CMMC is coming…
But that doesn’t mean 800-171 compliance is out the window.
In this episode, I catch up with John Ellis, Director of the Software Division at DCMA.
- How DCMA is conducting assessments
- Why 800-171 compliance doesn’t just go away until CMMC
- Why CMMC is so needed
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
Narrator: You’re listening to the Virtual CISO Podcast. A frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
Jeremy Sporn: Hello and welcome to another episode of the Virtual CISO Podcast. [00:00:30] I’m your host for today, Jeremy Sporn. We let John take yet another episode off. I know, I know. Very nice of us. But was able to get a chance to listen to the conversation John Verry had with John Ellis. John Ellis is yet another person we have spoken to who is heavily involved in the creation, implementation, monitoring, and continuous improvement of CMMC that is just extremely impressive. He is the DCMA’s director [00:01:00] of software, 30 year army vet, experienced auditor, self-proclaimed geek, and in my very humble opinion, there really might not be anyone else in the world who understands the DFARS 7012 clause, or even NIST 801-71 better than John Ellis.
Listening to John and John riff on this stuff was super cool. If you know that a CMMC audit is in your future, there is no one better to give you a glimpse into what that future [00:01:30] audit will look like. John Ellis has conducted NIST 801-71 audits himself, and has helped lead a team that does that work also, he is super plugged into the details of the transition to CMMC. There is just no better source than John for practical advice on how to be ready for your CMMC audit. As a quick teaser as well, John Ellis clarifies a hotly debated subject of how CMMC level three certified orgs [00:02:00] will need to manage their supply chain risk. You do not want to miss this, let’s get to the show.
John Verry: John, good afternoon sir. Thanks for joining us.
John Ellis: It’s good to be here. Thank you for having me.
John Verry: Cool. So I always like to start super simple, tell us a little bit about who you are, and what is it that you do.
John Ellis: So I’m John Ellis, I am DCMA’s director for software. I am also the guy responsible from an agency perspective for coordinating cyber [00:02:30] security policy, amongst ADIB, and across the contracts that DCMA manages on behalf of the department. I’m a retired Army officer. I was in for 30 years, a former 06 level commander. I was an acquisition professional, for approximately 20 years of my 30 year stint. And have been with DCMA in this career capacity since January of 2016.
John Verry: Cool. Thank you. So before we get down to business, I always [00:03:00] like to ask, what’s your drink of choice?
John Ellis: Beer.
John Verry: All beer? Or you an IPA guy, you a stout guy? Where do you fall.
John Ellis: So I’m a lager/pilsner kind of guy.
John Verry: Ah. So Pilsner Urquell?
John Ellis: Yep, I’ve had it, enjoy it.
John Verry: Had it. That’s a great one. Well what’s your favorite?
John Ellis: My favorite beer is from a little place in Germany, from when I used to live there that you can’t get in the United States. It’s called Zirndorfer. And they’ve been making the same beer [00:03:30] in the same place since the 15, 1600s. It’s the same recipe.
John Verry: Oh that’s cool.
John Ellis: And I miss that kind of good beer in Germany.
John Verry: Have you been back just to have a beer? Because I mean, if it’s that good, it’s one of those places that might actually be worth visiting just for a beer, right?
John Ellis: I will never admit such a thing.
John Verry: All right. So let’s get down to business. So you threw out a couple buzzwords there that people might not be familiar with. So do me a favor real quick, what is the DCMA? And then, what is the DIBCAC?
John Ellis: [00:04:00] So the Defense Contract Management Agency is a fourth estate agency that has the responsibility of managing a certain subset of, if you will, of major defense contracts on behalf of the Department of Defense. So contracts get delegate to DCMA, not all contracts. And those contracts, we serve the other services and agencies to ensure that those contractual means are, or excuse [00:04:30] me, contractual requirements are met, and that the companies actually provide the things that are required to the war fighter and meet requirements and standards.
The DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center, is an organization we formed a little more than a year ago, to perform the DOD standard methodology assessments that everybody knows, that came out of [00:05:00] the Ms. Lord memos from last year.
John Verry: Gotcha.
John Ellis: They were actually a series of memos, the latest one from November, describes the methodology. It was shared with industry, DMCA has the responsibility of performing the assessments outlined in that document, as well as training and coordinating with the other services and agencies for consistency across the DOD workforce.
John Verry: Gotcha. So I know the scale of the DCMA is huge. And [00:05:30] anyone listening probably has no idea. It’s one of those, I didn’t know who the DCMA was until I started doing work at the DIB. How big is the DCMA in terms of dollars, in terms of contracts, I mean, because, give people some perspective, because it’s a lot bigger than most people probably think.
