Podcast Episode 2 – Current Certification Requirements
In this episode, join Eric Crusius and Erin Keating as they discuss the current environment for certification in the cybersecurity space and where the CMMC is going in the future.
Erin Keating: Hello and welcome to another episode of GovCon Rules season one. We’re talking about the new ruling, third-party cybersecurity certification now required for contractors to do business with the federal government. Last week we talked about the current cybersecurity requirements for contractors. And this week we bring back our expert Eric Crusius with Holland & Knight and we’re talking about where the certification requirements are now and what to expect in the near future. Let’s go ahead and get this started.
Erin Keating: So first and foremost, I would love to ask you, Eric, the Cybersecurity Maturity Model Certification, CMMC, is this a common acronym that people will have heard by this point? Is this something that bears repeating right now? And going into a little bit about where that nomenclature came from and what it stands for.
Eric Crusius: I think generally at this point, anybody who’s kind of involved in this industry should know what CMMC stands for.
Erin Keating: Great.
Eric Crusius: So I don’t think it’ll be a mystery to folks who are tuning in. And if it is, we can help them along.
Erin Keating: Okay, great. Yes, I was a little thrown off by the word maturity. I was curious as to why they chose that word.
Eric Crusius: Maybe they feel like a lot of us are not mature enough to do business with the government. But it talks about how robust your cybersecurity system is. That’s the word. They use the word maturity in place of that.
Erin Keating: Ah. Okay. You learn something new in the industry. Great. Thank you for clarifying that for me then. And maybe for some of our listeners who don’t know that. So can you explain what the current certification requirements are?
Eric Crusius: Sure, yeah. So there are actually no certification requirements as we speak today prior to 2020. What they’re doing now, though, is they’re standing up these new certification requirements. So this will be something that’s completely different and something that DOD contractors will have to do for the first time.
Erin Keating: Gotcha. So now I see that they’re on version or revision 0.4. I’m assuming that means that there have been plenty of others. Just out of curiosity, who is it that’s invited to provide their feedback on these?
Eric Crusius: They’ll take feedback from anybody.
Erin Keating: Okay. So all of our listeners have time right now to go and look this up.
Eric Crusius: So revision 0.4 was released in early September. 0.6 is or was coming out in November 2019. And then they’ll go with revision 1.0 early next year.
Erin Keating: Okay.
Eric Crusius: Or version.
Erin Keating: And so, is there a final one that they’re going to get to or is this an iterative process? Should people be expecting to see 1.2, 1.6, or so on and so forth? Is it sort of something that happens over time?
Eric Crusius: So the answer’s yes. So to both. So 1.0 will be essentially the initial final. That’s the plan as of now. And that’ll be released in January 2020. And included in RFIs mid-year next year, and then RFPs in the fall. That being said, I’m sure there will be revisions beyond 1.0 that will be then incorporated in requests for information and requests for proposals down the road.
Erin Keating: And by them being included in RFIs and RFPs by that point, it’s meaning that it’s pointing to a requirement now that you really have to meet in order to do business with the government.
Eric Crusius: Exactly.
Erin Keating: Gotcha. So we just laid out the timeline for the new certification. So it sounds like it will start appearing in RFIs, as you said, in January, RFPs in June of next year. What does that mean for all of their listeners who now need to become compliant with this certification?
Eric Crusius: So for the RFP requirement in fall 2020, that means by that time, a contractor will have to be cybersecurity certified essentially by that time in order to submit a proposal to do business with the federal government. The RFI is not really … It’s probably to respond to RFIs in June 2020. And there are different types of RFIs. There are sometimes an RFI is out there where the government puts out and they just want to fish for information, like how many contractors can do X? Occasionally, you see an RFI that’s slightly mislabeled where it’s kind of a narrowing down process where they say, “If you want to submit this RFP, you have to respond to this RFI.” So I don’t know this yet or not, but whether that June 2020 RFI deadline will be essentially a deadline that requires a winnowing process for certain contracts. So you may have to be certified by June then. Although I would say really the deadline is in fall of next year.
