If you want a glimpse into what one of your future CMMC audits will be like, this is the show for you.

On this episode of The Virtual CISO Podcast, we welcome Thomas Price, Client Manager/IT and Information Security Auditor/Quality Management Professional at BSI.

Working with clients to determine strategic direction, achieve objectives, and improve quality and service delivery, Thomas is one of the most accomplished and respected auditors in the security industry.

What we talked about:

  • The differences between ISO 27001 and CMMC
  • CMMC requirements – an in depth look
  • Insights from an auditor’s perspective on how to prepare for certification
  • Real life examples of how to leverage ISO 27001 to nail CMMC certification

 

Check out these resources we mentioned during the podcast:

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Audio (00:06):

You’re listening to The Virtual CISO Podcast. A frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no-B.S. answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there, and welcome to another episode of The Virtual CISO Podcast. I’m your host John Verry and with me as always, the pepper to my salt, Jeremy Sporn. Hey, Jeremy. How many people did we lose right at that moment?

Jeremy Sporn (00:45):

John, you’ve got to give the people what they want. And that is-

John Verry (00:48):

It’s less of you.

Jeremy Sporn (00:49):

Yeah. And more of Salt-N-Pepa, come on.

John Verry (00:53):

All right. So, what did you think of my conversation with Thomas?

Jeremy Sporn (00:56):

So, very interesting conversation. You guys played that consultant/auditor dynamic really well. You know, kind of tossing him those scenarios on how you would handle leveraging ISO 27001 to meet CMMC requirements. And then letting him, from that auditor’s perspective weigh in on it that would even pass muster.

John Verry (01:17):

Yeah, it was a different conversation. And in a weird way it’s an awful lot like being audited, which is sort of what it felt like.

Jeremy Sporn (01:24):

Yeah, which is not surprising at all. Thomas is a crazy accomplished auditor. He has experience in ISO 9001, 20000, 27001, 27017, NIST 800-171, NIST CSF. I truly believe he will be one of the first auditors to be certified to complete a CMMC certification.

John Verry (01:45):

Yeah, he’s definitely always in the list, that’s for sure.

Jeremy Sporn (01:49):

Absolutely.

John Verry (01:50):

Anything else you’d like to chat about before we get to the conversation?

Jeremy Sporn (01:55):

Yeah. So, if you really want that glimpse into what one of your future CMMC audits will be like, this is the show for you. And if you hire BSI to perform your CMMC certification audit, you may even have Thomas or someone he trains to show up at your facility. So this is as real as it gets. Thomas knows his stuff. If you can convince him, you’re in really, really good standing.

John Verry (02:18):

Yeah, I would agree with that ascertain. No further ado, let’s get to the show.

John Verry (02:25):

Thomas. Thank you for joining us today, how are you?

Thomas Price (02:28):

I’m doing good today.

John Verry (02:30):

I always like to start off simple. Tell us a little bit about who you are, and what is it that you do.

Thomas Price (02:36):

Yes. I’m a plant manager and auditor with BSI. I’ve been with BSI for four and a half years, and doing ISO 9001 AND ISO 20000 assessments, as well as ISO 27000. I’m also a member of the BSI CMMC team, took it and look at the new DoD CMMC model, and figuring out how we can provide services to our clients related to that. I have over 20 years experience implementing management systems with different companies in the Virginia, Washington, DC and Maryland area.

John Verry (03:15):

So that probably means that you know a bit or two about the defense industry.

Thomas Price (03:21):

Oh yes. And-

John Verry (03:21):

So you sound like the… I was going to say, you sound like a great person, and we sound very intelligent for having you on the podcast, right? Because you’ve got exactly the kind of experience that we want to talk about. You know, this idea of, could somebody leverage ISO 27001 to address their CMMC requirement. So, awesome, thank you for joining the podcast, I look forward to chatting with you.

Thomas Price (03:43):

Great.

John Verry (03:44):

Before we get going, we have a tradition to ask, what’s your drink of choice? Get to know you a little bit.

Thomas Price (03:51):

Well, it’s either bourbon or single malt scotch. Any one of the Glens is good with me.