John Ellis: So it’s an interesting measure, it depends how you look at it. So DCMA is around 12,000 personnel. We’re located literally, around the globe. We manage, depending on how you do the math, somewhere around 8 trillion dollars [00:06:00] in contracts. But we don’t actually administer all contracts from the Department of Defense. The DIB, if you will, the Defense Industrial Base, is considered roughly 300,000 plus or minus, companies. DCMA only administers contracts with somewhere in the 15, 16,000 range. So there are a lot of companies out there that DCMA does not have a relationship with.
The other thing is, we typically only [00:06:30] interact with prime contractors. From a contract administration perspective, that doesn’t mean we don’t also work with companies that happen to be subs at some times. Because often subs are primes, primes are subs, depending on the relationship of a particular contractual mechanism. But DCMA administers those delegated contracts from the services and agencies to perform those functions on their behalf. A notable area that we don’t do is Navy ship building [00:07:00] for example. However, we work very closely with the Navy to support their lead, if you will, in that regard.
John Verry: Gotcha. So I know that DIBCAC, if I remember correctly, was started about a year ago, correct? And I know their original charge was to “ensure contractor compliance and safeguarding information about the web and it’s equipment and systems they build.” So I know in practicality, right, DIBCAC launched. It does what I would were to think of as being NIST 800- [00:07:30] 171, auditing verification. Do they do anything beyond that?
John Ellis: No. Their sole purpose… Well, let me take that back. From a mission execution perspective, they do focus on performing the 800-171 assessments, that the 7012 requires. However, they also train other services and agencies to ensure that those elements within, whether it’s the Army, the Navy, the Air Force, NBA, [00:08:00] so that their assessors are consistent with the methodology, and can perform a consistent operation across DOD boundaries. So our guys actually train the other services and agencies to a large extent, to ensure that consistency.
John Verry: Gotcha. So when I chat with people, there’s some misconception that if you already have a contract that includes 47012, and you’re not going to bid anything else until 2025 that requires CMMC, [00:08:30] that you really have nothing to do for the next five years from a security perspective. I think your entity is the reason why that’s not really quite true, right? I mean, organizations, if they’ve got an existing contract, they really need to be demonstrably compliant with 800-171, correct?
John Ellis: Absolutely. So this question comes up fairly often. And it’s interesting because, the 7012 clause has been around for a while. It’s on [00:09:00] well over a million contracts.
John Verry: Wow.
John Ellis: It’s a mandatory requirement for practically everything that we do, with the exception of [inaudible 00:09:09] contracts. So 7012 does not go away, and that need to implement 800-171 level of requirements does not go away while we wait for CMMC to come along. The beautiful thing is, at the core of CMMC, particular for those companies that will need to achieve CMMC level three, [00:09:30] it’s the same 800-171 standard between the current requirements and what the CMMC level three requirements are going to dictate.
In addition to those additional process and maturity oriented requirements that follow your CMMC. So the work you do today builds on the work you’re going to do in the future.
John Verry: Right, yeah. I mean, practically, you could argue that 800-171 is about 85% or so of CMMC level, right?
John Ellis: Yeah.
John Verry: It’s 110 out of the 130 [00:10:00] controls. And then, I know that the processes, people make a big deal out of those being an additional 51 characteristics. But if you were implementing 800-171 right, most of those processes, if not all those processes are going to be there anyway, right?
John Ellis: Right.
John Verry: And that would be something you’d almost be looking at anyway. Cool.
John Ellis: Yeah. It’s going to be very similar between the two requirement sets. If it gets right down to it. And for those companies that have fully implemented, they’re not going to have an issue transitioning to those couple additional things that’s required [00:10:30] under CMMC level three.
John Verry: That’s right.
John Ellis: That’s assuming they actually eat their own dog food, do the things that they say they are doing in the full limitation of 800-171.
John Verry: Mm-hmm (affirmative). So that’s the DIBCAC’s job, isn’t it? You’re the guys that go out and make sure that they actually are doing what they said they were going to do.
John Ellis: Yes.
John Verry: So what’s the audit scope, call it extent, call it rigor, of a typical 800-171 review that’s done by the DIBCAC?
