If you are scrambling to figure out CMMC, you aren’t alone.
It’s perhaps the most sweeping information security change for DoD contractors in history…
And that comes with an assessment program dwarfing any other.
As Member of the Board of Directors for CMMC AB, the accreditation body for CMMC, Ben Tchoubineh is one of the minds behind these assessments… just don’t call it an audit :).
Ben came on the show to demystify the CMMC assessment and certification process.
- The challenge of assessments and training
- How competition will help with scalability of getting qualified people in the market
- Types of certifications and careers
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey, there, and welcome another episode of the Virtual CISO Podcast. I’m your host, John Verry. And with me, as always, [inaudible 00:00:32] Jeremy Sporn. Hey, Jeremy.
Jeremy Sporn (00:36):
Hey, John. Did you know that seven times 13 is 28?
John Verry (00:40):
Unfortunately, I’m old enough to actually understand that reference. I will absolutely tell you that that is one of the most remarkable bits ever. You actually will believe seven times 13 equals 28, if you ever watch that.
Jeremy Sporn (00:51):
Yeah. He proves it like three or four different ways.
John Verry (00:54):
Three ways, yeah. Yeah, it’s nuts. [crosstalk 00:00:57]. Yeah. People are going to look for that on YouTube, I don’t think they want to hear us yap about it. What’d you think of my conversation with Ben?
Jeremy Sporn (01:04):
There is nothing like getting information right from the source. Ben Tchoubineh which I believe I pronounced that correctly-
John Verry (01:11):
Good luck with that one.
Jeremy Sporn (01:15):
Being a director on the CMMC Accreditation body, being the chair of the training committee, he is just a wealth of knowledge when it comes to how CMMC training, accreditation, and assessments will be handled in the coming weeks, months, and years.
John Verry (01:31):
Yeah. My thought process was you’re talking about a super, super smart guy. I think the CMMC-AB made a really good choice with them. I love the podcast. You really got me excited about what they’ve got going on. I can really hardly wait to see the registered practitioner and certified assessor programs that they’re developing.
Jeremy Sporn (01:52):
Agreed. What I love most about really the whole CMMC crew, anyone that’s heavily involved with CMMC is just their desire to what I consider to be righting some wrongs. The amount of theft that occurs due to a lack of security is one of the largest transfers of wealth in human history. Ben, he’s a volunteer that is just in that fight against this injustice.
John Verry (02:17):
Yeah. That’s an interesting perspective. It sounds corny. What I’m about to say sounds a little bit corny, but I really don’t think it’s a stretch to refer to all the folks that are involved in this effort all the way from like Katie Arrington and the folks at the office. I always screw this up. The Office of the Under Secretary of Defense for Acquisition and Sustainment, I think, is the right term all the way down through these people that are the directors of the CMMC-AB. I think they’re patriots. I know that sounds crazy, but I think they view themselves as the same way. Like you said, Ben is taken off from doing his three full-time jobs to work full-time as a volunteer on this. They’ve structured these programs in such a way that he can’t take advantage of the work he’s doing.
John Verry (03:02):
I got to be honest with you, I don’t think it’s crazy to refer to them in the way that you did. I do think they’re patriots.
Jeremy Sporn (03:07):
Agree. All right. Well, this one is simple if you’re still with us. If you do any work with the United States Federal Government especially the DOD, but pushing it even further beyond that, this is a wise listen. There is a great chance the assessments and programs Ben talks about will directly affect you and your business.
John Verry (03:26):
Yeah. Before Jeremy yaps any further, let’s get to the show. Ben, good morning. How are you, sir?
Ben Tchoubineh (03:36):
Hey, John. How are you doing?
John Verry (03:38):
Good. Good to catch up again.
Ben Tchoubineh (03:39):
I’m excited to be here, man.
John Verry (03:41):
All right. As I just joked around in our preparation, how do you pronounce your last name?
Ben Tchoubineh (03:48):
It’s a kind of interesting story. I’m Iranian born. This is a Persian last name, but it is actually not even typical in Iran. If you were like, “What is this last name?” Even in Iran. Then, but I immigrated when I was a kid to France. This is the French spelling of the last name, not the English spelling. As such, the T is silent. When we came to America, we kept the French Latin spelling. The T is silent. You’d say Tchoubineh.
John Verry (04:16):
That’s good because as I’ve referred to you in chatting with somebody, I’ve said Ben, [inaudible 00:04:22].
Ben Tchoubineh (04:24):
Yeah. Ben [inaudible 00:04:25].
John Verry (04:25):
All right. Well now, that I know that T is silent, I can probably figure it out. Cool. Now, that we know your name, tell us a little bit about who you are and what it is that you do. That’ll explain to people why we’ve got you on the podcast.
Ben Tchoubineh (04:37):
Okay. Currently although I have several day jobs, I’m not doing any of those because this thing is taking up so much of my time. I love it. I really do. I am a director on the board of directors of the CMMC Accreditation Body. CMMC standing for Cyber Security Maturity Model Certification. There’s about 15 of us who were volunteer. We just basically have spent the last six to seven months standing up an accreditation body that’s going to help organize and get everybody up to speed on the CMMC model.