John Verry (03:57):

Okay. So, I’m half with you. I am an anti-scotch person, I’m just not a peat guy, but I’m a huge bourbon guy. So, you’re in Virginia if I recall correctly. There are some Virginia-specific bourbons. One of them is actually pretty good, and I have a bottle of it on my shelf. I believe it’s called John J. Bowman. Have you had that before?

Thomas Price (04:16):

No, I have not. But I did go to a bourbon tasting session one time, and that was very interesting. And got to learn beyond Jack Daniels, and some of the top shelf stuff.

John Verry (04:32):

Yeah, yeah. Knob Creek is my kind of go-to, especially they’ve got a 25th Anniversary that’s ridiculously good. So, you and I are both ISO 27001 certified lead auditors, and I know I’m a raving fan of 27001, I think you are as well. That being said, you and I often approach it from a different side. Despite the fact that I’m a lead auditor, I tend to live on the consultative side of the equation. So we’re more about building it, where you’re more about assessing it. So this is going to be fun to have a conversation with you. Because I think we look at things a little bit different. And I think our clients, mutual clients of course, they’ll get some perspective on the implementation side, and also the audit side. So, if I asked you from your perspective, how are 27001 and CMMC the same, or similar?

Thomas Price (05:23):

All right. So, first off ISO 27001 as you know, it helps you to build a great foundation for implementing an information security management system. Helps you to do is to, build a program where you can identify your information and put in safeguards and protections to protect those information assets and the information that you brand your organization with. And protect it in terms of confidentiality, integrity and availability. CMMC is designed specifically for, is safeguarding and controlling classified… I mean, controlled and classified information to CUI. And this is a result of the fact that, with the NIST 800-171 companies were doing self-assessment. And the government felt that wasn’t going far enough, that they were lacking confidence that the controls were being implemented adequately. So they came up with the CMMC model, to do is to prescribe specific practices that they want to see implemented to control and safeguard CUI that resides either in your systems or in the federal systems that you may work with.

John Verry (06:44):

Got you. Would you agree that, when I look at it at a really super simplistic level, they both have a significant collection of good security practices that should help you be, “secure,” right? In ISO we have the 114 explicit controls in Annex A plus the 70 odd, or whatever you would like to call it, controls that could be implied from the causes within the management system. And then within CMMC, if we’re talking about Level 3, we’ve got 130 controls. So in both cases we’ve got a collection of controls that should be implemented, and if we do, they’ll probably end up in a good spot. And then the second thing is that they both have certification programs. So they’re both, independent objective auditors come in and certify that the controls have been implemented in accordance with their requirements. Is that fair?

Thomas Price (07:37):

That is correct. And the thing is this, with the ISO 27001, you select those controls based on risk, while in the CMMC model, the practices that you have to implement are based on the level of CMMC that you need to achieve that is specified within your contract. So if you are at Level 2, you have a set number of practices that are expected to demonstrate compliance to. If your contract says you need to be at Level 3, then what you need to do is implement all those practices, basically it’s achieve compliance at a NIST 800-171, and any additional practices that are specified within the CMMC model.

John Verry (08:27):

Yeah, that’s a good point. And I think that comes down to the fundamental difference between NIST FISMA guidance and ISO guidance. And with NIST FISMA ultimately we’ve got three risk levels, right? We’ve got low moderate or high, and we have prescriptive risk treatments or semi-prescriptive risk treatments that are associated with each level. With ISO we have an infinite level of risk, it’s a self-defined level of risk. And then we implement controls based on our acceptance risk criteria.

Thomas Price (08:58):

Yes, that is correct. So, then what you might do is look through a control and decide that, “You know, this may not be applicable to my organization, and then you assume the risk associated with that. With the CMMC model, there is no choice. If you want to achieve that level of certification, you have to implement all the practices that are specified for that level.

John Verry (09:17):

Cool. So I think we covered how they’re the same. If I ask you the question, how are they different?

Thomas Price (09:25):

Okay. Well, like we said, the ISO 27001 is an international standard, and it’s accepted across different countries. While the CMMC is a DoD and sponsored modeled by the office of the Undersecretary of Defense acquisition. The CMMC model certification process is a process that’s used to rank a company’s ability to protect CUI information and data, as well as the infrastructure in the system where it resides. While the ISO 27001 is any information that an organization used to run it’s operations or information that belongs to their clients. So, in the CMMC model, it’s specific to a contract, and it’s specific to safeguarding controlling CUI. And also the other thing is this, is the CMMC entails determining process maturity levels and the implementation of prescribed practices for each level of the model.