John Ellis: So, [00:11:00] I’m going to keep it in pretty broad, general terms. A coordination for an assessment starts anywhere from 30 to 45 days prior to the assessment. The associated contracting officer will reach out to the intended company and ask them to participate in an assessment with DCMA. Once the company says yes, there’ll be some meetings talk about the preparations and the type of documents, and [00:11:30] sort of the administrative coordination prior to the actual event. It’s one of the key things to point out with the assessment.
We understand that system security plans, one of the key elements of an assessment can be very sensitive. So prior to the COVID-19 impacts that we’re currently facing, and we can address that separately if you’d like, we were very careful not to ask companies to send SSPs to us. We would actually ask that those be made available [00:12:00] to us when our assessors showed up on site. The week of the assessment typically starts on a Monday, the assessment takes place by starting with an in-brief, followed by a careful document review.
So for those companies that have not been through a DIBCAC assessment, or one with the other services and agencies following the same methodology, I want to let you know, if you give us documentation, we will review your documentation. Which [00:12:30] does come in handy when you’re not sure where the policy may be. Because our guys will help you find it. But at the end of the day, at the end of that first day, that first day is all about preparation.
The real assessment begins on the Tuesday morning typically. It’s scheduled to go through Friday. The length of the assessment really depends on how well the company is prepared, how well they know how to touch all the things that need to be touched, and have the [00:13:00] personnel available to demonstrate the things that have to be demonstrated. We’ve seen assessments go as fast as one and a half days, we’ve seen them take the full week to get it done. The weekend generally ends with an out-brief. During the out-brief there are no surprises, it’s a complete open kimono sort of assessment.
I would be remiss if I didn’t mention that each day there’s a hot wash between the assessors and the company, to ensure, answer any questions, look for any do [00:13:30] outs that may be part of the assessment. A missing document, a missing artifact, something that’s needed to demonstrate that a requirement is being met. So there’s no mystery involved in the entire process. It’s very transparent, it’s very collegial. And it’s not intended to be a gotcha.
In fact, we prefer it if companies are fully compliant with the things they’re supposed to be compliant with. We’re not there to rain on anybody’s parade and tell anybody that they’re not doing good things for the nation. [00:14:00] Our intent is to ensure that the company’s doing the things that it’s supposed to do. At the end of the week, there’s an out-brief that goes over the tentative score so that all that is shared very, very directly with the company. And then, in the event that it’s needed, there’s a reclama period. There’s just some artifact, some document, some piece of work that was not able to be accomplished during a review. And that could take up to 30 days after the assessment to clear [00:14:30] those items, dot those Is, and cross those Ts.
The final report is shared back to the company, approximately 30 to 45 days later, and those scores, once they’re settled, get entered into the Supplier Performance Risk System, SPRS. A website that’s laid out in the Ms. Lord November ’19 memo. That the government can use to share that scoring information across the Department of Defense.
John Verry: Gotcha. So [00:15:00] if indeed you’ve got, let’s call it a finding, I don’t know what you guys would refer to it as, but would there be an expectation that they would produce a POAM to address any particular issues that you did identify?
John Ellis: So during the contact of the assessment, we’re actually expecting to see the POAMs identified via the company’s self assessment. So part of the preparation for an assessment is for the company to perform a self assessment. And in areas where they believe they have not fully implemented a requirement, they should have a [00:15:30] POAM to demonstrate that they’re aware of the issue, and they understand the scope and the magnitude of what they need to do to get it right.
John Verry: Right. But if you identify something that they’re still doing wrong during your audit. How do they address that? Is that through a POAM?
John Ellis: So it would be through a POAM. But technically, at that point… So here’s when we get into the DFARSs of an assessment. So, under the current DFARS rule, what is required [00:16:00] is a system security plan, and a POAM for any deficient areas. So if a company has a SSP, and actually, they have POAMs for the things they may not have implemented fully, then they’re actually compliant with the DFARS clause. They may not receive a full score in credit, obviously-
John Verry: Oh, okay, that’s how you handle it.
John Ellis: So we adjudicate there. But every now and then, we find where a company just got it wrong. And in that case, that would be a deficiency, and we allow [00:16:30] the company to either get the POAM together while we’re on site, or get it to us during the reclama period. That’s usually what happens sometime in that timeframe. Any deficient POAMs are identified and put together. In the few cases where that’s not been the case, that’s when you start getting into what DCMA calls a corrective action request. Which is an administrative procedure that a contracting officer notifies the contractor of your [00:17:00] deficient in a particular area, and now you got to fix it.
John Verry: Gotcha. Now the one thing you said right at the very beginning of that, you said, “When they say yes, or if they say yes.” You almost implied that they had a choice.
