Navigating New Horizons: CMMC, NIST 800-171 Updates

August 31, 2023

In this episode of the “Virtual CISO Podcast,” your host John Verry speaks with guest Warren Hylton, a FedRisk consultant at CBIZ Pivot Point Security, to explore recent updates in cybersecurity regulations. The conversation revolves around the Cybersecurity Maturity Model Certification (CMMC) and the updated NIST Special Publication 800-171 (R2 to R3).

Join us in this week’s episode as we discuss

The potential outcomes of the DOD’s rules package submission to OMB
NIST 800-171’s Revision 3 updates
The transition from DoD-led to commercial-led assessments regarding CMMC
And more!

To hear this episode and many more like it, we encourage you to subscribe to the Virtual CISO Podcast.

Just search for The Virtual CISO Podcast in your favorite podcast player or watch the Podcast on YouTube here.

To stay updated with the newest podcast releases, follow us on LinkedIn here.

Transcription:

Speaker 1 (00:05):

Listening to The Virtual CISO Podcast, providing the best insight on information security and security IT advice to business leaders everywhere.

John Verry (00:17):

Hey there, and welcome to yet another episode of The Virtual CISO Podcast, with you as always, John Verry, your host. And with me today, Warren Hylton. Hey, Warren.

Warren Hylton (00:27):

Hello, everybody.

John Verry (00:31):

How are you today?

Warren Hylton (00:31):

Good, good. Glad to be here.

John Verry (00:33):

I’m glad to have you. We’re talking about one of my favorite subjects. So let’s start simple. Tell us a little bit about who you are and what is it you do every day?

Warren Hylton (00:41):

Sure. So again, my name is Warren Hylton, and I am a fed risk consultant here at Pivot Point Security. So on a regular basis it seems to be I’m either helping folks implement controls relating to CMMC and 800-171, or I am doing more of sort of assessing controls that are already implemented, and just giving organizations confidence and verification that they’ve done what they’re supposed to do.

(01:06):

So I’m dealing with the federal contractors, primarily defense contractors at this point in time, and also doing business continuity work, running tabletop exercises and doing testing of business continuity program. So those are the two things that I’m doing here with Pivot Point Security, and I really like working with the defense contractor space. And I think that the CMMC mission of trying to get some accountability in the space for the security controls is extremely valuable. I think that it is a very important thing to do, and so I’m excited to be a part of it with everybody that I get to work with.

John Verry (01:43):

Before we get down to business, I usually ask, what’s your drink of choice?

Warren Hylton (01:48):

Well, I myself am a Manhattan kind of guy. I love a Manhattan cocktail. So pretty much anything with brown alcohol and mix it with some vermouth, then I’m a happy guy.

John Verry (01:48):

So do you-

Warren Hylton (01:58):

So that would be a good choice.

John Verry (01:59):

So in your Manhattan, is it a rye or a bourbon?

Warren Hylton (02:03):

Whatever is closest available. But rye whiskey is great. Bourbon’s great too. But, I mean, I’m serious. Any brown liquor in there, and I’m happy.

John Verry (02:12):

Do you make Manhattans at home by any chance at all?

Warren Hylton (02:15):

That would be something that I could make you. Yeah. That and margaritas, those are kind of the two things that you’re going to get out of my bar.

John Verry (02:22):

All right. Your sweet vermouth of choice, do you-

Warren Hylton (02:26):

No preference really on that. I don’t know. Maybe I should get to know more about that, but not really.

John Verry (02:31):

All right. So I will tell you I will take Carpano Antica.

Warren Hylton (02:35):

Okay.

John Verry (02:38):

I mean, it is a noticeably better… It’s the best sweet vermouth for a Manhattan that you can find.

Warren Hylton (02:45):

Well, I appreciate that tip. I will definitely have to try that.

John Verry (02:47):

All right. All right. So let’s get down to business. So thanks for jumping on.

(02:53):

The long and winding path associated with CMMC continues. Today is August 7th, 2023. We have certainly had a lot of news in the last few weeks, and that’s what we’re here to talk about.

Warren Hylton (03:14):

Sure.

