Getting CMMC Right: Scope, Budget, and Certification Tips
Jara Rowe: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host Jara Rowe giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Hey, friend, you know on The Tea on Cybersecurity, we really like to break down these confusing cybersecurity topics. On this episode, we're going to dive into something that's especially critical if you would like to work with the federal government, CMMC. Is this something you've heard of before? If not, or even if you have, we are definitely going to dive into that on this episode. We'll talk about what CMMC actually means for your business, how to get prepared, and why waiting may potentially cost you. Let's dive into it with our expert Tom.
Tom Greco: Thanks, Jara. Hi, everybody. Tom Greco. I've been in infosec, cybersecurity for a long time, 20-plus years. Interestingly, when we're here today talking about CMMC, which is a DOD regulation, and I started with the DOD actually, way back in the mid-90s, working for the Department of the Navy in Information Warfare Center in Norfolk. It was fun times back then, the '90s were a little bit more wild. Didn't have a lot of regulation on these things back then and nobody knew a whole lot about it to tell you the truth. It's interesting to see how far we've come. Over the years, I've had the fortune or misfortune to work in several regulated industries. Obviously, the government. I've worked also in financial services, healthcare, and just public companies in general. Being in regulatory environments is not foreign to me. This is the new frontier with CMMC.
Jara Rowe: Yeah, I'm so excited. I'm assuming everyone here has heard CMMC at some way, shape, or form. But for those that are new to this topic, what does CMMC stand for and why was it created?
Tom Greco: Well, CMMC, we got to go back. Let's do some history. There's this concept or the framework called the NIST 800-171, which is about protecting controlled or classified information in non-federal systems, so contractors. That has been enforceable, compliance with the NIST 800-171 has been enforceable actually since December 2017. And it's evolved over time. First, it was compliance. Then in around 2020, they added the requirement that you had to self-assess and put your assessment scores into the SPRS, that was 2020-ish. Now we fast-forward now, we have CMMC, which is cybersecurity maturity model, capability model, it's really putting teeth behind the NIST 800-171 compliance by upping the compliance requirements and the attestation requirements. At the various levels, there's different assessments that you have to do, as well as you have to get third party audits on top of that. It's not just self-assessment anymore. The evolution is natural, with the evolution of the threats and risks that we face today, especially in cybersecurity. It's certainly not going backwards. It's an arms race that's just going to keep getting worse and worse I think. CMMC was developed for that reason. The CMMC is the cybersecurity maturity model certification.
Jara Rowe: Okay.
Tom Greco: It's the NIST 800-171 into a program that bolsters the compliance by not only requiring the SPRS assessment and score, but the third party attestations.
Jara Rowe: Okay, perfect. All right, let's go ahead and move into trying to clear the confusion a little bit more. I know you were mentioning how CMMC is definitely buzz-worthy right now. What are some common misconceptions about CMMC that you encounter, or how do you address them?
Tom Greco: Well, I don't call them misconceptions.
Jara Rowe: Okay.
Tom Greco: I think the attitude towards CMMC has been, up until now, a wait and see. I think there are a lot of folks who thought it wasn't going to come to fruition. Or if it did, it was going to be watered down because how could they really do these, and pass all these laws, and have everybody do all these things? Completely losing their entire supply chain. But it's not, it's there now. Also, I think compliance with the NIST 800-171 has been enforceable since 2017 is something that people didn't I think take seriously, because there was no teeth behind it. I think that's one way to look at it. People have to look at it from two perspectives. One is in June, when the requirements are going to go down to the contracts, it's not going to require certification at that point, but you need to be prepared for that. I think don't pump the brakes on going for certification even now. Because one, it's going to come up quicker than you think. It always does because everybody always has conflicting priorities. Getting through your own self-assessment as well and certification audit, it takes time, and effort, and money. But also, the other thing is you could actually have a certification requirement flow down to you if you are a subcontractor to a higher level contractor. They could require you to become certified earlier than what the government says because that's their business. They're a private business, they can do whatever they want.
Jara Rowe: Right.