John Ellis: They do.
John Verry: If DIBCAC says we want to come visit you can somebody say no?
John Ellis: Yes.
John Verry: Really? Oh.
John Ellis: They can. Now, I would ask that you not-
John Verry: You wouldn’t recommend it.
John Ellis: I wouldn’t recommend it. But we typically have a [00:17:30] reason for why we want to visit particular companies. So from a DOD prioritization perspective, I talked a minute ago about how many companies DCMA administers contracts with. And it’s that 15, 16,000. Obviously, we don’t have the resources to go assess all of them. So we use DOD priorities to pick and choose the companies that do the work that we’re most interested in. And if you’re one of those companies, you tend to know that you are one of those companies.
So those [00:18:00] companies, when we send out an invitation, we’re wanting to go there for a reason. And it’s generally because of a DOD priority. So saying no just means, we’re going to come back later when it may not be optional.
John Verry: Okay. And then, that DOD priority, I’m assuming that that’s sort of like a special sauce, right? Like you said, you’re going to do a sampling of entities, it’s going to be based on some internal prioritization. Someone can’t figure [00:18:30] out if they’re going to get audited correct?
John Ellis: I mean, if you’re a company that’s working on a major ACAP program, or you’re working on those sorts of technologies that have national interest, chances are you’re going to see a DTMA assessment in your future, if you haven’t already seen one. And I think it’s really important to understand that those companies generally know who they are. Now, if you’re making bootlaces, or galvanized steel washers, typically [00:19:00] we’re probably not showing up. That’s not to say that we won’t, I mean, we’ve had a couple of instances where small companies had reported cyber incidents and we actually asked those companies to work with us as a follow on to see what progress they had made.
And in particular, it was a small company in the Midwest that had had a reported incident. They had spent a lot of money to try to shore up their defenses, and quite honestly, we wanted to get [00:19:30] a feel for how well they had spent that money, just to see, sort of do a check of the pulse if you will, of what’s going on in the Defense Industrial Base. What we found was sort of a mixed bag. Some of the advice they had gotten was pretty good, some of it was not so good. But that’s consistent with any consultancy, any service that companies can acquire in the conduct of their business.
John Verry: Right. Yeah, listen, I mean, it’s like anything else, right? 50% of the doctors finish [00:20:00] in the bottom half of their class. You could make the same argument for consultants as well.
John Ellis: Yes.
John Verry: Cool. So quick question on that, so we talked about 800-171 review. Do you guys… There are some additional requirements, if you will, if you look at the full DFAR clause, 71-02. So when you’re going out, are you looking at the DFAR clause which includes 800-171, or just 800-171?
John Ellis: So the emphasis of the assessment is on the implementation of those 110 requirements that are laid out in [00:20:30] 800-171. So, and this is part of the good part of the assessment methodology. If you go look at that November 2019 memo that Ms. Lord put out, it seems like forever ago but, it was only November. It basically lays out the entire assessment. If you want to know how the homework is going to be graded, all you have to do is go look at the 800-171 Alpha Assessment Guide that goes with 800-171.
So not only do we tell you what we’re going to look at, but we tell you how [00:21:00] we’re going to grade you, by going through the assessment guide. There’s no mystery, there’s no vague references of any sort. Of course, being able to report an incident, which is a 7012 requirement, that’s actually part of the assessment methodology, if you want to get right down to it. But for the most part, it really does focus on the technical implementation of those requirements defined by 800-171.
John Verry: Cool. Because, and the reason I ask that is that, one of the things that I’ve seen [00:21:30] a misconception, and I wonder if you could comment on it. I know you’re not a CMMC, that’s not your job, CMMC. But, you guys are tip of the spear if you will, in terms of doing these audits. The DFAR 7012 clause includes in it, I think it’s clause M, where it obligates them to include that clause in the requirement to protect CUI, in accordance with the DFAR requirement, which includes 800-171 for their subcontractors, [00:22:00] right? Or at least the first level of subcontractor.
So, one of the things I’ve seen is, people look at CMMC, and if you look at the supply chain requirement, it doesn’t happen to level four. So I’ve had clients actually say to me, “I don’t need to worry about vendor risk management.” And to me, that’s illogical, right? I mean, it would make no sense that I would hold you to CMMC level three, but then you’d have unfettered ability to hand that CUI to somebody else and not have any attestation that they’re doing the right thing with it. Am I reading those tea [00:22:30] leaves right from your perspective?