John Verry (03:14):

So we’ll talk about the news, we’ll talk about where we think things are going because there’s still a little bit of uncertainty, and have some fun, and kind of gives people some idea of what’s going on.

Warren Hylton (03:26):

Sounds great.

John Verry (03:27):

So let’s talk about what happened. So as I understand it, the DoD rules package has gone to OMB. What does that mean?

Warren Hylton (03:41):

Well, that kind of means that, simply put, the rules themselves are outside of the Department of Defense’s hands for writing. So I think the simple way to look at it is that this is just part of our general federal rulemaking process. There’s a lot of different agencies involved, a lot of different offices that take part in that process for a lot of different reasons. But one of the very key things that happened here is, again, the rules themselves, what we’re going to see in black and white in the new DFARS clause, DoD said in July that they feel good with where they’re at on that. So they were comfortable turning that over to the next step and the next level. So now it’s going through the rulemaking review and that’s where it’s at right now with OIRA and OMB.

John Verry (04:26):

Right. And my understanding is they’ve got 90 days to go through the review process?

Warren Hylton (04:33):

Yeah. So interestingly, in one of the last CyberAB town halls, there was a great presentation and a great sort of crowdsourcing of data related to these rules, and it works out to be right about 60 to 90 average business days to get through one of these processes. So there is requirement that OMB at this point in time follow the procedure that they’re supposed to on their end of things, but in all actuality, yeah, we’re looking like 60 to 90 business days of time before we get the update from them that they need to add in now.

John Verry (05:09):

Gotcha. And as I understand it, there are two likely outcomes, right?

Warren Hylton (05:16):

Yes.

John Verry (05:17):

So that concept of an interim final rule and the concepts of a notice of proposed final rule. Can you tell us a little bit about what the difference is between those two and what the implications would be?

Warren Hylton (05:29):

Yeah, definitely. So what those are is that is kind of the next procedural step as far as what the OMB is to do now with the rules package that could end up being the new DFARS clause. And they both revolve around the concept of this is a final rule, this is changes, this is again from the Department of Defense’s standpoint, language that they’re comfortable seeing in contracts. And so what has to happen now is the way this will be rolled out, we’ll either have one more opportunity for public comment, and that’s the notice of proposed final rule. Essentially at that point, it is a final rule action, but it’s just saying to the general public at large, you have one more opportunity to weigh in comments on this. It does add some time before that movement to actual contract clause is changed.

(06:20):

The alternative is that they don’t think that we need one more round of public comments, which to be fair, they have done public comments on these proposed rules over the past few years. So if they decide that they’ve heard all the comments, they don’t need any more, then they could pass that as an interim final rule. And if they do that, then we’re looking… Like it’s a 90-day timer until we start having this new DFARS clause floating around. So really it kind of comes down to does OMB believe that they need to have another round of public comments? If there is, then we’ll get some more time in this process. If there’s not, well, then we’ll kind of head straight to the finish line.

John Verry (06:58):

So interim final rule, we could see CMMC requirements after 90 days. So January 2024 roughly. If we go the proposed final rule, that would extend it a year?

Warren Hylton (07:16):

That would be most likely. So then we’re looking at January 2025.

John Verry (07:23):

Would it be January 2025 or would it be, being that they’d be coming out of this in October, would it be October of 2024?

Warren Hylton (07:31):

Yeah, that’s great point. That’s a great question. I mean, I think really what it comes down to is this is… We do have a lot more certainty about timeframes because we know where we’re at in the rulemaking process, but it’s not an exact science. I mean, there’s still going to be some leeway here and there.

John Verry (07:48):

So late 2025, somewhere in that window. Okay.

Warren Hylton (07:51):

Yeah. Yeah. And that’s also assuming that we have exactly in October the rule. If we get it pushed into November because they’re taking more towards the higher end of the 90 days, then that also is going to push things back. So it’s kind of a little up in the air on that, but not by much at this point.

John Verry (08:09):

So the good news is that we know that there’s some certainty that we’re going to see CMMC. It’s just a matter of we don’t know exactly when.