John Verry (05:14):
Excellent. Excellent. We’re going to drill all the way down to tech because there’s an awful lot to chew on there. Quick question before we get down to business, what’s your drink of choice?
Ben Tchoubineh (05:24):
Oh, man. It’s almost like if there’s rum in the house, I won’t drink anything else.
John Verry (05:30):
Ben Tchoubineh (05:31):
I might have whiskey and third is wine, and Captain and Coke is my go-to drink.
John Verry (05:41):
Got you. [crosstalk 00:05:41] You’re into the dark. Did you get into any… A friend of mine brought home a seven-year aged rum from Cuba, I think it was. I’m not an aged rum guy, but I got to tell you. I was super impressed. I was like, “Yeah. I could drink that.” You tend to go towards the dorks.
Ben Tchoubineh (06:00):
John Verry (06:01):
Ben Tchoubineh (06:01):
I love that. And spiced darker, those kinds of things and honestly like the good quality rums, I mean I love it. It’s a great great experience.
John Verry (06:12):
Yeah. It’s funny because there was a restaurant in St. John. Unfortunately, it’s probably not still there, something called [Assalair 00:06:19]. It’s this beautiful restaurant. I can remember whenever I would go there, they did a smoked rum aged smoke rum drink. What they would do is they would be served literally with something an ember of oak actually smoking within the glass. You’d have to pull the cover off. As you pull the cover off and they encourage you to take that first drink of it so that you got the smoke with it.
Ben Tchoubineh (06:44):
Yeah. Oh my goodness, John [crosstalk 00:06:46].
John Verry (06:46):
[crosstalk 00:06:46] every year, I’d order that same drink.
Ben Tchoubineh (06:47):
John Verry (06:50):
Ben Tchoubineh (06:51):
My wife and I love St. John. We love that place, but the restaurant you told me, I’ve never been there which is horrible.
John Verry (06:58):
Actually, that was our favorite for years we’ve been… We used to go a lot to St. John almost every year. Then, we haven’t been. Have you been since the bad hurricanes?
Ben Tchoubineh (07:09):
John Verry (07:11):
A friend, a guy who’s in the forensic space was just down there this past year. He said that it’s recovering quite a bit. He encouraged me to go. I think next trip, hopefully, we’ll get a chance to go back to St. John because I just love that island.
Ben Tchoubineh (07:24):
Love it. It’s beautiful.
John Verry (07:26):
All right. Let’s get to why you’re really here, CMMC. Big picture, when do you think we’re going to be at a point where meaningful and more widespread CMMC auditing is actually going to take place?
Ben Tchoubineh (07:38):
Okay. One thing we don’t call it auditing, we call it assessment.
John Verry (07:44):
Thank you for the correction.
Ben Tchoubineh (07:47):
Yeah. We’re pretty serious about that.
John Verry (07:51):
Just out of curiosity, most people, I think, would look at those words as being fairly analogous. Why do you differentiate so significantly?
John Verry (08:03):
It’s really just the perception of the word audit being a more significant event.
Ben Tchoubineh (08:09):
Well, I mean I think people obviously can use the word-
John Verry (08:12):
Or adversarial event maybe is a good one.
Ben Tchoubineh (08:15):
Yeah, but I think it’s also because we use it everywhere. We’re trying to be using the same term everywhere. For example, we have certified assessors, not certified auditors. It’s just semantic, but to be consistent. I think that’s a great question. I think it’s a great place to start. Our accreditation body is split into different committees. We have a training committee. I’m the chair of the training committee. Really, my experience in my lifetime has been really focused on training. I believe it’s a really important part of this effort.
Ben Tchoubineh (08:55):
CMMC was just an idea in December. Then, we came together in January. It’s going to take some time because we have to train several different stakeholders. The first is we have to get assessors up and running. We have to get assessors certified and trained. Then, we have to train the organizations that are going to manage these assessors, the C3PAOs. We also have to train consultants. We’re going to help the organizations. We have to train what we’re calling the registered practitioners right now, but later on, hopefully, the certified professionals who are going to go out and help organizations get ready.
Ben Tchoubineh (09:39):
In the end, we also have to train people who work at these organizations what we call the OSCs, Organizations Seeking Certification. They have to be trained. They have to know what they’re doing. That’s the first problem is the training. The second is the scalability of things. I mean we’re looking at over 300,000 contractors just in the DOD space. We’re hoping that CMMC broadens its reach past DOD hopefully at some point. Scaling this out is going to be taking a long time.
Ben Tchoubineh (10:09):
Then, number three and probably most important thing factor in figuring this out is that we have to do this carefully and slowly. We don’t want to go out the gate without real preparation, without having really gone through some exercises knowing what we’re doing, having really thought out. This is important stuff. At this point, what the DOD is saying is we’re not going to renew your contract if you’re not CMMC certified.
Ben Tchoubineh (10:37):
This could be life or death for organizations. We have to have a slow rollout and a careful and methodical rollout where we learn from some mistakes using some pilot programs. It’s going to take some time. I believe, based on all these different factors, we’re not going to see some real assessments occurring for score at a small scale until either late this year or early probably first quarter of 2021. Then, the scale will slowly grow.