John Ellis: So, yes. So, but there is some ambiguity, and I understand where it’s coming from. So let me try to clarify it. So, under the current construct, the DIBCAC does not look at that particular flow down of requirements that you’re referring to. There is guidance, however, for those companies that are subject to purchasing system reviews. Purchasing system reviews do require that 7012 be flowed down to the first tier [00:23:00] of suppliers, and that the primes gather information, some sort of self-attestation, or attestation document. It could be even using the results that a company has performed a self assessment of themselves if they have not undergone a DIBCAC assessment.
But there is part of the flow down process, there’s a look for evidence that the first year supplier meets 801-71 requirements. So there is a flow down aspect of 7012, [00:23:30] that the DIBCAC works closely with the purchasing system review folks that look at that, but the DICAC themselves do not do that flow down assessment. So it’s a different part of DCMA that does the purchasing system reviews. But our guys work closely with them to ensure consistency across the missionaries.
That will not change, that should not change as 7012 goes forward. Eventually [00:24:00] CMMC will come out of rule making, any revisions to 7012, that may or may not happen, I would assume will account for that. But there will be a flow down requirement. And quite honestly, companies should want to know about the other companies they do business with, to ensure that not only is the government’s information protected, but any of that proprietary information from the prime to the sub would be protected as well. It’s the same networks [00:24:30] and systems that all that information resides in. So there is a vested interest, if you’re a prime, that the subs that you’re going to use, your suppliers, can actually protect the information that you share with them, whether or not it’s the government’s information or not.
John Verry: Right. And just to be clear, because of a lot of the people that would probably be listening to this are not going to be primes, they’re going to be subcontractors to the primes. That subcontractor’s should logically have that same level of obligation, that their first level of people [00:25:00] that they’re contracting with need to treat this CUI to the same level that they’re treating it to, correct?
John Ellis: Absolutely.
John Verry: Cool. Yeah, it just made so much… And even if you think about it, right? And I think there’s even an indirect obligation, right? Because we have the concept of a risk assessment. And if I looked at a risk assessment, that risk assessment didn’t consider third party risk, I would question whether or not they did a good risk assessment. So now I have a third party risk. If I didn’t cover that adequately, then I didn’t [00:25:30] achieve the standard either. So I do think that there’s… People say there’s no explicit supply chain, and I agree with that, but I think there’s an implicit when you look at the risk assessment requirement anyway.
John Ellis: I agree. I will tell you though, when we first started doing the assessments last summer, particularly during the pilot phase, we did have some out of assessment conversations with, particularly, some of the big primes, to understand how they vetted suppliers. Because quite honestly, this supply chain issue is [00:26:00] a rather sensitive subject. A couple things we learned in that discussion. A lot of primes, they have a lot of supply chain insight, sometimes only four, or five, six levels deep. When we all know that the chain runs much deeper than that.
John Verry: Does it?
John Ellis: That’s a concern.
John Verry: Really? You think it actually runs that many levels deep?
John Ellis: Sometimes.
John Verry: Wow.
John Ellis: And in other cases, some companies have very robust supply chain assessment mechanisms, where others, [00:26:30] really don’t. And it really depends on the company and how much risk assessment, and how much work they put into it. Because it is a large undertaking. If you go and look at, not particularly anything that’s command control related, where do all the components for computers, and circuit boards, and those integrated circuits comes from? They typically don’t come from the US. And those parts are buried so far deep in a [00:27:00] supply chain as individual components get added to devices. And it rolls all the way up to eventually show up on the deck of a ship, or it’s in the back of an armored command post, or it’s flying around in an airborne command post.
So there’s a lot of interesting stuff that comes from a lot of interesting places. And companies do not always have full insight into where all of that stuff came from.
John Verry: [00:27:30] Yeah. It’s interesting you should point that out because I think this morning, there was a big article that came out where, I believe it was somebody in that DOD hierarchy, if you will, was suggesting how America needs to do a better job of maintaining it’s manufacturing of those levels of components that are going into its supply chain. So your timing on that comment was pretty interesting given what I read this morning on it.
So you guys are the experts I would say, right? [00:28:00] In terms of auditing against 800-171. I would assume it’s logical to assume that you guys have been working with the CMMCAB to help them kind of put their thoughts together about how they’re going to do the audits?
John Ellis: Yeah. So DCMA has been involved in the establishment of CMMC since day one. One of the things that we’ve been very cognizant of was that, because we went through the assessment process and figured out how to really work [00:28:30] through the methodology, and how to improve it as we went along. We modified our training along the way to ensure that we actually applied those lessons learned. I know that’s a radical thing to say in the government. But we really did endeavor to do that. And we believe we’ve done a pretty good job.
