Dave Bailey, SVP of Security Consulting Services at Clearwater, sits down with Rob Teague from the Redspin team to discuss all things CMMC, including what it means to be hand-selected as a Provisional Assessor and Registered Practitioner, the ins and outs of CMMC certification (who needs it and what certification means), and how Redspin, as one of the country’s first 20 organizations accredited as a C3PAO for the DoD, can help Defense Industrial Base (DIB) suppliers achieve or maintain their requirements to do business with the DoD.
Dave Bailey: To begin, tell us a little bit about your role, what your credentials mean, and what training was involved.
Robert Teague: I am a CMMC Provisional Assessor (PA) at Redspin, a division of Clearwater. I have more than 30 years of operational and strategic leadership experience in the fields of information technology and cyber security from the United States Army, and I am also one of many CMMC Registered Practitioners (RPs) within Redspin.
It’s all provisional because CMMC is still developing. I help do the assessments. An RP provides advice, consulting, and recommendations to our clients. We don’t do the certified assessments; that’s the Certified Provisional Assessor’s job. The main thing clients need to know about the RPs is that we’re focused on CMMC, we have a basic understanding of its requirements because we’ve gone through their basic training, if you will, and we follow and practice the Cyber-AB code of professional conduct.
As for the Certified Provisional Assessors, this means I have gone through the basic training level, as well as training that goes all the way through NIST, the Federal Acquisition Regulation (FAR), and the other kinds of requirements that assessors need to know and understand to provide these assessments.
The DoD realized the scope was so big for the Certified Provisional Assessors that they needed some assistance, but they didn’t want to open the full Certified Provisional Assessor Program. So, what they did was hand-pick a few of us as Registered Practitioners to come out, go through the basic training, and stop there, to assist the Certified Provisional Assessors in this beginning phase of CMMC, because it’s still a pilot program and will develop further once CMMC rulemaking is complete.
Q: What does it mean to be a C3PAO?
A: It means an organization is a Certified Third-Party Assessment Organization (C3PAO), a role formed by the Cyber Accreditation Body (Cyber-AB) and modeled alongside the FedRAMP Program.
So, when you hear C3PAO, I know it sounds like Star Wars, and there will probably be an R2D2 coming down the road because, you know, the DoD loves acronyms. But you’ll understand that C3PAO means they’re certified to conduct formal CMMC assessments on third-party contractors.
Redspin’s parent company, Clearwater (CTEK), has been doing assessments in highly regulated industries, and most of us in both Redspin and Clearwater come with years and years of experience from military and Department of Defense backgrounds, or other industries such as finance, healthcare, and energy. When the announcement came out about this certification requirement for any supplier doing business with the federal government, we were very excited about the opportunity to help secure DIB suppliers, because it was already in line with what we do daily and our team can scale as the CMMC program scales.
Q: We’ve already thrown out a lot of acronyms: we’ve thrown out CMMC, we’ve thrown out C3PAO. Let’s maybe throw out a few more and ask: what is CMMC, and how did it come along?
A: CMMC is an extension of the FedRAMP program that was started in 2017, where defense contractors were required to conduct a self-assessment based on NIST SP 800-171. Well, what the DoD noted was that the contractors were not following through on those self-assessments, that they were very, very hollow, and that they didn’t have much meaning to them. The requirement was to provide an SSP (System Security Plan) and a POAM (Plan of Action and Milestones) to the DoD, but as stated, the results were hollow.
And now we’re seeing adversaries targeting the defense supply chain. It’s a very lucrative target. For example, the SolarWinds attack affected 18,000 businesses and entities. You can rest assured that many of those are probably third-party contractors that have probably been infiltrated, and that’s a large concern because the defense supply chain is a rich target. New weapons systems, new IT technologies, and very advanced research are going on, and threat agents are active today. They are actively succeeding, as we’re seeing in the news, and the DoD realized that something needed to be done to ensure that the third-party contractors are taking this threat very seriously and securing at least their portion of the overall defense supply chain.
The DoD has taken it upon itself to build the CMMC Framework with a model that ensures, or attempts to ensure, that defense contractors are taking cybersecurity seriously. In 2019, the Cyber-AB was formed to set up a third-party assessment capability. And that’s where you start hearing about C3PAOs and Provisional Assessors. We will provide third-party certification assessments for these third-party contractors.
