk of the program. Yeah, absolutely.

Warren Hylton (37:40.232)
too. Yeah.

John Verry (37:43.316)
Okay, good. Alright, good. Alright, so that will be it.

Warren Hylton (37:44.904)
I think, John, I just wanted to add to that. Oh, sorry. I was just gonna say the thing too that I think is sound advice now is tying back to your point about this new focus on the interim time period between the three-year certification assessments. If you are thinking, well, we’re not getting a C3PO assessment this year, then you should ask the question of what evidence does our CIO or CISO need to see in order to sign off for a self-assessment and an internal audit. And that’s something that

you’re not waiting on anybody to tell you what that is. That’s something that you as an organization needed to find now. And so if you want to hold off until 25 to look at the C3PAO involvement, okay, understandable. But at the same time, you should be able to answer the question sooner than later about what is your own internal threshold needed of evidence. That way you would be comfortable signing one of those things annually. And so if you’re not going to involve the external C3PAO, then you should at a minimum.

be looking at what your own internal standard of evidence would be for your own assessment that you have to do.

John Verry (38:48.974)
Gotcha. In the document, they had a kind of a table with four phases, which I thought was interesting. And the start date is the date CMMC revisions to the DFAR has become effective. So that is we’re anticipating that’s when the comment period closes, this CFR 32 goes into effect. Right. So you’re talking about let’s say that for sake of argument, that’s January of 2025. Right. So right away, then on that date, this level two self-assessment requirement.

goes into all solicitations, right? And then six months later, right? Then you get the third party C3PAO assessments for level two go into effect. And then a year later is when we see the CMMC level three stuff come into play. So I thought that was kind of interesting and I guess good in terms of, because you know, it’s gonna be, I don’t think we have enough guidance yet to really know exactly what.

what the level three stuff is. Well, I guess we do, right? Because do we have the assessment criteria for the, we have a 172A document, right?

Warren Hylton (39:58.568)
172A, yeah, that’s what I was saying.

Jeff Carden (39:59.943)
Yep, absolutely.

John Verry (40:01.554)
So we’re good there. All right, so that’s just the timeline. So I think we can agree that many companies that we deal with or talk with have waited until they knew CMMC was definitively going to happen. I mean, I’ve probably had three dozen conversations with someone saying, well, when I’m sure it’s going to happen, we’ll make the investment, but not until then. You never know with the government.

In your mind have we hit definitive?

Warren Hylton (40:33.224)
Absolutely. Yeah. Yeah. I think that that time with the final rule that we have and the idea of this is the CMMC ecosystem, the CMMC policy, I think that’s what those people really need to open up and read if they were thinking they were waiting for something more final.

Jeff Carden (40:35.724)
100% we’re there.

John Verry (40:53.27)
Okay. And, you know, I think there’s a general consensus that for an average organization, it’s going to take somewhere between nine and 18 months to not have a fire drill to put in place a CMMC or, you know, once everyone conforming management program. So, you know, from that perspective as well, we’ve sort of hit now not only is it definitive, but if we don’t start now, you will be behind the eight ball come, you know, January of 2025.

Warren Hylton (41:23.976)
Yeah, I think we’re into that time of risk of losing out on contract opportunities is a real risk a chap to consider and be aware of.

John Verry (41:35.717)
I mentioned that we just went through that 800.171 assessment with our client. Any lessons learned?

Jeff Carden (41:45.831)
Yeah, scope is very important when it comes to that understanding scope and a large portion of the initial discussion and assessment process is centered around identifying scope. Yes, they take the system security plan and what you’ve described as scope, but they almost have a high level, very quick rundown of the same scope assessment methodology to understand

in their words, what the scope is. And they do harp and they hyper focus on the boundary if you’re talking enclave and scope and ensuring the controls that are at that boundary to, they really wanna understand if CUI can traverse that boundary. And if it does, then they look at again, your scope and.

to make sure that you’ve properly defined it. And so you wanna make sure that is clearly defined and rock solid because a large portion of the demonstrations were to demonstrate that you can’t do certain things or you can do things or that you’re doing things that you say you’re doing when it comes to that boundary. And that was the key takeaway. The other things, again, we live in that 8171 world. We’ve been in that world for many years.

