Podcast Episode 3 – Details Of CMMC

Podcast Episode 3 – Details of CMMC

February 07, 2020 | BY: Neosystems

Share This

Join host Erin Keating and expert Eric Crusius as they discuss the headlines out of the CMMC version 0.4 that was released in early September. NeoSystems’ own Ed Bassett also joins.

Transcript

Erin Keating: Welcome to NeoCast. Join our experts each week as we discuss strategies and solutions for your businesses in manage IT, cybersecurity, government contracting, and much, much more. Sharing is caring and we’ve got top shelf advice to help you navigate today’s biggest challenges. Let’s get to it.

Erin Keating: Hello and welcome to our third episode in the thing that we are calling season one. We’re discussing in the season new ruling, the third party cybersecurity certification now required for contractors to do business with the federal government. And we are excited to have back once again our lead expert, Eric Crusius, partner with Holland and Knight. Thank you very much for being here.

Eric Crusius: Sure, great to be here.

Erin Keating: Yes, we appreciate it. And we talked in the first episode, we talked a little bit about what some of the current cybersecurity requirements for contractors are and in that discussion we opened the door to the future of cybersecurity certification. So, this last episode we actually delve a little bit deeper into the fact that there are no current certification requirements, but the government is in the midst of, or the department of defense is in the midst of handing down various versions of the new CMMC which will be the certification requirements moving forward.

Erin Keating: As we discussed a little bit about the timeline for that last episode and got into some details, but this is when we really want to spend our time today talking about the details of the proposed certification requirements. So Eric, from your perspective, what are some of the headlines out of the version 0.4 that was released earlier this month, September?

Eric Crusius: So probably the biggest headline is that there is a real divide between the different levels of certification. So level one through five, of course, where one is the least stringent and five is the most, level one’s a lot easier to comply with. And I think there was a recognition kind of how we talked about in the last episode. There’s really a recognition by the government that there needs to be some flexibility here, especially for small businesses that allows small businesses to do business with DOD still on projects that don’t require a high level of cybersecurity robust compliance.

Erin Keating: Right. Within any of the… As we talked about last week, it’s going to be broken down in domains which as you explained, it’s more like an outline of document domains, which means that we then have capabilities under those which then have processes and plans underneath those. Were any of them out of character or surprised you from all of your years of looking into this type of work?

Eric Crusius: That part was not surprising at all. I think it’s really based on the kind of the well-tread NIST 800-171, if you look at the domains they really match up well with 800-171 which has been out for a long time. It’s been subject to a lot of public scrutiny, so I think they took a path that was not altogether surprising and fairly smart by going down the well-worn path. That seemed to work pretty well so far.

Eric Crusius: So, I’d say the overall structure is not surprising at all. And I think I still remain the most surprised by how smaller companies can get certified in level one, I think fairly easily. And we can talk about some of the requirements there, but it’s not as laborious as maybe folks initially feared. At least at this point. This is just 0.4. The government may look at this and get feedback from around the government and say, “You know what? This is just too easy. We don’t want to leave ourselves exposed.” So, kind of essentially level one is a new level two, like they always say 50’s the new 40 which I’m really hoping for. They may just kind of shift that forward one.

Erin Keating: So, you mentioned the NIST 800-171. Can you take just a brief moment in case people didn’t listen to the first episode or maybe you’re just brand new ears to this type of world, brief moment to tell us what the NIST 800-171 is, and what role does it play with the CMMC requirement?

Eric Crusius: Sure. So NIST 800-171 is a document that talks about best practices in cybersecurity for government contractors. And it lists out around a hundred requirements that, or I shouldn’t say requirements, recommendations that contractors should follow to really ensure that they are good stewards of the government contract, the government’s information. And by doing that, they really will protect the information that is in their possession from hacking and from being spilled out to our geopolitical foes.

Eric Crusius: That being said, even if you’re compliant with 800-171, that doesn’t mean that you’re immune from a successful attack. So, the government put 800-171 out there a few years back. Subsequently, the DOD through the DFARS, incorporated 800-171 which up to that point had just been a recommendation or best practices is now a requirement. So, they brought 800-171 into the regulation and said, “Okay, this best practice that’s over here, we have now incorporated this and it’s now a requirement as of December 31st, 2017.”

Erin Keating: Right.

Eric Crusius: These best practices have been out there for a while and contractors doing business with the federal government or at least with DOD, have really had to be compliant with them for a long time. And the nice thing is that the CMMC really incorporates a lot of 800-171 as opposed to other sources. Which there are other sources that are out there in this new model, but 800-171 is really the base of it. And if you look at the different levels specifically for levels one through three, it’s almost all 800-171 with some exceptions. But if you’ve already been compliant with 800-171 there’s not much else to do.

