CMMC Ch-Ch-Changes: Turn and Face the Revised Cybersecurity Maturity Model


Posted on in Presentations

The Cybersecurity Maturity Model Certification (CMMC) program has changed. CMMC Accreditation Body CEO Matthew Travis, Department of Defense Principal Deputy CIO Dr. Kelly Fletcher and representatives from the Defense Industrial Base will discuss the new changes to the CMMC model, the rationale behind the policy and technical changes, and a preview of how these adjustments will be implemented and affect the evolution of the conformance regime.


Video Transcript

>> ANNOUNCER: Please welcome Lauren C. Williams.

>> LAUREN C. WILLIAMS: Awesome. How's everybody doing? Are you having a good show?

(applause)

Yeah. We made it. So, thank you so much for joining us this afternoon. My name is Lauren Williams. I'm the senior editor for Defense Systems in FCW where I cover defense technology and cybersecurity, which is basically what this panel is about.

And we have a whole -- like everybody up here is an expert, and what we're going to be talking about is the Defense Department's effort to basically shore up the cybersecurity of the companies that it works with. So, if you want to do business with the Department of Defense, you're going to have to eventually comply with what's called the CMMC certification program. It stands for the Cybersecurity Maturity Model Certification program. I know it's a lot, but welcome to the world of bad government acronyms. But for those who may not know, it's basically just like getting a blue check from Twitter verifying to the DoD that you've met a baseline of cyber requirements and that they can trust you with controlled unclassified information.

So, I want to introduce my panelists. So, here we have Matt Travis who is the CEO of the Cyber AB or accreditation body. They just had a rename. He's basically the head of the organization that's responsible for building up the ecosystem that will be assessing the hundreds of thousands of companies that the Defense Department works with. We have Stacy High‑Brinkley who is also part of that ecosystem as the Vice President of Cyber Compliance at Cask government. And we also -- we have here Dr. Kelly Fletcher who is the principal deputy CIO for the Department of Defense. And last but not least, Michael Baker who just started a new job, and you are the VP ‑‑

>> MICHAEL BAKER: VP in IT CISO at DXE Technology. But before that, I had seven years as the CISO of GDIT where I was heavily involved in all compliance DoD regulations.

>> LAUREN C. WILLIAMS: Awesome. But you're in good hands. And before we start off the discussion, I do want to say, I'm going to be taking questions from you all throughout the 50 minutes that we're here today. Just please tweet at me, and I go through them and punt them to our panelists as we continue the conversation.

I want to start with Kelly, and kind of just get a baseline of where CMMC is today. It is June 9th, 2022. This has been in progress for some years, and the target to have this certification in all contracts, what is it, about 2026, that's what we're looking at, the timeline? So, I want to get where we are right now today. Can you tell me what the status is?

>> KELLY FLETCHER: Yeah. Absolutely. So, we are in CMMC 2.0. And for folks who haven't been watching this closely, you can just sort of ignore what was 1.0, what was 2.0. For folks who have been following this really closely, 1.0 had five levels and was a little bit more complicated. And since then, we've looked really hard at 1.0 and decided to go with CMMC 2.0. That has three levels of compliance. It's a streamlined process, and we think it's a little bit easier to understand. So, it's not that the cybersecurity controls aren't as robust. It's just that the process is more understandable.

So, we're looking at CMMC 2.0. And where we are on that is that it's in rulemaking. And rulemaking is intentionally very opaque. Until I inherited CMMC and the CIO role, I didn't know anything about it. But basically, very smart people sit quietly in a dark room, don't talk to anyone, and they write a rule. That's what's happening right now. So, that should be opaque to you all. That rule will go to OMB, and it will be out for public comment in March 2023. So, I really want everyone here, I want you to look at the rule, and we really want your comments. So, I think some folks might think it's too onerous. Some might think that it's not onerous enough. We really want public comment.

And then CMMC 2.0 will first hit contracts in the summer of 2023. It's not going to be backwards compatible. If you do business with DoD today, it's not going to -- we're not going to say, oh, you already have a contract, now you have to do CMMC. And you will know if it's a CMMC requirement by looking at the RFI or RFP. One thing I would note, and I think it's really important, is that if you're doing work with DoD already, you should look at your contract at the cybersecurity requirements you have because a lot of the requirements that are in contracts today are the same as what CMMC will have.

>> LAUREN C. WILLIAMS: So, I want to kind of ask what companies should be doing now, because we're here in San Francisco, Silicon Valley, there's probably somebody out here who has an algorithm or something that they might not even think that DoD may be interested in but could be. How is this relevant to them?

>> KELLY FLETCHER: Yeah, that's a great question. I will say frequently I talk to companies that are not cyber experts, and to those companies, I say, look hard at your cybersecurity posture and get help.

I think that this audience is really different. So, I think folks in this audience might want to provide cybersecurity services to small or medium companies. There's about 300,000 defense industrial based companies that are going to need help. So, what I would say is, if I were a vendor, I would look to see how I can provide cybersecurity as a service or even provide an environment to help these small/medium companies be successful.

>> LAUREN C. WILLIAMS: Matt, I want to turn to you. And since you're part of the organization that's really getting CMMC up and going, can you tell me where the Cyber AB is in getting that established?

