As a candidate C3PAO undergoing our own Level 3 assessment by the Defense Industrial Base…
Dave Bailey, Director of Security Services at CTEK sits down with CMMC Provisional Assessor Tony Buenger and Registered Practitioner Robert Teague of Redspin (a division of CynergisTek) one of the Country’s first 20 organizations accredited as a C3PAO for the DoD.
Together, they discuss all things CMMC, including what it means to be hand selected as a Provisional Assessor and Registered Practitioner, the ins and outs of CMMC certification covering who needs it and what certification means, and how Redspin’s unique capability as a C3PAO can help Defense Industrial Base (DIB) suppliers achieve or maintain their requirements to do business with the DoD.
To begin, tell us a little bit about your roles, what they mean, and what training was involved.
Buenger: I am one of the first 100 CMMC Provisional Assessors, at Redspin, and we are one of the first 20 certified C3PAO’s for CMMC.
I have over 20 years, of experience in the information technology and cybersecurity industry. Over 15 of those years, I spent working with FISMA compliance for federal agencies. I’ve worked extensively on the NIST CSF and RMF frameworks with many U.S. federal agencies like the DoD, USDA, USGS, and RRB, to name a few. I’ve also led a team planning and implementing NIST RMF at the Pentagon and have performed risk-based security assessments that have provided major Air Force IT systems to make risk mitigation decisions in a responsible and repeatable manner.
So, I have a heavy background working with the Defense Industrial base.
Teague: I have more than 30 years of operational and strategic leadership experience in the fields of information technology and cyber security from the United States Army and am now 1 of 7 Registered Practitioners within Redspin
It’s all provisional, obviously, because CMMC is still growing but mainly I’m Tony’s assistant for Redspin. I help him do the assessments. You’ll hear us referred to as “RPs”. We provide advice, consulting, and recommendation to our clients. We don’t do the certified assessments, that’s Tony job, he is the Certified Provisional Assessor. The main thing clients need to know about the RPs is we’re focused on CMMC, we have a basic understanding of its requirements because we’ve gone through their basic training, if you will, and we follow and practice the CMMC-AB code of professional conduct.
As Tony mentioned earlier, he is currently 1 of 100 selected to be The Certified Provisional Assessors. Meaning he has gone through with the basic training level that I completed, as well as training that goes all the way through encompassing NIST, the Federal Acquisition Regulation (FAR) and other kinds of requirements that they need to know and understand in order to provide these assessments.
The DoD realized the scope was so big for the Certified Provisional Assessors, they needed some assistance, but they didn’t want to open the full, Certified Provisional Assessor Program. So, what they did was hand-pick a few of us, as Registered Practitioners to come out, go through the basic training, and just kind of stop there to assist the Certified Provisional Assessors in this beginning phase of the CMMC, because it’s still a pilot program, if you will. Once we start doing some assessments and Tony and the other Certified Provisional Assessors start turning in documents and what they found while they were doing the assessments, the process will improve. Then, the Registered Practitioners will be available to move into the other training programs to join Tony and the other Certified Provisional Accessors.
What does it mean to be a C3PAO?
Buenger: It means an organization is a Certified Third-Party Assessment Organization (C3PAO) and was formed by the CMMC Accreditation Body (CMMC-AB), to model alongside the FedRAMP Program.
So, when you hear C3PAO I know, it sounds like Star Wars and there will probably be an R2D2 coming down the road, because, you know the DoD loves acronyms, you’ll understand that the C3PAO means they’re certified to conduct formal CMMC assessments on third party contractors.
Redspin’s parent company, CynergisTek (CTEK) has been doing assessments in highly regulated industries and most of us both in Redspin and CTEK come with years and years of experience from military, Department of Defense backgrounds, or other industries such as, finance, healthcare, and energy. When the announcement came out about this certification requirement for any supplier that was doing business with the federal government, we were very excited about the opportunity to help secure DIB suppliers because it was already in line with what we do on a daily basis and our team has the capacity to scale as the CMMC program scales.
We’ve already thrown out a lot of acronyms, we’ve thrown out CMMC, we’ve thrown out C3PAO, lets maybe throw out a few more and ask what really is CMMC, and how did it come along?