Erin Keating: Right. And I believe in the first episode we talked about 800-171 and you mentioned that most people even in the civilian world are very familiar with those best practices that they shouldn’t… Nothing in there should truly feel like it’s hampering any kind of competition.

Eric Crusius: That’s correct. And I would say that there are a lot of companies, especially larger companies that look at 800-171 and try to comply with it. And specifically technology companies even by accident are compliant with 800-171 because these are best practices that you probably see in most technology companies any way of any size. Certainly the big ones like Google and Amazon and those folks are going to be compliant with 800-171 even if they never heard of 800-171 because they’d be operating with these best practices.

Erin Keating: Right. Now as a lawyer working with a lot of these organizations where you’re helping them really weed through the contractual obligations that they might have. Have you seen any cases, this is just now my own curiosity, where something has gone sideways due to ignoring 800-171 or any sort of blatant or glare… You said that this new certification level one through three for the most part adheres to 800-171, so I guess, let me rephrase the question to mean, you said with a few exceptions. Were those exceptions born out of seeing loopholes or ways in which people were vulnerable to attacks because 800-171 was not entirely comprehensive?

Eric Crusius: That’s a really good question. And I would say that probably most of the exceptions are really born out of… What the government did is they went outside of itself and outside of kind of the 800-171 realm and really looked to see what other organizations have, what they do. And are there better practices that we haven’t adopted yet or even seen? And if there are, should we incorporate them into this and that’s really the genesis of this, what it is.

Erin Keating: Now, I’m just curious, given all that was going on in the news about GDPR over in Europe and so forth, are there other countries practices that they’re also borrowing from? Or is it mainly looking at corporations that already exist in the civilian market or the commercial market, I guess?

Ed Bassett: Yeah. DOD said that they were going to look at practices around the world. I’ll be honest, I haven’t looked through every one of the recommendations or the entirety of the spreadsheet to see whether other countries were used or not, but they certainly reserved the right to do that where they found out that other countries had a recommendation that they thought would work well. Certainly and the majority of it is stuff that the government’s well familiar with. I wouldn’t be surprised if during the commentary period folks do suggest European or other country requirements and that those subsequently get incorporated into this.

Erin Keating: Right, right. I mean, as you see with other industries, the car industry being one of them, automotive industry. Where when you don’t equalize what the regulations are, it makes it very difficult for multinational companies to be able to keep up with all the different regulations across the borders. So, I would imagine that it would be helpful or you can imagine a multinational company might come forward to say, “Hey, can we incorporate a few more of these?” Or, “Can you reduce this so that we’re dealing with one standard across the board as opposed to managing multiple standards.”

Eric Crusius: Absolutely. Companies like standardization and certainty, and that’s what makes this-

Erin Keating: Sure. Don’t we all?

Eric Crusius: Yeah, it’s true. I guess it’s not just companies, it’s all of us. That’s something when you have a dramatic change like we’re going to have now, and I don’t think anybody is saying otherwise, it’s definitely a dramatic change. And while it’s dramatic now may not seem like a big deal down the road, but still companies want that certainty and to understand how is my business going to change? Am I going to still have a business when this is all done? And are you pulling out these requirements randomly from the air and if you are, how am I going to comply with them? So, certainly companies that are around the world will want to see kind of a standard requirement and also they’d probably be comforted if we adopt requirements from their home country that they’re already complying with.

Erin Keating: Sure. So, we know that FedRAMP is out there. For those of us, including myself, who don’t know what FedRAMP stands for or what it means, would you just very briefly, because most people will know what that is, touch on what Fed Ramp is, and then talk a little bit about how this in particular compares to FedRAMP.

Eric Crusius: Sure. So FedRAMP, much like this is going to be is a certification that’s required of companies. If they want to provide cloud services to the government, they have to be FedRAMP certified. So, essentially that’s what FedRAMP is. It’s a way that companies can be certified to provide cloud services. So, it’s FedRAMP for short, and it’s known as the Federal Risk and Authorization Management Program. So again, we’re an acronym city here, in Washington, DC. Even the name of the city itself is an acronym.

Erin Keating: Right.

Eric Crusius: And it allows the government kind of comfort that it knows that if stuff is been hosted in the cloud, that these companies have essentially met some minimum standard. And this is very similar to what we’re going to see with CMMC. I almost liken it to a FedRAMP 2.0 and just because it’s kind of the same idea, just a different kind of venue. FedRAMP is more limited because it deals with cloud services, but it’s certainly an important part of the government’s program to keep its information secure. But there was this weak link, the contractor systems, that they’re trying to kind of tidy up with the same kind of certification requirement.