>> MATTHEW TRAVIS: Sure. Good to be with you, Lauren. Good to be back at RSA conference. There's always two things I usually say before I speak publicly. One is a disclaimer and a clarification that we are not -- we never speak on behalf of the Department of Defense, but some people early on get us confused that our logo is very much the same as DoD's. We've changed that. As Lauren announced, we rebranded this week at RSA, the Cyber AB. But we're the independent accreditation body that's an exclusive partner of the Pentagon to help oversee, implement, and accredit the ecosystem that ultimately assesses for certification those defense industrial based companies. That's the one thing I always say.

The second thing I always say, and Dr. Fletcher alluded, if you haven't been following CMMC, or you're still a bit confused by it, don't be. It's nothing to be ashamed by. When I first took this job a year ago, someone remarked to me that explaining CMMC to a colleague is more challenging than explaining blockchain and bitcoin to your grandparents. And so, it's not the most -- you know, it's not the most intuitive conformance regime in terms of terminology. But that said, Lauren, where we are is that ecosystem continues to be built. What I mean by ecosystem, those CMMC third-party assessment organizations that are going to be doing the assessments of the defense contractors, they and their employees have been going through their own authorization process to meet all the requirements to do that, and those teams are made up of individuals, and Stacy will talk about this because her company is one of them, so it's individual assessors, and then someone needs to teach those assessors and certify them as professional assessors. So, they're instructors, those companies that provide the training. So, it's not just -- and then there are the what we call the consultants who advise. We call them registered practitioners or registered practitioner organizations. These are the companies who are in the business of advising the clients on how to implement CMMC, how to architect security environments, and they are a crucial part of the ecosystem.

So, we're building the ecosystem. And even though rulemaking is going to take another year, the department is poised to allow voluntary assessments to start here a little bit later this summer, so we're excited about that.

>> LAUREN C. WILLIAMS: Stacy, I want to hear from you and your role in the ecosystem.

>> STACY HIGH‑BRINKLEY: So, yes. Hi, everyone. This is my first time at RSA ever, so a little under pressure here. Anyhow. Thanks, anyway, for coming.

So, we are an authorized C3PAO Cask, a very small DIB company, woman-owned, 50 -- 51 folks, and we have had to comply with NIST 800-171, which Dr. Fletcher alluded to. It's been out since we were supposed to be compliant by December 2017. So, now what we're doing is making sure that folks out there, small, medium, large, are coming in and they're prepped and they're ready to go. On the other side of the coin, because we can't do both things, we can't console to be assessors, we have a line of folks in queue to be assessed to the CMMC 2.0, which lines up right with the NIST 800-171. So, we're really excited to secure the DIB and get going. It's a long time coming.

>> LAUREN C. WILLIAMS: I want to do a quick acronym check. So, C3PAO, these are third-party organizations that are going to be -- help be in charge of assessing the defense industry base, which is what DIB is. Michael, I want to go to you and you talk about your role.

>> MICHAEL BAKER: So, I play two roles in the ecosystem. The first role I play that I'm really proud of is I'm part of the industry advisory group as part of the CMMC AB. In that role, we directly give feedback to Matt. And I should say the Cyber AB, sorry. It's very new. We give direct feedback to him, which is oftentimes highly critical directly from industry in terms of the challenges that industry is having in adopting the standards, the challenges we're having in pushing this down to our small business partners and things like that. That's one of my roles directly with CMMC.

And then, as I mentioned, in my previous job as CISO of GDIT, I went through seven years of this entire maturation from the DFAR 70-12, which was the initial requirement to implement NIST 171, all the way through the CMMC 1.0 and 2.0 journey. So, part of those responsibilities is making sure that we were secure and that we had implemented those standards accordingly, but I think the bigger responsibility of that is part of a large crime was really making sure our supply chain was coming along with us. Right?

And that was the biggest challenge, right, the small and medium sized businesses that don't have dedicated cyberteams, that don't have a CISO leading the way, right, that maybe don't have that visibility. That's really the biggest challenge. And working with those small businesses was one of the things I really focused on, and, as you mentioned, a really big opportunity in the market to deliver services to those in more of a turnkey fashion, right, in conjunction with a large partner like that.

So, that's the role I play in the ecosystem. And in my new role, I'm still in it, right? I told Matt backstage that as far as I run, CMMC is still going to suck me in. So, from a DXE technology standpoint, you know, we deliver services to large primes, right, whether that's infrastructure or hosted services. So, CMMC is the requirement to do business with DoD, so that's something that we all have to pay attention to wherever you fit in the ecosystem.

>> LAUREN C. WILLIAMS: I want to start with you, Kelly, and then everyone else can chime in. We're here at a cyberconference, and, you know, we've learned over the course of the week that the threat is always changing. And how is a standard like CMMC going to account for those changes that we don't even know exist yet?

>> KELLY FLETCHER: That's a great question. And so, this is something that we have struggled with, how to make CMMC achievable, but then also to make it agile. So, something that we're working on in DoD is moving to continuous monitoring. And right now, something I've heard a lot of folks talk about is that CMMC is an annual self‑assessment. And then in the case of needing a third-party or a government assessment, that's every three years. We're absolutely moving away from this sort of like moment in time check at DoD and moving towards more continuous processes. That said, that's what we're starting with, with CMMC. And I'm really hopeful that as folks buy cybersecurity as a service from true cyber experts, this is a chance for those experts to change what they provide to them, or to make sure that the most current threats are accounted for and what is being provisioned as this turnkey service that we talked a little bit about.

