Podcast Bonus Episode to Review CMMC v1.0
Eric Crusius and Ed Bassett join us to review the latest version of the CMMC.
Transcript
Erin Keating: Welcome to NeoCast. Join our experts each week as we discuss strategies and solutions for your businesses in managed IT, cyber security, government contracting, and much, much more. Sharing is caring, and we’ve got top-shelf advice to help you navigate today’s biggest challenges. Let’s get to it. Today on NeoCast we are featuring a bonus episode for season one, a conversation with Eric Crusius and Ed Bassett about the current version of the CMMC certification, 1.0. Join us now.
Erin Keating: We are here with Ed Bassett of NeoSystems and Eric Crusius of Holland and Knight. Thank you both for joining us again to have a conversation about broad topics on the CMMC certification program and how we can help our contractors get a little bit up to date on where we are with the certification, as well as how they can start to adjust to the timeline that’s to come for when the certification goes into play.
Erin Keating: Let’s talk a little bit about what the landscape looks like for the CMMC certification. Tell me a little bit about when it comes to version one, which will be put out in January, which we know is just an evolution of the rest of what’s been going on. When do we expect the government is going to say to all contractors they must be ready?
Eric Crusius: The expectation as of now, and it’s a very aggressive schedule, is that RFPs will have this requirement in them starting September 2020. In advance of that, there is a decision process where DOD is ramping up, with building blocks on top of each other: 0.4, 0.6, and 1.0, which is coming out in January.
Eric Crusius: Really, the thing is that contractors need to start preparing now. When that auditor comes in the door, you should already know whether you’re going to pass your audit, because you should know if you’re 800-171 compliant and if you have any kind of faults in your systems, and be starting to address them. Because nobody really knows: if an order comes in and there’s an issue with the audit, when do they come back? Do you miss the train until the next go-round? You go to the back of the waiting list for these auditors, because they have to certify 300,000 prime and subcontractors for DOD. Invariably, even if they are very successful, there are going to be some left behind. Are you going to be one of those companies left behind if you don’t have a perfect audit on the first go-round?
Erin Keating: You mentioned the 300,000. We believe, in 2020, about 300,000 contractors, specifically with the DOD, you’re saying, will be coming on board to get certified. How long do you think that timeline will take, and how are our civilian contractors supposed to think about that?
Ed Bassett: So the government has said that they’re going to phase this in as contracts renew, right? People who are on existing contracts, they’re saying that they’re not going to modify those contracts. They’re going to let them go to their natural renewal or expiration date. And then when the contract comes up for recompete, or renewal, or extension, as the case may be, they’ll add the requirement at that time.
Ed Bassett: Contractors who have some long-term contracts they’re working on may have some leeway before they have to have the certification for their existing contracts. Then the question is, what about new contracts they want to bid on to grow their business? What about new things that are coming out? They see an RFP, they want to be ready for that. So I think the plan is that new bids, new contracts, starting soon, I guess, in that same September timeframe, are intended to have that requirement for CMMC already in there. I think people who are in a growth mode, who are looking at bidding multiple contracts on their radar in the 2020, 2021 timeframe, are going to want to have that certification in place early.
Ed Bassett: The question is, how do they get to the front of the line? How do they become ready for some of the early audits? If they have a major contract renewal coming up, then obviously that’s going to give them some status there. Simply wanting to bid something new, we don’t know yet how they’re going to prioritize that in terms of getting access to an auditor. The market’s limited. We’ve got 300,000, nominally 300,000 people who need to get audited. Right now there are zero auditors certified, so there’s going to be a very big rush to get auditors on board, in the program, ready to perform these audits. I think there’s going to be a scarcity of those.