Erin Keating: Right. Okay. Gotcha. So a contractor who’s going after these types of businesses might likely be certified in FedRAMP, but then also need to be certified in CMMC. One does not cover the other.

Eric Crusius: Correct. Good question. I would be interested to see if there is a contract that has some hosting services and some things are not hosting. One will cover the other and vice versa. But I would imagine just based on the differences in the certification requirements that it’s going to have to be both.

Erin Keating: That’s exactly right.

Erin Keating: Right. Or maybe if you were like level one you could get the pass if you are already FedRAMP certified. Level one would just put you at that level or something like that. So, and speaking about the levels, we did talk about this in some detail in the last episode, but there are five levels of certification. Wondering if you could help us think through what they are and what they mean?

Eric Crusius: Okay, so go ahead.

Eric Crusius: Sure. So, there are five levels as you mentioned and the levels are dependent on how much is required of the contractor to keep its information safe. So, as we mentioned before, level one is the least stringent, level five is the most. Level one they talk about it’s just for basic security. It’s easily achievable. Hopefully for small companies it really contains universally accepted common practices as they say in their spreadsheet, and it only offers limited resistance to cyber attacks.

Eric Crusius: And then that changes with level four, of course, which has a reference to DIB, which refers to the Defense Industrial Base. And that’s always been a more kind of more sophisticated program because it deals with the larger core contractors that the government relies on, so level four, the organization comprehensively applies lease privilege and separation of duties to identities, processes, networks, and interfaces across the enterprise.

Eric Crusius: And if you look at the more detailed spreadsheet when you look at the different domains, which are the kind of the headers, you’ll find that there aren’t a lot of level one requirements. It’s probably something slightly less than 800-171 because you don’t see all of 800-171 in here. That being said, the DFARS clause with the 800-171 requirement is not going away.

Eric Crusius: In my mind, this wraps up level one through three together. If you’re doing one through three robustly, you’re probably doing four in a more comprehensive fashion. But it’s playing lease privilege, which is what we were talking about. Don’t give people more access than they need to do their job. Separation, talked about level two already, and then talks about across the enterprise. So having kind of a look at it from the 50,000 foot level and just making it part of your cybersecurity program.

Eric Crusius: So, I would say that if you’re already complying with 800-171 probably a level one CMMC certification is really pretty easily attainable. So, that’s kind of level one. If you then go up the ladder and I’ll just briefly talk about each one.

Erin Keating: But, I would say if you’re doing one through three, levels one through three, you’re probably doing four. Level five, network hosts and software access management is context aware, adapting the security posture to the most restrictive viable settings based on the physical location, network connection, state, time of day, and measured properties of the current user enrollment. So, this is almost like a system that is adaptable based on the surrounding circumstances and environment. So, if it knows that I work between nine and five, maybe it won’t let me in at eight o’clock at night unless I get special privileges to do so. Or, if I always sign in from Tysons Corner, Virginia, now known as Tysons, Virginia, and all of a sudden I sign in from Alaska, maybe it won’t let me in because it knows I’m in Alaska. It’s almost like artificial intelligence built into the system I would say.

Erin Keating: Sure.

Eric Crusius: It’s a little bit like your credit card company letting you know that you’re charging in Mexico and you’re actually not on a trip there.

Eric Crusius: So we have level two which includes all of the cyber security best practices, where as level one was a subset. And there is some resiliency, but the resiliency that they expect in level two is against unskilled threats. So, less sophisticated threats with some minor resistance to hacking instead of limited. Now, the definition of minor versus limited, I’m not really sure, but I guess minor is more than limited.

Erin Keating: Right. If only.

Erin Keating: Right.

Eric Crusius: Yes. Something to note though, that these are cumulative. Right? So, what you have to do in level one you obviously also have to do in level two, level three, level four, but with each level you’re sort of gaining more requirements.

Eric Crusius: And then if you go up to level three, they specifically say that level three includes all of NIST 800-171. So, because of that, if you look at one and two you can probably assume that it does not include, even without looking at the detailed spreadsheet, does not include all of 800-171. So then besides that, you have additional best practices and you have some resiliency against moderately skilled threat hackers and some moderate resistance to cyber attacks, which is more than minor, I guess. And comprehensive. They say comprehensive knowledge of cyber assets. So knowing everything that you have out there.