>> MATTHEW TRAVIS: I just want to follow up on that. The threat landscape is such a dynamic environment. I saw this. Before I came to CMMC, I was the Deputy Director at CISA, the Deputy to Chris Krebs up until the point that he got fired by Tweet. But when I was in DHS, you saw just how sophisticated the threats -- cyberthreat actors were evolving. And so, I think it's a mistake for anyone to think that the NIST 800-171 is chiseled in granite forever. I think when you look at OT, when you look at zero trust, and even some of the things that 2.0 pulled back from the model, just aligning directly to 800-171, there had been some additional maturity processes and some additional bespoke CMMC practices. They are no longer in play. But I think looking over the horizon, we could expect that the Department -- again, not speaking for them -- is going to want to see this conformance framework evolve as threats and attack vectors continue to evolve as well.

>> MICHAEL BAKER: I have to pile on here a little bit as well. And there's two themes there. One is there's a lot of criticism of CMMC because it's not the perfect compliance standard. It doesn't fully account for Cloud or some other things, right? But it is a standard, and it is a baseline, right? And you had mentioned continuous monitoring, and one of the things I did in my previous role was I always took a cue based on what DoD's expectations were, and one of those things is continuous monitoring is something you have to do. You have to do it as a large prime. You have to do it if you have a large supplier base.

So, looking at that and getting ahead of your expectations, I think, is key, right? So, if you're not looking at your supply chain now, your critical subcontractors, the ones that have the flow-downs of 70‑12, 70‑19, 70‑20 at this point in time, I would really prioritize that if you have the resources to get ahead of it and make sure that you're fulfilling your obligations, because not only is it the right thing to do, but it's also the right thing to do for business because you don't want to be -- you don't want to have a vulnerability in your supply chain that then you have to answer to the DoD for in the long run because you weren't doing what you needed to do.

>> KELLY FLETCHER: I really, if I could, I really appreciate that, and I think -- I think this audience is really unique from who I normally talk to about CMMC. I think both of you hit on this. Which, normally, I talk to folks who -- I actually had a guy say to me that his cyber person was also in charge of his payroll. These really small companies, I think even level one, which is sort of the least rigorous level of CMMC, it feels overwhelming. It's 15 controls. They are not experts in this space. And so, I think getting them up to just clear this small hurdle is, you know, that's an important achievement.

>> LAUREN C. WILLIAMS: And I want to go back to the self‑assessment, or maybe not back to, but you brought up level one, which means that there's like a self‑assessment part of that that companies are going to have to be able to kind of certify or to say, yes, I've done these 15 controls. But where is the check and balance there? And what should companies know about that?

>> KELLY FLETCHER: Yeah, that's a great question. So, these companies have -- they don't even have classified ‑‑ or they don't even have unclassified information. They have FCI, so it's unclassified, but it's only federal contract information, so not even controlled unclassified information.

So, if you have FCI, right now, according to the FAR, which is the Federal Acquisition Regulation, I think, or requirement -- I think regulation -- but according to the FAR, you have to meet these 15 controls. So, that's in your contracts today. So, right now, we're just counting on folks to do that. We're not even asking them to like give it a hard look and sign off annually that they are meeting them.

>> LAUREN C. WILLIAMS: It's ‑‑ go ahead.

>> MATTHEW TRAVIS: I'll just add to that. Yesterday here at RSA conference, there was a great session on legal risk from False Claims Act and CMMC. So, I think when you look at -- again, not speaking for the department -- but if you kind of read between the lines of some of the lawyers who follow CMMC, that self‑attestation is going to be under greater scrutiny than probably heretofore had been the case. So, the rulemaking is still going on, but I think a more senior company official is going to have to do that attestation, whether it's a board member, CFO. It can't be the junior IT administrator logging in and saying, yeah, we're good.

So, what's the best insurance policy against, you know, whistleblower or False Claims Act? It's to go ahead and get certified. That's what we're really -- again, that's a self‑serving comment from where I sit. But we really want to see the DIB go ahead and implement these 110 controls at level two, go ahead and get certified, not because it's required in your contract, but because it's the right thing to do as a member of the defense industrial base.

>> MICHAEL BAKER: And protecting CUI is a team sport, right? And I think a lot of people, you're given the gift of the prioritization of the requirements and the DoD assessment methodology. They have a scoring mechanism. Right? Use it. Use it to your advantage. And honestly, if your score is low, ask for help. Right? And I think that's the thing that's missing is, in the cyberworld, we're like a little bit more of a blame game. You get breached and you point a finger and say, aha. Right? In this, we're all going to win together. We have to win together to protect the critical CUI of our nation. So, reach out to your technology partners, reach out to C3POs, or reach out to your prime contractors and ask for help. That was one of the things that dawned on me when in my previous role is most people hid those scores. Don't hide them. Right? Bring them to the front and let's solve it together.

>> LAUREN C. WILLIAMS: Stacy, we were talking before the panel about how some people didn't even know that they hadn't been meeting the standard. Can you talk about your experience there and what you've been seeing?