Q: From a company standpoint, does everyone have to get the same level of certification? Or are there different levels inside the CMMC model?
A: That’s a very good question. There are different levels. If you break out the CMMC term, ‘maturity’ is based on the stringency of your cybersecurity posture. The CMMC model is based on the traditional Capability Maturity Model Integration (CMMI).
A Level 1 certification is based on 17 basic cybersecurity hygiene practices. They are pretty much your basic technical controls. Level 1 is there to protect what’s called Federal Contract Information (FCI). So, if you’re involved with DoD contracts and that type of information, you’re going to need to get the Level 1 certification. The Level 1 assessment is defined as a performing level, which means you’re doing the practices, and the practices encompassed by Level 1 are the typical practices that most organizations are following right now. An expected 300,000 to 350,000 organizations out there will require this Level 1 certification.
A Level 2 certification is based on 110 intermediate cyber hygiene practices and applies to contractors who store, process, and exchange FCI and Controlled Unclassified Information (CUI). The majority of the DIB and research institutions will need to comply with this Level.
Level 3 Assessment: yet to be defined, but based on NIST SP 800-171 and 800-172.
JSVAP Assessment: until the CMMC rulemaking process is final (expected early 2024), Organizations Seeking Certification (OSCs) can volunteer to participate in the Joint Surveillance Voluntary Assessment Program (JSVAP). The JSVAP is conducted by a C3PAO and the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The assessment evaluates the OSC’s NIST SP 800-171 practices, and successful organizations receive a DIBCAC High certificate that will later be replaced by a CMMC Certificate when the rule is in place.
There are an estimated 1,500 subcontractors that need to be certified under CMMC 2.0 requirements. The majority will more than likely be Level 2 certifications.
Q: What does that certification look like, and how do organizations get started?
A: That’s a great question, because that’s probably a question a lot of CISOs have in mind: “Do I have to meet all of the controls in each level?” And the simple answer is yes.
If you are going for a Level 1 certification, you must meet the 17 practices that are required. And it’s not just meeting them, because when PAs and RPs assess you, you have to show us that you’re meeting them, so you have to attest with some type of evidence. We have to witness screenshots of the actual systems performing those particular practices.
I do want to point out that when Redspin underwent a CMMC Level 3 assessment (CMMC 1.0), we planned it for over a year. We started a year ahead of time. It takes a long time to plan and prepare for this. That is important for folks to know because it also means don’t wait to get certified.
There are two things you can do. If you’re not sure that you can pass those certifications (the 17 practices for Level 1 and 110 for Level 2), have an assessment team like Redspin come out. We’ll come out and do a comprehensive CMMC pre-assessment for you and let you see where you sit. Then you have time to build that program, and when it’s time to certify, we can help get you started with that too. This way, you’re much better postured, as well as able to sleep better at night knowing you’re going to be able to pass those certification practices.
Q: If you look at the companies we’re talking about here who need certification, these are critical companies, and many have been providing services for a long time. What’s your take on the industry: is it ready?
A: That’s a very good question, and it’s not easy to answer or put in quantifiable terms right now, because no one has actually gone through a CMMC assessment to be certified at this time. We have conducted a few Joint Surveillance Assessments, also referred to as JSVAPs. Most organizations tapped to do a JSVAP assessment are ready, but we have had some who think they are, and actually are… What the DoD has done in the meantime, as you may have seen, is the DFARS interim rule, effective November 30, 2020, which mandated that all DoD contractors upload their self-assessment based on NIST SP 800-171 to the Supplier Performance Risk System (SPRS) to get some sense of a baseline for how ready they may be for a CMMC certification.
The level of readiness is going to depend on the level of CMMC maturity they need, which is based on what their contract will stipulate. It’s going to be Level 1 or Level 2 for now. It also depends on what their level of readiness is at that given point for that level of certification, and on the resources they have at their disposal to get ready for that certification. And as was mentioned previously, any level after Level 1 certification is very extensive and very resource intensive. So it’s all going to be based on the level of readiness and the resources that an organization can put into it.