Eric Crusius: Right. I would say that that’s the case. My sense is that they have tried to pull in levels one through four for instance, until the level five requirement, but it’s not always that smooth. It’s not always a square peg in a square hole. Sometimes it’s a round peg in a square hole. So, I don’t know exactly how the certification process will work and if they will need to actually check the box on one, two, three, four or five, or if they’ll just look at five and say, “All right, if you’re doing five you’re naturally doing one through four.” It’ll be interesting to see how that happens, how that develops, but I would say that those folks who are looking at level five would probably also want to just at least glance at levels one through four to make sure that there’s nothing specific to levels one through four.

Erin Keating: This is a best practice, when stepping back for a second. This is the best practice, anyway. You really want to have comprehensive knowledge of what you have. Maybe not a computer that’s not connected to the internet because it’s sitting in an office somewhere and unhooked and things like that. Although you’d probably want to know that too. But if you have something that’s public facing or even intranet private facing, you probably want to know those assets, and have them mapped properly, and have IT aware of them.

Eric Crusius: Now, for this certification, is it a self-publishing or will there actually be a body of individuals or people or a department that will be checking to be sure that you’ve actually been compliant?

Eric Crusius: You don’t know what you don’t know. And that can be a big problem. That might be the very way that a hacker gets in. So, it’s kind of level three. And I would say you’re probably going to see a majority of DOD Becurements coming out through level one through three, just based on what I’m seeing as far as what’s required. When you get to level four and five, you’re going to have the big metal benders who are building F-35’s. You’re going to have folks deploying sophisticated cyber security systems, those kinds of contracts. And it could even be a contract who’s a small business that’s doing something that’s very sensitive in the intelligence area, but level four and level five are probably reserved for those types of things.

Eric Crusius: So there’ll certainly be a third party company or there’ll be many third party companies probably that will come in and be willing to certify a contractor. How the DOD gets the trust in those companies I’m not sure at this point. Because there’s certainly going to be folks out there who will want to do this, who will be qualified to do this. But how does DOD know that? So, I don’t know if they’re going to be going through a separate certification process themselves.

Erin Keating: So, I would say to most companies, at least as we sit now, don’t worry too much about getting level four or level five unless those are the kinds of contracts that you’re going for. If you’re going for contracts that are outside of high technology, cybersecurity, sophisticated weapons systems, airplanes, things like that, you could probably not worry about level four and level five, but if you’re getting those kinds of contracts you probably have revenue to support going through and getting the certification. Level four and level five, looking at four specifically. You have advanced and sophisticated practices, resiliency against advanced threat actors.

Eric Crusius: Right, right. Out born’s another industry that we can all think of.

Eric Crusius: You have continuous and complete knowledge of cyber assets. So level three just you’re required to have comprehensive knowledge. Level four requires kind of updating that knowledge on an ongoing basis. And then if you go to level five, which is the ultimate level, you have highly advanced practices. It’s reserved for the most critical systems as they say. And resilient against the most advanced threat actors. And it goes on and on, but you get the idea. It’s really the keys to the kingdom as far as the federal government’s concern will be with contractors that are level five certified.

Erin Keating: There’s a lot of ways to make money in the government contracts field.

Erin Keating: I mean, even in the language, when I’m looking here on pages, I think it’s 15 and 16 of the CMMC document, you can tell in one through three it’s somewhat… I dare to call it passive, but more passive requirements that you just need to make sure that you’re protected. Like put in the gates, put in the barriers that you need to put in. But the language gets decidedly more poignant in levels four and five even threat hunting, detonation chambers. I’m sure all of these things are relatively innocuous, but to me an outsider, they sound very proactive. That is not a passive level to be at. They’re looking for people to be sure that you’re actually on the lookout for hackers and for cybersecurity breaches and things like that.

Eric Crusius: Exactly. Well, I think that helps us wrap up the details of this proposed certification requirement. Is there any parting thoughts you’d like to give our audience about things that they might want to be on the lookout for?

Eric Crusius: Absolutely. And DOD has not been shy in saying that we’re in a cyber war right now. And these are war kind of words. Hunting, detonation, all those kinds of words are not by accident, I’m sure.

Erin Keating: Yeah, I would say if you’re a DOD contractor here, right now, and you’re listening to this podcast and you’re kind of wondering what to do next, the very first thing I would do is pull up this spreadsheet and start reading it and try to figure out what level you would want to go for when that opportunity arises. And see what you need to do to kind of close that gap.

Erin Keating: Right. I just have to ask, what is a detonation chamber?

Eric Crusius: Right.