Ben Tchoubineh (11:10):
I really feel like the program will be in full, full operation with all kinds of OSCs, Organizations Seeking Certification, the [inaudible 00:11:19], being able to hire assessors to come out and assess them to get their certifications. We’re not going to really be there until late 2021 or early 2022.
John Verry (11:31):
Yeah. That’s interesting. That aligns with there’s some buzz that I hear. I don’t know how accurate it really will end up being, but a lot of the primes are going to want their capture team members to be CMMC certified by the end of 2021. That seems to align with where you’re talking about. Those early adopters will probably be by mid late 2021, you’ll see a fair number of folks there and then broader adoption through 2022 through 2024.
Ben Tchoubineh (12:06):
Yeah. Really, the DOD itself and Katie Arrington herself who was running this for the DOD, she has said that, “Look. It’s not going to be an immediate thing.” These requirements are going to be slowly rolled out into contracts until 2026. I think it’s important to understand that it’s going to be a slow rollout, and people have time, but what I would recommend is you want to prepare right now.
Ben Tchoubineh (12:37):
Really, contracts have clauses already requiring people preparing, but it’s self-certification. You just want to make sure that if someone else, a third party, comes in to check your environment that you’d be fine. If you haven’t done that before, I think there are a lot of organizations and consultants and so forth that can help you do that right away.
John Verry (13:00):
Yeah. I always try to tell people that even if you’re not going to end up, let’s say, that you have a D4, 252.204 clause, that’s encumbered you with 800.171 conformance anyway which in theory if you’ve sent that letter and you’re doing everything that you’re supposed to be doing and if you’re not, we’ve seen False Claims Acts and things of that nature starting to occur. Either way, and if you think about it, 171 is 85%, 110, 130 [inaudible 00:13:26] of CMMC level three anyway.
John Verry (13:29):
There is no get out of jail free card if you turn around and say, “Hey, I’m not going to need to be CMMC level three for three years.” No, but you still need to be provably 800-171 confirming, and that needs to be now.
Ben Tchoubineh (13:40):
Right now. That’s right. I think if you have a contract with the Department of Defense, it’s part of the DFARS, most likely, you have some kind of requirement on cyber security. If you don’t know how to spell cyber security right now, you need to start thinking about it.
John Verry (13:56):
Yeah. That would be a good time. You mentioned, you used the term pilot. I’m assuming that that ties into the provisional program that I’ve seen you guys talking about. What’s the objective of the provisional program? How long will that be in effect? How many folks do you think auditors or audit organizations do you think would be part of that? What is the gate for somebody to participate in that program, if they’re listening and they are interested in participating in that program?
Ben Tchoubineh (14:21):
I love your question, John. I think it’s a great question. The provisional program is the one where we’re going to use a limited number of assessors, going to train them and work with them directly to learn from based on what we’ve already developed. We have processes and methodologies that we’ve developed in draft form that are not publicized yet, but there’s a lot that’s been developed, a lot of amazing documents. I looked through some of the documentation that is currently not public at all, but that is internal to the AB about the support to assessors in terms of all kinds of criteria and methodologies, and so forth.
Ben Tchoubineh (15:09):
There’s a lot that’s been developed. I’m just amazed. I’m just a training guy, but I’m just amazed that how much work has been done by 15 people who are doing this as volunteers and also industry working groups that work with them. I’m in awe of how much commitment there is. However, they’re all in draft form. We then need to take these documents that are practices, methodologies, and actually put them to use and use them in the real world using these pilot programs. That’s really what this provisional program is about and hopefully learn from them. There’s also the rulemaking that’s happening in the DOD, and they’re really kind of right now spending a lot of time really integrating CMMC into their processes and creating some rules and DFARS rules about that. Those are going to come out.
Ben Tchoubineh (16:02):
Those details, once they can come out along with us testing our methodology and our criteria documentation, I think all of that come hopefully will be done through the provisional program. We’re going to use a select number of assessors that we train. Then, we use pilot programs and pilot contracts that the DOD selects. We would go through these assessments and, hopefully, learn from them. That will take us through to late this year, early next year time frame where we will have better understanding of our documents. That’s the goal of the provisional program.
Ben Tchoubineh (16:47):
At the end of that, we will have a better understanding of our documents and ensure that they work in the real world. The DOD will have completed their rulemaking process and integrate CMMC into the DFARS, which by the way, your listeners may not notice that DOD, Federal Acquisition Regulations. I don’t know what the S stands for. On the other side, we’ll come out wiser, more experienced and ready for the large-scale program that would ensue.
John Verry (17:22):
Got you. I might be asking a question. I know there’s a ton of moving parts at this point in time. But if you had to venture guess and if you can, I totally understand. You’re talking about there’s going to be 50, 500, 5000 of these provisional orders, five, any idea how many assessors?
Ben Tchoubineh (17:39):
John Verry (17:40):
I used the wrong word, assessors. Any idea how many you think there would be?
Ben Tchoubineh (17:44):
I’ve given up on you.
John Verry (17:48):
You have that in common with my wife.
