Unlocking the Mysteries of the Fed’s New CMMC Requirement

There’s a lot of uncertainty around the Cybersecurity Maturity Model Certification (CMMC). In this episode of Security on Cloud, Tony Bai, Director, Federal Practice Lead at A-LIGN, joined us to explain the CMMC framework, its importance, and why it’s being introduced. Tony shares insight on how CMMC applies to Controlled Unclassified Information (CUI) and on the requirements set by the Department of Defense (DoD). Learn about the various levels of CMMC and the assessment process for certification. Tune in as we discuss what CMMC compliance is, what the requirements are, how it compares to NIST 800-171, who needs to obtain CMMC certification, and so much more.


Episode Transcript

John Vecchi: Welcome everybody! You’re listening to the Security on Cloud Podcast live on Anitian Radio. I’m your host, John Vecchi. 

Scott Emo: And I’m Scott Emo. 

John Vecchi: Today we’re going to talk about the theft of intellectual property and sensitive data across things like the Defense Industrial Base and the supply chain at the Department of Defense (DOD). This represents one of the biggest threats to national security. And the new Cybersecurity Maturity Model Certification — what we call CMMC — was created by the DOD to actually combat these threats. 

Scott Emo: That’s right. In this episode, we want to talk about this new cyber certification model, which has been a hot topic for over a year now. And, given the latest SolarWinds attack which affected multiple federal agencies, including the Department of Homeland Security and the DOD, there’s never been a more perfect time to discuss the security requirements for federal agencies. 

John Vecchi: It’s definitely true. So, let’s get some perspective on this. To help us break it all down, I’d like to introduce our guest for this week. He’s a cybersecurity professional with over 27 years of IT and IT security experience. He’s also a Certified Information Systems Security Professional and project management professional.

His extensive background includes providing risk assessments, security tests and evaluation, vulnerability assessments, security reviews, and audits for government agencies and commercial clients, most notably, the Defense Health Agency, US Air Force, and various Fortune 500 companies spanning multiple industries. He brings an impressive blend of knowledge of security controls and technical aspects of cybersecurity and IT operations. He joins us from A-LIGN where he’s the Federal Practice Lead. It’s our pleasure to have with us today, Mr. Tony Bai. Welcome, Tony! 

Tony Bai: Thank you. Thank you for having me here! This is my first podcast. 

Scott Emo: Oh, that’s awesome Tony, no pressure. But you know what? As John mentioned, you are the Federal Practice Lead over at A-LIGN. Can you start by telling our listeners: what is A-LIGN and what do you do there? 

Tony Bai: So, A-LIGN is a cybersecurity partner to our various clients, right? So what we are primarily is a cybersecurity compliance and auditing firm. We’re one of a few worldwide that offers the breadth of cybersecurity certification assessments and audits in the industry. We handle PCI, we handle SOC 1 and 2, we handle HITRUST, we do privacy. And then the entire federal framework gamut, whether it’s FISMA RMF, FedRAMP, CMMC, NIST 800-171, the whole bit.

John Vecchi: And for those listeners, you can see we’re in an industry that we call the alphabet soup, right? Whether you’re hearing all these acronyms and there’s a lot to keep track of. But specifically, the Cybersecurity Maturity Model Certification or CMMC. I’m guessing many of our listeners, Tony, probably haven’t heard of CMMC before, maybe they have. So, let’s start there. Can you tell us what it is and why this is being introduced? 

Tony Bai: Sure. So, this is particular to DOD, right? It’s being looked at by other agencies in all of the US federal government. It’s even being looked at by some US allies to be adopted in some form or fashion. But it’s an outgrowth of the NIST 800-171 requirements, which is the protection of controlled unclassified information in non-federal systems.

When you talk about non-federal systems, you’re talking about those systems that don’t have a system accreditation by the government, whether it’s RMF or FedRAMP or something like that. It’s about, essentially, your corporate systems that may house sensitive government information that the government wants to be protected. And that’s how they do it.

171 allows for self-attestation when you’re doing business with the federal government. What the DOD found in some IG inspections or Inspector General inspections regarding this is the fact that a lot of companies may say they were 171-compliant, but they truly weren’t. So the CMMC is a group to address that, where it implements 171 protection of CUI, but having a trusted third-party vendor validates that, right. And the issue of certification to demonstrate that validation.  

What they also did is added some flexibility to it because it’s not a one size fits all. 171 is a one size fits all, right? You have to meet all 110 control aspects and document that. Where with CMMC, based on the type of information that is being shared with you by the government or what you’re producing on behalf of the government, some have higher priority, some have lower priority based on the criticality. So they offer varying levels of certification, Level 1 through Level 5. So those are the, I guess you’d say the major milestones or differences between 171 and CMMC.

