CynergisTek’s Director of Security Services, Dave Bailey, sits down with Capability Maturity Model Certification (CMMC) Certified Provisional Assessor Tony Buenger and CMMC Registered Practitioner Robert Teague of Redspin, a division of CynergisTek. Together the group discusses Redspin’s unique position as one of the first 20 organizations accredited as a C3PAO for the DoD, and talks all things CMMC: who needs certification, what certification means, and who can perform a CMMC certification.
DAVE BAILEY, HOST: My name is Dave Bailey, and I’m the Director of Security Services at CynergisTek and, I’m really excited to talk about one of the divisions of our company Redspin, and all the exciting things that are going on at Redspin and certainly topic that’s really just new and exciting to the world of cybersecurity, to the world of certainly the defense industry, and all of the suppliers that do business for the Department of Defense.
I’ve got here with me today two individuals, both just really, really engaged in the CMMC process, and we’re here today to talk about the overall: what is CMMC? So, the discussion today is going to be, what is it? What does CMMC mean? How important it is to the defense industry. And then really, where Redspin is uniquely positioned.
One of the aspects of how positioned we really are in the marketplace is we just received some very, very exciting news, and we’ve been planning for this for a while, but before I get a chance to introduce Tony to you all, Tony’s going to tell us about some of that exciting news that was just announced here for Redspin.
TONY BUENGER: Hi. I’m Tony Buenger. I’m with Redspin. I’m a certified Provisional Assessor here at Redspin, and some exciting news is that we are one of the first 20 certified C3PAOs for CMMC. So, we’re very excited about that opportunity to help secure the defense industrial base.
BAILEY: What does it mean to be a C3PAO?
BUENGER: A C3PAO is, if you’re familiar with the FedRAMP Program, they have their C3PAO, and what that means is [it’s] a Certified Third-Party Assessment Organization (C3PAO).
So, what happened when CMMC came on board/was formed: the CMMC Accreditation Body (CMMC-AB) formed what’s called the C3PAOs to model alongside the FedRAMP Program.
So, when you hear C3PAO, I know it sounds like Star Wars, and there probably will be an R2D2 coming down the road, because, you know, the DoD loves acronyms. You’ll understand that the C3PAOs are certified to conduct formal CMMC assessments on third-party contractors.
BAILEY: That’s great. Yeah, we’re really excited at Redspin with this news because we’ve been paying attention to this for a while, and just a short background: you know, CynergisTek has been around for many, many years, and we’re deep into the cybersecurity and privacy space.
We know how to do assessments in the regulated industries, we have a big presence in healthcare. You know, many other industries as well when it comes to, understanding assessments, understanding what needs to be done from a cybersecurity and privacy perspective.
And a few years back, we had the opportunity [and] as part of our growth to partner under an acquisition, the Redspin family, became a part of the CynergisTek family.
That brought another breath of just cybersecurity experience and assessments, and, offensive security, as well as just overall risk assessments in anything that’s regulated.
So, you know, most of us, both in Redspin and CTEK (CynergisTek), come with years and years of either military backgrounds, Department of Defense backgrounds, [or] other industries, such as the finance industry [or] energy.
So, this is the world we have lived in, and when the announcement came out about this requirement for any supplier that was doing business with the federal government, it was just such an easy, easy spot for us to really say we want to be able to provide the great services that Redspin was doing and extend this into the CMMC space, so we’re really excited about that.
And with that said, I also have another individual with us today, Robert Teague and Robert, pleasure to have you here.
ROBERT TEAGUE: Thank you.
BAILEY: So, tell us a little about yourself, Robert.
TEAGUE: Well, as you can see, I was in the military United States Army for 31 years, retired, and then joined Redspin. We’re now, I’m a Registered Practitioner for the team.
It’s all provisional, obviously, because CMMC is still growing but mainly [I’m] Tony’s assistant for Redspin. [I] help him do the assessments and all that kind of stuff.
BAILEY: That’s great.
Hey, well, so we’ve thrown out a lot of acronyms. We’ve thrown out CMMC, we’ve thrown out C3PAO, so, you know, all this is really about so we can start to have this dialog with the industry, and so really what I want to say is, what really is CMMC, Tony? What is it, and why are we doing it?
BUENGER: Sure. CMMC is an extension of the program that was started in 2017, which is not that long ago, where defense contractors were required to conduct a self-assessment based on NIST SP 800-171.