So there’s lots of controls that are, you know, fairly black and white and fairly well understood. But this notion of enclave, you know, that is meant to give you a smaller footprint and somewhat of a less of a lift when it comes to being compliant is a key element that they want to make sure that you’ve defined properly. So I think that was the key takeaway is that you have to ensure that boundary is very solid.

John Verry (43:37.314)
So almost in a weird way, either a deconstructive or almost like they hacked the SSP, if you will, right? Is they weren’t just looking at the SSP and saying, okay, you know, like taking a forward basis look at it, almost looking at it from the other side and saying, you know, can I figure out where you messed this up?

Jeff Carden (43:44.297)
Yeah.

Jeff Carden (43:59.488)
Right, exactly.

John Verry (44:01.618)
Interesting, interesting. How far did they drill into the supply chain, right? So, I know the client a bit, having done some of the ISO 27001 SOC 2 work there years ago. I know they have an MSP that’s involved in some of their stuff. I know they’re in the cloud. I don’t know if they’re relevant to this particular SSP. How far did they go down? Did they, into the CSPs, the ESPs, the security providers, right?

Jeff Carden (44:30.539)
So there was, I guess, a level of, they did give them, I guess, some credit for the fact that this was already in a FedRAMP high, GCC high enclave or GCC high environment. So they did ask for, and they looked at, the latest FedRAMP attestation that Microsoft had. They did, again, back to the scope and the interconnection.

You know system interconnections. They did drill down through that and made sure that was clearly defined in those instances where there was a third party in their situation. It was a SIM. You know, they look very, very closely at that offering as well. And they asked for, you know, multiple demonstrations that the things that they say that were being done by this third party.

was actually being done and that you could provide evidence as such. So, you know, reports, they wanted to see current reports, they wanted to see current logs with activity and things like that. So it was very thorough, but only in the sense of just that interconnection kind of piece. And again, some credit was given for some of the big, you know, like a cloud service provider that’s a Microsoft or Amazon, I would imagine, AWS, GovCloud, they would give some credit for.

John Verry (45:58.478)
makes complete sense.

John Verry (46:05.445)
I think we beat this up pretty good in terms of what we had chatted about. Anything we missed? Any last thoughts that you guys want to share?

Jeff Carden (46:18.339)
Yeah, so my takeaway is that just based on some of the questions that have popped and this notion of external service provider and then leading up to the final rule last year, I think a theme that I’m taking away is that they’re taking third party risk much more seriously in as much as you have managed service providers.

or managed security service providers or other third party relationships that may have some type of connectivity into your system. And they are focused on making sure that you have assessed the risk of those interconnections. And they’re doing that through this ESP kind of nomenclature. And they’ve called that out for a specific, in addition to a cloud service provider.

and they’re looking at solution stacks that these service providers have. So.

John Verry (47:20.814)
So he’s still recording on his side. No, it should be fine, Jeff.

Warren Hylton (47:22.984)
Do we lose yet? Oh, oh.

Jeff Carden (47:23.592)
S-

Jeff Carden (47:28.856)
Okay, are we good?

John Verry (47:31.54)
It should be because it recorded locally, so we didn’t hear what you said, but I’m sure it was brilliant.

Warren Hylton (47:38.12)
Bravo.