Q: I happen to believe a lot of companies have very good programs, are abiding by cybersecurity frameworks, have the right level of expertise, and have the right technologies to do this. However, just because you’re doing something doesn’t always mean that it’s formal, that you can prove it, that you can demonstrate it, and that you can ultimately show the effectiveness of it if a third party comes in. It’s not a checklist approach, is it?
A: That’s a very good point. We’re glad you mentioned that, and this amplifies the point that the DoD’s CISO Katie Arrington has made: “It’s not a checklist approach.” So, to pass Level 2, you’re going to have three sets of processes that need to be documented and proven, to show that your organization has institutionalized these processes. And what are these processes? These processes look to ensure that you’ve implemented your policies, that you’ve resourced the plan to ensure that you have a solid cybersecurity program in place, and that you have had it in place for a while.
The key point here is, if we come out to assess your organization for Level 2 certification and it looks like you’ve just set up your processes a month ago, that may not pass. That may not meet the criteria for Level 2, which require you to prove that you have managed processes in place and have had them in place for a while. The same goes on the technical side. We talk about playbooks. Playbooks, or runbooks, are very popular in the military; we utilize them across the organization. If you’re doing a Level 2 assessment and we come out and the playbook looks like it was just built a month ago, and the tech team, the engineers, and all the security guys do not understand how to operate that book, you’re probably not going to pass. It has to be in place and fully understood across the organization. They need to understand what that book does for them and how to use it.
This isn’t a checklist. It’s not “Hey, do you have a plan? Yup, I have the plan.” It’s “Yup, I have the plan, and I can demonstrate to you what we’re doing, what the plan lays out, and that we’re able to be effective.”
Q: I think everyone would like to believe that they’re ready to go, that they can be certified tomorrow, but what about those who don’t necessarily think that they are ready? If you were the CISO in that company, what are the things you could tell another CISO: these are the things that you can be doing right now, because this is coming.
A: Great question. The first thing is: call Redspin.
Bailey: Ha, Bring in the experts, for sure.
A: So, that’s number one. The way folks can start preparing now is to go out and look at the Federal Acquisition Regulation, the FAR clause 52.204-21. It’s important to familiarize yourself with NIST SP 800-171, and understand this is real. It’s going to be a requirement, and it’s certainly not going to be something in the future that is just a checklist. It is going to require a third party like Redspin to come in and not only help you prepare, but to educate and certify as well.
Q: A lot of things are happening, and I think everyone is excited about getting into the finalization of CMMC. So, knowing CMMC’s final rulemaking is coming down the pipe, what are the next steps and your recommendations to prepare?
A: The time to assess is now. At Redspin, we’re ensuring that we’re postured to be ready to do the best possible job for DoD contractors out there, whether they need the pre-assessment, Level 1 certification, Level 2 certification, or someone to provide complete Managed Security Services. We’re ensuring that we’re ready to go on our end.
What we recommend for those DoD contractors who the rule applies to is, first of all, learn the CMMC model and the standards that you need to adhere to. You must get that correct. We’ve talked to some contractors who believe it’s kind of a “let’s start with Level 1 because it’s easy.” Well, if you’re processing CUI, period, you have to be at Level 2. It isn’t an easy-to-hard scale; it’s based on the type of data you store, handle, and transmit.
Second, understand your scope. What is in scope within your organization? If you want to keep your entire corporate enterprise in scope, then you’re going to have to make sure that you’re protecting everything in your environment to that CUI level, and that’s going to make it very difficult. So, it’s very important to define your scope; segmenting and developing a secure enclave is a good idea.
Then, once you do that, do your self-assessment. We are finding out, so far, that a lot of the contractors are opting to go with the pre-assessment to identify gaps. This is where a Registered Provider Organization (RPO) can help you. And once they help you identify your gaps, you can remediate those gaps. Then it’s time to find a C3PAO to conduct your formal assessment.
Do your homework and get those things done. And if you’re one of those 1,500 contractors needing certification, do what you can to get ready to succeed with your Level 1 or Level 2 certification.
Redspin is certainly excited about being selected as a C3PAO, and as an RPO to do pre-assessment and remediation work. We’ve been involved and engaged in this for a while, building out a practice that we’re excited to launch, and we’re excited that we can provide this service at an extremely critical point.
If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, contact us.