Erin Keating: Right, okay. Because if the 1.0 version is set to be released, you think, around January of next year, it’s from that point forward then that people have to begin to meet those requirements.
Eric Crusius: Right.
Erin Keating: Albeit, they’ve seen revisions so they can at least expect what’s coming.
Eric Crusius: Yeah. So I’m sure there’ll be plenty of certification companies lining up to certify contractors starting in January 2020. That being said, it’s never too early to start looking internally and seeing what you can do to become more compliant. So that way when the certification opportunity comes around in January of 2020, contractors are ready to go and have all their ducks in a line.
Erin Keating: Right. It seems right around the corner if you ask me.
Eric Crusius: That’s because it is.
Erin Keating: So Eric, I noticed that this is open for public comment right now. We’re at version 0.4 and you just mentioned that 0.6 will be coming out presumably in November. Are there time periods that people need to keep to and adhere to in this response and feedback period?
Eric Crusius: Yes, there is a deadline for comment on 0.4 for September 25th of 2019. So to the extent you’re listening to this before September 25th, 2019, you have an opportunity to comment on 0.4. And they have a specific chart they want you to populate on their website in order to do that. I would say this though, if you’re listening to this after September 25th, 2019, there’ll be an ongoing probably ability to comment on the different versions as they come out. So I’d certainly take that opportunity if you have it.
Erin Keating: Good. So what do you think the new certification requirements will be and include?
Eric Crusius: That’s a really interesting question. They’ve released a, essentially, a 58 page spreadsheet, which kind of goes through all the requirements. And the requirements are divided up into different levels. So different levels will be required depending on the kind of contract that a contractor wants. So level five is the most robust cybersecurity prevention hacking prevention system. And level one is the least robust. And the government makes a point to say in their requests for feedback and a PowerPoint that they released with all this information that they really aim for a level one to be easy to obtain for small businesses. They call it kind of basic cybersecurity with limited resilience and limited resistance against data leaking out. And the government says for level one practices are performed at least in an ad hoc manner. A manner, it probably should say. So I do think that your … What the requirements are are going to vary drastically depending on what level that you’re in. So it goes one through five, like I said, five being the most stringent, one being the most loose. But a contractor who can probably fairly easily get certified in level one, but based on the spreadsheet that they released.
Erin Keating: Now for future contracts, do you think that there will be or do you know that there is then some contracts that will exclude anyone that’s say level one or two? Like you’d have to be a certain level in order to be eligible to bid on certain contracts.
Eric Crusius: I think that’s definitely the case. So what DOD will probably do is they’ll look at the kind of data that a contractor is going to have and decide what level is necessary to protect that data. If it’s something that’s … If the data the contractor is going to work with is generally publicly available for the most part, then you could see a level one only being required. Or if they’re building something that is commercial in nature. So if a contractor is going to build a bridge but it’s the same bridge they build for a municipality or a private entity, then that might be level one. If the bridge has some certain kind of included technology that will stop any non-DOD vehicle from going over, right? And it’s this proprietary and highly sensitive, maybe that’s level five. And then everything in between there. So I think there’ll certainly be a bunch of contracts that are not obtainable if you don’t have those higher level clearances. That being said, there may be some contractors who know they’ll never need a level five unless they change their business model. So they’ll just go for level three right now.
Erin Keating: Right, okay. So last week we talked a little bit about the nature of being a subcontractor under a main contractor to the government and how everyone, all the down the chain, needs to make sure that they’re keeping compliant. Do you foresee in the future where a subcontractor might be able to have a level one even if the general contract requires a level five or something like that?
Eric Crusius: That’s a really good question. I guess I could see that happening. I think it will depend on how the RFP is written. And if the government is good at segregating the work itself and saying, “All right, here’s work that is level five, here’s work that’s level three, and here’s work that’s level two or one.” If the work is segregable enough, I could see that happening. And certainly that’s a good idea because it will open the contract process to more companies.