(08:21):

I’ve seen a lot of conjecturing… Is that the right word? On the internet of people who are smarter than I. It seems like if there was a Vegas bookmakers on this that it would be… I think most people kind of leaning towards the proposed final rule.

Warren Hylton (08:39):

Mm-hmm. I could see the logic behind that. The last times that they’ve gone through rulemaking with the 7019 and 7020 clauses, those one were released public proposed final rules. So it would match the pattern of how they’ve been doing these rules as of late.

John Verry (08:56):

The only thing which is weird is that isn’t the idea behind the proposed final rule is another comment period and… I mean, how many more comments do we need by the CMMC. I feel like comment that could be made has been made a hundred times.

Warren Hylton (09:09):

And I think, to that point, I think what we’re going to see is we’ll see a lot of comments made that are addressed by referencing previous answers to comments. Because we even saw that in the last round of comments.

(09:21):

People need to realize and remember that this has been, from a rulemaking process, a saga that goes back 10 plus years now of getting the CUI protections and DFARS. So again, it’s been a long time coming from the rulemaking process, and I think people forget about all the times that these conversations have occurred and all the comments that have been put back and yet here we are still today. So obviously they’re hearing the comments, but they’re not in enough way that they are changing course on anything. So that’s something to keep in mind of course.

John Verry (09:56):

Yep. And at the same time that we’re getting this clarification on the CMMC, to complicate things a little bit, we’ve got the 800-171 guidance, which is at the heart of CMMC is being updated from release two to R3. Tell us a little bit about what’s going on there.

Warren Hylton (10:22):

Well, yeah, it sure is a coincidence that these timeframes here are aligning at this time. But yeah, essentially what’s happening is NIST of course is responsible for all their special publications, and the actual security controls that are defined as meeting the requirements for protecting CUI in a non-federal system. They have the authority to define what that is. So they have of course the publication here, 171, that was tailored to fit the contractors that are holding and using CUI. And in revision, and like any I should say, like any other special publication, they’re open to revision and new drafts. So what we’re seeing is that we are now in that third cycle of things where this has already happened previously, and this happened in Revision 2, from 1 to 2, but now it’s just a time where the requirements themselves are doing update. And again, that’s something that’s operating entirely independently from the Department of Defense and CMMC for that matter. This is just NIST doing their job and making sure their publications are timely and up to date, and changing technology, they have to visit them every now and then and revise them.

(11:32):

So fortunately, unfortunately, whichever way you want to look at it, these timeframes are lining up now where back in May of this year, 2023, that Draft Revision 3 was released for 800-171. In fact, public comments in the 10 days prior to DoD sending over the rule to OMB that says, “We’re ready for this, and this is the CMMC languages that we like.” So they really did similarly are happening in a similar time.

(12:00):

But we can say though that there is one major difference, which is that NIST does not need to go through public comments and the same way that the federal rules does. So at this point with public comments being closed for that revision, it would be shocking if we did not have these NIST moving faster at this point than OMB and whatever CMMC clause we’re looking to see. So they don’t need to go back and get more comments on the final. They don’t have to go and modify any sort of federal code. They can just release an update to a publication that they hold and maintain. So that’s what’s happening right now is we are in that sort of cycle of updating and revising to the Revision 3, and public comments again are done. And so now NIST is digesting all of those and going to respond accordingly, and then factor that into their final edition of what will be Revision 3.

John Verry (12:56):

Okay. Let’s talk about how both of these two things happening at similar times potentially impact. But first, whether it’s CMMC, whether it’s 800-171 R2 or whether it’s 800-171 R3, I think there has been a general acknowledgement, in fact, I think multiple entities come out and said that the average implementation time is between 12 and 18 months for most organizations to move from a noncompliant to a fully compliant state. Let’s say less mature to fully mature environment.

Warren Hylton (13:34):

Right.

John Verry (13:35):

So what that basically means is that if you’ve been waiting to this point, congratulations, maybe, but you can’t wait any longer. What are your thoughts there?