>> STACY HIGH‑BRINKLEY: Exactly. The last two years I've been involved, but about a year and a half ago is when we started talking to different companies, and they had no clue because they didn't have any cyber folks, like Dr. Fletcher mentioned. They were IT or logistics companies or fence companies for DoD. They had no idea just the level one control/practices that are there. They had no idea. Still, to this day, I'm talking to people that had no idea they had it in the contract. That's why it's so important to look at the RFP and to talk to your contractor, talk to your contracts manager, and make sure that they understand and reach out and get cyber help. A lot of companies offer it. We do, of course. Cyber compliance is a service. We're here to help, and there's a plethora of folks you can get to through this panel, and I hope that everyone reaches out because it's of the utmost importance. It's just every single solid day, things are happening. Every second, really.

>> LAUREN C. WILLIAMS: We have an audience question about continuous monitoring, and I want to bring that up now. So, you mentioned continuous monitoring when it comes to CMMC 2.0. Will this cover Cloud-hosted applications, software as a service, and how is that being approached?

>> KELLY FLETCHER: Yeah, that's a great question. So, for software as a service -- and I think -- what I don't want to do is get down into like a bureaucratic web of doom here, but I do think it's important to say that we have fed ramp certification and also IL4 and IL5 certification. That's very distinct from CMMC. But if you're going to sell DoD something that we're going to have on our networks or I'm going to, for example, procure a Cloud service, that needs to be at IL5 certification level, and that is for things that are like living on our network that we're using regularly. CMMC is if you're one of our industrial‑based partners who is building things on your own network. So, it's a little bit of a distinction. But it's part of IL4 and IL5. It is -- again, you're getting sort of a moment in time where you fill out a lot of paperwork and then we certify you, but part of that continuous monitoring is an important part of what you're doing in that domain.

>> LAUREN C. WILLIAMS: Awesome. So, want to -- I'm going to pick on you just a little bit.

>> KELLY FLETCHER: Great.

>> LAUREN C. WILLIAMS: There was a government accountability office report recently that found that DoD wasn't meeting its own CMMC standards, so what are you doing about that?

>> KELLY FLETCHER: I love that you brought this up. So, I actually, I think the really important thing about this is that DoD -- the CMMC requirements are not for DoD internally. They're for our defense industrial‑based partners. Within DoD, we have a lot of capabilities that the industrial base doesn't have. So, just one example is joint forces headquarters, DoD and defense, DoD, are basically our internal internet. So, we have cybercommand. We have all these teams of individuals who are providing us just an incredible amount of enhanced security. So, the CMMC standards are not -- it's a little bit like an apples and orange situation. CMMC is designed for folks that don't have the robust monitoring and hunting that we at DoD have. So, in no way do we plan on having DoD internally meet CMMC standards. We have more robust and different standards.

>> MICHAEL BAKER: And that deflection is as old as FISMA itself, right? Oh, you do this and no one else does this. I would say you have to mind your environments, right? You have to be responsible for your environments just like anything else in your life, right, and not worry too much about that other stuff. As you mentioned, it's apples and oranges, but I see that as a deflection from the primary message, right?

>> STACY HIGH‑BRINKLEY: To add on that, I'm a DoD validator, also, for the Marine Corps and the Navy, and we go as high as CNSS 1253, which is above 853, so I can attest to that, that these networks are ready to go when we deploy out into theater. So, just to add in thta they're very stringent.

>> LAUREN C. WILLIAMS: Okay. Fair enough. Matt, I want to go back to an earlier point of the voluntary assessments. I feel like that kind of slipped in there. So, what's the status there?

>> MATTHEW TRAVIS: Yeah, I'll clarify that. CMMC has been being developed here for the past couple of years. And last spring, when the administration came in, they looked at CMMC and said, okay, we still need to do this, but I think there's a way to improve it. So, essentially, there was a hit pause as 2.0 was developed and then released. But when 2.0 was announced, the Department recognized the investment that not only that the industrial base had made in many cases, but that the ecosystem had already started to grow. And so, as I understand it, the, you know, the particulars are still being worked out, but we do expect that for those DIB companies who have implemented NIST 800-171, who are confident that they are ready to get certified, they can go ahead and hire a C3PAO and get a voluntary certification prior to the completion of rulemaking. That, again, is for the Department to speak to how that's all going to work, but we've been working very closely with the CMMC program management office to get voluntary assessment started, and there are 15 right now, C3PAOs, like Stacy's company. So, obviously, that's not enough. But there are more coming, essentially now, with the pace is coming -- we've got more coming into the marketplace each month, and we know that those 15 companies have clients who have actually signed contracts to get started. So, when the department is ready to authorize voluntary certifications to begin, there will be companies who will go ahead and get started. And that's going to be a big milestone for CMMC. It's not unreasonable for many of you to say,oh, is this thing ever going to happen? You're kind of looking at your watch. What's going on? We're at the point now that when certification started, that's a real signal to this thing that life is being breathed into this program and it's off to the races after that.

>> MICHAEL BAKER: That's a tradeoff there for primes, right, who have been through the DIB CAP program, and that's acronym Defense Industrial Base Cybersecurity Assessment Program. Right? So, if they've assessed you to 800-171 and you have a score with high confidence in SPRS, there's going to be a tradeoff there. For me, personally, I would always want to shout from the mountain tops with a public assessment that I'm doing the right thing, but that's going to be a business decision for people who have been through the DIB CAP program of whether that public attestation is worth it. Personally, I do, but maybe not everyone will do that, right, because isn't there a reciprocity element to an existing DIB CAP high -- a perfect score?