Buenger: CMMC is an extension of the FedRAMP program that was started in 2017 where defense contractors were required to conduct a self-assessment based on the NIST SP 800-171. Well, what the DoD has noted, was that the contractors were not following through on those self-assessments and that they were very, very hollow and they really didn’t have much meaning to them. The requirement was, to provide an SSP (System Security Plan) and a POAM (Plan of Action and Milestones) to the DoD, but as I stated, results were really hollow…
And now we’re seeing adversaries are targeting the defense supply chain. It’s a very lucrative target. For example, the SolarWinds attack, which affected 18,000 businesses/entities. You can be rest assured that many of those are probably third-party contractors, that have probably been infiltrated, and that’s a large concern because the defense supply chain is a rich target. New weapons systems, new IT technologies, very advanced research is going on, and threat agents are active today. They are actively succeeding, as we’re seeing in the news, and the DoD realized that something needed to be done to ensure that the third-party contractors are taking this threat very seriously and securing at least their portion of the overall defense supply chain.
The DoD has taken it upon themselves to build the CMMC Framework with a model that ensures or attempts to ensure that the defense contractors are taking cybersecurity seriously. As of 2019 the CMMC Accreditation Body, known as the CMMC-AB, was formed to set up a third-party assessment capability. And that’s where you start hearing about C3PAO’s, and Provisional Assessors. We will provide third party certification assessments for these third-party contractors.
From a company standpoint, does everyone have to get the same level of certification? Or are there different levels inside the CMMC model?
Buenger: That’s a very good question. There are different levels. If you really break out the CMMC term, ‘maturity’ is based on the stringency of your cybersecurity posture. The CMMC model is based on the traditional Capability Maturity Model Integration (CMMI). So right now, there are only 2 levels that will be assessed for certification, Level 1 and Level 3. There are five levels defined, but for this first year, in 2021, there’s going to be 2 certifications, a Level 1 certification and a Level 3 certification.
A Level 1 certification is based on the 15 basic cybersecurity hygiene requirements. They are pretty much your basic, some of your basic, technical controls. Level 1 is there to protect what’s called Federal Contract Information. So, if you’re involved with DoD contracts and that type of information, you’re going to need to get the Level 1 certification.
Teague: If I could jump in really quick. The Level 1 assessment is really defined as a performing level, which means you’re doing the practices, and the practices that are encompassed with Level 1 are the typical practices that most organizations are following right now. An expected 300,000 to 350,000 organizations out there will require this Level 1 certification.
Buenger: The very important one, the one that’s more time intensive is the Level 3 which is defined as managed, so you have to prove that you’re managing – in a proactive way – your cybersecurity and that consists of all the NIST SP 800-171 controls in addition to CMMC specific controls that you have to meet to become Level 3 certified.
The important point there, the difference between Level 1 and Level 3 is that Level 3 is for those contractors who are processing, storing, and transmitting or exchanging Controlled Unclassified Information, also known as CUI (another acronym for you to remember). So, if you’re a contractor who is processing, storing, transmitting/exchanging CUI, then you will need to get that Level 3 CMMC certification.
There’s about an estimate of 1,500 subcontractors that need to be certified in 2021. The majority will more than likely be Level 1 certifications, while the remaining will be Level 3.
Now, an example of a Level 1 are those working with Federal Contract Information (FCI). Many times, those are your outliers. Those are the folks, the contractors, who are supplying food to the troops for example. They’re not necessarily processing, storing, or transmitting CUI. They are under contract to supply the troops in the field (for the example I’m using here) and need to keep that information protected because that could let the adversary know whether we have certain uptick in Military Operations.
I wanted to elaborate on Level 2, which we seem to have forgotten about. I want to point out, that this is accumulative. So, to become Level 3 compliant you do have to meet Level 1 and Level 2 compliance. Level 2 is based on “do you document, do you have documentation, have you documented your policies and procedures?”. As Robert mentioned, at Level 1 you’re just performing. It doesn’t mean that you have your procedures, or anything really documented, but you’re proving that you’re actually performing those controls.
What, does that certification look like and how do organizations get started?
Teague: That’s a great question, because that’s probably a question a lot of CISOs have in mind is “Do I have to meet all of the controls in each level?” and the simple answer is yes.