So as CMMC has been standing up, we wanted to ensure that they had the benefit of all of that training, all of those lessons learned, all of those hard knocks that we had [00:29:00] to figure out the hard way in some ways. So our DIBCAC is very much a part of that development team on the CMMC side of things, to ensure that there is that training leverage is what we have put together, including the actual assessment methodology itself. So there is a ton of collaboration.
DCMA’s been involved in all aspects of the training, in aspects of the mock assessments, in all of those activities that will eventually lead up to the full implementation [00:29:30] of CMMC.
John Verry: I’m starting to melt. I came into the office today, man I’m sitting here and I closed my eyes and I just realized that the AC must not be on. So all of a sudden I’m feeling like, man, it suddenly got hot in here. So-
John Ellis: Well don’t go start having hot flashes, man, I can’t help you.
John Verry: Yeah. So obviously, with 800-171 being a viable and important standard until full CMMC roll out, [00:30:00] I assume that DIBCAC is going to continue to execute these 800-171 assessments for the next, let’s say five years or plus. I mean, is that the plan at this point?
John Ellis: I mean, we are going to continue to conduct assessments up until some transition period. So until CMMC is kind of up and running, we will continue to perform those standard methodology assessments, that is still the requirement. Once the rules, assuming those rules change and we actually get CMMC up and running, [00:30:30] there will be a transition. Now, one of the things I want to make sure folks understand though, is that CMMC is not going to do away with the government assessing programs. So yes, there will be CMMC assessments, but if you guys recall, prior to the standard assessment methodology we started last year, the whole 800-171, 7012 clause was based on a trust need model.
Nobody was really looking. [00:31:00] There was a few folks looking here and there, the Navy in particular was doing a good job of assessing compliance with the cyber requirements. But quite honestly, there was a lack of consistency across the board, and there was a lack of government involvement. And we’ve all seen the press, we all are aware of some of the incidents that occur. So we don’t need to go into that. Even once CMMC rolls out, we the government will maintain an ability to independently assess [00:31:30] things that are of sufficient priority or are of particular interest to the government. I think that’s a good, honest broker approach to ensuring that we’re all on the same sheet of music in terms of priorities. And importance of why CMMC and the 7012 requirements are there.
John Verry: So-
John Ellis: So there will be assessments that are outside of CMMC, based on those DOD priorities.
John Verry: Gotcha. So we are 30 odd [00:32:00] years later, and Mr. Reagan’s trust, but verify is still the best model, right?
John Ellis: It’s a good model, it works.
John Verry: Gotcha. So, and I know that it’s hard to prognosticate, especially in the government business. So I’m assuming that DCMA and DIBCAC’s role, like you said, is going to evolve as CMMC replaces 800-171. Any last thoughts on that topic?
John Ellis: DCMA will continue to be a part of the valued [00:32:30] member team that is known as the umbrella of CMMC. So if you think about it, we will always be there. We’re kind of like a bad penny. We just keep turning up.
John Verry: Well I mean, your job is to manage contracts. And validating that people are conforming with the contract requirement. So obviously, you’re definitely the umbrella, for sure. And it’ll be, and I think the interesting one will be is, what is DIBCAC’s role? How does DIBCAC’s role evolve a little bit? [00:33:00] It’s going to be fun to see.
John Ellis: I agree. I want to foot stomp something really, and I can’t say this strongly enough, CMMC brings a lot of value to the table. And it’s something that has been needed from day one. We talked a little bit about 70-12 earlier. It started out as this, yes it was a mandatory requirement, but really, nobody was checking it. There was no hammer, there was no meat, there was nothing to really force compliance. [00:33:30] Even though it’s a mandatory requirement, I actually had a company one time in a public forum tell me that, “Hey, we know this requirement’s on our contract so we have absolutely no interest in doing anything with it until we no somebody’s going to come look at us.” At which point-
John Verry: They said that to the DCMA?
John Ellis: They said that point blank to my face.
John Verry: Wow.
John Ellis: It became an interesting conversation at that point.
John Verry: Yeah. I would not have liked to have been the person who was dumb enough to say that.
John Ellis: But [00:34:00] there are companies that, I mean, I’m not trying to cast dispersion.
John Verry: No, we’ve seen it. Listen, we see it as well.
John Ellis: But it’s a reality. It’s a reality.