Eric Crusius: That’s a really good question. NIST has actually a publication about it or it’s within 800-53, the fourth revision. They talk about what they are and they described them and I think they’ll say it better than I ever could say it. So, “They are dynamic execution environments that allow organizations to open email attachments and execute un-trusted, suspicious applications.” So, it’s kind of a safe place, I guess-

Erin Keating: What do you need to make sure… Maybe you’ve done everything in levels one through three except for two things. Well, go ahead and tackle those two things now. Don’t wait for a third party certifier to come in and tell you to do it and that certification process will be a lot quicker.

Erin Keating: To run your spam or-

Eric Crusius: Great. Well, thank you so much for taking us through all of the new cybersecurity certification that’s now going to be required for contractors. We really covered a lot of ground in these last three episodes and I look forward to our next season where we’re going to be covering FAR part nine, contracting qualifications, and how contractors should handle cybersecurity compliance. Thanks so much, Eric.

Eric Crusius: Yeah, to open something that you don’t think… You know this email attachment is not right. Right? Because it says, “Here’s a list of everyone’s salary in your organization. You should open it to take a look,” and you know it’s fake. The 1% chance it might be real, maybe you really want to open that. And the detonation chambers, I guess that’s where they get to open all those things. So, it sounds kind of fun in a way.

Erin Keating: Thank you.

Erin Keating: Right. Yeah. I kind of want to be in that room to figure out, because I assume they need a place in order to open those things so they can discover where the breaches are happening. And who’s actually providing, who’s doing that work so that they can track them down.

Eric Crusius: This part of the episode, we’re going to welcome Ed Bassett, the chief information security officer for NeoSystems to talk a little bit about how Neo Systems might be there to help prepare individual contractors working with the government in advance of this cybersecurity maturity model certification. CMMC that we’ve been speaking with Eric Crusius about. So Ed, let’s jump into other services that you provide. You’ve mentioned managed security. Can you talk to us a little bit about that and why that matters to those individual contractors who are looking to get certified in the cybersecurity maturity model?

Ed Bassett: Right. I’m sure it helps forensically to kind of figure out what the latest and greatest that these hackers are up to.

Erin Keating: Well, the CMMC and even the predecessor requirements that are out there require a security program that covers a lot of different topics, requires a lot of different technologies, all to be managed with very consistent processes, requires documentation, requires continuous monitoring. Basically the oversight of those security controls to make sure that they’re operating in an effective manner at all times. So, these security programs take a pretty broad spectrum of technology and skill sets. And as you can get from the security maturity model certification title, it’s about maturity, process maturity. Making sure that these things happen, not just once at contract award, but in a consistent, repeatable way throughout the life of the contract. So, that’s what the government’s looking to assess is that maturity.

Ed Bassett: Right. Who’s uncle really is stranded in Nigeria and needs my dollars. Ask a detonation chamber manager.

Eric Crusius: So as companies look to very quickly get access to these things that require, again, complex technologies, complex skill sets, the managed service model is an easy way for them to purchase those capabilities. We bring the people, the process, the technology altogether in a managed service bundle that customers can adopt and use and pay for on a monthly fee basis. So, it avoids the sort of long curve of capital investment, recruiting, hiring, training, all those things it takes to build a security program from scratch or to improve an existing security program. You can very quickly get to the results you need to pass the certification with a managed service model.

Erin Keating: You can never be too safe. [crosstalk 00:19:22] Maybe my uncle’s there and I don’t even realize it.

Erin Keating: So, a focus that Eric mentioned when he was looking at the CMMC guidelines, I think it was version 0.4 that we were discussing on the day. He was talking about how he was a little bit surprised and pleasantly surprised by the fact that government really did open the door for small contractors to be able to reach certain levels, at least level one if not level two of the CMMC. It sounds like using a service, whether it’s NeoSystems cloud, or if it’s the managed security, all of these things are things that would absolutely open the door for those smaller contractors working with NeoSystems to be able to tackle some of those certification issues. Is that what I’m understanding?

Ed Bassett: Exactly right.

Eric Crusius: Yes. The CMMC levels are designed to correlate to the kind of data you’re working on, not necessarily the size of the company. Right? So if a company that’s very small is working on things that are not very sensitive, level one is a fairly easy, achievable step. But if that same small company wants to go bid on contracts involving sensitive data, they may be required to get to level three, even higher, even though they are a small company with limited resources. So for those companies to achieve that on their own, it’s very, very difficult.

Ed Bassett: You have to be careful.