If you are going for a Level 1 certification you must meet the 17 practices that are required. And it’s not just meeting, because when Tony comes out and along with us, the RPs, you have to show us that you’re meeting it, so you have to attest with some type of evidence. we have to witness screenshots or the actual systems performing those particular practices. Level 3, (the managed level) that’s going to encompass the 17 practices from Level 1 along with the 55 from Level 2, and then another 58. So, you can see where it’s 130 practices total, to be Level 3 certified. You can see how it builds, in order to protect the information, you’re storing.
I do want to point out, we’ve been planning this for a year. We started a year ago, and we’re just now getting our feet off the ground. So, you can see how long it takes to plan for this. That is important for folks to know because it also means don’t wait to get certified.
There are 2 things you can do. If you’re not sure that you can pass those certifications that you have to (the 17 for Level 1 and 130 Level 3), have an assessment team like Redspin come out. We’ll come out and do a comprehensive CMMC pre-assessment for you, and let you see where you sit. Then you have time to build that program, and then when it’s time to actually certify, Tony can come out. This way, you’re much more postured, as well as being able to sleep better at night knowing you’re going to be able to pass those certification practices.
If you really look at the companies that we’re talking about here who need certification, these are critical companies, and many have been providing services for a long time. What’s your take of the industry, is it ready?
Buenger: That’s a very good question, and it’s not easy to answer or, put in quantifiable terms right now because no one has actually been through a CMMC assessment to be certified at this time. We kind of have to make an educated guess on who is ready and who is not.
What the DoD has done in the meantime, you may have seen that the D-FARs interim rule, that was effective November 30, 2020 mandated all DoD Contractors upload their self-assessment based on NIST SP 800-177 to the system called Supplier Performance Risk System (SPRS) to get to some sense of a baseline to see how ready they may be for a CMMC certification.
Basically, I think the level of readiness is going to be on the level of CMMC maturity that they need. They are required based on what their contract will stipulate. It’s going to be a Level 1 or Level 3 for 2021. Also, it’s going to determine what their level of readiness is at that given point for that level certification and the resources they have at their disposal to get ready for that certification. And as was mentioned previously, a Level 3 certification is very extensive and it’s very resource intensive. And it’s all going to be based on the level of readiness and the resources that an organization can put into it.
I happen to believe a lot of companies have very good programs, are abiding by cybersecurity frameworks, have the right level of expertise, and the right technologies to do this. However, just because you’re doing something doesn’t always mean that it’s formal, that you can prove it, that you can demonstrate it, and that you can ultimately show the effectiveness of it you have some third party come in. It’s not a checklist approach is it?
Buenger: That’s a very good point. I’m glad you mentioned that because there’s 3 security controls on the Level 3 certification and this is amplifying the point that the DoD’s CISO Kate Arrington has said: “It’s not a checklist approach”. So, to really, pass the Level 3, you’re going to have 3 sets of processes that need to be documented and prove, that your organization has institutionalized these processes. And now, what are these processes? These processes are looking at to ensure that you’ve implemented your policies, that you’ve resourced the plan to ensure that you have a solid cybersecurity program in place and have had it in place for a while.
The key point here is, if we come out to assess your organization for Level 3 certification and it looks like you’ve just set up your processes a month ago, that may not pass. That may not meet the criteria for Level 3 to prove that you actually do have managed processes in place and had them in place for a while.
Teague: And that’s a very important thing that you bring up there, Tony, because the same runs on the technical side. You know we talk about playbooks. Playbooks, or run books are very popular in the military. We utilize those across the organization.
If you’re doing a Level 3 assessment and we come out and the playbook, looks like it was just built a month ago and the tech team, the engineers, and all the security guys do not understand how to operate that book. You’re probably not going to pass. It has to be in place, and fully understood across the organization. They need to understand what that book does for them, and how to use it.
Bailey: I’ll go the other way too. I cannot tell you how many organizations we’ve gone into from an assessment standpoint and when we focus on incident response playbooks, they may have a playbook, but maybe it was something that was developed three years ago and in three years there hasn’t been one revision to it (usually playbooks, have to be exercised, changed, it’s a living document).
You’re both bringing up very good points when it comes to this isn’t a checklist, it’s not “hey, do you have a plan?” “Yup, I have the plan”, it’s “Yup, I have the plan, and I can demonstrate to you what we’re doing, what the plan lays out, and we’re able to be effective”.