John Verry (10:32):

Yeah, I think that’s all well said. I mean, I think you cut to the core of it, is that where they’re very, very similar, CMMC has a specific use case. Where ISO is a framework that can be used in any use case. So now that leads us to the next great question. So, this idea of because ISO can be used in any use case, does that mean we can use ISO from a CMMC perspective? So let me ask it this way. If you are getting ISO 27001 certified, or you’re considering it, and you know that CMMC is something that you need to achieve, and as you are constructing your ISMS, you are considering the CMMC requirements as part of your interested parties in your ISMS scope. Then from my perspective, I would think that the resultant ISMS should essentially be ready for CMMC certification assuming we do it right. Thoughts? Got yous? Anything you would look differently as an auditor than I just said?

Thomas Price (11:38):

Well, the thing is this, is, ISO 27001 is about putting in place a management system, which by definition requires ownership and involvement of top management to ensure the provision of the resources for planning, implementing and managing your controls. Things that are needed to identify and mitigate risk that might affect the organization’s information and information assets. The ISO 27000 certification can provide a foundation for implementing key components and practices of the CMMC. Many of the domains that are in the CMMC model are also within the controls of the ISO 27001. The only exceptions are, is that there’s two areas which are not covered. But the thing is this is, the ISO 27 controls are less prescriptive, and they do not delve into some of the technical aspects of the securing data that CMMC practices do.

Thomas Price (12:42):

So the thing is, is, the ISO 27000, one helps you raise awareness about the need to safeguard and protect information and information assets, and it produces a concept of having risk assessments, and also is implementing controls. But the thing is this, is, the CMMC model has more domains, more practices and more technical practices at that. So the thing is this, is, there are things you can do to satisfy the 27000 requirement, but are not yet enough to satisfy the CMMC practices. You may need more resources and additional technology and tools to satisfy those CMMC requirements.

John Verry (13:27):

Got you. So I think what you’re saying, and please correct me if I’m wrong, is that because the CMMC has some more prescriptive guidance, that as long as we’re implementing our ISO 27001 controls in consideration of that guidance, which we would, right? If that was something that was documented in our system security plan, it was reflected in our statement of applicability, if it was reflected in our risk assessment. That would mean that we’d ensure that we implement those controls in a way that would conform with CMMC. So if we architect an ISMS with CMMC fully considered, we should end up in a place where we can both be ISO 27001 certified, and CMMC certified.

Thomas Price (14:13):

That is correct.

John Verry (14:14):

Cool.

Thomas Price (14:14):

And the thing is, it’s like I said earlier, the two domain areas that are not covered that are part of the CMMC model are situational awareness and maintenance. Those two domains are not part of the ISO 27000 standard.

John Verry (14:28):

Yeah. There’s the one… and I don’t recall it off the top of my head, but there’s one area of ISO, the standardized operating procedures portion, that I think you could make an argument part of that… you know, that’s sort of those old school run books, and that should cover that maintenance pretty well. But good point, and I think that’s a good… for anyone that is going to use that approach, I think that’s two good things to make sure that we provide some additional coverage for it to cover it well. The other thing, here’s a good question for you. So, I’m curious as to your thought on this. So you know about what a system security plan, and I believe the NIST standard on is 800-18. How would you compare and contrast a system security plan versus an ISO 27001 ISMS?

Thomas Price (15:15):

Okay. Well, first off is, a systems security plan is a document that identifies the functions and features of a system including all the hardware and software that is installed on it’s system. An SSP is a comprehensive summary of all the security practices and policies that will be used to protect data for a specific contract. And an SSP often needs to be submitted to the government as a deliverable contract award. Now, the scope of an information security management system can be designed to assess the risk and implement controls for information belonging both to the organization and all it’s customers, and not just a specific contract. An ISMS management which most people put together when they implement a program is a plan or internal document that’s maintained by the organization, and demonstration of the ISMS conformity is conformity to the ISO 27000 standard, and a copy of the certificate may be provided to the government or prime contract to demonstrate that you have an information security system in place. CMMC requires that you have a third-party assessment and attain that level and a certification for that.