Erin Keating: That’s what I was thinking, take care of the little guys.
Eric Crusius: Well certainly, I mean, that’s a risk of this whole thing is that you’re going to exclude a lot of small businesses who currently do business with the government now. And once that happens, first of all, the government loses a lot of innovation because a lot of the innovation does come from small businesses. Not saying that it doesn’t come from larges too because it does, but these small businesses are really incubators for new technologies that might spread across the government. And if you’re cutting all of them out, that’s opposite of what the government’s trying to do otherwise. They had the whole Section 809 Panel which was a way to kind of, “How do we open up the government to kind of Silicon Valley for instance, but just technology companies as a whole?” And if you’re going to require companies, small businesses to be level five to do business at all with the federal government, then that’s going to be a mistake.
Erin Keating: Right, right. So the DOD released more information about the new certification requirement on just this past Friday. What was in there that you found interesting or surprising?
Eric Crusius: I was surprised that they noted that certain like level one would be achievable for small companies. I’ve been concerned, let me step back for a second. This is a necessary thing that the government is doing. We need to protect our assets. If we don’t, why protect anything at all? I mean, just, let’s give everything over to our geopolitical foes and just let them have it. So this is obviously a necessary step in order for us to be protected. But I was heartened to see that the government or DOD understands that small companies could be excluded from this process. And they carve out this level one, I think, specifically for small companies and note that it is achievable for small companies. And when you look at what is required under level one, which we could talk about a little bit more, it should mostly be achievable for small companies who want to do business with the government. Obviously, there’ll be some that fall off. It’s just inevitable in something like this. But I would hope that if companies want to do business with the government for minimal investment, they can be level one certified. So I think that was the biggest surprise I saw is the government’s acknowledgement that the small businesses matter and they should be part of this process.
Erin Keating: That’s good. As a layman looking at this, I certainly was a little overwhelmed by the domains and the capabilities and the processes and so on and so forth. So it seems like quite a lot of different areas. And as you said, that there’s an enormous spreadsheet that sort of outlines everything level one through five, but then within each domain and each capability and what level you need to have and so on and so forth. So seems quite complex. How do you think organizations can best tackle weeding through all of that to make some good decisions for their business on what level they want to try to attain?
Eric Crusius: It certainly seems complex and this is what happens inside the beltway a lot where it’s not only acronym city, but we substitute in words that mean something that much more basic. So if you look at this, you have domains on the top, which is like the header of an outline. And then within a domain, you maybe have multiple capabilities. And within each capability, you may have multiple processes and practices, practices and processes as they say. So it’s really just like kind of an outline form. And it’s a way that they have outlined it and if you look at it like that where there are a few domains, there’s capabilities under each domain, and these practices and processes under each capability, you kind of get the sense of how they’ve outlined it. So if I were a company looking at this, that’s where I would start.
Erin Keating: Right. So 18 domains, but it seems like simple ones that you’d be going through that checklist anyway as you’re looking at evaluating your cybersecurity.
Eric Crusius: Right.
Erin Keating: So it doesn’t need to be that daunting just because they’re calling them domains. They’re things that you would rightfully check off on your list.
Eric Crusius: Exactly. So if you look at the first domain, it’s called access control. And within that, there are one, two, three … At least five or six capabilities, five, it looks like. So there’s your five separate. And within each capability there are practices, multiple practices, and they also are broken up by the level. If you’re aiming for level three, you just know you look down the level three column and those are the things you have to do. You may also want to look at the level one and level two to the extent that those are subsumed within the level three.
Erin Keating: So I’m looking at the CMMC model revision 0.4 levels by the numbers. And is that the chart that you’re referring to that people … We’ll provide the links for these locations where you can find these in the show notes. But it looks like that’s a nice graph or I-chart there for you to look through and figure out, okay, how many do I need to meet in order to be at specific levels under specific domains?
Eric Crusius: Right. So yeah, I was looking at the 0.4 source document. But I think what you pointed out is even better for people to look at to get a kind of a holistic view, overview. 50,000 foot level, as we like to say. So yeah, for that spreadsheet, I believe it’s on page 13.