Well, what the industry, or what the DoD, has noted was that the contractors were not following through on those self-assessments and that they were very, very hollow and they really didn’t have much meaning to them. What the requirement was, was to provide an SSP (System Security Plan) and a POAM (a Plan of Action and Milestones) to the DoD, but it was looking like it really was hollow.
And we’re seeing now that the adversaries are really targeting the defense supply chain. It’s a very lucrative target, and so now the DoD has taken it upon themselves to build the CMMC Framework with a model that ensures, or attempts to ensure, that the defense contractors are taking cybersecurity seriously.
So, as of 2019, the CMMC Accreditation Body, known as the CMMC-AB, was formed to set up a third-party assessment capability. And that’s where you start hearing about C3PAOs and the Provisional Assessor (which I am one of the first 100), where we will provide third-party certification assessments for these third-party contractors.
So, basically what we’re all seeing, if you look at the SolarWinds attack, which affected 18,000 businesses/entities: you can rest assured that many of those are probably third-party contractors that probably have been infiltrated, and that’s a very, very large concern, because the defense supply chain is very target rich. New weapons systems, new IT technologies, very advanced research is going on, and the threat agents are active today. They are actively succeeding, as we’re seeing in the news. And the DoD realized that something needed to be done to ensure that the third-party contractors are taking this threat very seriously and securing at least their portion of the overall defense supply chain.
BAILEY: Tony, you bring up some, certainly, some really good points. I mean, I don’t think anyone can get by today without seeing the gravity of what has taken place.
I know many of us still have friends and partnerships, and co-workers and colleagues that have a close tie to, not only the Federal Government but, [also to] some of these large firms and in areas that were impacted.
And I know that beyond the headlines this was a real impact. It wasn’t just a narrative being played. And I think that, knowing where the accreditation body has established itself and has put forth these requirements, I’m excited to know that we can help along that journey and hopefully get in front of it, and provide due diligence, provide a really good framework that not only just says someone is secure, but puts some teeth behind it, you know, puts an overall certification emphasis behind it.
Alright Rob, I want to ask you a little bit about the roles. You mentioned you have a role in CMMC. You’re supporting Tony, as well as his being a [Provisional] Assessor. So, talk a little bit about your role, and then also just, you know, what do the roles mean?
TEAGUE: Sure. I am one of seven Registered Practitioners with/inside Redspin.
You’ll hear us referred to as “RPs”. We provide advice, consulting, and recommendations to our clients. We don’t do the certified assessments; that’s Tony, and [they] are Certified [Provisional] Assessors. But the main thing that clients need to know about the RPs is that we’re focused on CMMC, we have a basic understanding of its requirements because we’ve gone through their basic training, if you will, and that we follow and practice the CMMC-AB code of professional conduct.
BAILEY: Talk a little bit about why you have to go through some formalized training and what does that bring to the client. Like, what does the certification bring to the client?
TEAGUE: So, the different levels. As you know, Tony mentioned earlier he is one of, I think it’s 70 or 100, that were selected to be the Certified [Provisional] Assessors. So, once they go through training, it starts with the basic training level that I completed, and then it goes all the way through, encompassing NIST, the FAR, and other kinds of requirements that they need to know and understand in order to provide these assessments. So, they are the Certified [Provisional] Assessors.
The Registered Practitioners, on the other hand, because they [the DoD] realized the scope was so big for the Certified [Provisional] Assessors, they needed some assistance, but they didn’t want to open the full, Certified [Provisional] Assessor Program.
So, what they did was hand-pick a few of us to come out, go through the basic training, and just kind of stop there to assist The Certified [Provisional] Assessors in this beginning phase of the CMMC, because it’s still a pilot program, if you will.
And, once we start doing some assessments and Tony and the other CAs start turning in documents and what they found while they were doing the assessments, it will help tweak the process to improve it. And then from there, the Registered Practitioners will be available to move into the other training programs to join Tony and the other Certified [Provisional] Assessors.
BAILEY: Great. Hey, and Tony from a company standpoint, does everyone have to get the same level of certification? Or are there different levels inside the CMMC model?
BUENGER: That’s a very good question. There are different levels. If you really break out that CMMC (Certified Maturity Model), the term ‘maturity’ is based on your level of, really, the stringency of your cybersecurity posture.
So, the way the CMMC model works is based on the kind of the traditional CMMI capability maturity model, I think it’s called institute model there.
So right now, there are only three levels. There are five levels defined, but for this first year, in 2021, there’s going to be two certifications, a level one certification [and] a level three certification.