Ben Tchoubineh (17:53):
We’re going to initially train 60 assessors.
John Verry (17:58):
Ben Tchoubineh (17:58):
We’re saying between 60 and 70 depending on how many we decide to use in the program, but it’ll be somewhere between 60 and 70. Those are going to be our initial. If we see that we need more, we could train more later, but initially, we’re going to go with assessors. That’s a lot of assessors, honestly, when you think about it-
John Verry (18:19):
Ben Tchoubineh (18:20):
BENTCHOUBINEH:… for this kind of program.
John Verry (18:22):
Yeah. And even just getting all those people on the same page dealing with all that. Any audit program, so much of it is about how do we scope the audit. What’s the right sampling? What criteria are we holding? What’s a system security plan? What does it explicitly need to include, not include? What variability are we going to allow because I think one of the challenges you’re going to have with this program is ensuring that there’s especially at some point if you’re talking 300,000 entities and it went broader than that, hundreds of thousands more. One ne of the things you want to make sure is that there’s a consistency in the assessment, that everyone is being held to the same criteria, the same standard. Everyone is using the same benchmark, of course, with an ability an auditor’s discretion understand that there’s a scale based on risk or based on a particular context.
Ben Tchoubineh (19:12):
That’s a great observation. We live and breathe and dream this stuff all the time. I lose sleep thinking about how do we make this consistent. I think CMMC, and this is why it’s created so much buzz as a standard, it has an assessment model, will dwarf anything else that has come before it.
John Verry (19:35):
This is a staggering program. I don’t think people understand. I don’t know what the exact number, but you look at ISO 27001. I’m an ISO 27001 certified lead auditor. We live and breathe ISO 27001 with our clients every single day.
Ben Tchoubineh (19:48):
John Verry (19:48):
What is there, 30,000 organizations that are ISO 27001 certified over the history of ISO? You’re talking about over 15 years is 25, 30, 40… The exact number is not easily validated. That being said, you guys are going to blow that number away in a two-year period.
Ben Tchoubineh (20:12):
Think about this. The DOD, there’s several things to think about here in terms of the scale of this program. The DOD has come out with somewhere between 290 and 310,000 contractors that they’ve said they have identified, but think about this. Just on that primes and maybe first-level subcontractors, well, those subcontractors are contracting with other subcontractors. [crosstalk 00:20:40]. When you think about the depth of the supply chain, we’re talking about millions of companies.
Ben Tchoubineh (20:48):
When you think about it, you can’t come up with a number. It’s just beyond comprehension right now. Nobody knows. That’s number one. The other is the other federal government organizations are watching us. Hopefully when this program is successful, they’re going to create their own. They believe they see cyber security as an important part of their acquisition ecosystem. What does that mean? They’re going to hopefully use the CMMC and get under the CMMC umbrella. Besides that, other nations are interested as well.
Ben Tchoubineh (21:29):
We’ve talked to a Canadian contingent. I’m emailing back and forth with a Japanese organization that wants to help grow this in Japan. The Singaporean government is interested. The Europeans are… The scale of the standard were just so nascent right now, but it’s just beyond belief. This is the challenge. How do we build an infrastructure, an ecosystem that drives consistency at this scale? It’s a big challenge.
John Verry (21:57):
Huge challenge. Listen. I’m excited by it. I find the whole process intriguing. I’m going to enjoy both participating and watching what happens. When we talk about this, can you talk about a little bit about, let’s say, the credentialing itself? My understanding and maybe you can fill in some gaps, we’re going to credential the assessors themselves. Will there be requirements for those people in order to be a credentialed assessor? Will I need a certain level of experience? Will I need previously existing certifications? Are there any criteria that I need to meet? I guess we know that there’s 60 or 70 in the initial tranche under the provisional program. I would imagine there’s probably thousands beyond that.
John Verry (22:40):
I don’t know if you’d have any way to take a logical guess about that. Will an assessor need to be employed by a C3PAO or Certified Third-Party Assessor Organization to take the training? Do we have any idea on training costs, exam costs, things of that nature yet?
Ben Tchoubineh (22:57):
That’s a lot of questions. You might have to repeat some of those questions because I’m pretty long-winded.
John Verry (23:03):
We have that in common as well. Let’s start with the assessors themselves. Is there a requirement for them to enter into it? Do you have to be a CISO? Do you have to get certain experience or anything?
Ben Tchoubineh (23:23):
One of the main goals that Katie Arrington put on the table at the very beginning of this thing was, “Look. I want this to also be an opportunity for…” We believe that as well. We want this to be an opportunity for anyone who wants to get into this as a profession. We’re going to start with experienced people as our initial 60, but in the long run, we have to have a way for anyone to get into this as a job in a profession.
Ben Tchoubineh (23:58):
The start of the process is called the certified professional certification. For anyone to get training to become a certified professional, honestly, you don’t really need much. You can start as a kid out of college or even in college take classes to become a certified professional. That training, that certification will teach candidates and students everything about the model and, hopefully, inculcate candidates into that consistency that we were just talking about, thinking the right way about the model and also, of course, all the details. It’s going to be probably the initial, but also the longest training because it’s foundational.