Erin Keating: Again, the capital investment is very difficult. It’s getting the right mix of skill sets when you have a small head count, is very difficult. So, in a service model you can get those skill sets and those technologies in a fractional sort of way, where you’re buying a piece of it, and you’re buying into maturity that’s already been established by Neo Systems as a service provider.

Erin Keating: Exactly right. On that note, can you give some examples of the cybersecurity controls that will be required with the different levels?

Eric Crusius: Exactly.

Ed Bassett: Yeah, so I think the easiest thing is just to kind of look at the first one, the first domain is access control, and the capability that they want to look at is control internal system access. And there are five levels. So, some of these don’t have all the levels populated, some just have level one and two populated. And then level two is where you are. And if there’s nothing better than level two.

Erin Keating: So, very good for small companies. Not to say these services don’t apply to large companies. Many, many large companies take advantage of mass security providers for similar reasons, timed results, avoiding a big capital investment, that sort of thing.

Erin Keating: Right.

Eric Crusius: Right, right. That’s great. So, you’ve also mentioned secured enclaves and how they may assist in this particular certification. Can you talk a little bit more about those?

Ed Bassett: Some of them don’t have a level one, which means the level one folks don’t have to comply with it at all.

Erin Keating: Sure. So, we have a mix of clients. Some of our clients, everything they do is federal government contracting. So that means that all of their systems, all their data involves government data. In those cases they generally just take their entire system and bring it up to the federal standards. But we have other clients where federal contracting is a small piece of what they do. Maybe it’s one division, maybe it’s only a few contracts.

Ed Bassett: Huh. Okay.

Eric Crusius: And so they have a large infrastructure of networks, workstations, security in place for that at the corporate level that may not meet the federal expectations. So rather than bringing all their systems up to meet the federal standard, it’s often a lot more cost effective to build an enclave where you can isolate the federal government data and focus your investment on getting that piece certified to process that data and not bring all your corporate systems into scope.

Ed Bassett: And some just have a level three which essentially means that three, four, and five have to comply with it.

Erin Keating: The other place that this affects a customer in their decision of where to put the federal data, and Eric touched on, is the government’s ability to oversight and audit that. If you have that data spread across all your corporate systems, they’re effectively all open to government oversight, even though those systems may not be being used for government contracting purposes. So, a lot of customers want to isolate that in a probably small enclave.

Ed Bassett: Okay.

Eric Crusius: We can do that through network segmentation. We also offer cloud hosted workstations, so basically virtual desktop infrastructure where clients can have a place that their employees can go, a virtual desktop, a virtual workstation they can go to, just to work on federal data. Store it there locally in that enclave. It never goes to their corporate networks. So the user is sitting at the same computer that they use every day, the same laptop or desktop, but instead of working on their local machine and their local corporate network, they go to the cloud and work on a virtual workstation there. So, it’s essentially a secure enclave for storing and processing the federal government data.

Erin Keating: So, I like this first one, control internal system access because it has all five levels. So, you can kind of get a sense of the differences between all of them. So for level one, that would be limit system access to the types of transactions and functions that authorized users are permitted to execute. So, in essence what they’re saying there is you don’t give people more access to your system than they need to do their job. So, that’s level one. That’s pretty basic thing that you want to do. Exceeding authorized access to something that actually is already codified in the law that employees are not permitted to do in companies. It’s called the computer fraud and abuse act.

Eric Crusius: Fantastic. Well, thank you Ed, so much for getting us up to speed on a few of the different ways that NeoSystems could really help some of those contractors out there that are looking to come into certification under the CMMC and that are already maybe working within DFARS or may not be, and are looking for good partners that can help them achieve that status. So, we appreciate you taking the time to talk through the services that NeoSystems offers and we look forward to having you back when we get back into the CMMC and talk a little bit more specific about some of the challenges that lay ahead for contractors trying to get that certification.

Ed Bassett: And for folks who are in private industry, away from the government there have been successful lawsuits against employees of companies who go through the system and go to places in the system they’re not permitted. It’s actually, there is also a criminal aspect to it, and this is kind of the government aspect, which is not towards the employee who could be exceeding their authorized access.

Eric Crusius: Thank you, Erin.

Erin Keating: But it’s just saying that you have a system that recognizes that and only gives people their authorized access. The big thing anecdotally with Edward Snowden, who is one of the most well-known hackers, of course, in our time, is that he was already in the system. He’s not necessarily, I’m not saying he isn’t, but he’s not necessarily a brilliant hacker, because the hardest thing to do is to get into the system. What he did is he exceeded his authorized access. So, what this is saying is that you give people the access that they need and that’s it. So, that’s level one.