A level one certification is based on the 15 basic cybersecurity hygiene requirements. They are pretty much your basic, some of your basic, technical controls. Level one is there to protect what’s called Federal Contract Information.
So, if you’re involved with DoD contracts and that type of information, you’re going to need to get the level one certification.
The very important one, the one that’s more time intensive is the level three which is defined as managed, so you have to prove that you’re managing – in a proactive way – your cybersecurity and that consists of all the NIST SP 800-171 controls in addition to some CMMC specific controls that you have to meet to become Level three certified.
The important point there, the difference between level one and level three is level three, those are for the contractors who are processing, storing, and transmitting or exchanging Controlled Unclassified Information, also known as CUI (another acronym for you to remember). So, if you’re a contractor who is processing, storing, transmitting/exchanging CUI, then you will need to get that level three CMMC certification.
Now, an example of a level one with CUI. Many times, those are your outliers. Those are the folks, the contractors who are supplying food to the troops, for example. They’re not necessarily processing or storing or transmitting CUI. They are under contract to supply the troops in the field for the example I’m using here, and we need to keep that information protected, because that could let the adversary know whether we have certain uptick in Military Operations. So, those are the two major levels that will be DoD contractors. There’s about an estimate of 1500 subcontractors that needed to be certified in 2021. And it’s going to be level one, or level three.
TEAGUE: If I could jump in real quick. Also, with the level one assessment that’s really defined as a performing level, which means you’re doing the practices, and the practices that are encompassed with Level one are the typical practices that most organizations are following right now. And they expect 300 to 350,000 organizations out there will require this level one certification.
It’s once you get to the level three, which they define as a managed level, that’s going to encompass the 17 practices from level one along with the 55 from level two, and then another 58. So, you can see where it’s 130 practices total to be level three certified. So, you can see how it builds, in order to protect the information you’re storing.
BUENGER: That’s a very good point. I wanted to elaborate on level two, which we seem to have forgotten about. Right?
And as you correctly pointed out, that this is accumulative. So, to become level three compliant you do have to meet level one and level two compliance. Level two is based on “do you document?”. Do you have documentation? Have you documented your policies and procedures? So, as Robert mentioned, level one you’re just performing. Doesn’t mean that you have your procedures, or anything really documented, but you’re proving that you’re actually performing those controls.
BAILEY: So, hey, we’ve taken in a lot of information, certainly around what is it, what are the levels, what does it look like for lots and lots of companies to have to go level one, and then what it means to have to go level three. Hey, Rob, you mentioned 130 things, right? 130 things is a lot of things to have to deal with, so, from an overall certification perspective, do they have to get 130 things right? What does that certification look like? What is required of those things, and those controls that we’re assessing?
TEAGUE: That’s a great question, because that’s probably a question a lot of CISOs (you know Chief Information Security Officers) have in mind is “do I have to meet all those?” and the simple answer is yes.
If you are going for a level one certification, you must meet the 17 practices that are required. And it’s not just meeting, because when Tony comes out, along with us, the RPs, you have to show us that you’re meeting it, so you have to attest with some type of, we have to witness, screenshots or the actual systems performing those particular practices.
I do want to point out that as you mentioned at the beginning of the sessions, we’ve been planning this for a year. We started a year ago, and we’re just now getting our feet off the ground. So, you can see how long it takes to plan for this. So that’s important for folks that are out there listening right now. Don’t wait to get certified, right?
So, there’s two types of things you can do. If you’re not sure that you can pass those certifications that you have to (the 17 for level 1 and 130 level 3), have an assessment team come out. We’ll come out and do a pre-assessment for you, and let you see where you sit, and then you have time to build that program, and then when it’s time to actually certify, Tony can come out. And then, you’re much more postured, as well as being able to sleep at night knowing that you’re going to be able to pass those certification practices.
BAILEY: Yeah, and if you really look at the amount of companies that we’re talking about here, I mean, this is a critical infrastructure. It’s all the systems that supply materials and services to the federal government. I mean, it’s a very, very critical aspect of overall importance.
And, and I guess, Tony, one of the questions I would ask of you is a lot of these companies we are dealing with, these are not startups. These are companies that have been providing services for a long time and overall, what’s your take of the industry? Are they ready for this? What’s going on, on the other side of the aisle right now, you think?
BUENGER: That’s a very good question, and it’s not easy to answer or, put in quantifiable terms right now because no one has actually been through a CMMC assessment to be certified at this time. So, we kind of have to make an educated guess on who is ready and who is not.