Ben Tchoubineh (24:49):
That foundational training will be available. The training is going to happen through partners. That’s the other thing. We are going to create learning objectives and put them in a body of knowledge. That’s another way that we’re hoping to standardize the process, is all those learning objectives are going to come out of a body of knowledge, are going to be storing the body of knowledge that’s going to come out of our organization.
Ben Tchoubineh (25:14):
A lot of those learning objectives will be factual things, but also a lot about the culture and how to treat different stakeholders. What kind of culture, what kind of ethics do we want to put in place? Those objectives will be publicized by us. We will have a certification exam that we will have developed, and people will take the exam through us. But the training can occur at partner training organizations around the globe whether they’re online training organizations or schools or universities, professional schools and so forth.
Ben Tchoubineh (25:49):
The the training content, of course, will be developed by partner publishers. That creates this huge scalability we’re going to need. Different people are going to want to training differently whether they’re going to want to sit through a college course or whether they’re going to go online and sit through an online course and so forth, but we will ensure that all of the partner publishers create content that is high quality and consistent with what we want to teach in any case.
Ben Tchoubineh (26:17):
The CP, the Certified Professional Program, will be the foundational program. It’s going to be a whole lot more involved. Now, the other thing to keep in mind is that after that, things start to get a little bit more interesting in terms of who can get into the assessor program because the CP, the certified professional, anyone could take that class.
John Verry (26:38):
Right. Someone who’s trying to implement it within their company [crosstalk 00:26:44] like us.
Ben Tchoubineh (26:44):
All kind of people, cyber security professionals, IT people and, of course, consultants could take it and assessors. Then, the next level training will be the certified assessor level one. Those guys, they’re going to be learning about how to do… now that they have the foundational knowledge, then, they can go in and learn about how to do an assessment for level one organizations. Why do we want to specify level one, focus on level one? Because most of those 300,000 companies really don’t need more than level one training and assessments. They don’t need to be certified further than just level one which is very basic.
Ben Tchoubineh (27:32):
We are gonna need considerably more level one assessors than level three or level five assessors in any case. Those guys, they will have some basic prerequisites, some knowledge of cyber security, some experience that they can prove to us and also, obviously, the certified professional certification will have to be a prerequisite.
John Verry (27:56):
Ben Tchoubineh (27:58):
The assessors at level three which is the next level, those guys would be able to assess organizations at level one, two, or three in the CMMC model. Those guys are going to have most likely proven cybersecurity requirements. We’re not quite sure where that’s going to end up and how that’s going to happen. We don’t want to depend on other certifications, but there might be a requirement whereby we say, “Look, somehow prove to us that you have cyber security knowledge along with some assessment experience at level one or other kinds of assessment experience.”
John Verry (28:34):
Ben Tchoubineh (28:35):
Then, level five will have the hardest requirements, the most specific expansive requirements because level five organizations are going to be just a whole lot more difficult to assess. That’s going to require more experience.
John Verry (28:49):
I know you may or may not have an estimate. If were going to look at if there’s 300,000, let’s use that to make the math easy or 10, 20, 50% of them level one, 30% level three, 10% level… How do you think that’ll break out?
Ben Tchoubineh (29:09):
There’s different numbers.
John Verry (29:11):
I’ve heard different numbers which is why I ask because I’m sure you know more than I do.
Ben Tchoubineh (29:16):
Honestly, who knows? But I think it’s going to be more 80%, somewhere between 60 and 80% is level one, is what we’re thinking about. Then, let’s say, if we go with 80%, then another maybe 15% at level three, another 0.5% at level five. Level two and level four are levels that are really more transitional, is what we call them. Someone who wants to get to a more secure environment will want to go from level one to level three, but they’ll need to maybe take it slow and get to a level two before they get to a level three.
Ben Tchoubineh (29:57):
Level four, not so much. There might be organizations that are at level four, but if they’re putting all the expense and effort to get to level four, might as well get to level five. That’s why we really focus on the odd numbers, levels one, three, and five.
John Verry (30:14):
That makes sense. I’ve heard the number that I’ve generally heard was roughly 65 or 66%, two-thirds in that in that level one bucket. Yeah. It sounds like we’re all hearing similar numbers. Like you said, the crazy thing about it is we don’t know.
Ben Tchoubineh (30:32):
Think about it-
John Verry (30:32):
Even yourself, in your position, you don’t know.
Ben Tchoubineh (30:36):
Yeah. It could be a whole lot more organizations. Remember, the 300,000 is just what the DOD has put out, but I really believe there’s a lot of contractors to contractors to subcontractors, those guys who just cannot be counted. However, through a recursive model, all of them, if they’re touching data that needs to be protected would need to be certified.
John Verry (30:57):
Got you. The great thing is you answered a lot of other questions that I had with regards to who was going to the training, how is it going to be instructor-led video based, college, et cetera. I guess for that reason, it would be hard for you to venture any type of a guess for how much that training might cost because different delivery vehicles, different companies are going to price it differently.
Ben Tchoubineh (31:18):
John Verry (31:19):
From your perspective, you probably would hope that it’s as inexpensive as possible. It gets to the broadest mass as quick as possible as long as it meets your common body and knowledge criteria.