Eric Crusius: And to Ed’s point, according to DOD’s schedule and what they’re telling us now, if you’re not certified in September of 2020, you’re not going to be able to bid on new contracts. So, if you’re in a growth mode or you have a renewal coming up and you’re not certified, according to DOD, as of now, you’re going to be out of luck. That’s why it’s so important to address these issues right now, to start thinking about it right now if you haven’t already started thinking about it. Because otherwise, it could be somewhat catastrophic for the business. It could be essentially a de facto debarment, where you can’t do business with DOD. It’ll be really interesting to see how different companies are prioritized. Can you pay extra to be audited first? Maybe that’ll be a thing that happens.
Erin Keating: What’s the time period between when the final certification is out and when you need to be certified by? Basically, what’s the period of time auditors have to work with to certify?
Eric Crusius: Not much. I mean from what I’ve heard from DOD is that they’re going to have auditors up and running in the spring of 2020. And then, less than six months later, you’ll have to be certified to do business with DOD. Like Ed said, there are zero auditors right now.
Ed Bassett: We should have the final guidelines in terms of what the requirements are going to be by January, in version 1.0 that’s coming out. We won’t yet have a lot of indication of exactly what the audit process is going to be until they start certifying auditors and training auditors and publish those guidelines. Neither the auditors nor the people who are subject to the audits are going to know exactly how they’re going to go down. That makes it a little challenging to get ready and prepare for that.
Ed Bassett: I think the best readiness suggestion I would make is, if you’re trying to get to CMMC level three, that’s nominally equivalent to NIST 800-171, which all these contractors, for the most part, are subject to today under the DFARS clause. In theory, they’re already compliant. Now, the reality is the government knows, we all know, that they’re not, and that’s why CMMC has come into being, because the overall compliance rate with the self-attestation that’s happening today is fairly low.
Ed Bassett: If you’re one of those contractors who feels that you are ready, or intending to be ready, and you want to be at the front of the audit train, if you will, then focusing on NIST 800-171 compliance right now should get you at least to a successful level three audit. If you feel that, based on your business and the types of contracts you bid, you may go after lower levels, that should be an even easier bar. Levels four and five, if you’re one of the few contractors that needs to be at those higher levels, are much less defined.
Ed Bassett: We have a hint of what the criteria might be. It’s been published in a draft, NIST 800-171B. But it’s far from clear how those are going to shake out into the specific guidelines that are going to come out in January. That’s going to be a little harder to prepare for. But January is not very far away. Once we have those, I think those preparations could be underway as well.
Eric Crusius: I think those are really good points, and that reminds me of something. It’s really interesting: there are some contractors who say, “I just clean X for the DOD, so I don’t need to worry about this.” DOD is being very clear. No matter what you do for DOD, you have to be certified. You don’t have to have data, you don’t have to store data of any kind. You have to be certified. If you’re cleaning the barracks at a DOD facility, you have to at least have a level one certification.
Erin Keating: That’s where we get to the 300,000.
Eric Crusius: That’s right.
Erin Keating: My goodness.
Ed Bassett: And, that level one certification is nominally a fairly simple bar. But as you point out, Eric, some of these contractors have not previously felt any security compliance burden. Maybe they don’t feel like they have any sensitive data or anything to worry about, so the state of their cybersecurity program may be essentially nil at this point. So, it’s starting from scratch.
Eric Crusius: Exactly.
Erin Keating: That sounds like a huge burden for a lot of different companies. I would imagine those will also be the companies that’ll be deprioritized in the running. If you’re looking at the way that they’ll be certifying them, a company that perhaps is cleaning the barracks might be deprioritized as far as getting certified, but would that have an adverse impact on them getting business?
Eric Crusius: Possibly. If they’re a cleaning company and they bid on contracts nationwide for cleaning services on bases, those are contracts that do actually happen. I mean, what’s going to happen is DOD is going to see their supply chain, or their pool of contractors that they can pull from, really be marginalized, a lot smaller than they’re expecting. Prices will go higher. Competition will be less fierce. Now, I’m not saying that everything that they’re doing is not required. I think [inaudible 00:08:50] recognizes, as does everybody, that we have a cybersecurity problem and this is a great way to solve it. It’s the timeline, I think, that is concerning. If there is a concern, that’s what’s concerning people.