Jeff Carden (47:38.427)
So, let me roll back. So, what I was saying is, I think my takeaway is that they’re very focused on third-party risk, right, which we know has made headlines in recent years. You know, third-party risk was essentially what almost brought down MRRSK, and I can attest to that personally as a part of that. So, when you look at external service provider and then this notion of what the solution

Are they leveraging tools that are in your enclave? Or are they leveraging tools that’s part of their solution stack or outside of your control? They’re very much concerned about that risk and want to understand that you understand the risk and that you’ve quantified it. And they’re doing that and they’re looking at that through this notion of ESP and bringing into light that they have to be L2 certified as well. If they’re storing, processing or transmitting information that they’re gonna define as CUI.

And I think that does harken back to this idea that, you know, if you don’t have a good picture of your third party risk, you can have all of these wonderful controls and a very well defined and mature program and you have somebody who does something, you know, very bad or, you know, has a has a bad moment on a third party side and they can bring everything down.

John Verry (49:01.494)
Mr. Hilton, any last thoughts?

Warren Hylton (49:02.088)
Oh, yeah. I mean, I think I just kind of I think that was well put because I think that is something that’s getting a lot of attention right now and has been a lot of conversations about and I’m glad to see clarity on these third parties and how that supply chain is brought into these assessments. But I think for my final thoughts here today is just kind of go back to my soapbox, which is that in part of working through all of this is I get to know defense contractors, I get to know decision makers and leaders within defense contractors.

And I feel like there’s a lot of gratitude and thanks to be given out to people that have taken this seriously, been proactive, considered the risks that they face being in this space and being in this market. And unfortunately, I see a lot of other folks too that do not. This market is just another one to go into and win. And I think that that is unfortunately short-sighted and it misses the point of what this market actually is to serve and U.S. national interests.

I think a big thank you to everybody. I feel at the end here, it’s kind of that time where you say, thanks to everybody that got us to here. And it was the contractors that took this seriously, understanding their risk and the market that they served and sort of the higher picture, bigger picture of what they are a part of that we really owe a big gratitude to. If you are on the other side of that and you see this as just a dollars and cents thing, I mean, there’s a lot of dollar values in this final rule as far as how much this may cost and how much this should be and all that.

And if that’s what’s most important to you, and again, I just would challenge you to think about the space that you operate in and the customer that you serve. And if you will not do that, then you will have competition that does. So it’s here at the end of everything, I just feel like it’s the time to say, thank you to the contractors and the decision makers within contractors that took this seriously, understood that there was a problem here. And even though the solution and sort of how we solve this problem is an ongoing battle.

that has had its highs and had its lows. Anybody who understood that the problem was a problem and didn’t second guess that, I say thank you to those individuals and those companies. Very important that there was this critical mass and I do see it now in a way that I did not see it as clearly five years ago.

John Verry (51:17.118)
Yeah, you know, I think the we’re very fortunate at Pivot Point to work with a lot of clients that recognize that winning in the 2020s does equal strong security. Steven Covitz Jr. wrote a book that I like, The Speed of Trust, I think it was called. And in the book, he talks about trust being a lubricant, right? It makes it makes actions happen with less friction and quicker.

If you understand that about information security, if you can lean into an information security conversation instead of away from it, if you have attestations to prove to a concerned third-party regulator, client, etc., that you are secure and compliant, I think that you are going to win.

Warren Hylton (52:08.872)
Absolutely.

John Verry (52:10.614)
Kudos to those that are a little bit more forward thinking. Guys, this has been awesome. I appreciate you guys jumping on. If somebody wanted to get in touch with you guys, what’s the easiest way to do that? They had a question.

Jeff Carden (52:29.055)
ahead, Warren.

Warren Hylton (52:30.344)
I just, I like to give my email, Warren.Hilton, H-Y-L-T-O-N at Pivot Point Security. I’m always available there and love to get to know you and your questions.

Jeff Carden (52:40.595)
Yep, Jeffrey Cardin, jeffrey.cardin at pivo and I’m up on LinkedIn as well.

John Verry (52:47.518)
Awesome. Thanks guys.

Warren Hylton (52:50.024)
Thanks, Sean.