What the DoD has done in the meantime, you may have seen, is the DFARS interim rule that was effective November 30th, which mandated all DoD contractors upload their self-assessment based on NIST SP 800-177 to the system called the Supplier Performance Risk System (SPRS), to get some sense of a baseline to see how ready they may be for a CMMC certification.
So basically, I think the level of readiness is going to depend on the level of CMMC maturity that they need. They are required based on what their contract will stipulate. It’s going to be a level one or level three for 2021. Also, it’s going to determine what their level of readiness is at that given point for that level certification and the resources they have at their disposal to get ready for that certification. And as was mentioned previously, a level three certification is very extensive and it’s very resource intensive. And it’s all going to be based on the level of readiness and the resources that an organization can put into it.
BAILEY: Tony, you bring up a good point. I happen to believe that there’s a lot of companies that have very good programs that are abiding by cybersecurity frameworks and have the right level of expertise, the right technologies to do this. My caveat to that would be there is a difference of doing that on a day-to-day basis and then managing it in a formal way. And I think there’s going to be some opportunities over time now, because unless you get certified, unless you have some third party come in, you have to be able to demonstrate that formalization. And just because you’re doing something doesn’t always mean that it’s formal and that you can prove it, you can demonstrate it, and you can ultimately, show the effectiveness of it.
So, well, while I happen to think there’s a lot of great and sound secure companies, I also think that there’s a lot of opportunities and a lot of work ahead because they have to demonstrate that formalization.
BUENGER: That’s a very good point. I’m glad you mentioned that, because there’s three security controls on that level three certification, and this is amplifying the point that the [DoD] CISO Katie Arrington has said: “It’s not a checklist approach.” So, to really pass the level three, you’re going to have three sets of processes that need to be documented and proven, that your organization has institutionalized these processes. And now, what are these processes? These processes are looking at ensuring that you’ve implemented your policies, that you’ve resourced the plan to ensure that you have a solid cybersecurity program in place and have had it in place for a while.
So, the key point there is, if we come out to assess your organization for level three certification and it looks like you’ve just set up your processes a month ago, that may not pass. That may not meet the criteria for level three to prove that you actually are/do to have managed processes in place and had them in place for a while.
TEAGUE: And that’s a very important thing that you bring up there, Tony, because the same runs on the technical side. You know we talk about playbooks. Playbooks, or run books are very popular in the military. We utilize those across the organization.
So, if you’re doing a level three assessment and we come out and the playbook looks like it was just built a month ago, and the tech team, the engineers, and all the security guys do not understand how to operate that book, you’re probably not going to pass. It has to be in place, fully understood, across the organization. They need to understand what that book does for them, and how to use it.
BAILEY: I’ll go the other way too. I cannot tell you how many organizations we’ve gone into from an assessment standpoint and certainly when we focus on incident response playbooks, they may have a playbook, but maybe it was something that was developed three years ago and in three years there hasn’t been one revision to it. And that would also give another indication that, you know, usually playbooks, have to be exercised, changed, it’s a living document.
You’re all bringing up very good points when it comes to this: it isn’t a checklist. It’s not “Hey, do you have a plan?” “Yup, I have the plan.” It’s, nope, I have the plan, and I can demonstrate to you that we’re doing what the plan lays out [and] we’re able to be effective. We are able to demonstrate that the control is in place, we have the plan, we’re doing what’s in it, and it’s effective in its form. So, all good points.
So, hey, we have a lot of great information on what to expect. We’ve got the requirements laid out. The AB is established, the certifiers are established. We’ve got C3PAOs now being approved for the certification process, and really, we’re getting genned up for the start. The work’s been going on for a while, but we’re almost to the starting line.
And, Rob, I’ve got a question for you. If I was a contractor out there and you know, everyone, I think would like to believe that they’re ready to go, they can be certified tomorrow, [they’ve] got our stuff in place, but let’s go the other side. Let’s say, Hey, you know, what? We don’t necessarily think that we’re ready. What does it look like? If you were the CISO in that company what are the things that you could tell another CISO, these are the things that you can be doing right now because this is coming.
TEAGUE: So great question. First thing is called Redspin.
BAILEY: Bring in the experts, for sure.
TEAGUE: So, that’s number one, but there’s reasons why. The way folks can start preparing now is to go out and look at the Federal Acquisition Regulation, or the FAR clause 52.204-21. Again, the FAR clause 52.204-21.