Warren Hylton (13:50):

Well, I’m a bit of kind of a smart alec, so yeah, I would say the same, congratulations. Because I think for the longest time, and I’ve been watching this since 2019, there’s been a solid holdout within this ecosystem that are defense contractors, but just basically say, “Until I see it on a contract, I will not be responding, I will not be preparing, I will not be acknowledging,” in a lot of cases, “that this is here.” So there’s a lot of folks that push back saying, “I need to see it on a contract before I follow it up as something to do.”

(14:25):

And so a lot of CMMC skeptics and a lot of skeptics to 800-171 protections in the first place, they kind of found a nice place in the 800-171 [inaudible 00:14:36] of self-attestation and the last page of the contract saying that you got to do all these things. That worked out really well for them. And that’s why I say congratulations, because up until this point, that’s been basically the norm. And the reason why we’re talking about all this, the reason why CMMC exists is because everybody knows that that norm is broken, that contractors are not following the clause as they’re being prescribed, and the department knows that they don’t have accountability and to checking to see if a contractor is following the clause that they wanted to see.

(15:09):

So all of that being aside, if you’ve been a person that’s been waiting for this thing to become more solid, with your timeframe that you just gave, which I agree with, 12 to 18 months of remediation, it was about June then this year that that flipped where even in a best case scenario, you have… The largest amount of time between now and final rulemaking being over and having CMMC certifications showing up on a contract, that timeframe is now less than the average 12 to 18 months there. So you’re in the danger zone if you haven’t started already or if you’re not anticipating to start as response to this thing happening back at the end of July.

(15:52):

Big congratulations as until this point you’ve been able to hold out and not have those timeframes, so obviously not possible. But now we are in the world of your timeframes, if you’re that person and you’re holding out like that, you’re losing very valuable time now, and you don’t have time to lose at this point.

John Verry (16:14):

So where are we at now… As far as I understand, we’re still in the voluntary assessment phase where you need to have… The DIBCAC has to approve you through the process. When will we get out of that? So if I’m sitting here and I’m a manufacturer and I want to get tested, certified, when will I be able to do that does it look like? Do we know?

Warren Hylton (16:42):

I mean, well, kind of two things to consider is, first of all, if you are ready and you feel like you could go and pass the CMMC assessment, then that’s what the Joint Surveillance program is there for. So it’s always important to remember that those assessments are available. It’s just like you indicated, they’re scheduled by DIBCAC, which is the DoD’s assessors. And of course we’re still kind of in this bridge mode of all the assessments being done by DoD personnel and assessments being done by third-party external auditors, or assessors.

(17:16):

And so at this point in time, DIBCAC is DoD’s leading the scheduling of those assessments, but they are available. In fact, if you tune into the monthly town halls, that is a very, very big topic of discussion month in and month out is the updates from… or organizations that are going through assessment today. So it’s important to know that that is a path available to contractors now.

(17:42):

But you touch on a great point that there will be a change here where we’ll go more so to commercial contractors, the C3PAOs, the commercial assessors being the ones that schedule the assessments. And we should all be very thankful and happy when that day comes because it’ll make assessments easier to schedule, because again, we’ve got many organizations that can schedule them rather than just one central organization. And the other thing too is, again, there’s a lot of folks out there that have gotten by without having the DIBCAC DoD led assessment, and having the commercial assessor be the first person into their environment may be a really good thing for that company in that organization.

(18:23):

So there is a little bit of uncertainty right now with when does that schedule, or when does that shift happen to where, say, today you go and get an assessment, you’re going to be DoD-led as far as how to schedule that, to you want an assessment, and now it’s more C3PAO and the ecosystem led that would tell you when you can get an assessment who you need to talk to. There’s still a little uncertainty about when that happens, but that is part of this final rulemaking is that we’re giving the authority to have those assessments done by the commercial organizations, not the DIBCAC led assessments. So we’re kind of in that pivot now, actually, and it’ll be determined when rules are finalized, when actually that switch occurs.

John Verry (19:09):

Okay. So in theory, anyone who has been complying with NIST guidance since late 2016, early 2017, which means that you’re pretty well-aligned at this point or should be pretty well-aligned with 171 R2. 171 R3, considerably different. Is there a strategy for that transition? In other words, is there value to becoming certified to R2 because you’re close to ready and avoiding R3 for a longer period of time?