Tom Greco: They can require one from their subcontractors. Make sure you understand those contracts you have, relationships, especially if you're a subcontractor, but don't wait.
Jara Rowe: If a company is starting from scratch, what's a realistic timeline for getting ready?
Tom Greco: It all depends on scope, so let me say it this way. The very first thing you need to do is go through a scoping assessment. There's a scoping guide that's available that will allow you to understand what your requirements could be. This is true for any regulation or any compliance effort, because you don't want to over-scope. Because you don't want to have to apply controls, and spend effort, and time, and money in areas that you don't need to, but you also don't want to under-scope because that has its own risks. If you go through your scoping exercise, especially with CMMC, you're going to identify all your data flows, you're going to identify there are several asset types that are defined specifically with the CMMC scope. You'll start looking at how that lays out in your current environment. I think in most cases, people realize they need to do some kind of minimization, some kind of segmentation, so they can contain the blast, contain the scope to just a certain area of their infrastructure and of their operations. Scoping is key. Once you do that, then if you've sufficiently designed they call it, the buzz term is enclave.
Jara Rowe: Okay.
Tom Greco: This area where you're going to do all your CMMC CUI work. The effort could be a lot less if that's something... There are companies that you can outsource that to these days. If you're going to build your own, build versus buy is your decision point there. So that when you go back to what's the effort, it's tough to say unless you know your scope.
Jara Rowe: Okay. When it comes to scoping though, how should a business approach this and are there any tips that you would have for them to make it feel less daunting?
Tom Greco: If you don't know what you're doing, I would definitely get help. Definitely bring in a subject matter expert. Scoping itself, it's not highly complex, but there are definitely nuances that you have to understand. Especially when you start talking about not just the specific assets, and systems, and networks that are going to be processing, storing, and transmitting CUI, but getting in and out of those areas also has some implication to your scope. For example, there's this concept of the contractor risk-managed asset, that's an asset type. It's an asset type that isn't intended to process, store, or transmit CUI, but isn't prevented from doing so. It's somehow tangentially connected to the rest of the scope that is going to be fully assessed. The way the rule is written is that controls around those assets still need to be documented in your system security plan, but they aren't going to necessarily be directly assessed when the C3PAO comes in to do the audit. Unless they don't like how you documented the controls, then they can start doing some limited examination of those assets. It's those kinds of things that, if you don't really understand what those are and what the implications are, that you could under-scope, I see in this case. And maybe leave something out, and then you get to the finish line and you get your audit done, and you realize there's a whole class of things that you didn't consider. Just one example of why I say get help if you don't know what you're doing. This isn't one that you want to get wrong. Things like HIPAA for example, for the most part, unless you're going to get a letter of attestation from a third party, no one's going to come and audit you unless something bad happens. Now, that's certainly a time where you don't want to find out that you didn't do something correctly.
Jara Rowe: Right.
Tom Greco: But with CMMC, if you don't get it right, you don't make money. You're not going to be awarded contracts. Yeah, I think that's why I'd say scoping is the most important thing.
Jara Rowe: Perfect. You mentioned CUI a couple times then. What is that exactly?
Tom Greco: It's an acronym controlled unclassified information.
Jara Rowe: Okay.
Tom Greco: It's information in various types, and there's a catalog of the different types. But it's information that the government doesn't deem classified, so in the actual federal classification system, secret, top secret, et cetera. But it's [inaudible] enough that it warrants specific control.
Jara Rowe: You mentioned earlier about there being different levels of CMMC. You went through one, two, and three. But does scoping have anything to do with levels?
Tom Greco: Yeah, in your scoping exercise, you can determine your level. But also, the DOD contract will also specify exactly what level you will need to be compliant at based on the contract.
Jara Rowe: Perfect. Let's talk a little bit more about the preparation and everyone's favorite topic, budgeting. For companies on a tight budget, is there a secret sauce if you will to prepping for their required level?