Ben Tchoubineh (31:30):
You just put it perfectly. Can you write that down and send it to me?
John Verry (31:35):
Well, here’s the good news, Ben. This is being recorded.
Ben Tchoubineh (31:36):
John Verry (31:38):
You can snip it out of the video. When you get to that point your conversations, you can just play it.
Ben Tchoubineh (31:47):
Our committee came up with this framework. What we’re hoping to achieve through develop having created this framework of many private organizations helping us, partners helping us do this, is one, obviously, the scale of it. But second, there’s going to be competition. That competition will create, hopefully, a higher quality experience and better quality content. If the AB itself was doing all the training, there would be no drive to create good educational content. Good means a lot of things.
Ben Tchoubineh (32:22):
Then, of course, in terms of price, there will be pressure hopefully to provide the training at a reasonable price, that competition, and also will create innovation. What we think of as an educational experience, I mean, I grew up in the 70s and 80s. I’m thinking I’m going to go to a room somewhere and sit with others and get [crosstalk 00:32:45].
John Verry (32:45):
Yeah, not anymore.
Ben Tchoubineh (32:46):
Yeah. There’s just so much that’s happening now. Who knows in 20 years what education is going to look like. Hopefully, through these partners, we will have an innovative, scalable, and high quality and competitively priced educational experience for all the stakeholders.
John Verry (33:03):
Got you. I think it’s easier on the training side to let the market decide the pricing because we can establish criteria by which we know if the education was successful. Someone’s able to pass an exam. That means that we know de facto the program was effective.
John Verry (33:24):
On the audit side, that’s going to be a little bit different. Question for you, do we think that there’s going to be a set price for audits because I wouldn’t think we’d want to race to the bottom on cost because that’s going to encourage auditors to not deliver this consistency and deliver it consistent with the objectives and ideals of the program? Any idea how you guys [crosstalk 00:33:52]. Here’s the good news, is that we have these video editors. I’m sure they’re going to get rid of every mistake that [inaudible 00:34:00] back in. You’re going to see my lipstick is going to go, “Assessors. Assessors.”
Ben Tchoubineh (34:03):
Fell like those Chinese movies. I think that’s a great consideration to think about. Again, we live and breathe the stuff on a daily basis. You would not believe the kinds of conversations we get into on the board about these very important matters. We cannot set the price. This is going to be a free market environment. Also, remember, and I think this goes back to one of your questions I didn’t answer earlier, do assessors need to be employed by C3PAOs? They don’t necessarily need to be employed by C3PAOs. They could be the W2 employees or they could be 1099 contractors with C3PAOs. An assessor could go from C3PAO to C3PAO.
John Verry (34:46):
But just to be clear there, but an assessor will have to deliver the service through a C3PAO in-
Ben Tchoubineh (34:55):
John Verry (34:55):
Okay. Good. Okay. That is the same model that ISO, as an example, uses. You can be a W2, but you need a certified lead auditor who’s delivering the service through a registrar. You’re using the same model.
Ben Tchoubineh (35:08):
Right. But I just believe with the scale of this thing, first of all, you’re going to get a lot of C3PAOs. That’s the competitive thing will occur, but we are creating an environment in our organization at the AB whereby we will be watching, and we will be looking at the assessments and auditing them.
John Verry (35:35):
Okay. You’re going to do the same model as the accreditation body in ISO is UKAS or ANAB. ANAB conducts annual audits of their registrars. You’re going to conduct some level of review of your C3PAOs to make sure that the work product that they’re delivering and basing their opinions on meets an established set of criteria.
Ben Tchoubineh (35:57):
Yeah. I think you can’t do it in other way. You got to have a body watching over this thing because, otherwise, it could go out of control. It’s a great model. We have to be able to scale it effectively. That’s going to be a challenge because of just the sheer number, but that’s what we’re talking about all the time. How do we scale this thing? How do we make sure that the quality is consistent? How do we make sure that the experience of the OSC is consistent and high quality?
Ben Tchoubineh (36:27):
The other thing is they’re going to have a choice because we are going to create a marketplace on our website whereby the C3PAOs are listed. It’s not like OSCs are going to be stuck with one or two C3PAOs. We’ll also be able to see their history and how well they’ve done it. The other thing is that if OSCs have problems with a C3PAO consistently or a particular assessor, we’re going to look at that. We’re going to be making sure that these are high quality, fairly priced experiences for everyone.
John Verry (37:05):
Good. The one thought process I have there is that in ISO, they have a document called ISO 27006 which sets out the requirements for an auditor and how to scope an audit. I think one thing ISO needs to do a better job of is tightening that document up a little bit because I think there’s a little too much room for interpretation. I think that’s what leads to, I think, different audit levels that do occur. I don’t think there’s quite the level of consistency ISO should have as an example. I would encourage you to kind of really… As you guys are thinking that through, that’s the cautionary tale like.
John Verry (37:39):
As an example, they have a concept within the audit program of people within scope and the auditors. There’s a level of audit that needs to occur per person in scope, but some registrars will interpret that as all employees in the organization which might be 300 and then another auditor will say, “Well, that’s only the people that are involved in the construct and operation of the information security management system or program which is only 20.”