John Verry (16:37):

Yeah. What was interesting to me, a couple years ago when 800-171 started to become more part of the vernacular in the defense industrial base, I was struggling with this idea of, do we need to develop a really formal SP 800-18, fed ramp ATO-ish style system security plan for 171? Because we had a client that was ISO certified. And my argument was that I thought that the documentation in toto met that requirement. And I did reach out to one of the authors of the NIST 800-171, and she confirmed in email that the formality of an 800-18 wouldn’t be required, and that an ISO 27001 management system and the documentation produced by it should be sufficient to meet the SSP requirement. It will be interesting to see what CMMC-AB determines in that particular case. So, it’ll be fun to see.

Thomas Price (17:38):

Yes. The accreditation body is… they need to provide some additional information on this topic. There has been word that’s come out from the defense acquisition office that there may be some reciprocity between the CMMC model and other standards such as ISO 27001, the NIST CSF, the cybersecurity framework. So we’re waiting to see what information flows from the accreditation body on that.

John Verry (18:09):

Oh, that would be cool. I had not heard that. So now you got me curious. I want to hang up the phone with you Thomas and go look at it. But I’m going to journey on here. So, we talked about the idea of ISO if you were getting certified, and you fully considered CMMC that we’d end up in a good spot. So now let’s talk about another case. So like, we’ve got clients that are already ISO 27001 certified. But at the time that we constructed that, 800-171 or CMMC were not a requirement. So, my thought process, a consultant if I was phone with them is I’d say, “You know, you’re likely meeting many of the requirements of CMMC, but certainly not all of them.” So as an example, if you only needed to be L1 or L2, Level 1 or Level 2, we’re probably in pretty good shape. If you need to get up to three, four and five, you probably have a pretty fair amount of work to do. Your thoughts as an auditor?

Thomas Price (19:03):

Well, the most important thing is, from an auditor’s perspective, is that you need objective evidence. Whether you are doing ISO 27001 or the CMMC, you’re going to have to provide objective evidence that you’ve implemented… you have documentation, records, or systems that demonstrate compliance to either the ISO 27000 requirement or in the case of the CMMC, is you have the ability to demonstrate you have implemented those practices. One of the biggest challenges for doing CMMC, is that because many of the practices have a technical focus, people may have the tendency to ignore the administrative side. That is not having policies for each of the domains, not having plans that specify what is your approach and the resources that you’re going to use and apply to ensure that you implement, monitor and maintain each of those practices.

Thomas Price (20:09):

So for instance if you say, “Hey, great. I can show you that I’ve got the screensavers and all these things, the timing issues resolved, all the technical issues resolved when you walk away from your computer.” But if you don’t have a documented procedure that specifies, well hey, make sure that that’s implemented and provides the resources for it, you may have a shortfall there.

John Verry (20:35):

Got you. So let’s talk about that. So, let’s talk through what it would take. So you’re ISO certified, now you’re going to layer CMMC in. If I’m just kind of spit balling this. From my perspective, the first thing we’d have to do is update our ISMS scope statement to reflect the CUI explicitly and any of the particular interested parties. Including CMMC-AB and my contractors and people of that nature, on any of the specific systems that are different or that weren’t part of that critical interfaces and boundaries, things of that nature. We might have to update our… I would want to update the risk assessment to make sure we’re looking at that. And that risk assessment would probably drive potentially some changes to the statement of applicability. I’d probably want a gap assess the implementation of our controls versus the more prescriptive requirements of CMMC. And then assuming that all went swimmingly, I’d probably want to validate that it all worked the way that I thought doing my ISMS internal audit. If I had done that, and you came in to audit me, thoughts?

Thomas Price (21:41):

I would say that yes, if you updated your ISMS, your documentation, and you did the risk assessment, that you are on a good footing.

John Verry (21:52):

Okay.

Thomas Price (21:52):

But, before you do that, and most important in this is, is you need to identify what CIU you have, and what resides in your environment or under your control. You need to review your contracts and work with your contracting officer to identify and understand the CUI requirements, and also the CMMC requirements that are for your organization and the contracts that you have. You need to have a good handle on that before you get too far into this documentation, because you need to know is [inaudible 00:22:29] where is it, and how much big of the impact it is. And then you’re going to be able to do as this is, figure out where you’re going to need to apply and update your procedures.