Tom Greco: If you're on a tight budget, and I don't know, that shouldn't correlate to the size of your organization. But it's a tough one because again, because this is tied directly to contract award, or if you're a sub for a prime that's direct to the DOD contract, there's no shortcut. If you're a smaller company and you're just getting into this, and maybe your level of maturity overall on your security program is low because you just haven't been forced yet to build those kinds of capabilities, there are ways that you can phase through gap assessments and prioritization of remediation of the ways you can phase the controls in. That's really a decision for organizations to say, "Well, depending on my budget, I'm going to have these phases over this timeline." You may push your ability to be awarded contracts down the road simply because you can't do it all at the same time. Even if you have all the money in the world, it doesn't mean you can suddenly implement all the controls and close all the gaps that you need to close in a certain amount of time, unless you're really, really super focused on it and that's all you're doing. I think it's really tough in this case because it is, it depends on how quickly you need it. If it wasn't tied to being awarded contracts, those are different things. If you're trying to reach audit compliance or HIPAA compliance, those kinds of things. Otherwise, you're more free to set your own timeline and that then defines budget.
Jara Rowe: Right, right. You have already given us a few tips and everything, about prepping and things like that. Is there anything that you would have someone do right now to get ahead of this?
Tom Greco: Do the gap assessment against the 800-171. The 800-171 is very prescriptive. There are assessment tools and spreadsheets, if you're using a GRC, everybody has this framework in the GRC. If you're using a Secureframe, or Drata, or Carbide, you can pull it into your GRC tool and use that as a guide. There are spreadsheets you can download from the DOD and other private companies that give you a little gap assessment. You can set your status on each item, and chart it out, and do all those good things that you do in any other gap assessment. Do that now and at least start prepping for closing gaps. Forget about CMMC at this point, just close gaps. If you have an existing certification, if you have an ISO 27001 certification, or if you have a SOC 2 certification, those things will help because you can grab those controls over to the NIST 800-171. That's the other thing about all these frameworks, that regulations and compliance efforts are tied. They all overlap significantly. To go a step further, if you're using a GRC tool to manage that compliance, most of them, you can copy those controls over and you can add the ISO or the NIST framework, or the CMMC framework. Copy those controls over and that'll help spit out the gaps really quickly as well. But work on gaps.
Jara Rowe: Speaking of assessment, you did talk a little bit more about self-assessments and third party assessment a little bit ago. What is the difference between the two, self-assessments and third party assessments? Then when are each of those required?
Tom Greco: The self-assessment specifically against the NIST 800-171 is required at level two and up. What it means is that you are formally assessing yourself against those 320 assessment objectives that I mentioned before. If you pull down one of these gap assessment tools, spreadsheets, whatever, it'll show you explicitly. Or if you just download the specification itself, it'll say this is the control. Then this control, there may be two, three, four, five, six assessment objectives for that control. Your self-assessment is literally you going through and attesting that you cover every one of those objectives. That results, there's the SPRS which calculates a score. You have to achieve a score of 110 because that's the number of controls, the top level of controls that are in the NIST 800-171. But as you go through and you do your self-assessment, you'll strive to achieve that score. It starts out at a minus 202, and it goes up and up and up and up, and eventually into the positive. Then it goes up to 110, when you've achieved compliance against all those things. Then a senior executive of your organization has to then go into the SPRS and make their attestation.
Jara Rowe: Okay.
Tom Greco: "We attest that we are compliant." That's very compliant, because management needs to take ownership of that. That helps drive prioritization as well. That's the self-assessment. Then, yeah, in most cases, level two, you're going to have to engage one of these third party assessors to come in and do the independent audit. They're essentially going to do the same thing. Go through every one of those assessment objectives and they're going to test you. They don't typically do a full operational audit, but they're definitely going to do operational testing and walkthroughs. It's not just a documentation review. They are actually going to validate that the controls are operating effectively. Depending on the result of that is how you either get your certification or you don't.
Jara Rowe: Right. Then you also mentioned the C3PAOs. I don't know if we gave what that stood for? I know it's another acronym. What does that stand for?