>> MATTHEW TRAVIS: I'll let Kelly speak to that.

>> KELLY FLETCHER: Yeah. As I understand it, the highest assessment will be done by DIB CAP. It is a little bit distinct, I think from the DIB CAP high, and we are still working out reciprocity overall. But I would say if you have a DIB CAP high, you're in great shape. You know what I mean? That's time to sort of high-five and make sure that your subs are also in a similar posture.

But to get to your point, I do think getting a third-party assessment is wise.  So, I think no one in this audience is like, cyber what? Folks in this audience know what's going on. If they want to be vendors, obviously, you're not going to be at level one. I would encourage you to look at level two. And for level two, at a minimum, you need a third-party assessment. So, that's just a way to make sure that all your I's are dotted and all your T's are crossed.

>> MICHAEL BAKER: And who wouldn't want extra time to close a POAM if you have one before the contract hits, right? I think it just makes perfect business sense, it makes perfect preparatory sense to get the assessment out of the way and have a little extra time if you need to fix some things before it officially hits the contracts next year.

>> KELLY FLETCHER: Yeah. Also, that's a great point, which is that I do think when these first hit contracts, which is summer of next year, I think that -- I think, in the end, we're going to get everybody over the line. I think everybody who wants to pursue CMMC certification is going to get there. But I do think there might be a little bit of time where not everyone is there, and so those companies that do have that certification done, I think they're going to be with -- in a little bit less competition.

>> LAUREN C. WILLIAMS: In that same vein, assessors are a big part of this. Do you think that there are going to be enough assessors by the time -- by 2023 when this starts hitting contracts, and what is DoD's role there in making sure that there are? I know it's the AB's responsibility, but what is DoD's role in making sure that there are assessors there?

>> KELLY FLETCHER: Yeah, so that's a great question because I was going to immediately punt to the AB, but I like how you prevented that.

(laughter)

So, I would say, I really appreciate the sort of clear dialogue. This is the first time that we've actually done this together, so I'm happy that we're so well in alignment. I do think our main venue for understanding do we have enough assessors is through the AB. So, I think, truthfully, I'm hopeful that the majority of companies that are interested in being CMMC certified, they reach out to the AB. I think that those folks who want to be assessors or have assessment companies, the AB. So, I see the AB as really having their finger on the pulse of this.

>> MATTHEW TRAVIS: Thank you for that. And I'll answer Lauren's question by saying this is what we're working on every day to make sure that the scale of the ecosystem is sufficient to meet the demand signal after rulemaking.

I think it's important to note that the PMO has said the day after rulemaking, the Pentagon is not going to flip the switch and every contract is going to be infused with requirements. If you go back, I think a lot of people decided that CMMC was always designed, even back at one point, not to be fully implemented until the beginning of fiscal year 2026, so we still have a few years. That said, there is, you know, I can say that the cyberthreat actors are not sitting around waiting for rulemaking to be over before they start attacking, right? So, we can't just wait for that. We need to have a sense of urgency, and we certainly do.

So, just brief. The ecosystem, Stacy's company, there are over 400 like hers who have applied to be those third-party assessment organizations. Only 15 have met the requirements yet, but we're excited that as the other companies get through, we'll have enough companies who are in the business of conducting certification assessments. The real X factor is, especially in the cyber market, will there be enough individuals who want to work for companies like Stacy's? And so, that gets to recruiting assessors. And I suspect next year, we're going to have a greater presence here because our role is to promote individuals to get into the CMMC ecosystem, whether it's a full‑time profession or a side hustle. If you look at some comparable performance regimes like CMMI, the appraisers there, my understanding is they get pretty good coin doing that, right? It's a flexible lifestyle. You can kind of pick your own schedule, go around the country assessing companies. But we need more people. We have over, you know, 70 companies who are providing the classes to train the assessors. We've got Scantron as a national partner to administer the high-stakes professional certification exams. This is a -- this is a professional certification, right? There's a lot at stake for these companies. If you do not get certified, you're not bidding on contracts. That can put businesses out of -- out of business. So, we've got to make sure that those assessors go through rigorous training and take an ISO certified professional exam.

Right now, we've got only 300 what we call provisional assessors, and these are the individuals that we have been training for the past two years on our own. There are over 2,000 assessor candidates in the pipeline, but we need a lot more. You'll be seeing us at the Cyber AB launching a promotional campaign this summer to recruit, literally a recruiting campaign, to get folks interested in becoming assessors.

>> MICHAEL BAKER: But like what a cool way to start a career, right? I spent 14 years as a consultant before jumping into kind of the official CISO side of things. The ability to be trained up, right, the ability to see companies in a rapid fashion, how they implement cyber-processes against one of the best standards, best cyber-standards we have, imagine the experience you're going to gain in such a short amount of time doing that. I just think there's huge advantages for someone who wants to start their career there. I look on LinkedIn all the time and I see open to work, open to work, waiting for an opportunity, I want an opportunity. I mean, this is an opportunity, right, from my perspective.

>> MATTHEW TRAVIS: I'll be interested in how Stacy sees the labor market these days because you're the one who has to hire these folks.