John Verry (22:40):

Mm-hmm (affirmative). Yeah, so what you’re speaking to is the concept within ISO scope or context, and ensuring that we’re doing a good job or really understanding all of that, and then everything logically flows from there.

Thomas Price (22:53):

Yes. You need to scope the CUI and how the CMMC affects your organization, your systems, and then put together a plan of attack on how you’re going to update your SMS and your current controls and practices to meet the CMMC level of requirements that are specified within your contract. Whether it be a Level 1, Level 2, or a Level 3. And also to is this, is those requirements may change. You may initially have a requirement that you only need to have a Level 1 or 2. But later on in the life of the contract, the government may come back and say, “You know what? We’re increasing the scope of the work. Or guess what? We’re going to just pass over more information to you to control.” And some of this is going to be CUI. And you’re going to need to do, is make adjustments. You may have to start off initially with a Level 2. But then later on in your contract you may be expected to rise up to a Level 3.

John Verry (23:50):

It would be interesting to see how they’re going to handle that. That’s an interesting thought.

Thomas Price (23:53):

Yes. Contract modifications are a fact of life working with the government.

John Verry (23:58):

Yeah, I know that. The question is going to be is, so let’s say for sake of argument mid-year, they reclassified you from CMMC Level 2 to Level 3. Are they going to accept your environment for that… You know, I wonder how that’s going to work. Are you going to be given a pass for the six months until… Because if you think about it logically, actually, I take that back. So, CMMC as far as what I’ve heard and understood, is that it’s going to be a three year certification cycle.

Thomas Price (24:25):

Correct.

John Verry (24:27):

And then you’re going to have interim reporting which is necessary to do, which is still to be defined. So if you think about it, how would they do that? I mean, they would have to pay you for another audit? Because you will not be able to… If that happened in six months into your one, you’re two and a half years from your next CMMC audit.

Thomas Price (24:43):

Well, the thing is this, if they change the requirements, like in government contracting, anytime they change the requirements you need to ask for a modification.

John Verry (24:52):

Mm-hmm (affirmative). Got you. Interesting. I hadn’t thought about that. One more interesting thing that we’re going to see over the next couple years. So, speaking about this whole audit process and the fact that the CMMC-AB as of the time of this recording, which is May 8, 2020, that audit program has not yet been published. I’m curious, I know it’s an auditor and I had opinion, we actually blogged about it. Any conjecture or thoughts on what you think the level of effort to conduct a typical CMMC Level 3 audit will be?

Thomas Price (25:24):

Well, from past experience, we worked with the NIST cybersecurity framework, which is very similar to the CMMC, it’s a maturity model. And it also has a large number of practices, like the CMMC. And many of those practices are technically oriented. And with the cybersecurity framework assessment, we need at least three days to do that. Likewise I would think it would be the same thing with the CMMC assessment. Also it my require additional audit days based on the scope, the size and the complexity of the organization, or the site being assessed. Also, the number of contracts and systems involved may affect the duration in all we do in the CMMC assessment on a specific contract or specific contract site, or what we do in a CMMC or the entire organizations and the collection of contracts it has.

John Verry (26:17):

Right. Yeah. And there’s certainly a lot of got yous, right? I mean the CUI scope even. Because you could have a large organization with a small CUI scope, or you could have a moderate size organization with a large CUI scope.

Thomas Price (26:30):

And as you said, we’re still awaiting guidance from the CMMC accreditation body on that.

John Verry (26:36):

Yep. Yeah, I agree. Quick question for you. When you said that, you have a three day guess, was that three days worth of, let’s call it on-site, or true audit work with some preparatory time and some reporting time on the back end? Or was that three days all in from your perspective?

Thomas Price (26:51):

That’s three days on-site.

John Verry (26:53):

I thought so. Okay, cool. So you know, if you wrap in… You’re landing and it’s probably about five days plus worth of work would be a good guess?

Thomas Price (27:01):

Yes.