Eric Crusius: The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure. From software hosting and security solutions to managed accounting services, NeoSystems, custom builds solutions and services that are tailored to fit your organization’s needs. Check us out on the internet at neosystemscorp.com. That’s neosystemscorp.com.
Level two is you separate the duties of individuals to reduce the risk of malevolent activity without collusion. There’s the word collusion. But what they’re essentially saying, is that you want to make sure that you don’t give somebody too much power, too much access to the system. You know that song, Keep it Separated?

Erin Keating: Right.

Eric Crusius: You want to keep it separated within here to give people their own kind of requirements so that way there’s not too much cross pollination and nobody has access to too much. So, that’s level two. This may not be relevant to some folks depending on what kind of things they have in their system but that’s that’s what they would have to do. There are related by the way practices for all these, but I’m just kind of going through the first high level one. Otherwise we could be here all day.

Erin Keating: Oh yeah. It’s a long document, people.

Eric Crusius: So then you have level three, use of non-privileged accounts or roles when accessing non-security functions. That’s another example of only giving people access to what they need. So, if there is something that’s non-privileged, non-security, only give it to those non-privileged folks or more specifically have separate counts for the privileged and the non-privileged, so there’s not cross-contamination. So, then that’s three. And then four-

Erin Keating: And I should note just really quickly in looking at the spreadsheet as we’ve been going along this, those first three are all stated as being part of 801-171.

Eric Crusius: Right, that’s a good point.

Erin Keating: So they are noting in each of these squares, so nothing so far has been a surprise. These are all best practices that happen to appear already in the NIST 801-171.

Eric Crusius: That’s exactly right.

Erin Keating: Okay, so go ahead.

Eric Crusius: But, I would say if you’re doing one through three, levels one through three, you’re probably doing four. Level five, network hosts and software access management is context aware, adapting the security posture to the most restrictive viable settings based on the physical location, network connection, state, time of day, and measured properties of the current user enrollment. So, this is almost like a system that is adaptable based on the surrounding circumstances and environment. So, if it knows that I work between nine and five, maybe it won’t let me in at eight o’clock at night unless I get special privileges to do so. Or, if I always sign in from Tysons Corner, Virginia, now known as Tysons, Virginia, and all of a sudden I sign in from Alaska, maybe it won’t let me in because it knows I’m in Alaska. It’s almost like artificial intelligence built into the system I would say.

Erin Keating: It’s a little bit like your credit card company letting you know that you’re charging in Mexico and you’re actually not on a trip there.

Eric Crusius: Right. If only.

Erin Keating: Yes. Something to note though, that these are cumulative. Right? So, what you have to do in level one you obviously also have to do in level two, level three, level four, but with each level you’re sort of gaining more requirements.

Erin Keating: Now, for this certification, is it a self-publishing or will there actually be a body of individuals or people or a department that will be checking to be sure that you’ve actually been compliant?

Erin Keating: Right, right. Out born’s another industry that we can all think of.

Eric Crusius: There’s a lot of ways to make money in the government contracts field.

Erin Keating: Exactly. Well, I think that helps us wrap up the details of this proposed certification requirement. Is there any parting thoughts you’d like to give our audience about things that they might want to be on the lookout for?

Eric Crusius: Yeah, I would say if you’re a DOD contractor here, right now, and you’re listening to this podcast and you’re kind of wondering what to do next, the very first thing I would do is pull up this spreadsheet and start reading it and try to figure out what level you would want to go for when that opportunity arises. And see what you need to do to kind of close that gap.

Erin Keating: Right.

Eric Crusius: What do you need to make sure… Maybe you’ve done everything in levels one through three except for two things. Well, go ahead and tackle those two things now. Don’t wait for a third party certifier to come in and tell you to do it and that certification process will be a lot quicker.

Erin Keating: Great. Well, thank you so much for taking us through all of the new cybersecurity certification that’s now going to be required for contractors. We really covered a lot of ground in these last three episodes and I look forward to our next season where we’re going to be covering FAR part nine, contracting qualifications, and how contractors should handle cybersecurity compliance. Thanks so much, Eric.

Eric Crusius: Thank you.

Erin Keating: This part of the episode, we’re going to welcome Ed Bassett, the chief information security officer for NeoSystems to talk a little bit about how Neo Systems might be there to help prepare individual contractors working with the government in advance of this cybersecurity maturity model certification. CMMC that we’ve been speaking with Eric Crusius about. So Ed, let’s jump into other services that you provide. You’ve mentioned managed security. Can you talk to us a little bit about that and why that matters to those individual contractors who are looking to get certified in the cybersecurity maturity model?