Warren Hylton (19:49):

Yeah, absolutely. There is definitely a strategy in that, because right now, if you go out and get one of these joint surveillance assessments, they’re assessing to the current standard, which is Revision 2, they have made an indication that those DIBCAC joint surveillance assessments will yield you a three-year CMMC certification. So if you’re getting assessed right now on Revision 2, then your three-year certification window will overlap when Revision 3 is the law of the land.

(20:18):

So yeah, there absolutely is a strategy. If you felt like you were right on the cusp and you were ready, but you were holding out because you wanted to maybe see more of a definite timeframe of when you’d be required to go through that assessment, those folks that are very much ready, if they haven’t already had the conversations regarding these joint surveillance assessments, really should reconsider that. Because again, there is definitely a strategy to get assessed by the standard as it is today, which would be Revision 2, and then hold on to certification for three years, so you wouldn’t actually have an external audit of that Revision 3 controls for three years.

(20:55):

If you don’t do that, if you’re not in available position to do that and have that done in the very near future, then you need to consider the risk of Revision 3 being law of the land when you go through your assessments. So yeah, there’s a strategy to getting it done today and getting Revision 2 assessment in the books for sure.

John Verry (21:17):

So let’s briefly touch on, for people that are not familiar with it, why I think it would be valuable to not have the deal with R3, right? So just talk a little bit about the domains that have been added, a little bit about the new requirements that come into R3, a little bit about the changes to the existing requirements. Just give us a summary. And if you have any way to estimate the level of effort or how much change there would be, let’s chat about that briefly.

Warren Hylton (21:50):

Yeah. So, I mean, first off, I just want to kind of remind everybody that from a high level, Revision 2 is years old at this point. So as anybody in the cybersecurity world knows, change is the constant. So it only makes sense that after enough years going by, that there will be new ways of thinking about security controls and how they’re implemented, what’s important. So it’s not that NIST all of a sudden decided that it’s just, “Hey, it’s scheduled, it’s time. We got to do an update.” There’s again, a sense to why these rules are updated, why these requirements change. And anybody that’s anything close to technology would understand why these things have to change over time.

(22:36):

So that’s from a high level, what we’re doing here is we’re making changes because the controls that as they were written in Revision 2, don’t speak to the environment that we’re protecting when Revision 3 will be the law of the land. So change is a constant. Change is a must.

(22:52):

You can go right now into the draft information that was released by NIST, and they have a great spreadsheet that talks about the differences between these two controls, these sets of controls, but there are some numbers I can share as far as what to expect in the three new domains, for example. So actually, new security families that did not show themselves in 800-171 Revision 2, we’ve got 26 new requirements that are entirely written new into the baseline. Again, the determination there was when Revision 2 was released, these are just not controls that were effective in protecting the confidentiality of CUI, and now they are, and that is to be expected over time.

(23:37):

There are a number of controls that are just getting minor changes, 18 according to NIST. So things like that may affect slightly how you maybe write out a procedure or write out a requirement, but it’s not going to change the intent of the practice. And then we’ve got 49 additional ones that do have significant changes, either because we had requirements withdrawn, which is essentially saying that rather than having three requirements for remote access, we’re just going to have one requirement with three different objectives that meet those controls. So we’re seeing a little bit of shuffling like that. And then we’re also seeing new assessment objectives, which if you’ve been preparing for CMMC and 800-171 assessments, you know very well and you know that they’re more important than the practices themselves.

(24:26):

So we are seeing significant changes, but it’s been five, six, seven years since we’ve last talked about what are appropriate security controls. And so it is to be expected. But by and large, we’re looking at a difference of 110 controls on Revision 2, and 138 as of now in the draft of Revision 3.

John Verry (24:45):

Right.

Warren Hylton (24:47):

You did ask too, yeah, it is a significant lift because again, it just hasn’t been addressed in a number of years. And to what organizations can do to get through this, it’s actually a really straightforward process. As an organization that’s implemented 800-171 Revision 2, you have security assessment and risk assessment capabilities as part of your controls. You’re required to have those.