John Verry (38:07):
You can have a situation where what you’re getting is one auditor scoping it at seven days, and the other auditor is scoping it at 11. They both have a mechanism by which they can look at the standard that you’ve established for them and say, “Yes, we’re doing it.” That’ll be the only concern that I have there. Good luck with that. I’m sure [crosstalk 00:38:30] It’s really hard to do that.
Ben Tchoubineh (38:31):
Hey, look. It’s going to take some time, I think, for us to become mature. We’re going to see a lot of issues. We’re just getting started. We’re crawling right now. We’re not even walking. I feel like the running part is a few years away. We’re going to have different versions and improvements as we go along, and again through a scalable education infrastructure as well as a scalable quality infrastructure and hopefully one day soon, we’re going to have professional staff. We’re actually doing this full time. It has a long way to go. That is for sure.
John Verry (39:07):
I’m sure your other companies would CMMC [crosstalk 00:39:13].
Ben Tchoubineh (39:13):
It’s interesting that you say that because, actually, I can’t play in the space at least not now and [crosstalk 00:39:19] for a while. I’m just doing this out of the goodness of my heart at this point.
John Verry (39:22):
I know. I know. I know you have two or three other companies. I’m sure they would like you to come back to work for them.
Ben Tchoubineh (39:29):
Yeah. Maybe not.
John Verry (39:32):
Maybe that is true.
Ben Tchoubineh (39:33):
They like me away. They can do whatever they want. I have great CEOs that are doing a wonderful job. I’m very lucky in that way.
John Verry (39:44):
You are extremely lucky that you’ve been able to step away for the period of time that you have especially in such challenging times. We’re recording this in still in the peak of COVID and everything else going on. If your companies are still doing well, God bless you. You have some really good people working for you.
Ben Tchoubineh (39:57):
I do. I’m so amazed at the hard work that all of the employees put in and the leaders that are working really hard. These organizations are doing all right. They’re not blowing it out of the park [crosstalk 00:40:12]. They’re doing all right. I’m very proud of them. That’s why I can give this time to this very, very important effort. I’m glad to be here. Then, man, I am meeting some amazing people. I’m working with some incredible, incredible…. The motivation on the part of all the members on the board is just to help protect the country.
John Verry (40:40):
I think you need to have that level if you’re going to keep up with Katie Arrington.
Ben Tchoubineh (40:47):
She’s such a great motivator. She really is. It’s wonderful for her.
John Verry (40:51):
That energy level probably is a bit infectious. I think we covered everything that I had on the list of things that we were hoping to cover. Anything we missed? Any last thoughts with regards to CMMC?
Ben Tchoubineh (41:04):
This education framework that we talked about, it’s going to take some time to be developed. We have a long way to go to build our partnership network and create the exams, implement the delivery mechanisms and so forth. Until then, however, we do have some learning experiences that we are going to make available pretty quickly and some credentialing efforts that we’re doing immediately. The one that comes to mind is the registered practitioner program. That’s something that’s out there now. It is for people who want to help others prepare for the CMMC.
John Verry (41:44):
When you say that’s out there now, I mean literally someone can sign up for it?
Ben Tchoubineh (41:47):
Yes. Right now-
John Verry (41:49):
When did that go live? I mean that had to be in the last week.
Ben Tchoubineh (41:52):
Two, three weeks ago maybe. [crosstalk 00:41:54] losing track of time. There is the RPO and the RP program. The RP program is for individuals, registered practitioners who want to, one, there’s three parts to it. They want to create a relationship with the CMMC-AB, say, “We’re here,” and then be informed of what’s happening and become an insider. Number two for RPs is that they will sign the code of professional ethics that were Code of Professional Conduct, COPC, the ethics code. They’re saying they’re going to live by that which then allows us to enforce that. That creates a certain level of trust for the people that work with them.
Ben Tchoubineh (42:44):
Number three, they’re going to sit through the training which should be available. We have our LMss going live very soon. We’re implementing it now. Then once that goes live, we’ll have the training. We’re building the plane while we’re flying it.
John Verry (43:02):
Painting a moving bus is the analogy I was thinking of, but I think we’re on the same page.
Ben Tchoubineh (43:09):
Once the LMS goes live, then those who registered as registered practitioners will be able to sit through the training which will have… There won’t be an exam, but will have quizzes and so forth, and we’ll make sure that they’ve been through the whole training and so forth. All of that means that these RPs will hopefully at a certain level have a consistent perspective that we’re going to provide to them. We’re developing the training.
Ben Tchoubineh (43:36):
The training is pretty much developed just kind of putting the final touches on that. It’s just that the LMS has got to go live. We have to, of course, be careful about security because we’re enforcing security everywhere else. We better be secure. There’s a lot of that happening, but you can sign up as RP right now.
John Verry (43:51):
Good. I will shortly after as will some other folks on our team shortly after this podcast ends.