Tom Greco: Yeah, certified third party assessor organizations. They're organizations who have achieved the certification by the DOD to go out and do these certifications. You can't just hire anybody. There's an organization, independent organization, that manages all the directories of all the different certified people that have anything to do with CMMC. The C3PAOs are part of that. There's cyberab.org, they have a directory of all those folks who are accredited. As well as individuals who may be just considered... I'm considered a registered practitioner. That doesn't mean I can do certifications, but it means that as a consultant, I would help organizations perform their gap assessments, help them create system security plans, help them facilitate their self-assessments. I could even sit in on the audit meetings when the C3PAO comes in to test it, if they wanted. It's not that that designation is the only one, or that you have to have it for those things, but the organization, I would think you'd have a higher level of trust with the organization. There's a registry of the registered practitioners, as well as the C3PAOs out there. And a lot of other information as well.
Jara Rowe: You said that was cyberab.org?
Tom Greco: Yeah.
Jara Rowe: Okay, all right. I know how important it is for maintaining compliance and continuous cybersecurity. Once someone is CMMC certified, how can organizations maintain their compliance with CMMC over time?
Tom Greco: I'll say this and this is really independent of CMMC. You have to have a compliance program. You have to have folks that are not necessarily dedicated, but are focused on making sure that you do understand all things that you have to do and in what timeline you have to do them. If you're not implementing management controls assessments throughout the year, they have to be at least some that are there making sure that things are operating and that you're maintaining the evidence of their operation. A GRC tool can help a lot in that respect. It's what we were talking about before, because it not only gives you a framework within which to do that, but it'll help trigger you when certain things, actions have to be performed. And in a lot of cases, there are integrations between the GRC tool and the other tools, like your identity tools or your endpoint security tools, et cetera, that will monitor those things for compliance. You'll have the evidence of compliance, and also it'll help alert you if things are going south.
Jara Rowe: All right. Another thing that I have learned about cybersecurity and compliance is that it truly is a team effort, and it is top-down. But achieving compliance isn't just about checking boxes. How can organizations foster collaboration across departments to succeed in CMMC or any other framework that they would be going after?
Tom Greco: It's a cliché, but the most effective tool is just someone at the top, making sure that senior leadership understands requirements. In this case, when we're talking about regulatory requirement, the legal department is the first line there. They need to understand an organization's regulatory requirements and obligations, and they should be flowing that through the organization through senior leadership to make sure that all that need to happen are happening. Now, with the CMMC, there's that extra kick that CEOs are going to care about because if they don't have their certification, they don't get contracts. That's another motivator. But still, it's someone at the top and making sure that that flows down so people have the right prioritization, budgets, et cetera, to do the things that they need to do. I've been in organizations and I've been in the specific position myself too, where you feel as though we're working really hard to do this because we know it's important. You're trying to manage your own priorities and it's tough for folks to do that, especially when you get down to the engineering level. I think just assuring that your organization has that right senior leadership direction, understanding and direction, and keeping them informed. You always need to lead up, because those are the types of things that will help you if you do need priority to get something done, if you do need that collaboration, if you need money specifically or anything else. Don't hesitate to lead up either.
Jara Rowe: That's very true. One of the tips you gave us a little bit ago was to find someone to help you, get an expert. I think it would be amiss if we did not talk about ourselves. How can Trava assist an organization from a compliance standpoint with CMMC or anything else?
Tom Greco: Yeah. Well, specifically with CMMC, we help our clients with first and foremost, that scoping engagement. We help them navigate the complexities of scoping, and then identify those opportunities for them to limit that scope. Options on how we can make it easier, and faster, and cheaper for you. Then we go right into gap assessment. We'll perform the gap assessment for you. We'll create a remediation plan with recommendations. We'll assist you in developing, there's some requirements, you have to have your system security plan. That's a fairly comprehensive document, so we'll assist in creating system security plans and managing what they call plans of action and milestones, or POA&Ms, you'll see that term thrown out there. Managing that and making sure that those things are closed as well, so helping you track and monitor those. Basically, everything up to getting you through your self-assessment for the first time. Then coordinating with the C3PAO if that is part of your requirement, so you can get that audit performed. That's really on the advisory, consulting side. Trava also has a great offering called compliance-as-a-service. That's really an augmented compliance department for you, with a GRC thrown in.