John Verry (27:03):

Yeah. That’s exactly my thought as well. To us it’s very similar to, if you look at an ISO audit, then that amount of controls that you’re looking at, and then due diligence that you would do there. You know, typically when we scope an audit in that nature it’s five, six, seven days, something like that. So yeah, you and I are right on the same page there. So, this has been great. You’ve really done a good job of answering every question I had. Anything else you specifically think we should address or would like to address?

Thomas Price (27:30):

Okay. Well, the thing is this, is, I would like to say is that, any organization that currently has NIST 800-171 requirements, they need to focus on completing their plans of actions and demonstrating compliance to those requirements. You need to demonstrate conformance to those current requirements you have before we start venturing into the CMMC journey. I mean, because that’s the first thing they’re going to ask you. Is this okay? They’re going to look at you. You have the requirement but you haven’t demonstrated this requirement. How are you going to get to the next level of requirements? That is how we can say-

John Verry (28:04):

One quick thing there. Because I like what you’re saying there. And I think that’s especially important. Because CMMC is going to age in over what, five years I think it is, through 2025?

Thomas Price (28:16):

Yes.

John Verry (28:19):

And they’ve gotten serious, what I’ve heard, I don’t know if you’ve heard similarly, is that the [inaudible 00:28:24] who is responsible for enforcing 800-171 recently expanded their… I heard they quadrupled their number of auditors. And my understanding is that if you don’t need to be CMMC for a couple years still, you’re still going to need to be provably compliant with 800-171. There’s no longer going to be the, oh just take a piece of crayon and write X on a paper and send it to us and we’re going to accept it. There’s going to be more enforcement. In fact, they’ve even filed some false claims acts against some organizations that did things like that. So I think that’s a really good point that you just brought up.

Thomas Price (29:00):

Right. They’re going to be looking at the self-assessments of the companies that have NIST 800 requirements. They’re also going to be going back to those companies and say, “All right, let’s look at the plan of actions that you submitted to us for the shortcomings of your NIST 800-171 compliance, and show us that you’ve implemented those plans of actions.” And if you come up short with that, you’re going to be a world of [inaudible 00:29:24] just meeting today’s requirements. And the thing is this, is, the CMMC is going to be more stringent, because the stakes are higher. Because the 800, if you don’t achieve that level, and you don’t have that level certification, you may not be able to compete on contracts.

John Verry (29:40):

Mm-hmm (affirmative). Yeah, I agree.

Thomas Price (29:42):

The other thing I want to bring up that’s important, is that there are mappings that are available and useful tools to help you in figuring out how the CMMC requirements play into other schemes. There’s mapping models for ISO 27000 requirements to the NIST 800-171. There’s ISO 27000 to the NIST CSF, and there’s also mappings of the NIST CSF to the CMMC that are available through the various government sites. And also is this, is, anybody looking for news and updates do look at the CMMC accreditation body website for the official information regarding the roll-out of the CMMC. The news is changing all the time. I mean there’s things such as questions about, okay, do auditors need to have a security clearance? Well, to find the answer you need to go there. Also is, beware of false claims. No one is a CMMC expert, and no one is licensed to do CMMC third-party assessments. So anybody claiming to be, “I’m already a CMMC Level 3,” that’s a false statement. Because how could they get assessed if nobody has license to do an assessment?

John Verry (31:02):

Yeah. That situation is so bad. I don’t know if you saw, but Miss Lord, I apologize, I can’t remember her first name, Eileen, or Ellen, or something to that nature is at the head of this. To give-

Thomas Price (31:12):

Katie [crosstalk 00:31:12]?

John Verry (31:13):

Not Katie, I think it’s her boss though, a Miss Lord. She actually put a blog on the front page of their site, it’s something to this extent. Because too many people out there are already advertising a CMMC Level 3 audits. And I agree with you, no one is a CMMC expert. That’s the first thing I say to anybody is that, look, these are all highly educated guesses, but they are still guesses at this point. Until we have the guidance, and even once we have the guidance, no guidance is ever perfect in year one or year two. There’s always clarifications, there’s always interpretation. So I mean, I think we’re really two or three years away from someone being able to definitively say, “I’m an expert. Any question you can ask me, I know what the answer is, because there’s been enough adjudication of it.”