John Verry: And not only that John, and not only was it a reality with the people, right? Because I’ve had people literally say, “I’d rather go out of business then spend the money. Or I would go out of business. So I’m just going to sign the letter.” And they’ve sent the letter in that says that they’re attesting. And I’ve literally had other people tell me that the prime said to them, “Just send us a letter that says you’re doing it, whether or not you are or not.” We need to paper our file.
So yeah, [00:34:30] I absolutely have seen it many times, myself. So yeah. But I think it’s been the guilt of both parties, right? It’s the people that are willing to sign something that they didn’t do. And then I think you’ve got some of the primes who have not done a good job of really, any level of diligence.
John Ellis: I would agree. Here’s the one thing I will tell you, and this is the part that I find relatively amusing with this whole conversation. So I’m a geek, I don’t know if you can see behind me, my home server, it’s sitting right behind. You [00:35:00] can’t see it, but the other work stations around me. The equivalent of 800-171 is all around me. It cost me, well it’s downstairs, my UB key is downstairs. The requirements that 800-171 puts on the table are so minimal. Now granted, if you’re a big company and you’ve got to buy a lot of cat cards, if you’ve got to buy a lot of security tokens, it does get expensive. And it becomes complicated [00:35:30] in how you manage it.
But if you compare that to the work that you’re performing, that you’re trying to protect, and you’re trying to ensure that you’re not sharing your information with your competitors, whether they’re good guys or bad guys is irrelevant. Those requirements represent the bare basic things that you would hope a company is doing to protect its own proprietary information, let alone the CUI information that the government is interested in.
John Verry: I agree. I agree.
John Ellis: So when I hear companies complain [00:36:00] about these arduous requirements, I just ask them, “Hey, so when are you going to disconnect from the internet?” Because that’s the only way, if you don’t do these basic things, that you’re going to protect yourselves.
John Verry: No, I agree with you.
John Ellis: And of course, nobody wants to do that.
John Verry: Yeah, no, if you look at… I mean, I always tell people. If you look at 800-171, or if you look at CMMC level three, I’m a fan of it. And the reason I’m a fan of it is, it follows good, basic, fundamental information security paradigm, right?
John Ellis: Yes.
John Verry: It’s understand your scope, understand your risks, and put controls in place that are proportional [00:36:30] to risk. And I don’t think there’s anything in there that a company that was protecting intellectual property wouldn’t have logically put in place that you’re asking for to protect CUI.
In fact, we do a lot of work with ISO 27001 at [inaudible 00:36:46] and high trust and favor. I mean yeah, all of those requirements largely, require the same level of due diligence, right?
John Ellis: Yes.
John Verry: Authenticate and authorize users. Generate logs so you can identify and respond to incidents. I mean, fundamentally, it’s great security, [00:37:00] so I agree with you, I don’t think you’ve created a… I think the bar is appropriate.
John Ellis: I do to. And I think that the CMMC is the logical evolution of that baseline. Because what CMMC allows us to do is hold companies more accountable in advance to awarding contracts. The basic 7012 clause was based on a trust me self attestation. We’ve made some adjustments, we’re conducting some assessments. Quite honestly, [00:37:30] from a resource perspective, even if I had unlimited time and dollars, I could hire every cyber professional in the US government. I still wouldn’t have enough resources to go out and look at 300,000 companies in a normal life span.
So having this methodology where it’s a contractual requirement just to do the work, that helps address a serious shortcoming of the previous implementation. The CMMC team [00:38:00] that Katie Arrington, Stacy Bostjanick, and all of the folks on the AB, and the government service and agency partners that have worked together to put that together. That has been a massive undertaking. It’s been highly successful. It’s something that is needed. We need that ability to ensure that companies take this stuff seriously.
Because we all see the headlines. You see them, I see them, everybody in TV land sees them. It is real. Everyday stuff is walking [00:38:30] out the door that we intend. I mean, we have seen companies doing really, really great work. We’ve seen companies doing real, really not so great work. And CMMC should help us with that going forward, because it raises the bar to a point where companies need to certify that they’re able to do the work before they ever ordered those contracts. We don’t have that means right now. And I look forward to having that additional oomph, if you will, behind the standard.
John Verry: [00:39:00] Yeah. I agree completely. I mean, and look, it’s a matter of national defense, and it’s a matter of our economy. I mean, when you’re talking about eight trillion dollars, I don’t know what percentage of the GDP it is, but it’s a pretty big percentage, right? So it’s critical to us.
So we’ve done a pretty good job here of covering a lot of ground. Is there any questions that you get asked all the time that we didn’t cover yet?