BAILEY: And, I think, especially for those that may be looking at this, and not even knowing what like 800-171 is, I think it certainly, does require that you know, this is, this is real. It’s a real requirement, it’s formalized, and it’s certainly not going to be something in the future that is just a checklist. It is going to require a third party like Redspin to be able to come in and not only help you, either Redspin can help, or Redspin can certify, and those are things that I think are really important.
And if anybody out there listening or reading this needs help with it, certainly feel free to reach out to Redspin, certainly from an education standpoint, as well as a preparation standpoint.
So Tony, a lot of things that are happening we’re in the final few weeks of 2020, which I think everyone is certainly very excited about putting 2020 to bed and getting to 2021. I actually saw a really crazy t-shirt and it said, “You thought, 2020 was bad, wait until it turns 21 and it starts drinking”. So, I hope, that’s not the case for 2021, but knowing that 2021 is coming, what is coming down the pipe, what are the next steps, not only what are you doing, where do you think this is going as we enter into 2021?
BUENGER: Yes. Exactly. Well, as a part of the Redspin team, we’re ensuring that we’re postured to be ready to ensure that we can do the best possible job for the DoD contractors out there, whether they need the pre-assessment, they need level one certification, or level three certification. We’re ensuring that we’re ready to go on our end.
What I recommend for those, DoD contractors is, first of all, learn the CMMC model and the standards that you need to adhere to. It’s very important that you get that correct. I’m actually talking to some contractors who, believe it’s kind of a let’s start with level one because it’s easy first. Well, if you’re processing CUI period, you gotta be a level three. And, as you recall, in our previous discussion, that level three is cumulative, so you gotta meet level one, and two, and level three requirements for that.
Second, understand your scope. What is in scope within your organization?
That’s going to make it very difficult. If you want to keep your entire corporate enterprise in scope, then you’re going to have to make sure that you’re protecting everything in your environment to that CUI level. So, it’s very important to define your scope; segmenting, developing a secure enclave, is a good idea.
Then, once you do that, do your own self-assessment and figure out if you need, that’s a self-assessment. I’m finding out, so far, a lot of the contractors are opting to go with the pre-assessment to identify gaps. So, this is where a Registered Provider Organization, an RPO, can help you. And once they help you identify your gaps, you can remediate those gaps. Then it’s time to find a C3PAO to actually conduct your formal assessments.
So, really, do your homework and get those things done.
And if you’re one of those 1500 for 2021, do what you can to get ready and hopefully you succeed with your Level one or Level three certification.
TEAGUE: Yeah, and if I can also add on Dave, real quick, they can reach out to the CMMC.org website to find a lot of that information.
The other thing is, as Tony mentioned, there’s only 20 C3PAOs out there. So, don’t be fooled when you Google looking for a CMMC certified organization to assist you, and there’s a billion out there. There’s only 20 that are selected and certified right now, and Redspin is one of them. So, make sure you do your homework, because you may bring somebody in that says they’re CMMC certified, come to find out they’re not, and you’ve spent money and wasted time, and got nowhere.
BUENGER: That’s correct. As of right now, there’s only 20 C3PAOs, and the CMMC-AB is finding out it takes a little bit longer to get the C3PAOs certified. So, there’s more on the way, but right now, in 2021, CMMC-AB is not going to have all the C3PAOs that they plan for. So, it’s going to be very, very tight. When you schedule your CMMC certification, look at the availability of your C3PAO.
BAILEY: All excellent points. And I think there’s a couple of things that I want to take out of this. First and foremost, I’m really glad that I had Tony and Rob be able to educate me and the listening audience on what CMMC is and certainly what to expect. I want to thank you guys for the opportunity to have this conversation today, for sure.
The other thing that I think this potentially points out is there are just as many, still, either questions or unknowns that are out there. I think it’d be really good to, maybe in an upcoming conversation, just really lay out what does a pre-assessment look like? What if I find that company out there that says, yep, I’ve gotta go through this requirement? How can Redspin help? So, I think up and coming we should outline to the audience, this is what a pre-assessment is and the type of services that we can do.
Thanks so much, guys, for bringing your time and attention to this. I know it’s exciting times, Redspin is certainly excited about being selected as a C3PAO. We’ve been involved and engaged in this for a while and building out a practice that we’re excited to launch and excited that we can provide this service to an extremely critical point.
So, once again, Tony, thank you very much for your time. Rob, thanks a lot. Appreciate it, and certainly wishing everyone a safe, healthy, and happy holiday. Merry Christmas. Thank you.