John Vecchi: Got it. Well, it’s interesting, right? And as Scott mentioned at the top of the podcast, right now we’re in real-time, we’ve been living probably one of the most prolific cyber-attacks and breaches in a long time with the SolarWinds attack and the compromise of Orion with the SUNBURST malware. Given we’re talking to you today about CMMC and this is very much focused on the DOD which, by the way, was potentially one of the agencies compromised by the SolarWinds attack, does that affect CMMC, Tony? Or does it put any more importance or focus on it in any way? 

Tony Bai: I think it calls attention to the fact that we need to concentrate on supply chain risk management, which CMMC is really applying, right? Supply chain risk management. Because it’s about protecting the government information with their prime contractors and then the flow down requirements from the primes to their subs and the subs to their subs type thing, right? Now, would CMMC have really protected against a backdoor into security, into a toolset that was used by various companies that caused this event, right?

Honestly, I don’t think so. Because CMMC is constantly protecting that government information, not necessarily secure engineering practices and DevSecOps that really I think plays a greater role in what happened with the SolarWinds attack. Because it was introducing a weakness into the source code of a tool that was leveraged by other vendors, right? Like SolarWinds. That’s not necessarily protecting government information, right? 

John Vecchi: That makes sense. 

Tony Bai: It’s more of a security engineering aspect. 

John Vecchi: Yeah. That totally makes sense. Well, Tony, then who needs to meet CMMC? And how would they do it? Who needs to worry about this? 

Tony Bai: Well, CMMC right now is only a requirement when it’s in the specific contract that a company has with the government, right? Or with the DOD specifically. So basically, if you want to do business with the DOD, you need to worry about becoming CMMC-certified when it starts up. It’s mandatory for the primes, the ones that directly hold the contracts with the DOD. Again, the caveat is that the CMMC requirements are within the contract with them. Now it should because it’s the DFARS 7012 clause. 

Any sub to that prime will have to abide by it based upon the CUI that is shared from the prime to the sub. So if the prime says they have to be CMMC Level 3 Certified because they’re getting CUI or producing CUI for the DOD, if they don’t share that same information with their subs, then the subs don’t necessarily have to be CMMC Level 3, they could be CMMC Level 1, which is the federal contract information, that’s more like the accounting practice, that sort of stuff, right? So, it all depends from one tier to the next of what is being shared that will determine the level that’s required. Now, ultimate responsibility is still with the prime contract holder that has a contract with the DOD.

John Vecchi: Got it. So there are multiple levels, right?  

Tony Bai: CMMC is divided into Levels 1 through 5, right? Level 1 really only applies the FAR clause security requirements, they’re like 17, basic cybersecurity hygiene type stuff, right?

Level 2 you hear talked about, it’s not likely to ever be actually implemented or required by the federal government or DOD. It’s more of a… I guess what I’ve been told is like a stepping stone that shows how a company can go from Level 1 to Level 3. 

Level 3 outlines the equivalent of 171. In fact, it incorporates all 110 controls that 171 outlines plus an additional 20 that the DOD created with their work group that developed the CMMC framework.  

Levels 4 and 5 add in additional controls that are really designed for the protection of data that they’re worried about advanced persistent threats. Like from nation state actors, that sort of stuff. And the controls that they derive those from are from like the draft NIST Special Publication, 800-172. 

John Vecchi: Got it. 

Tony Bai: Just more of a tracking or progression to get to that Level 3 status. 

John Vecchi: Got it, got it. So, given we talk cloud on this program and, as we know, the government has been really building this cloud-first approach. And today, if you’re, say, a cloud-based software vendor or Independent Software Vendor (ISV) building cloud applications that the government wants and needs, they’ll be meeting what we call FedRAMP, right? Some might know that, but that’s the Federal Risk and Authorization Management Program, and very specifically, cloud-based software vendors, right? So a couple of questions there. 

I’m assuming if someone’s listening to us today and they work for a cloud-based software vendor meeting FedRAMP, I’m assuming they will need to meet this, yes? And will the CMMC encompass more than just cloud-based provided solutions, will it be everything or? 

Tony Bai: Yes. So CMMC is designed for everything. It’s protecting government info. 

John Vecchi: Got it. 