John Ellis: No. The biggest one is, should I stop doing what I’m doing now? But I quickly covered that.
John Verry: Yeah, the answer [00:39:30] is no. Never.
John Ellis: No.
John Verry: With a capital N.
John Ellis: It’s pretty amazing how often that comes up in these sorts of forums.
John Verry: Yeah, I know, I know. So we forgot to send you over the questionnaire. So there was question on the agenda for the podcast ahead of time. So I don’t know if you remember, so we have that question, the amazing or horrible CISO. We ask the question, what fictional character or real person do you think would make an amazing or horrible information security director, a DIBCAC auditor, we could use whatever you want. [00:40:00] You want to take a stab at it or do you want to leave it out now because we didn’t get you the time to prep?
John Ellis: Well, I’m maybe dating myself, but you ever remember the cartoon character of Snidely Whiplash?
John Verry: Oh my gosh, I mean, yes. I mean, my grandparents told me about Sindely Whiplash, I couldn’t have possibly be old enough to remember that.
John Ellis: Boris and Natasha would also be a great-
John Verry: Oh I love Boris and Natasha. Yeah. That’s the Rocky and Bullwinkle.
John Ellis: Yep.
John Verry: Yeah. [00:40:30] Yeah.
John Ellis: Either of those would be fair representations of what you’re looking for.
John Verry: Yeah. I would agree completely. And why?
John Ellis: You got to-
John Verry: Let’s go with Natasha and Boris, because I like that answer the best.
John Ellis: You got to almost be an evil genius to think through how some of the stuff needs to work, and how it should be implemented, and how it should perform. And I think Boris and Natasha [00:41:00] capture that.
John Verry: You know that’s funny-
John Ellis: And you got to have a sense of humor as well, because I’m telling you, we have seen things on assessments that you just cannot imagine how humorous they can be. My personal favorite is talking about the difference between mobile devices and mobile code. Two very different things, but sometimes they get smushed together.
John Verry: Yeah. So you’re an auditor, I’m an auditor, I’ve done a lot of audits over the years. And one of my favorite stories is the same kind of [00:41:30] thing where, we were doing an audit of an organization, and the guy was floundering horribly. And just, he couldn’t answer any questions, and he really started to get all sweaty and everything. And finally I said to him, I said, “Do you guys run and IDS?” And of course, I was referring to a network intrusion detection. And he was like, “Yes. SimpliSafe.” He’s referring to…
And he was so excited. And I almost didn’t have the heart to tell him. And I finally went, “I meant network IDS.” And he’s like, “I don’t know what that is.” And I was like, “Okay.” [00:42:00] And he was back into his flop sweats. All right. So last question, if anybody had a question for the DCMA, or for the DIBCAC, what’s the right place for them to find those answers?
John Ellis: So, that’s a good question. The best answer would be to reach out to somebody like me. We don’t put our assessment information on a publicly accessible website for obvious reasons. We don’t share details of results for obvious reasons. So, [00:42:30] if anybody wants to get a hold of me, my email address is [email protected] Shoot me an email, I will respond or I will pass the question to somebody way smarter or better looking than me to answer the question. And-
John Verry: Yeah, I think you’re going to have to go a little bit to find either one of those John. So-
John Ellis: Well, I don’t know about that.
John Verry: Well, you were pretty nice to me so far today, so the least I could do is throw a couple bouquets back the other way. So listen, awesome, thank [00:43:00] you so much for coming on. I genuinely appreciate it. You addressed a couple of questions that so many of the people that we chat with everyday, and you’ve made my job easier, because now I… It’s funny, right now with so much uncertainty, people want to know that your opinions are founded, right? That you’ve got a basis for your opinions, like an auditor. So thank you for giving me a basis for my opinions.
John Ellis: Well thank you very much for having me. And as always, we’re here to serve. If anybody ever has questions, please feel free to reach [00:43:30] out to us, we will do our best to answer the question. I’m one of the guys, I’ll answer just about any question you ask me, and if I don’t know, I’ll tell you I don’t know and we’ll go find the answer and get it back to everybody because believe it or not, I’m a firm believer, we’re all in this together. And if-
John Verry: If-
John Ellis: … our partners are successful, we are as well.
John Verry: And it’s funny, because everybody preaches the same thing from the top on down with you guys, which is really great to hear. I mean, look, everybody’s really truly committed to this. So great stuff. [00:44:00] Again, thank you sir.
John Ellis: Anytime.
Narrator: You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected] And, to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there. (silence).