Erin Keating: 13 and 14, yeah.
Eric Crusius: And 14. Right.
Erin Keating: And you’re right, the level one for instance, access control is five for level one, eleven for level three. So you start to see that they really are trying to ease up in the smaller categories.
Eric Crusius: Right. And yeah, and I would say if level three is eleven and level two is nine and level one has five, you add that together and it’s I think 25. Math is not my strongest suit.
Erin Keating: It is 25, yes, you’re correct.
Eric Crusius: That’s why I went into law.
Erin Keating: Good fast math.
Eric Crusius: Yeah, thanks. So I would definitely say yeah, as you get up higher and you see some level fives don’t have any. So for a level five, there’s no additional requirements. But they’re responsible for being compliant with level one through four.
Erin Keating: Sure. And the bridge was an interesting example. I hadn’t thought about that before. But having grown up in the area and the Woodrow Wilson Bridge used to be a drawbridge. You know, you would imagine that that is actually a technology within the makeup of the bridge and the construction of the bridge that you’d want to make sure someone can’t hack or break into and alter or change. Is that what some of this cybersecurity also encapsulates? It’s not just about people being able to get data. Is it about people being able to hack into systems and things like that? Or does this not cover that?
Eric Crusius: No, absolutely. It’s part of that. To give you kind of a real life example, there was a dam that was in upstate New York or that is in upstate New York. And that was controlled remotely by a computer. And some folks overseas tried to hack into it to open the dam and flood the town that was near the dam. But thankfully, our own lack of good infrastructure helped us because the dam computer was offline. Yeah.
Erin Keating: Oh, goodness.
Eric Crusius: So they couldn’t do it. Yeah. So there are things like … So having a bridge that can be hacked is not actually out of the realm of possibility. And I’ve heard Woodrow Wilson Bridge is a big improvement. I moved to the area right after it was finished so I had really good timing.
Erin Keating: Yes, it was crazy. If you think about the fact that that was one of the major arteries to get in and out of DC and Virginia and Maryland, it was insane that we lived by a drawbridge there.
Eric Crusius: Yes, I can’t imagine. Luckily I didn’t have to.
Erin Keating: Exactly. So how will these new requirements impact civilian contractors versus DOD contractors?
Eric Crusius: So right as of now, this is really a DOD requirement. But what often happens is that things are tried out at DOD and they’re moved over to the civilian world. So I would not be surprised at all if the civilian agencies as a whole or one by one started requiring this as well. So to folks who only do civilian work, you don’t have to go out and get certified on January 1st, 2020. What I’d say is to really keep a close eye on it and try to, as you’re redoing your internal IT systems, keep an eye out towards this model and try to fashion what you’re doing with this model so that way you don’t have to worry about redoing it again a year later.
Erin Keating: So now just to follow up on our conversation last week and to be sure that we’re all on the same page here, this is a new certification that has not previously existed but will be required in the future to do business with the government?
Eric Crusius: That’s correct. And at least, we know with DOD, which is about half the contracting out there. And then we suspect with civilian contractors eventually. How eventually that is, I’m not sure. But I think they’re going to wait to see how this pans out and how it plays out over the next year or two and then kind of move in on it.
Erin Keating: Right. And this being an easier way, A, to understand whether your vendors are not just including these terms in their contracts as we talked about a little bit last week where you’re sort of going by faith that just by mere fact of someone adding it into their terms doesn’t necessarily mean that they’ve got a plan in place for that type of security. This is really equalizing the playing field of as far as being able to ascertain from the government’s perspective that someone is in fact in compliance with the needs.
Eric Crusius: That’s exactly right. Yeah. The government wants some kind of assurance that the contractors are doing what they say they’re going to do. I think they have found very often that is not the case with cybersecurity and they want a way to verify it.
Erin Keating: Sure. And do you see a benefit, from the contractor side, is there a benefit for the contractor to see this type of requirement come into play?