>> STACY HIGH‑BRINKLEY: Yeah, exactly. You know, it's amazing. There are so many folks out there that are interested in coming to this realm. For me, myself, as a provisional assessor, my background was psychology and sociology. I never took a computer course in my life, but the Pentagon helped me. In '83, I fixed a computer or something. But they just come out of the woodwork, you know. All of us C3PAOs and all of our provisional assessors out in the market, we're a team, and we're all helping each other, so we're helping prepare for the influx as a team, but everyone is coming out of the woodwork wanting to do this. We have an intern program and we're really excited to see what's going on. It can be anyone who's been out there in the cyberworld, which is everybody in the last, what, 25-30 years, right?

>> MATTHEW TRAVIS: But I also think it's a great entry. It’s a gateway to get into cybersecurity. There's such a -- I saw this at CISO because we had challenges trying to recruit more individuals into government cybersecurity. I'm sure many of the companies here have a tough time finding the people. But CMMC, it's a great entry point to get into cybersecurity. You don't need to know how to code. If all you've been doing is writing poetry or doing things like that, you might -- you need some technical understanding, but it's a great way to get into cyber, and we're going to be stressing that.

>> LAUREN C. WILLIAMS: I want to put a question to you, Stacy, and you, Michael, about the implementation. There's been a lot of very DC like politics about getting CMMC up and running. So, what are you seeing about the implementation, what maybe has been lacking there, particularly maybe with communication with the Defense Department? And then, Kelly, you can respond, obviously.

>> STACY HIGH‑BRINKLEY: As far as implementing CMMC?

>> LAUREN C. WILLIAMS: Yes.

>> STACY HIGH-BRINKLEY: You know, I've worked with DoD since I started -- I just mentioned that -- and it's a big organization, right? It's what protects our country. And there's always going to be red tape. There's always going to be a lot of things that you have to get through, but basically, the requirement's been there. So, we're just trying to say to those folks that have been self‑attesting since 2017 to come and show us. And oh, wait a minute, this person is going to help you. So, I understand because I come kind of from that arena of things that can happen, bumps in the road. Other people don't because they don't understand the ins and outs and everything that these folks that work for our government, our government workers have to go through to get things done. So, that's how I quell my folks that are in line going, come on, when with can we get assessed? And they are there.

>> MICHAEL BAKER: I have a two‑fold answer to that question. One is, remember what we're doing. We're protecting, at least at level 2, controlled unclassified information, right? I'll put FCI to the side for now and the 17 requirements. I think the first thing you have to do is gain an understanding of what that data is, what it looks like, what it feels like, and where is it flowing in your environment from DoD and into your subcontractors, and that is an essential component. And people who have been in this ecosystem for a while, I can hear you from here saying, they don't always mark CUI, or it's not marked consistently, or so on and so forth. But, in the end, if you look at yourself in the mirror, there's a DoD CUI registry, we know what it looks like, we know what it feels like. You have to start with that, and you have to focus on the data. Once you focus on the data, then you can determine where you have to implement these requirements or these controls. And you can take an enclave approach or you can do a whole of enterprise approach, whatever makes the most sense for the investment that you have. So, I think focusing on CUI is number one. If you don't know it, talk to DoD, talk to your contracting officer, have those conversations and say, maybe this is marked, but it feels like it, right, because it's all our responsibility to protect this data whether it's marked or not. At least that's my perspective, right? That's number one.

And number two is just start, right? There's a lot of academic discussions about this control or that control or the nuance of FIPS encryption or the nuance of multi‑factor authentication. You have, again, a treasure map from the DoD assessment methodology that says, these are the most important requirements to put in place, the ones that are measured five. Just start, right? Just start with one, then get to two, then get to three. Start practicing the conversations with the Board level or the CEO saying, we have to do this. Let's do the hardest ones first that are most expensive. And I think once you start to do that, you're going to find yourself on a path to doing the right thing, which is getting where you need to be.

>> KELLY FLETCHER: Yeah, I would agree with that. And I do. I take your point, though. Like I can -- what I wanted to do in response to this was give you a long and very bureaucratic description of what happened inside the Pentagon, which is not interesting. It's not interesting or useful. I think you all really hit the nail on the head, which is we've got to do this.

So, and I'll just say a couple of things on the we've got to do this front. One is, it's probably in your contract already, and what we want to do is even the playing field. So, there are some vendors that are compliant with what is in their contract right now and they're competing against folks who are not taking cybersecurity seriously, and that's not fair. We're going to stop doing that. The other thing I would say about this is we need to do it for the country, right? This is important information. The defense industrial base has a lot of our national assets, and we know that they are under attack by our adversaries. We know that.

The third thing I would say is if I were a vendor, I'd think about like my personal home security. I don't know anything about home security, but I have the basics, right? I figured out what the basics are. My windows lock. My door locks. When I'm gone for a couple weeks, I tell my neighbor, you know, maybe turn a light on and off. I do some basic things, and I do that so that if somebody is going to rob a house on my street, they don't choose my house because my windows are closed, and they're locked.

So, I would say like as we look at the threat landscape and we look at what's happening in the cyber domain, even just with cybercriminals, you might want to get up to this basic standard, and that's really what we're recommending.

>> LAUREN C. WILLIAMS: We talked a little bit ‑‑ oh ‑‑

>> MATTHEW TRAVIS: I was going to -- I think Kelly was spot on with what she's saying. The way I look at it is if you take like a physical analog, that if DoD has a contract with a commercial warehouse to store Army Jeeps, and the warehouse leaves the gates open and doesn't lock the door, and people steal the Jeeps, DoD would not do business with them. Same thing with data. DoD is giving its data to commercial partners. And if the commercial partners are not going to lock the door and protect it, why would the Pentagon want to do business with these companies?