Erin Keating: You mentioned that we’re talking a lot about DOD, so therefore you’re thinking about 300,000 contractors that are specifically dealing with DOD contracts. What about civilian contractors? What do you think their timeline looks like?
Ed Bassett: Longer. I think there’s been talk of a new FAR clause. Eric, you may be able to shed more light on that than I can, about a new FAR clause that is going to take some of the standards established in the DOD and bring those government-wide. That rulemaking has been in discussion for a couple of years now. We kept thinking it was going to come out. Now, it appears it’s probably going to be on hold until CMMC is implemented and rolled out by the DOD, with the civil agencies following along, very likely adopting the same security criteria and applying it in a way that’s applicable for them. I think that’s going to happen after CMMC. I doubt we’re going to see any motion from the current standards in the civil agencies prior.
Ed Bassett: Keep in mind, out of that 300,000 DOD contractors, a large number of them are companies that bid on civil agency contracts as well as DOD contracts. Certainly, there are some companies that are only dealing with civil agencies that don’t do any defense work, and those companies I think are largely sitting on the sidelines watching this unfold, but with the expectation that the government is likely to set expectations for all their contractors around cybersecurity. It’s a risk that is not specific to defense.
Eric Crusius: To Ed’s point, the civil agencies have been further behind DOD as far as cybersecurity requirements. There’s that FAR clause, which most contractors should be compliant with in their sleep, because it’s all very basic and it gives contractors an extreme amount of flexibility about what security controls they’ll have in place to comply with it. There has been a FAR case in the works for some time now on beefing up the civilian side of cybersecurity, but it does sound like the civilian agencies are going to wait to see how CMMC pans out.
Eric Crusius: If it is successful, it would not be surprising at all to see the civilian agencies jump in on this next year, or in 2021, to enable them to catch up, because all it will take for civilian agencies is some kind of breach. Congress will start questioning them: why aren’t you doing CMMC, and why don’t you have these controls in place? I expect the civilian agencies will come in. Hopefully there’s a sufficient ramp-up of auditors that they could also support the civilian agencies when they want to. Of course, that remains to be seen. We don’t even know if it’s going to work on the DOD side yet.
Erin Keating: Both of you come at this work from very different perspectives, but a lot of our listeners are thinking about what the timeline looks like and what they need to do between now and certification. What kind of advice do you have for contractors, and what can they do now? What types of things can they do in the short term? What types of things do they need to be thinking about in the long term? Ed, I’ll turn to you briefly, first, to tell us a little bit about what you think about the timeline for contractors.
Ed Bassett: I mean, as we’ve been out talking to contractors that are looking at CMMC and trying to think about what it means to them, the number one thing we’re seeing is that there are companies who have been under the DFARS clause for some time. They’ve done some basic work around security controls, but it’s not very well organized. It’s not very well documented. They’re pretty convinced that they’re not going to be able to pass an audit with that. So while they may be comfortable self-attesting that they could hit all the points, they think that they may not have the evidence or the consistency that they need to pass an audit. So they’re looking for folks they can partner with who are going to bring the level of rigor they feel is needed for an audit.
Ed Bassett: I would say number one is, in house or with a security services firm, find someone who’s going to be in charge of that, who’s going to be your security officer, be it, like I say, an employee or a service contractor, who’ll take responsibility for maintaining all the evidence that’s needed, designing that evidence specifically to be looked at by a third-party auditor. It’s just a different mindset versus, are we okay? Can you convince your boss that you’re okay, versus can you convince some external third party that you’re doing this the same way every time? Having that evidence lined out on a per-control basis, so you have a really good understanding of exactly what the story is on each control.