Ed Bassett: Well, the CMMC and even the predecessor requirements that are out there require a security program that covers a lot of different topics, requires a lot of different technologies, all to be managed with very consistent processes, requires documentation, requires continuous monitoring. Basically the oversight of those security controls to make sure that they’re operating in an effective manner at all times. So, these security programs take a pretty broad spectrum of technology and skill sets. And as you can get from the security maturity model certification title, it’s about maturity, process maturity. Making sure that these things happen, not just once at contract award, but in a consistent, repeatable way throughout the life of the contract. So, that’s what the government’s looking to assess is that maturity.

Ed Bassett: So as companies look to very quickly get access to these things that require, again, complex technologies, complex skill sets, the managed service model is an easy way for them to purchase those capabilities. We bring the people, the process, the technology altogether in a managed service bundle that customers can adopt and use and pay for on a monthly fee basis. So, it avoids the sort of long curve of capital investment, recruiting, hiring, training, all those things it takes to build a security program from scratch or to improve an existing security program. You can very quickly get to the results you need to pass the certification with a managed service model.

Ed Bassett: Yes. The CMMC levels are designed to correlate to the kind of data you’re working on, not necessarily the size of the company. Right? So if a company that’s very small is working on things that are not very sensitive, level one is a fairly easy, achievable step. But if that same small company wants to go bid on contracts involving sensitive data, they may be required to get to level three, even higher, even though they are a small company with limited resources. So for those companies to achieve that on their own, it’s very, very difficult.

Ed Bassett: Again, the capital investment is very difficult. It’s getting the right mix of skill sets when you have a small head count, is very difficult. So, in a service model you can get those skill sets and those technologies in a fractional sort of way, where you’re buying a piece of it, and you’re buying into maturity that’s already been established by Neo Systems as a service provider.

Erin Keating: Exactly.

Ed Bassett: So, very good for small companies. Not to say these services don’t apply to large companies. Many, many large companies take advantage of mass security providers for similar reasons, timed results, avoiding a big capital investment, that sort of thing.

Erin Keating: Right, right. That’s great. So, you’ve also mentioned secured enclaves and how they may assist in this particular certification. Can you talk a little bit more about those?

Ed Bassett: Sure. So, we have a mix of clients. Some of our clients, everything they do is federal government contracting. So that means that all of their systems, all their data involves government data. In those cases they generally just take their entire system and bring it up to the federal standards. But we have other clients where federal contracting is a small piece of what they do. Maybe it’s one division, maybe it’s only a few contracts.

Ed Bassett: And so they have a large infrastructure of networks, workstations, security in place for that at the corporate level that may not meet the federal expectations. So rather than bringing all their systems up to meet the federal standard, it’s often a lot more cost effective to build an enclave where you can isolate the federal government data and focus your investment on getting that piece certified to process that data and not bring all your corporate systems into scope.

Ed Bassett: The other place that this affects a customer in their decision of where to put the federal data, and Eric touched on, is the government’s ability to oversight and audit that. If you have that data spread across all your corporate systems, they’re effectively all open to government oversight, even though those systems may not be being used for government contracting purposes. So, a lot of customers want to isolate that in a probably small enclave.

Ed Bassett: We can do that through network segmentation. We also offer cloud hosted workstations, so basically virtual desktop infrastructure where clients can have a place that their employees can go, a virtual desktop, a virtual workstation they can go to, just to work on federal data. Store it there locally in that enclave. It never goes to their corporate networks. So the user is sitting at the same computer that they use every day, the same laptop or desktop, but instead of working on their local machine and their local corporate network, they go to the cloud and work on a virtual workstation there. So, it’s essentially a secure enclave for storing and processing the federal government data.

Erin Keating: Fantastic. Well, thank you Ed, so much for getting us up to speed on a few of the different ways that NeoSystems could really help some of those contractors out there that are looking to come into certification under the CMMC and that are already maybe working within DFARS or may not be, and are looking for good partners that can help them achieve that status. So, we appreciate you taking the time to talk through the services that NeoSystems offers and we look forward to having you back when we get back into the CMMC and talk a little bit more specific about some of the challenges that lay ahead for contractors trying to get that certification.

Ed Bassett: Thank you, Erin.

Erin Keating: The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure. From software hosting and security solutions to managed accounting services, NeoSystems, custom builds solutions and services that are tailored to fit your organization’s needs. Check us out on the internet at neosystemscorp.com. That’s neosystemscorp.com.

Not Sure Where to Start?

Have a Goal in Mind?

CMMC Podcasts