I think everyone would like to believe that they’re ready to go, they can be certified tomorrow, but what about those who don’t necessarily think that they are ready? If you were the CISO in that company what are the things that you could tell another CISO, these are the things that you can be doing right now because this is coming.
Teague: Great question. First thing is call Redspin.
Bailey: Ha, Bring in the experts, for sure.
Teague: So, that’s number one. The way folks can start preparing now is go out and look at the Federal Acquisition Regulation, or the FAR clause 52.204-21.
Bailey: I think, especially for those that may be looking at this, and not knowing what 800-171 is, I think it, requires that you know, this is real. It’s a real requirement, it’s formalized, and it’s certainly not going to be something in the future that is just a checklist. It is going to require a third party like Redspin to be able to come in and not only help you prepare, but to educate and certify as well. I think that is really important.
A lot of things are happening, I think everyone is excited about putting 2020 to bed and getting into 2021. I actually saw a really crazy t-shirt and it said, “You thought, 2020 was bad, wait until it turns 21 and it starts drinking”. So, I hope that’s not the case for 2021, but knowing that 2021 is coming down the pipe, what are the next steps and your recommendations as we enter into 2021?
Buenger: Well, as a part of the Redspin team, we’re ensuring that we’re postured to be ready to ensure that we can do the best possible job for the DoD contractors out there, whether they need the pre-assessment, they need Level 1 certification, or Level 3 certification. We’re ensuring that we’re ready to go on our end.
What I recommend for those, DoD contractors is, first of all, learn the CMMC model and the standards that you need to adhere to. It’s very important that you get that correct. I’m actually talking to some contractors who, believe it’s kind of a let’s start with Level 1 because it’s easy first. Well, if you’re processing CUI period, you gotta be a Level 3. And, as you recall, in our previous discussion, that Level 3 is cumulative, so you gotta meet Level 1, and 2, and level 3 requirements for that.
Second, understand your scope. What is in scope within your organization?
That’s going to make it very difficult. If you want to keep your entire corporate enterprise in scope, then you’re going to have to make sure that you’re protecting everything in your environment to that CUI level. So, it’s very important to define your scope segmenting, developing a secure enclave is a good idea.
Then, once you do that, do your own self-assessment. I’m finding out, so far, a lot of the contractors are opting to go with the pre-assessment to identify gaps. This is where a Registered Provider Organization, an RPO can help you. And once they help you identify your gaps; you can remediate those gaps. Then it’s time to find a C3PAO to actually conduct your formal assessments.
Do your homework and get those things done. And if you’re 1 of those 1,500 contractors needing certification for 2021, do what you can to get ready to succeed with your Level 1 or Level 3 certification.
The other thing is, as Tony mentioned, there’s only 20, C3PAOs out there as of right now. So, don’t be fooled when you Google looking for a CMMC certified organization to assist you, and there’s a billion out there. Although the list is slowly growing, right now there are only 20 that are selected and certified right now, and Redspin is one of them. So, make sure you do your homework. Because you may bring somebody in that says they’re CMMC certified, come to find out they’re not in you’ve spent money and wasted time, and got nowhere.
Buenger: That’s, correct. As of right now, there’s only 20 C3PAOs and the CMMC-AB is finding out, it takes a little bit longer to get the C3PAOs certified. There’s more on the way, but right now, in 2021, CMMC-AB is not going to have all the C3PAOs that they plan for. So, it’s going to be very, very tight. When you schedule your CMMC certification, look at the availability of your C3PAO.
Bailey: Thanks so much, guys, for bringing your time and attention to this. I know it’s exciting times, Redspin is certainly excited about being selected as a C3PAO, and a RPO to do pre-assessment and remediation work. We’ve been involved and engaged in this for a while and building out a practice that we’re excited to launch and excited that we can provide this service to an extremely critical point.
Still interested in more on CMMC from a C3PAO?
Listen to our podcast All Things CMMC from a C3PAO. Dave Bailey, Tony Buenger, and Robert Teague sit down to discusses Redspin’s unique position as one of the first 20 organizations accredited as a C3PAO for the DoD, and talk all things CMMC from who needs certification, what certification means, and who can perform a CMMC certification.