Jara Rowe: Yeah, that's fantastic. Okay, Tom. We've covered a lot of information. I've taken a page-and-a-half worth of notes here. But if there is anything else that you would like to hit home or stress, what would it be?
Tom Greco: Don't wait. Get your scoping done and start those gap assessments, even if you're not ready to engage third parties. There's no downside to it. NIST 800-171 is a nice comprehensive framework against which to define and measure your security program. It doesn't matter if you need to get CMMC certified or not. There are other frameworks obviously as well, but it's a good one, so use it. It does apply in a lot of cases. It applies obviously for CMMC, but it also applies, for example, in the joint certification programs. JCP is another DOD program that it's for folks who aren't necessarily working on DOD contracts, but they want to have access to DOD unclassified technical data. Like blueprints and specifications, those kinds of things. Maybe you're doing pre-contract work on something that you're developing for the Department of Defense, so you need some information or to do prototyping to collaborate with other folks. You have to do a NIST 800-171 self-assessment for that and put it in SPRS. Plus, you're already required to do it anyway. If you are handling CUI already, it's already enforceable that you do your self-assessment and get it into SPRS. Do that.
Jara Rowe: Tom, thank you so much for joining me. Your time and expertise are really valuable. I appreciate it.
Tom Greco: Fun stuff. Thank you.
Jara Rowe: Now that we've spilled the tea on CMMC, it's time to go over the receipts. It looks like CMMC has been a bit of a mystery or a wait until now, just until recently, maybe the end of 2024. Let's go ahead and get into what I took away from the conversation. Receipt one is what does CMMC even stand for? It stands for the cybersecurity maturity model certification. CMMC is a Department of Defense framework that is based off of the NIST 800-171 framework. Another main thing that I took away is that CMMC has different levels. There's level one, level two, and level three. With level one, that focuses on the protection of federal contract information. Level two protects controlled and classified info, along with everything that level one does. And level three protects the info that has impact on national security. There are different businesses that may need different levels, and Tom also said that you figure out what level makes the most sense for you during a scoping exercise. Another receipt that I have is actually a resource that Tom talked about, which is cyberab.org. They have a lot of different information, including important things and downloads for CMMC. If this is something you are looking into, I would start with cyberab.org. And the final receipt from this episode. Tom's advice is to start now. If you want to work with the DOD, CMMC is not optional, it's mandatory. It's something that you have to do. It's important to go ahead and get all of your ducks in a row, find someone that can help you, and get things rolling. That wraps another episode of The Tea on Cybersecurity. Thank you! That's The Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow where you get your podcasts.
DESCRIPTION
Think compliance is just an IT problem? It’s a revenue problem, too. Without it, some contracts will stay out of reach.
In this episode, Jara Rowe talks with Tom Greco, vCISO at Trava Security, about what companies need to know about the Cybersecurity Maturity Model Certification (CMMC). It’s a Department of Defense requirement that verifies whether companies are securely handling Controlled Unclassified Information (CUI). Tom Greco explains what CMMC involves, how scoping affects your readiness, and how to maintain compliance over time. In short, if you want to win or keep federal contracts, CMMC compliance isn’t optional.
Key takeaways:
- What CMMC is and why it exists
- The importance of accurate scoping
- Tools and tips to maintain CMMC compliance
Episode highlights:
(00:00) Today’s topic: What is CMMC?
(02:20) What CMMC means for your business
(06:05) The nuances of scoping
(10:07) How contracts set your CMMC level
(13:44) Self-assessment vs third-party audits
(17:36) Maintaining CMMC compliance over time
(22:17) Perform gap assessments ASAP
Connect with the host:
Jara Rowe’s LinkedIn - @jararowe
Connect with the guest:
Thomas Greco’s LinkedIn - @thomas-greco
Connect with Trava:
Website - www.travasecurity.com
Blog - www.travasecurity.com/learn-with-trava/blog
LinkedIn - @travasecurity
YouTube - @travasecurity