Tony Bai: Whether it’s on-prem, to the DOD, whether it’s a web application, or it’s a full cloud service offering, right? Everyone that does business with DOD will eventually need to do this. There is a transition plan that’s outlined in the Interim Rule, the DFARS 7012 Interim Rule that was finalized at the end of November of last year that introduces what that transition plan looks like. 

So, like this first year, they’re only going to designate 15 contracts, that’ll have the CMMC requirement, and then it essentially kind of doubles each year for five years, and at the end of five years, all DOD contracts will have this CMMC requirement rather than just the 171 requirement. So that’s the plan. Obviously, there could be changes and tweaks to that rule as this rolls out, but right now it’s something to prep for and the best way to prep is making sure that you’re compliant with the 171. 

John Vecchi: And if they’re FedRAMP-compliant today, in your view kind of everything you’re looking at with CMMC and ramping up for it, will it be a difficult task for those guys? 

Tony Bai: It shouldn’t be. I don’t see it being too difficult. The thing to remember is FedRAMP and a lot of the other cybersecurity frameworks are system-specific. FedRAMP is about a cloud service offering, a cloud service solution that you offer to the government, right? The difference is that CMMC is about protecting CUI wherever it’s stored, wherever it’s processed, or wherever it’s transmitted. 

So if your data flow — understand the data flow of CUI that’s coming in or coming into the company or being generated by a company — resides within the same boundary as FedRAMP, a lot of your work will be done for you because you already have a lot of those policies, procedures, and controls implemented because of FedRAMP. 

But the minute that you see that CUI is outside of that boundary, you still have to apply those CMMC controls or 171 controls to the information that’s protected outside the boundary because your FedRAMP only covers within the boundary. So that’s why you’re always going to depend on — whether you need to redo the work or apply that work to outside your boundary — each company and how they’ve been able to restrict that government information. 

John Vecchi: Got it. And again, for our listeners, the CUI is specifically the Controlled Unclassified Information, right?  

Tony Bai: Yes, yes. 

John Vecchi: That’s what everyone’s really focused on there, yes? 

Tony Bai: Yep. And sorry for using all the acronyms. It’s just second nature to me now.  

Scott Emo: We love our acronyms, don’t we? Tony, you’ve been talking about the DOD specifically, and this is in contracts that the DOD would put in CMMC. Do you see CMMC rolling out to other agencies, federal agencies as well? Or do you think it’s only going to be companies that are focused on selling to the DOD that are going to be affected by this?

Tony Bai: Honestly, I think it will roll out to the rest. Katie Arrington, who’s essentially the creator of this, is the one who had Grove CMMC created and is always in the news about CMMC. She’s been pushing this over and over again, working with the CMMC Accreditation Body, all of that. Various talks that she has given have said that they are in talks with other federal agencies about adopting this.

My personal opinion? I think it will eventually happen because it offers a trust but verify mechanism that 171 currently just does not have. 171 is self-attestation. It’s just more of the government saying, “Are you compliant with 171?” And the company’s going, “Yep, yep, yep, yes we are.” But who’s doing that independent validation of verification of it, right? 

That’s why DOD did it because they found a lot of companies were saying, “Yep! Yes we are,” but either through an unintentional misunderstanding of how that framework is supposed to be implemented, they truly weren’t protected. And that’s why you have so much of that concern, at least with DOD, about the exfiltration of data. You’ve seen some of these briefings where you look at the new latest Chinese advanced strike fighter or whatever, the last fighter jet, right, and compared to the F23. It looks very familiar. They developed theirs in five years. I wonder how they did that.

John Vecchi: Right. It’s so true. And it’s interesting, right? Because as you’re talking about this now, we’ll have a third-party validation, again at Anitian and I think our two companies have worked together and in full disclosure, right? We automate a lot of this process to really accelerate this FedRAMP today and obviously, we’re all looking at CMMC, but what does the assessment look like? Because it’s third-party validation, what does the assessment and the process look like for companies now looking to have to get certified to this? 

Tony Bai: Well, the actual assessment process is pretty much the same. All of these assessment processes are essentially the same, right? You have a pre-assessment phase where the assessor or auditor is gaining knowledge and information about what they’re going to look at, right? Whether it’s documentation, architectural drawings, and then you set up these interviews.

And then from that, we look at what are the findings or non-conformities, and we notify the company to let them mitigate or remediate those findings. We take that into consideration, write our report, and submit that to whoever it needs to be submitted to. Obviously, with the federal government, we are a third-party assessment organization under CMMC. Actually, last month, we got notified that we were officially designated as an official CMMC Third-Party Assessment Organization, one of the first 20. 