Thomas Price (32:03):

Right. And if you’re looking to see how your security system measures up, the two best ways to do it is this, is, to doing as either a NIST cybersecurity framework assessment, or doing a CMMC gap analysis with the understanding that you’re not receiving certification, and this in no way is something that’s going to demonstrate that you’re a Level 1, Level 3 organization. So it’s just something in preparatory to see how do you compare to the requirements? And the accreditation body has said, and the acquisition office has said that’s acceptable.

John Verry (32:41):

Yep. I think the other one that you could make an argument to do would be an 800-171 assessment. Because I think for many organizations, it’s going to be a few years before they need to be CMMC specifically. So that 800-171 is something though, if they already have a DFARS requirement in their contract, they are liable for 800-171. So if you don’t if you did a good job, if you did use crayon, or Magic Marker, or signed off on some stuff you’re not sure of, then I think a 800-171 gap assessment would also be a good idea at this point.

Thomas Price (33:14):

Yeah. An independent assessment is always much better than having a self-assessment for the objectivity. And the thing is this, you may think you have reached NIST 800-171 compliance, but if you have an independent assessor come in and look at you, you may find out that, you know what? I didn’t quite understand the requirements and you may not fully have reached that compliant level. So maybe it’s good to have an outside expert come in, an auditor with that independent view to look at that stuff.

John Verry (33:49):

Mm-hmm (affirmative). I agree completely. All right. One last question. S you deal with a lot of CISOs, and I always like to ask a fun question to finish off. So, I’ll ask you, what fictional character, or if you prefer a real person, do you think would make either a really good or a really horrible CISO and why?

Thomas Price (34:05):

The Invisible Man.

John Verry (34:07):

Okay, I’ll bite.

Thomas Price (34:09):

I see you laugh and chuckling. But you know, in all sincerity it this, is, you know, you want somebody who’s going to be the flag carrier for this. You know it could be is, welling the troops and making sure that everybody understands this is important. The worst thing you want is an Invisible Man. You know, the trouble with the Invisible Man is, nobody knows what he or she is doing. There’s potentially no accountability. They may do more harm than good. And they may wind up leaving the room at the most inopportune time. That is, I’ve seen it where, just before we’re going to be doing an ISO 27000 audit, we’ll get a call saying, “Guess what? Our quality manager or our information security officer left, and we got our assessment next week. What do we do?”

John Verry (34:57):

Pray? Is that your answer.

Thomas Price (35:02):

Well, we either reschedule or we work with them on how we can get it done.

John Verry (35:06):

Yeah, you know, I have to smile. Because I’m always amazed at the ingenuity and inventiveness of people when I ask that question. All right. So I’m going to as you one last question. So, you talk every day like we do to different people in the information security and the business side of those companies. Any ideas for any interesting topics for another episode?

Thomas Price (35:27):

I think it what would be good episodes would be later on is, how to engage with the government to get guidance and direction regarding CUI and the CMMC requirements as it applies to specific contract engagements.

John Verry (35:40):

I could use that one. It’s actually quite maddening. Like, I had a crazy question with regards to a client of ours that is a staffing agency. I think you and I talked about this before, a staffing agency. And they were asking for CMMC Level 3 accreditation eventually, certification. But yet they have no CUI. And I’ve reached out to a bunch of people, and no one will go on record to give me an answer. So, yes, I would like that podcast episode personally, so I love that one. I don’t know-

Thomas Price (36:11):

Well, the other thing is to-

John Verry (36:11):

… who to ask that question to though.

Thomas Price (36:14):

Well, it’s a good point. Because right now it’s this, is, I’m saying you need to go to your contracting officer. But your contracting officer may not know. And he may have to go to another person who is designated as being responsible for implementing the CUI program for the government for that agency. The DoD is use. And if you read the DoD instruction that provides guidance to the government agencies and the contracting officers, there’s a lot of responsibility and a lot of people are designated as being responsible for implementing CUI programs within each agency. And then of course it is, do those people actually talk to the contracting officers once they’ve drafted up and written a contract?

Thomas Price (37:00):

So the thing is this, the big question is, you go to your contacting officer and say, “Hey, I got the CMMC requirement now, and I need to know what CUI I have.” And he says, “Well, I don’t know.” I say, “Well, you didn’t specify it in your contract. Well, you need to go back and find out what information you’re going to flow down on me.” Because according to the DoD instruction, the government has the responsibility for identifying what CUI they’re going to flow down to their contractors, or they’re designate a CUI as being created as a result of executing a contract.