(25:15):

So what both of those are doing, kind of working hand in hand is making you aware of the risks that you face your system faces, including compliance risks. So changes to what you’re required to do, which is namely what we’re talking about. You’re required to be aware of those using risk assessment activities. And then on a security control assessment, you’re also responsible to ensure that the controls you put in place to mitigate the risks that you’ve identified are actively working.

(25:44):

So what I would recommend to anybody that’s trying to figure out how to do this is the next time you’re doing your annual risk or your security assessment, you need to include the Revision 3 controls as something that need to be risk-assessed and security-assessed.

(26:01):

And if you’re, again, a mature organization that’s implemented 800-171 and been rocking and rolling for years, this is not news to you because this is just part of your internal audit or whatever you want to call that, that you’re doing to meet the 800-171 requirements. So here’s the new controls, here’s the new risks, follow your own procedures, and assess your environment against these revisions.

(26:23):

And I would say too, if we’re talking timeframe, even May of 2023, you realize, “Hey, this new revision’s on the horizon,” if you within the next 12 months do this security and this risk assessment, so if this is not something you’ve thought about until you’ve heard this and you say, “That’s what we’re going to do, and we’re going to do it over our next annual assessment, internal,” then your timeframe allows you the time to do that assessment and then implement remediation before we see the final revision and say an external assessor saying, “I need you to be up to Revision 3 standards.”

(27:01):

So you do have time, but you need to get moving on that because what you don’t want to do is you don’t want to do your security or your risk assessment next month and not look at this stuff and think that this is somehow like a next year thing. This is something you can start diving into, and I would just recommend organizations to use their existing security and risk assessment procedures to account for these changes.

John Verry (27:26):

Yep. One of the things which was interesting to me, and I don’t know if this… So there was a new scoping guide and a new assessment guides that came out as well. And either I missed it or there was a little bit more of a point or clarity on this, but it looked like that a managed service provider that is processing, quote, unquote, “security data,” which basically [inaudible 00:27:55] an example of SIEM or SOC, is considered under the ESP as an external service provider or external security provider, ESP asset I think is the term that they use.

Warren Hylton (28:07):

Mm-hmm.

John Verry (28:07):

And it looked like they said that they would be required to have an L2 certification, which I had not heard prior. Is that your understanding? Am I catching that right that that’s relatively new or new clarification?

Warren Hylton (28:21):

So let’s first start off by saying those documents that you’re referencing, here at the beginning of August ’23, there was documents that leaked out of the OMB website, the actual public-facing search engine that they use, because one of the reasons why they do all this rulemaking process is because they’re required to let the public know things that are going to affect them. And so there is a public search engine that they have on their website, and a number of the CMMC related documents to this final rules package were visible and present. But interestingly enough, here on August the 7th, those links no longer work. So there’s been a little bit of a back and forth regarding the documents that were pushed out there.

(29:06):

But if you were able to kind of catch that blip and see that, what you would see in what you’re referencing are the documents that were attached to the rules package submitted by DoD. So these look very much like the DoD documentation that you would find on their CMMC website today, it’s just now the next edition, what would be needed if they were to have all the rules as they want them written.

(29:29):

And yes, one thing that has come up in just initial review of that is that the level two scoping guide has a lot more clarity on managed service providers, which has been a big question this whole time. There’s been a lot of conversation about cloud service providers and FedRAMP, which was kind of the initial reading of a managed service provider. There was a sort of initial reaction to group them as some sort of cloud service provider. And then when you hear cloud service provider and CUI, you got to think FedRAMP. And so that was incorrect because not every managed service provider is giving any sort of cloud environment. In fact, many managed service providers, they’re not giving you any infrastructure, they’re helping you manage and maintain the infrastructure that you own. So it’s the exact opposite of a cloud provider. They really are working with your equipment.

(30:18):

And so there’s been a big question, how does that service party, how do those people that would be responsible to the security controls that we’re looking at, how do they show up in the assessment? And so there’s been a lot of conversation about this. There’s been some back and forth whether they would need to have this certification themselves, so they could say, “As a service provider, I am certified internally that we are following these practices. Therefore, the clients that I work for and that I choose to have a contract with, they are inheriting the controls that we’ve put in place.” Similar to the cloud responsibility with shared responsibility matrices, which again, is kind of why that went that way in that direction was managed service providers are just another cloud service provider.