Ben Tchoubineh (43:58):
Yeah. Now, that is the individual. Now, as an organization, if you want to say, “Hey, we an organization that is linked to the AB and we’ve signed our COPC and so on,” you would be an RPO, registered provider organization. The organization can sign up as an RPO. They would need to have a relationship with one or more RPs, basically. You can do that now. Now-
John Verry (44:30):
Is the RPO for assessors? [crosstalk 00:44:39]
Ben Tchoubineh (44:39):
Yeah. The certified assessor program is coming later.
John Verry (44:43):
I got you.
Ben Tchoubineh (44:43):
We’ll have live assessors. These are for people who want to say they have a relationship with us, they’ve been trained by us, they’ve found our ethics, that can be enforced by us if we get a complaint of some sort. They can go out and help OSCs today get ready for CMMC.
John Verry (45:01):
Totally makes sense. Awesome. Anything else?
Ben Tchoubineh (45:05):
I thought this was a great conversation. Thank you. It’s a wonderful [crosstalk 00:45:09].
John Verry (45:08):
You’re not getting off that easy. [crosstalk 00:45:11] that we had that tough question. I hope you’re prepared for it because up to this point, Ben, I have to be honest. It’s been a great… But don’t let me down here. You know I was going to ask you, you’re in the same business as we are, what fictional character or real person do you think would make in either amazing or horrible CISCO and why?
Ben Tchoubineh (45:31):
Wow. That is a challenging question.
John Verry (45:37):
Ben Tchoubineh (45:38):
Fictional character, you said, right?
John Verry (45:39):
Or real world. It could be real word.
Ben Tchoubineh (45:40):
Or real world [crosstalk 00:45:41]
John Verry (45:43):
Somebody said [inaudible 00:45:43]. Somebody said [inaudible 00:45:44]
Ben Tchoubineh (45:48):
I think the Hulk would be a horrible [inaudible 00:45:50]
John Verry (45:55):
Wait. Bruce Banner? Remember, there’s an alter ego right there. There is Bruce Banner. He doesn’t become the Hulk until… I don’t know what happened. He gets mad, I guess, right? [crosstalk 00:46:04].
Ben Tchoubineh (46:04):
That’s the thing about information security and cyber security. You’re always stressed out. You’re always angry. [inaudible 00:46:10] that.
John Verry (46:11):
[crosstalk 00:46:11] You’d always be that green monster guy with the ripped pants on.
Ben Tchoubineh (46:16):
You don’t want him doing your scissor work, right? Honestly, we’re going for consistency here, not the up and down waves that he would have to [crosstalk 00:46:25] That’s my answer to.
John Verry (46:28):
All right. Last question. You’re chatting with the same kind of folks we are every day. Any interesting topics for another episode of the podcast that you’d recommend?
Ben Tchoubineh (46:40):
I’m living and breathing and craziness that of the CMMC which, again, it’s a wonderful challenge. That’s all I can think about right now, but-
John Verry (46:53):
It is a bit consuming, isn’t it for you, guys? I can’t imagine.
Ben Tchoubineh (46:57):
Overly consumed right now, but I really love it. I think that these days we are dealing with an onslaught of adversaries. It just seems like for most of us, it’s still a little bit out there. We don’t have a real focus on this, but there’s people out there that are fighting adversaries left and right who are trying to get in here. CMMC is about that. It’d be great to hear about what kinds of attacks are we dealing with from our adversaries on a daily basis, what’s been successful, what hasn’t been successful, and how we can improve our security stance.
John Verry (47:46):
That’s actually a good topic. Actually, a good way to approach that might be to invite the folks who wrote the Verizon. Verizon does a study each year, the DBIR. Have you looked at that?
Ben Tchoubineh (47:57):
No, I have not.
John Verry (47:58):
Okay. Look for the Verizon 2020 data breach… DBIR, I think, therefore is Data Breach Investigations Report, but it actually breaks down exactly the kind of things that you’re talking about. They take a look at tens of thousands of breaches. They break it down. They give you a breakdown on how many action steps were necessary. What were the primary modes of initial access whether or not… What percentage were internal versus externally facing? What percentage [inaudible 00:48:26]. It’s what you’d expect. What percentage were malware, ransomware, remote access, Trojans? It breaks it down in hundreds of different ways.
John Verry (48:38):
That’s actually very, very interesting because you could almost overlay the controls that we have within CMMC against what we’re looking at in terms of current adversarial actions and make sure that you’ve got the coverage that you’re looking for.
Ben Tchoubineh (48:52):
That sounds really interesting actually.
John Verry (48:52):
Ben Tchoubineh (48:55):
I’ll have to look that up.
John Verry (48:56):
Sounds great. Well, I just want to say thank you. I genuinely appreciate it. The most important thing I learned today was not to use a certain word. Thank you for talking about the CMMC assessment program. All kidding aside, fantastic interview. Thank you for coming on. I truly, truly appreciate it. I think you said it well. This is important for an awful lot of reasons.
Ben Tchoubineh (49:22):
Yeah. Thank you. It was great. I really had a great time, and you had an amazing question. You got a fan now.
John Verry (49:29):
You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. If there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] To ensure you never miss an episode, subscribe to the show in your favorite podcast player Until next time, let’s be careful out there.