We act as that trusted party, that trusted independent third agent on behalf of the government to make a recommendation, one way or the other, good or bad, right? Given that we’re not trying to play “got you!” with the companies either. We want to be fully upfront, it’s an open book test, it’s just more of, if something’s wrong, we’ve got to be honest about it and provide that information to them because it’s all about risk management, it’s all about the government having the information to make a fully informed decision on whether they’re willing to accept that risk or not based on the pros and cons of the capability that the company’s offering. 

Scott Emo: So, when does all this CMMC stuff start? We’ve been seeing this talked about for over a year. 

Tony Bai: We’re waiting with bated breath, right? This thing is being pushed very fast. To be fair, there’s a lot of criticism about the CMMC and about the implementation of this, right? And how fast they are and whether the information is coming out in an official or unofficial manner, that sort of stuff, right? To be fair, with the CMMC, this is going very quickly.

It’s almost [the] wild wild west. They’re trying to do their best. Is there room for criticism? Probably. Is some of it unjustified? I would say so. It depends on the situation. The latest information that I have, or I’ve seen, is a lot of it is based on the Town Hall they just did last month, that CMMC-AB did. To those parties that are already registered and notified of whether they are professional C3POs, they’re professional assessors, they’ve signed up to be certified assessors, and all that stuff. 

So, my personal opinion about when the CMMC certifications are actually going to start is probably going to be July of this year. This is based on the information that we got from the CMMC Town Hall that the Accreditation Body (AB) held last month. A lot of it is going to be based on the Certified Assessors (CA) becoming available. They’ve already designated C3POs or the organizations that will do the assessments and from the DOD FAQs that just got updated this month, we may actually be issuing the certifications, I’m not sure about that yet. I’m going to see better clarification on that from our aspect on that. 

But for the Certified Assessors, the reason why I say July is the fact that per the Accreditation Body, the training won’t even be available until probably around April through their license training partners that they have in the Marketplace. So that’s where the Certified Assessors will go to get trained on CMMC. And then the beta exams to be certified as a CMMC assessor won’t be available until around May or June at the earliest is what the Accreditation Body is saying. So then if you basically give them a month for potential CAs to test and then get actual officially certified by the AB to conduct these, it probably won’t be happening until July. So that’s just my personal opinion on that. 

Now, again, there’s going to be a huge rush on this. What I would urge companies to really look at is what’s happening because CMMC again isn’t required by the government itself unless you’re bidding on a contract that has that CMMC requirement or you’re a sub to a company that is bidding on it, right? 

Now, that’s not to say that if a company has a lot of subs and they’re just telling all their subs for ease of vendor risk management saying, “All of you have to be CMMC-certified,” that’s a different story, right? But the availability of those assessments is going to be very limited in the beginning because those certified assessors have to be trained. And there’s just only so much capacity to do that especially when they’re just starting the program. 

John Vecchi: Got it. So right now, all of you, those that are going to be assessors, I know Anitian, to partner with you guys on this and others, we’ve just become a certified and a registered provider organization and there are all of these things happening. I think we’d love to hear from you, for providers that are in the supply chain, what do they need to do as next steps? But first, I’m sure what’s kind of interesting is, this isn’t free, right? Is this expensive to do if you find yourself either a main provider or in the supply chain? What should organizations think relative to cost for all this?

Tony Bai: I mentioned the Interim Rule, the DFARS Interim Rule that they finalized on November 30th of last year. It gave the government assumptions on the cost to the economy and to the players in this, right? How much do they estimate the cost based on labor categories or roles, a senior assessor versus staff type stuff? Frankly, I think those were a little bit low. Is this going to be inexpensive? It depends on the level.

If you’re talking like a Level 1, it should be fairly inexpensive. If you’re talking about a Level 3 or higher certification assessment, it’s going to depend. Because again, this is about where the CUI resides. If it’s very pervasive in a corporate infrastructure where it’s everywhere and they haven’t really corralled it properly, just think about it, you have a team of one to three assessors having to look at the entire infrastructure and all the various systems in the corporation and interview all the people that are in charge of implementing security controls for those systems. 

There’s a difference between two or three systems interviewing 20 or 30 people which could be fairly inexpensive to, say, an enterprise-level where you kind of worry about, say, three or 400 people that are in charge of various aspects of security controls, and then it covers about 20 or 30 systems. You’re talking a matter of a couple of weeks of assessment time versus six to eight weeks of assessment time. 