It really is, if we were going to -- and I have been in the DIB in my career, and I think anyone who works in the field takes pride in supporting the war fighters and supporting the Department in its mission. You're contributing to the nation's security. But if you're going to talk the talk, you've got to walk the walk, and CMMC is walking the walk.

>> LAUREN C. WILLIAMS: Yeah. We had an audience question regarding third parties that don't have direct contracts with DoD but work with entities that do have contracts with DoD. How would that -- how would they be covered under CMMC, or maybe not at all?

>> KELLY FLETCHER: So, I would say that they're subs, and they would be covered by CMMC.

>> LAUREN C. WILLIAMS: Is there a ‑‑ I remember Ellen Lord was the former Undersecretary of Defense for Acquisition and Sustainment. She had previously said or floated the idea of some sort of CMMC IT help desk for -- that prime contractors would set up to help their subs. Is that something that DoD is still interested in? And then, Michael, I want to get your thoughts on what the prime should be doing.

>> KELLY FLETCHER: So, I think, I am really interested in this being like a group and community effort. And I think DoD is responsible for promulgating standards, right, getting this rule through, hearing the public comment. But I'll be honest with you. I am hoping that bigs, the big vendors that we have, that they are helping their subs be successful.

I am hopeful that big cybersecurity providers or infrastructure providers for IT, I hope that they're seeing this as an opportunity. And they're going to provide cybersecurity as a service or even like, IT ecosystems as a service. So, I love the idea of the IT help desk. Do I think DoD will run it? No. But I do think if I was a big vendor and I had hundreds of subs, I would right now be figuring out how am I going to cost effectively get them to be CMMC compliant.

>> MICHAEL BAKER: It's a business resiliency problem as much as it is a cyber problem when you're talking about the bigs, right? If you are knowledgeable of where your subcontractor base is in terms of ability to comply, mapped against the realities of having to do business with that subcontractor, and you're a large defense contractor, you better have some sort of virtual or remote environment ready to go as a business resiliency issue as much as a cybersecurity issue as well. So, those are where those two priorities seamlessly come together.

>> KELLY FLETCHER: Right. And I would say like from a -- if I were a big, I'm worried about my sub bringing shame to me, frankly. Like, I'm worried the data I've given them will go missing. So, I think this is -- it's a benefit not just for doing business with us, but generally.

>> LAUREN C. WILLIAMS: We have another audience question. Great. Many small companies will need help to meet CMMC level 2. Will DoD continue to fund common defensive services such as protective DNS to boost the common posture across the defense industry base?

>> KELLY FLETCHER: So, right now, that is the service that's provided. And we are really excited about provisioning these services for the small and mediums.

I don't want to speak too far into the future. I'm not going to say I guarantee in 2030, this will be available to you. But right now, it is available, and we really, really do want companies to take advantage of this.

>> LAUREN C. WILLIAMS: Are there other cybersecurity services that DoD provides for companies?

>> KELLY FLETCHER: So, we provide a couple of services, but the main way that we engage with companies is through information sharing, so there's a lot of venues to do that. One is the NSA Cybersecurity Collaboration Center. This is a great place for mostly larger vendors who are seeing things in the ecosystem and it's truly for collaboration.

We also have DC3. And I just want to encourage folks if you're a DoD vendor or part of the DIB and you're seeing something weird, I really encourage you to call DC3. For you, I think it might be very overwhelming. I think that would make sense. For DC3, it's Tuesday, right? This is what they do all day long. So, that is a requirement of being a vendor, and I just really encourage you. You know, they aren't going to get mad at you for calling them if it turns out it's nothing. But the answer is to take advantage of the service. Awesome. to call DC3.

For you, I think it might be very overwhelming and I think that would make sense. For DC3 it's Tuesday, right? This is what they do all day long.

So, that is a requirement of being a vendor and I just really encourage you they aren't going to get mad at them for calling if it turns out it's nothing but it is good to take advantage of the service.

>> LAUREN C. WILLIAMS: Awesome. So, we have just a few minutes left, and I want to kind of start a conversation that is a little bit bigger than CMMC. You know, like this is a bit niche, even though it's going to affect hundreds of thousands of companies. But with cybersecurity becoming an increasingly important topic, is there room for it to grow beyond DoD to other federal civilian contracts or maybe even to privately held companies or publicly held companies? How do you see a standard like this being applied more broadly in some way, shape, or form? And that's a jump ball for anyone.

>> KELLY FLETCHER: So, I love this question, and this is something that I was actually wondering if someone would bring up. Right now, I will tell you that we are -- this is like a cattle herd, right? There are 200,000-300,000 DIB companies that we are trying to get over the line. And this audience is the most mature from a cybersecurity perspective that I have ever spoken to about this. So, there's a lot of work to be done just from a DoD perspective.

But the one thing I will say is you reference sort of the times we're in right now and this is for DoD overall we really feel like right now we're at an inflection point where things that we used to say, like, well, it's not our priority to fix this technical debt. Right now, it is a priority for us, and that's across the board, not just for the DIB, but also for our own systems. I think that I'm seeing this throughout the federal government to some degree, but absolutely within DoD. I think the next year or two, we're going to see a big shift in how we apply resources and what we prioritize.