Ed Bassett: The other thing we’ve seen is that often the story is somewhat incomplete. Some parts of the NIST 800-171 control families are very easy to meet with a technical control. We bought a product, we have a firewall, we have this Active Directory, we have certain technology that in and of itself will meet that control. And then other things are a little softer. It’s a little harder to tell if you really met it. Maybe the story is not quite together.
Ed Bassett: My advice at this point would be going through every single one of those controls. You could look at NIST 800-171, the 110 controls. You could look at version 0.6. It is a draft, but it’s unlikely that it’s going to change dramatically in the sense of the technical and administrative content of what those controls have to be. Go through each one of those and make sure that there’s a strong story for those.
Ed Bassett: That includes understanding the requirement. What are the options for meeting that requirement? Understanding what you have in place now and then thinking about what kind of technologies, services, you need to fill in those gaps.
Erin Keating: Eric, what would you have for contractors looking at this from a long-term and short-term perspective?
Eric Crusius: Contractors should look at their contracts. I know it sounds kind of basic, but look at your contracts, see what kind of information you have. Think about what level you’re going to want to aim for. Is it going to be a level one, because you’re just, and not “just,” but doing cleaning services? You don’t have any CUI or CDI or anything that DOD would be worried about. You’re just physically on the base. Think about what contracts you have, when they’re coming up for renewal, as Ed mentioned before, what levels they’ll be, and where you want your business to go in the future. Is your business going to go in a place where you’re going to be housing data for the government? Maybe it’s time to think, maybe I need to be a level four to compete, because the contracting agency, the DOD agency, is going to decide what level each opportunity is going to be.
Eric Crusius: If it’s at a level that you don’t have a certification at, if you’re a level three and DOD thinks it’s a level four, you’re not bidding on it. That would obviously be a problem for your growth strategies. Try to take a jaundiced look at the contracts you have and where you want to take your company, and try to think about what level you think this is going to be. To Ed’s point, is my company ready for that? Do I need to bring in a professional to help me get there? Because the time to discover whether you’re there or not is not when the auditor walks in the door. It’s way before that.
Erin Keating: Speaking to that, is there a way that people can have an early indication as to which contracts will be which level? So you said anyone who’s compliant with 800-171 to this point is up to a level three, and therefore they might be able to intuitively say these general contracts will be a level three or below. Is there an easy way for people to think about level four and level five?
Eric Crusius: I mean, my concern is that contracting officers, even unintentionally, or folks putting out RFPs, will be very conservative about what level they want to use. They’re going to go a level or two higher than they need to go, maybe a level higher than they need to go, in order to make sure that they don’t get called onto the carpet if there’s some kind of cybersecurity breach on the contractor who’s on that contract. The contracting agency says it’s a level two, the contractor performs, there’s a major breach of some kind, bad press, and then all of a sudden folks start looking at it like, well, this should have been a level three or level four. What are you doing at level two here? That’s why you had this breach. All of a sudden, that reflects poorly on the folks who put out the procurement. I’m a little bit concerned that, even unintentionally, they’ll be über-conservative about what level they’re going to put opportunities out at. And contractors who are well qualified, who are at the correct level, won’t have the opportunity to bid on that work.
Ed Bassett: There’s been no specific guidance published that lets people know this. So they could try to talk to their contracting officers. In most cases, I would say the contracting officers are going to say they’re also waiting to see where things go. Definitive answers are going to be very hard to come by. If you are in a position where you feel like you definitely could stay with those lower levels and you could hold back your investment and not worry about level three, I would suggest you should only do that if you really have a feel for not working with any sensitive data. That’s probably a conversation you could have with contracting officers now and say, we think we’re not doing any sensitive work. We’re cleaning barracks, we’re making shoe eyelets. We believe we’re going to be at a level one, maybe a level two. Do you agree with that? Try to get some feel for whether that’s going to keep you competitive in your space.