John Verry (37:38):

Yeah. Well, it’s good to know that I actually gave them the right guidance. Because that’s what I did. Is I said, “Look, it doesn’t make sense to me, you’re going to have to go back to the prime,” now, whether or not the prime’s going to know the answer, or they’re going to have to go back to the original agency that the contract originates out of. I guess we’re going to find that out. Any other ideas for a topic before I let you go?

Thomas Price (37:57):

Yes. And the last thing is this, is once we do get some guidance direction from the accreditation body is, how do I identify and select a licensed CMMC third-party assessment organization? There’s going to be a big demand for a large number, and how do you pick a good one? How do you know that they are in fact licensed by the accreditation body, and that if you do pay for an assessment, that it would be accepted by the government when you hand over that copy of that report?

John Verry (38:29):

That’s actually another good one as well. Not only that, but I mean, there’s going to be an accreditation process. So in theory, we should know that all organizations, the accreditation body has vetted, validated the orgs. You know, that being said, you and I both know that the quality of the audit is directly related to the quality of the auditor. So it’s going to be interesting to me to see, not only how do I tell who my 3PAO is, but how do I know whether or not the auditor that they’re sending in is one that knows his stuff. So, another excellent idea, thank you.

Thomas Price (39:02):

And you know, you mentioned about primes and subcontractors. And what’s very important is this, is that there’s got to be communication between the primes and the scope subcontractors. If you’re a subcontractor, you need to just communicate with your prime to make sure that, okay, what are the requirements that related to CUI, that may be flowing down to you? And are you going to be expected to take action, to be able to demonstrate compliance to both the prime and the government? There’s this notion that primes are going to have to certify that their subs have their certifications in place. Also too is this, if you are a prime, what steps are you taking to do to make sure that your subcontractor is aware of CUI and the CMMC requirements? And you may even have to dedicate resources to help them. Because you know, whenever we go over a government contract, when you sell it, you’re not just selling one company. And many times it’s a team of companies that are teaming together to deliver services to the government. And if you don’t have everybody have their credentials in line, you as a team may fail.

John Verry (40:12):

Mm-hmm (affirmative). Yeah. That whole idea, I think there’s probably some people who took a deep breath when they thought, “Ah, CMMC is really not going to impact me for two, three, four, five years.” That being said, I think that, as you said, these pursuit and capture teams, they’re not going to want weak links on the team. So I do think that you’re going to see probably a proactive push by a number of entities to either get to an approval CMMC Level 3, or get to a approvable 800-171 place. Because they’re going to want to make sure that they’re not getting shut out of these teams. So, more good guidance, thank you.

Thomas Price (40:47):

But, I’ve already seen a number of large companies who have communicated to their suppliers that they have a program that’s not only for themselves, but also for the subcontractors to help them become aware of the CMMC requirements and how to handle CUI.

John Verry (41:05):

Wow. That’s actually great news. All right. So before I say farewell, how can folks get in contact with you and/or BSI?

Thomas Price (41:14):

The best way to get a hold of BSI is go through our BSI site, North America, we have is a cybersecurity pages, and we’re are providing information about the cybersecurity awareness, our training, as well as our assessment services. I’m on LinkedIn, you can look me up in LinkedIn, Thomas Price. And I’m very active in going out on LinkedIn, looking up for information about CMMC and sharing that information. And I’m welcoming anybody who wants to do is, have a LinkedIn connection. I would be more than happy to connect with you.

John Verry (41:52):

Awesome. I think I may have to take advantage of this. I don’t know that you and I are linked. And if you’re positing CMMC stuff you can save me maybe a little bit of searching. And so, listen, thank you, genuinely appreciate you taking the time to come on and chat with us about 27001 and CMMC, and this brave new world where we’re going if you’re in the defense industrial base.

Thomas Price (42:14):

Great. You have a good afternoon too.

John Verry (42:16):

All right, thanks. Have a good weekend, all right?

Audio (42:19):

You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at info@pivotpointsecurity.com. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.