Eric Crusius: There sure is. For one, it puts everyone on a level playing field. So you have some contractors who are spending the money and time to be as cybersecurity compliant as they can, comply with NIST 800-171. And then you have other contractors who are not. And the ones who are not have a competitive advantage because they don’t have this expense of being cybersecurity compliant. So for the companies that are doing the right thing and being compliant with 800-171, this is a good thing because it will put them on a level playing field with the contractors who are not. It’s very similar to there’s an act in service contracting called the Service Contract Act that requires minimum wages and benefits to be paid to contractor employees in certain circumstances. And what that does is it levels the playing field because what was happening was contractors were undercutting each other to bid, to win work. And they were doing it by cutting, slashing wages that the workers on the contract were going to earn. And these are mostly blue collar folks who didn’t have a lot of say in what their wages were going to be.
Eric Crusius: So then 30, 40 years ago, the government came back and said, “We don’t want to be the lowest. We don’t want to reward somebody who’s just going to pay their workers nothing. So this is a way we can do it.” Then this is kind of a similar, the cyber is kind of a similar situation where you’re creating a baseline so everyone is on the same playing field, which is a really good thing.
Erin Keating: Right. That’s good. I would imagine people find these types of requirements cumbersome. It means that they have to do more on the back end in order to make themselves ready to win contracts. But at the end of the day, if this is allowing us all to have a little bit more of a playing field, an even playing field, but then the low bid situation that a lot of people are put in, when you are bidding on contracts with the government, cost is an issue. You now at least are also making sure that there is a baseline for where that low cost starts.
Eric Crusius: Yeah. And I would say that the government kind of did this to itself. I’m going to say something a little controversial. But with the advent of Lowest Price Technically Acceptable, LPTA is something that was very attractive for the government for a while and it’s become a lot less attractive now because you get what you pay for. The government was almost encouraging people to cut corners, for contractors to cut as many corners as possible to get that low bid in and win the work. Because in the end, most contractors, just being a lawyer for a lot of contractors, I see this, their margins are pretty small. 2%, 3%, 4% in a lot of contracts. It’s very hard to maintain expenses and comply with all these new requirements that are coming out and still … Maybe you make more money just by playing golf and not putting in the bid for work instead.
Eric Crusius: So in a way, I think the government sort of did this to itself by encouraging LPTA. Government’s become a lot smarter now because what it’s doing, it’s recognizing, first of all, that LPTA is not the end all be all, that you want to give yourself the flexibility of getting a better company a contract, even if it’s one penny higher cost. And it’s recognizing that it needs to kind of level the playing field with cybersecurity. And that’s an advantage to contractors who are compliant. But it’s also an advantage to all contractors because you’re cutting off the ability to have these False Claims Act violations because of the lack of cybersecurity compliance.
Erin Keating: Sure. And as the world grows more and more towards technology, I don’t think this is anything someone would argue over not wanting to be more secure, especially within our government and defense.
Eric Crusius: Right. I think we’ll look at this 20 years from now, probably even five years from now, and this is just the standard of how we do business. It’s like going and getting a business license, right? Or registering with the state to do business. So I think this’ll be kind of like that.
Erin Keating: Thank you so much, Eric Crusius, for being with us once again as our lead expert on all of these interesting things around cybersecurity certification that’s now going to become a requirement. I think we’ve wrapped up this episode on where the certification requirements are now. Any last parting words that you have for our audience before we close out today?
Eric Crusius: Sure. This is going to be a very interesting field to watch over the next number of months, so I’d encourage everyone to kind of keep an eye out for it. Like I said, even if you’re a civilian contractor, go ahead and keep an eye out for it and see what’s going on.
Erin Keating: Great. And of course, we at NeoSystems with NeoCast, we’ll be back at you offering any more information that you might need as it comes available to us as well. So please feel free to check back with our episodes. And next week, we will have an episode featuring the details of the proposed certification requirement with our lead expert. Eric, thank you so much for joining us today.
Eric Crusius: Thank you.