Ed Bassett: Unless you’re clearly in that category, I think level three is the default. It’s the level that people should be planning for in the near term. If you are part of that smaller subset that knows you’re involved with sensitive data and likely to be held to four or five, you probably already know that based on the nature of the work you do, and it’s probably going to be less of a surprise when that happens. I would say that, so far, I’ve not seen contractors planning for level four and five in terms of making investments. Maybe planning it out, thinking about what the gaps look like and understanding what level of commitment or investment it would take to get them there. For most companies, that’s a move from current status. A lot of companies are at level two, maybe level three, already, but there are a few that are at four or five in their current state. All are going to have some gaps. So, understanding what those are, but maybe holding back the investment until the specifics are out on the table.
Erin Keating: And so, speaking to that, tell me a little bit about how a company like NeoSystems fits in, then. Do you see your role coming in a lot more with contractors these days that are level three and are potentially starting to plan out four and five but may not be making that step yet? Is that something that you could easily step in and help a company bridge the gap to four and five?
Ed Bassett: Definitely. Our security services are all designed around federal government compliance. About 95% of our workload is helping government contractors be compliant with those standards. Whether you need to be level one or up to level five, we’ve designed our security services to map specifically to those requirements. As I mentioned, four and five are still a little bit nebulous in terms of who’s going to need to meet them and what those requirements will be, but our goal is to be able to take people down the path. Successfully passing the audit on the first try is our measure of success.
Erin Keating: Yeah. This brought up another question for me, Eric. A little off the topic of how to be prepared for it, but a little bit more in the lawyer space, if you will. Speaking of contracting officers that are potentially going to be conservative and set contracts at four and five, which would be prohibitive: in one of our previous conversations, you were saying how you were surprised and happy to see that the government had levels one through three being fairly easy to reach, therefore not negating the opportunity for small businesses to compete. But if we see a run of contracting officers who are being conservative and are setting things at four and five that may really not need to be there, do you see there being any recourse or ability for smaller businesses to fight those statuses?
Eric Crusius: Yes. Like with any other provision in an opportunity, there’s an opportunity to protest it before the opportunity is due. For instance, if you’re a contractor and you see that something is a level four and you think it should only be a level two, you could file what’s called a pre-award protest and say the government doesn’t have a basis for making something a level four. It should really be level two. When you file that protest, it’s not up to GAO, or the Court of Federal Claims, or whoever’s looking at it to substitute their own judgment for that of the contracting officer. They look to see whether there was a basis for the government to do what it’s doing. That’s certainly an option that folks have if it goes down that path.
Eric Crusius: I mean, if you think a little bit more nefariously, a contracting officer knows that the contractor I want is level four, even though this is level two work, so I’m going to make this level four and see what happens. Maybe there’ll be a pre-award protest, maybe there won’t be; there’s a lot of deference given to the contracting agency to do that. I don’t think that’ll really happen, hopefully. I really think it’s more of folks just trying to be careful and maybe being overly cautious about what they’re doing.
Eric Crusius: I mean, being level four or five, if you have the resources to do it and the ability and the wherewithal, can be a real competitive advantage now. Even if you’re going to be mostly bidding on level two or three work, the pool of contractors who are going to be eligible to bid on that level four and five work, which is much larger now, will be smaller after the certification happens, because of the difficulty of maintaining that level of certification.
Ed Bassett: Thinking about how small businesses can meet these requirements, one of the things that has been talked about and asked for is some relief for small businesses, that they really maybe should be held to a different standard than larger businesses that have bigger budgets. We’ve seen this in other industries. HITRUST, for example, in the healthcare industry, sets different standards based on the size and scale of the operation. That notion has been rejected by the DOD. They’ve said that they’re not going to do it, that they’re not going to provide exceptions or some kind of lower bar for smaller businesses. That says, okay, we’re going to hold these businesses to the same standard. Can they realistically do it? Can you have a small 8(a) business, for example, realistically meet level three, four, five?