>> MATTHEW TRAVIS: I'll jump in there. Again, this is a self-serving perspective from where I sit. But I think we have certainly been engaged by representatives of other departments, other sectors of infrastructure, and other nations who see the value of a third-party certification informants regime, which is -- as we talked about -- it's different than self-assessment, when you have a third-party certification, it lowers risk and it gives you more Fidelity into who you're doing business with and what's in your supply chain. I think that, as Dr. Fletcher alluded, we're working feverishly to make this a success for DoD. I don't know that you need to start doing additional franchising until you get the first burger joint to operate, but I think it would be, you know, crazy talk to think that different departments are going to need -- are going to be posing different standards across the entire federal acquisition landscape. There needs to be a unifying standard for federal acquisition. You have these companies who support not only DoD, but they're supporting DoE and DHS and others. So, I think, ultimately, this is a journey, and I think there will be a confluence of smart folks who realize that the federal acquisition community needs you, if I understand. I think CMMC is it as NIST 800-171 continues to evolve, and that's what I hope to see, as well as any time we're spreading cyber security hygiene, it's good for the nation.

>> MICHAEL BAKER: And from a commercial company perspective, any framework is good, right? NIST 800-171 is a framework just like ISO 27000-1 and so on and so forth. And demonstrating that compliance, or at least that adherence to it from an independent fashion, for me, is always a good thing, because if you look at the last year and a half, it's over, right? Our worst fears have come true as it relates to the cybersecurity threats in areas that we're facing across supply chain, across zero-day exploits, across a whole slew of things, right? So, if you're sitting as a company right now and you're looking for where you want to get started, pick 800-171, pick ISO, pick something, depending on where you sit within the industry. But like I said, just get started because it is happening now, right? Our worst fears as it relates to cyberthreats are coming true and they're coming true at this very moment.

>> STACY HIGH‑BRINKLEY: Yeah. We actually do have companies that are signed up, lined up, ready to go, and have -- didn't even know what CUI was, but they actually wanted to get the certification in case, down the road, they were going to have contracts, they wanted to be ready, and those are some of my favorite ones.

>> LAUREN C. WILLIAMS: Always be prepared. Always be prepared.

I do want to do a lightning round. I like dates. I like deadlines. So, what are your priorities, each of you, for this year, leading up to CMMC hitting contracts in 2023? What can we expect to see, like concrete benchmarks?

>> MATTHEW TRAVIS: I'll start. First and foremost, we need to make sure that the ecosystem is one that has built-in trust and confidence, that there's no subjectivity, and that for DIB companies, they're having to spend considerable resources to prepare, as then well as to get certified. But the assessment they're going to get from companies like Stacy, is it partial if I was in international standards, it's accurate and it's transparent, and so that is our role to make sure that trust and confidence is in the ecosystem and that is our focus.

>> LAUREN C. WILLIAMS: Stacy, what do you plan to see because you're a C3PAO, so what are you looking at?

>> STACY HIGH‑BRINKLEY: So, we've been building our cyber compliance as a service program. We've been doing that for years anyway. And we're actually building out the team and the partners within the marketplace, within the community to make sure we're there when the folks, when it starts busting at the seams a little bit, so we're just prepping all our folks. Like I mentioned before, we have an intern program. We're getting folks in so we can start taking those kiddos right out of high school or college and getting those certifications. Like Matt said, it's a good role for them.

>> LAUREN C. WILLIAMS: Kelly, what can we expect from DoD on that front?

>> KELLY FLETCHER: March 2023, OMB is going to release this rule for public comment, and that is where we're going to really ask folks to look at the rule and see, does this make sense?

>> LAUREN C. WILLIAMS: Any chance of delay on that?

>> KELLY FLETCHER: I mean, I will tell you, we are absolutely targeting March 2023. There are a lot of moving parts in there. The rule does go to OMB. It's going to move around the federal government. It's going around the Pentagon in a sort of boring and bureaucratic way. But absolutely, we are on track right now for 2023 in March.

>> LAUREN C. WILLIAMS: Okay.

>> MICHAEL BAKER: Two weeks into my new role.

(laughter)

But no. I mean, it's really more of the same for me, right? It is do the right thing, number one, and DXE stands for delivering excellence to our customers, right? And what that means is meeting their expectations. So, I'm going to focus on the next year, making sure we're doing just that, as I know we are, but just verifying that, and leading from the front.

>> LAUREN C. WILLIAMS: Awesome. Well, Matt, Stacy, Kelly, Michael, you guys have been fantastic. And this has been a great panel. You guys had great questions. Thank you for that. And I think we can wrap up. Just 30 seconds early.

(laughter)

(applause)

>> MICHAEL BAKER: Thank you.


Participants
Lauren C. Williams

Moderator

Senior Editor, FCW and Defense Systems (publications of Government Executive Media Group)

Michael Baker

Panelist

Vice President & IT Chief Information Security Officer, DXC Technology

Dr. Kelly Fletcher

Panelist

Principal Deputy Chief Information Officer, Department of Defense

Stacy High-Brinkley

Panelist

Vice President of Cyber Compliance, Cask Government

Matthew Travis

Panelist

CEO, CMMC Accreditation Body, Inc.

Policy & Government Protecting Data & the Supply Chain Ecosystem

zero trust operational technology (OT Security)


Topic

Subtopic


Share With Your Community