(31:04):

But I think it’s really good that we’re seeing more clarity on what an external service provider is. And in that level two assessment guide, they are called out as those that would handle CUI or provide a platform that would handle CUI. That makes sense as you’re now applicable to these practices and these requirements. But what they added in and what I felt was very interesting to pick on was the security data that you mentioned. They say that a external service provider may not be actually handling CUI or have access even to CUI, but they may have access to the security data or the security protection information relating to the environment where the CUI hosts. And that’s more common than folks having a CUI platform that they’re giving out.

(31:51):

Again, more so in that industry, you’re looking at more of the managed service provider being the IT department for the equipment that is owned by the company. It’s not the equipment and the service, it’s just the service that they already have the equipment. So I think it was very important they pointed that out.

(32:09):

If we take that angle on things, then anybody that’s involved in the security work for a defense contractor that has to go through a CMMC certification, the assessor is going to look at their service providers, is going to look at their external service providers, and they will see that they have a managed service provider providing controls relating to CMMC. And as soon as they see that, by the written assessment guide for a level two assessment, they will then need to have some sort of certification for them to be able to work with that type of client.

John Verry (32:44):

It could create a little bit of a catch-22.

Warren Hylton (32:47):

Definitely. Which who gets their certification first?

John Verry (32:51):

[inaudible 00:32:51] are going to need to get certified before the actual DoD entities can. So it’ll be interesting if there’s a little bit of wiggle row at the beginning there.

Warren Hylton (32:59):

Yeah, I’m not sure how that’s going to work out. That is definitely something I have a question. I’d love to see there be a fast track for managed service providers that know they work… Because they also work for a lot of these defense contractors, and if they have been realizing that the CMMC and 800-171 requirements strengthen their existing relations with their clients, they’ve probably taken on new defense contractors because they now know that language.

(33:24):

So we’re going to see a lot of one-to-many in that space, and so I would love to see a fast track where if a company, they themselves are not a defense contractor, they don’t have a government contractor, but they have contracts with a number of defense contractors, that somehow they’re put at high priority for getting an assessment.

John Verry (33:41):

Yeah, they’re going to have to be. They’re going to have to be prioritized, or it’s not going to work.

Warren Hylton (33:41):

Absolutely.

John Verry (33:48):

The other thing which I picked up on in looking at that was something that I don’t recall on the previous versions, and it was, I thought a flaw, if you will, in CMMC was this idea of get certified once and then have three years off. And I’d like to think that people are going to keep the program up, but I would like to have thought that people who said they were complying with 800-171, we’re actually compliant with it. So I don’t think we can trust that people are going to keep it up.

(34:17):

So it looks like they’ve got a self-assessment requirement in year three, and it’ll be interesting if they require, let’s say, senior management sign off on that, sort of allow Sarbanes-Oxley or something of that nature with some type of liability if you don’t have a basis for that opinion. I think that’s going to be an interesting development as well.

Warren Hylton (34:42):

Yeah, I think so. I mean, at a minimum we’re going to see some form, probably literally a form, but something new that needs to be attested to between these certification years. Because to your point, 800-171 is not… Although it’s security controls, it’s a security program that you’re ultimately implementing. So if you don’t have that upkeep, you don’t have that maintenance of the program, which to tie into what I said earlier, if you have that going on, then Revision 3 800-171 is business as usual. It’s obviously something different. You don’t have a revision all the time, but you have processes and procedures to address when these things happen.

(35:21):

So all of those things that need to happen on regular basis, there at a minimum has to be a different way that you say you’re doing that year in and year out. And if it’s something that an executive has to sign and attest to between certification years, that may be what we end up seeing.