Ed Bassett: As Eric mentioned, levels one and two are pretty straightforward, and most businesses can get there without a big change to how they do business, with a change to how they do their IT. Level three is on the edge. Levels four and five, I would say, require a sense of maturity that most small businesses don’t have any commercial need to get to. Things around configuration management, other things that require IT process discipline, that’s simply not something that’s necessary for businesses at that scale for any reason other than cybersecurity.
Ed Bassett: I think what we’re seeing in the marketplace, what we’re bringing to market, is managed services that make those fairly complex security controls attainable by small and midsize businesses. The reason that works is that they don’t necessarily need to make a big technology investment. They don’t need to make a skills investment, hiring highly specialized skills. They can buy those things as a service, only paying for what they need. The combination of the managed services model and the cloud computing model lets us take those services and scale them down so that they fit small businesses appropriately. We think it’s very achievable to meet these standards even for fairly small businesses.
Erin Keating: Right. I would argue that that’s exactly how a company like NeoSystems can help small and medium businesses, as you’re saying, by offering those services between managed security services, managed IT services, cloud computing. All of these things help small and medium-sized businesses compete for the-
Ed Bassett: That’s right. Large businesses tend to have a fairly well-established security program. They have a dedicated staff. Most of the clients that we work with have zero staff fully dedicated to security. In some cases, they have no staff dedicated to IT on a full-time basis. They need partners who can bring those services and bring the expertise, the technology, the process maturity to them in a way that they can consume it and keep it affordable for a small business.
Erin Keating: Have you seen, again, going a little bit on a tangent, but just to flesh this out a little bit, have you seen what some of the barriers are for small to medium-sized businesses to renting that capacity? Is there a reason why a small or medium business in the past may not have pursued services like the ones that NeoSystems provides? And how do you feel about how this certification may change that desire?
Ed Bassett: I think the number one barrier is process discipline. Small businesses tend to make decisions on the fly. They don’t need a lot of process maturity or repeatability, just because their businesses operate on a small scale. It’s okay to do things perhaps differently every time they do it. They don’t generate a lot of documentation, because there’s not a need to pass that knowledge around amongst a big staff. It’s a small, compact staff that can work very efficiently by word of mouth, tribal knowledge, those sorts of things, very effective for small businesses. Those things don’t tend to meet security requirements. They don’t generate the proper evidence that you need to show an auditor that you’re doing it, the security control, on a consistent basis. So yeah, process discipline is probably the number one barrier. Beyond that are the more commonly thought-of things, like the technology is expensive, the skills are hard to come by, and it’s hard to retain people with appropriate expertise to run those tools. There are some technical challenges there. But number one is just how disciplined you are around IT operations, those kinds of things.
Erin Keating: Given that the certification is now coming and signaling a pretty significant charge for the government to crack down a lot more on how contractors are complying, would you see that desire superseding, I guess, the lack of discipline or process that a small business might have now, in order to be able to do business, period, given what the future might hold for cybersecurity risks? Do you see that more small and medium-sized businesses really do need to consider either partnering with a company like NeoSystems or starting to investigate bringing resources in house to be able to comply with these types of things?
Ed Bassett: They need to do one or the other. The controls are very specific. You have to do things the way dictated by the control. There’s not a lot of latitude to do it a different way and still pass the audit. The auditors are going to be looking for a very specific outcome. The government has put out the notion that these audits are going to be very streamlined, with some automated support, fairly low cost. They put some numbers out, around $3,500, I think, as an estimate of what the average audit is going to cost. To keep things in that cost range and make it scalable across 300,000 contractors, these are going to be a fairly standardized thing. To try to pass that audit by doing things a different way than specified by the controls, I think, is going to be challenging. It’s going to be challenging to protest it or ask for exceptions. It’s going to be harder than just meeting the requirement.
Erin Keating: Well, that wraps up our bonus episode for season one, featuring a comprehensive look at the CMMC certification, version 1.0. We look forward to having you join us for season two. Until then, take care.