John Vecchi: Yeah. And to expand on that quickly, if you’re a cloud provider that today, say, has FedRAMP certification, and you make a cloud-delivered cloud-based application or software, will CMMC extend into, like you said, it covers cloud on-premise, whatever, is it safe to say for cloud providers who might have FedRAMP certification today focused on their cloud app, CMMC might extend into some kind of on-premise environment or assets that have nothing to do with their cloud app? Is that safe to say? 

Tony Bai: Yeah. Again, it’s going to be based on where CUI is. 

John Vecchi: Okay. 

Tony Bai: [With] a lot of these cloud service offerings you’re talking about, there are specific solutions you’re selling to the government, right? That’s what FedRAMP is. But what about all the ancillary data that is communicated via email or text messages? I’m just throwing stuff out of the air, right? But it’s where that government sensitive information that can classify as CUI is coming into. If it’s not directly limited to that FedRAMP boundary, then you’ve got to apply those controls to your corporate systems that may encounter that information. 

John Vecchi: So for all those software vendors out there that are FedRAMP, you can just see immediately here how the scope of CMMC right, begins to really expand from what these. 

Tony Bai: And those are a lot of questions we’re all asking, right? Because it’s a pain in the butt. It is what it is. Because of the pervasiveness, and there are always those side-channel communications, and CMMC is trying to incorporate that stuff. It’s not a trivial issue to try to tackle. There are various things. Now I know that CMMC does recognize the fact that there are security tools that could help with this and they’re trying to, from what I understand, create some sort of marketplace with pre-approved type products, right?

So if you use these, it’s known that these products will satisfy control X, Y, and Z type things, to help ease that thing. But remember, security is never just a technology solution, it’s also people and processes, and you can’t forget that. I caution companies trying to look for a silver bullet because there really is never going to be one. 

John Vecchi: Great. 

Scott Emo: Well, hey, Tony. I’m going to just switch gears here a little bit and ask, how do your customers typically engage with A-LIGN? How do they get in touch with you guys, and how does that whole engagement work? 

Tony Bai: You’re talking about how they’re just trying to acquire our services. They’ll contact us, we’ll set up those initial discovery calls to say, “Hey, what is it you need and why do you need it?” Right? Because again, we’ve always emphasized that we want to be a partner. I’ve actually had initial calls where it’s like, “…It really doesn’t sound like you need this,” or “You need something different.” And well, I’ll tell you that upfront.

Do we want your business? Yes. But we don’t also want to just do it for the sake of making a dollar. If it’s not going to be of value to you, well, I’ll tell you. If you have an idea of how it needs to work, I’ll give you the pros and cons, right? Because ultimately, it’s a business decision of how the company wants to proceed. 

But it always starts with those discovery calls to say, “What is it you need? Why do you need it? And what can we do to provide for that?” And then from there, we work on timing and resource allocation, stuff like that. Obviously, we can’t reserve people to do these assessments without a signed contract, the normal things, right? We get partner referrals, and if it’s not a right fit for us, we refer it out to various companies and partnerships like Anitian where they can provide that consulting side because we concentrate on the assessment side. 

John Vecchi: Got it, got it. So, it sounds like everybody look, Tony, you and A-LIGN, the team at A-LIGN are definitely there to help with companies that even initially might just want a discussion with you to understand the scope and how it applies to them. And so, for those listening, it sounds like a good first step is to contact Tony and the team at A-LIGN. Certainly, Anitian is involved in this as well, but we work very closely with you. Clearly, you’ve got the expertise and people should definitely take advantage of that. It’s so interesting. And with that, Tony, if any of our listeners do want to get in touch with you or the A-LIGN team, where should they go? Tell them where they should go. 

Tony Bai: Obviously they can always go to our website to www.a-lign.com. We’re out there on the web, you just do a search on CMMC, FedRAMP. We’re on the FedRAMP Marketplace, we’re also on the CMMC Marketplace, which they do have because we’re also a designated C3PO for CMMC, so the CMMC-AB has their own Marketplace on their site which is I believe cmmcab.org, so they can find our contact information out there as well. 

John Vecchi: Look, fantastic. It’s a great discussion, so interesting. This is happening in real-time, there are a lot of details to this, but really a great discussion. Tony, thanks so much for joining us today. 

Tony Bai: Oh, it’s my pleasure. 

About Our Guest

Tony Bai – Director, Federal Practice Lead, A-LIGN
Tony is a cyber professional with 25+ years of experience and expertise in all aspects of cyber operations. He is a cyber security and cyber defense expert skilled in project management, software development, and systems engineering as well as a trusted expert used to developing policy and governance and representing cyber equities at the corporate level.