(35:41):

But I think the bigger question to be and the bigger sort of we’ll eventually have to have an answer is when we are doing second rounds of CMMC certification assessments. And I’ve kind of always wondered that from the beginning. The maturity model concept kind of made me wonder from the beginning of all of this, would there be maturity expected to be seen between year one and year four if you were just getting your first two certifications? And we don’t have a lot of… Obviously we have no experience in that we’re getting through the first certifications, but I don’t see how you can get through a second certification without it being obvious that you as an organization either upkept the controls or neglected the controls during the interim period. I just don’t see how that’s possible getting through there the second go around with an assessor asking the questions that they will have to ask, you not doing well without that evidence.

(36:39):

So what happens when you pass your first certification but you fail miserably your second in year four? Those are questions to be determined. That’d be interesting to see what does happen there. But regardless of what new form comes up or new annual attestation that an organization has to do, we all should be very mindful that there are a number of other frameworks where going between external audits like that with issues will cause you to fail an audit, and that’s just the bottom line.

(37:11):

So you can’t neglect these things. And even if you were able to somehow still sidestep the form or whatever the minimum sort of requirement’s going to be, it’s only a matter of time until an assessor comes in. And if you think that, well, just, we can tell them what we need to tell them at the time, they’re coming in with the question list that they know they have to ask in order to determine that you’ve done the things that you need to do. So I don’t see how, again, you’re going to avoid their questions in year four if you were not prepared for that. It’s going to be obvious. And then what does the assessor do? We’ll find out.

John Verry (37:45):

Look, the thing you have to be concerned about is do they start to turn examples with using the False Claims Act, right? Because in theory, if you’ve been certified, you’re basically asserting that you’re going to maintain the program. It would be interesting. Imagine an auditor walking in and asking you for log data from year two and year three, and if you can’t produce that year two, that data that’s in the interim period, what is that saying?

Warren Hylton (38:16):

Absolutely. Absolutely.

John Verry (38:19):

We beat this up pretty good. Don’t want people’s ears to be bleeding.

Warren Hylton (38:24):

Mm-hmm. Hope not.

John Verry (38:27):

No. No, this was good.

(38:28):

Give me a real world or fictional character that would make a great CISO and why?

Warren Hylton (38:37):

Real world character or fictional character that would make a good CISO and why. Oh man. I mean, which of the cartoon characters are out there saying no to everything? That would be a good one. Just some caricature of a cartoon just saying no to everything. I feel like that is, a lot of times people think of a CISO, they’re the guy that has to say no.

(39:05):

But I don’t know. I mean, I guess for me, actually, my mind would gravitate more towards a fictional character of a Wild West sheriff who’s coming into town. Especially if you’re a new CISO and you’ve never been, your organization hasn’t had that role before, you really are the Wild West, you really are the sheriff. And you might feel like it’s just you, your gun and your badge out there on your own. I think there’s some parallels there with the sheriff rolling in and a new CISO rolling in.

John Verry (39:35):

Going with Wyatt Earp? Is that what we’re going with?

Warren Hylton (39:36):

Yeah. Wild West sheriff. Yeah. Good luck to you.

John Verry (39:40):

All right. We’ll go with Wyatt Earp.

(39:42):

All right. If somebody wanted to get in touch, what’s the easiest way to do that?

Warren Hylton (39:46):

Well, I don’t know if we’d put our email in here. Email is always great. You can always call me here at the Pivot Point phone number. But yeah, email is what I would prefer.

John Verry (39:57):

Sure. And that would be warren.hylton@-

Warren Hylton (40:00):

Pivotpoint.

John Verry (40:01):

… either cbis.com or pivotpointsecurity.com.

Warren Hylton (40:06):

Exactly. Warren.hylton, and H-Y-L-T-O-N.

John Verry (40:10):

Gotcha. Awesome. Thanks, man. This was fun.

Warren Hylton (40:12):

Yeah. Thanks, John.

Pivot Point is now part of CBIZ. Click Here for more information.

Navigating New Horizons: CMMC, NIST 800-171 Updates, and Compliance Insights

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

What are the 5 Key DevOps Research & Assessment (DORA) Metrics and Why Should I Care?

ISO 42001: What are the Key Elements of an AI Management System?

ISO 42001, ISO 27001 and ISO 27701: Is This the New “Big 3” for Provably Secure and Compliant AI?

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How can we help you?

Services

Compliance

Insights

Pivot Point Security