You asked the questions and in this episode, we answer them! This week, Tony Buenger responds to audience questions that were asked during March 25th, 2021’s “Maneuvering Through The Minefield of CMMC” webinar. If you have questions of your own that you would like to submit for Tony to answer on air, please send them to [email protected] and we will try to address them on our next Q&A episode.
LAUREN FRICKLE: Welcome to Cyberspin, the podcast that brings you expert insights to today’s hot topics in cybersecurity, privacy, and compliance for highly regulated industries. Subscribe to Cyberspin on Apple, iTunes, Spotify, or your preferred podcast platform and a transcript of each episode can be found at Redspin.com
Hello, welcome back to Cyberspin. This week, Tony Buenger, CMMC Provisional Assessor, will address you, our listeners, and the audience with a few questions that have come our way. Tony, hi, how’s it going?
TONY BUENGER: Hey, it’s going pretty good, hanging in there. The weather is getting better, especially
LAUREN FRICKLE: Spring is in the air. So, Tony, you’ve been working with CMMC for a while now. Tell us first where these questions are coming from and where you get your answers, or why we should trust your answers.
TONY BUENGER: Yeah, very good question, Lauren. We held a webinar on March 25th that covered how to maneuver your way through the minefield of preparing for CMMC assessments. We got many questions from participants and provided answers on the fly to many of those questions, but we could not get to all of them. Many of my answers come from actual reference documents from the CMMC itself. So, when I go through an answer, I try to the best of my ability to use the current documentation like the CMMC model, CMMC assessment guides, along with some of the latest Town Hall information that CMMC puts out every month.
LAUREN FRICKLE: To my understanding, you’re working through certifying Redspin right now too, right?
TONY BUENGER: That’s correct. Redspin is a C3PAO, certified third-party assessment organization, that is currently scheduled to have its assessment done by the DIBCAC, which is the Defense Industrial Base Cybersecurity Assessment Center. Some of you are aware that C3PAOs must also be certified at CMMC Level 3 to conduct assessments, so we’re currently going through that process.
LAUREN FRICKLE: So you’re speaking on behalf of experience and as an expert, that’s great. Let’s dive right in, shall we?
TONY BUENGER: Sure, I think the first question we got on the web, and I will just go in order with some of these here. The first question we got was “If a company wants to proactively pursue Level 1 certification but does not handle CUI or FCI, how would they scope the effort with no data to protect or segment? Is this possible? Will this need to be a generalized certification of the entire infrastructure?”
Now, this is a very broad question and I’ll paraphrase how I answered that on the web. First of all, there is no certification requirement if there is no FCI or CUI present and if you do not have, or are not expected to have, a contract with the DoD. Now, if you desire to become CMMC certified with no data, then I recommend becoming familiar with CMMC Level 1 requirements, mostly because this question asks for Level 1 certification. CMMC Level 1 is based on DFARS 7912 safeguarding requirements for covered defense information or FCI. So now, if you as the organization feel that it may be required to handle CUI or FCI in the future, then, by all means, a C3PAO can conduct an assessment. A DoD contractor, or in CMMC terms, an organization seeking certification, must be certified by the time of contract award. So, remember, you must be certified at the appropriate level by the time of the contract. So, in a sense, in this case, if you suspect you will be on a future contract where your organization will be storing, processing, and transmitting FCI, then it would be a good idea to plan for CMMC Level 1 certification. Then, by all means, get that process started so you will be ready to go for when you decide to bid. And if you can eventually possibly be awarded that DoD contract that might contain FCI, it would be possible to schedule a C3PAO for a formal assessment for certification if you have met all the CMMC requirements, assuming you will be handling FCI. Once again, you’re assuming that you will be bidding on a contract that would have FCI requirements. So for FCI, it will be straightforward. You just need to meet the 17 CMMC Level 1 practices for basic cybersecurity hygiene, which are based on those DFARS 7012 safeguarding requirements that I just mentioned earlier. So, to say that again, as I said, you know, you just need to meet 17.
I don’t want to make it sound that easy, but that’s what I would recommend doing if you feel that you will be a part of some contract in the future that requires the protection of FCI.
LAUREN FRICKLE: Yeah, that was great. I think we should just roll right into the next question.
TONY BUENGER: OK, the next question that we received, and I did my best to answer on the fly during the webinar, is: “Is there a more detailed list that can help a company decide if they should be Level 1 or Level 3?”
This is related to the previous question but from a little bit different perspective. So basically, once again, the contractual requirements will dictate the level of certification, whether security Level 1, maturity Level 3, or maturity Level 5. You know, there are five maturity level certifications. Right now, only two are defined, Levels 1 and 3. Level 1 is for FCI and Level 3 is for CUI. So basically, that’s step one: understand what your contractual requirements are. If you are considering bidding on a contract, I recommend the contracting office review the RFI or RFP to determine the certification requirements, the defense clauses. We’re not going to get into those clauses in detail, but hopefully many of you are familiar with the 7012, 1970, 7021. You know, they may be spelled out in those contracts, but if you don’t know what contracts you may be bidding on, you can look at the services that you would be providing to the DoD and determine if you are storing, processing, or transmitting FCI or CUI. So, this goes along with this question. And as you do that, be sure that you have a clear understanding of FCI and CUI. You know, as an intuitive example, if you are manufacturing parts or handling blueprints for those parts, then rest assured you are handling CUI and you can expect to be required to obtain CMMC maturity Level 3 to protect it. FCI, on the other hand, can be tricky, and an intuitive example of FCI would be auxiliary services such as food delivery to deployed military forces or janitorial services on a military installation, just to name two. However, there may be some cases where that food delivery service may come into contact with FCI, and this is where understanding your contractual requirements comes into play. So while you think you may be Level 1 only, you may find yourself delving a little bit more into potentially handling or coming into contact with CUI, and maybe you would need a CMMC Level 3 certification.
So after such a long story, there is not a specific list that you can go to for finding out which level of certification you may require. However, in the meantime, I recommend becoming familiar with NIST 800-171A, the CMMC model version 1.02, and the two published CMMC Assessment Guides, one for Level 1 and the other for Level 3. Along with that CMMC model document, that may help in understanding requirements for each maturity level. So once again, that was a mouthful. Get those documents and understand them too, so you understand the definition of FCI and how to protect FCI, along with the definition of CUI and how to protect CUI.
LAUREN FRICKLE: I will note, in relation to that question, folks can visit our website Resource Center at www.redspin.com where we reference a lot of those resources that you just mentioned, Tony, as well as a recording of our webinar that you are referring to. So again, please visit www.redspin.com and hit the resources tab. Now onto question number 3.
TONY BUENGER: Sure, and this is also related to understanding what level of certification an OSC or DoD contractor may need. So we’re detecting a pattern here. We’ve got many questions with respect to that, so the actual question that we received during the webinar was “My organization does not handle CUI; do I still need to be certified at Level 1?” Once again, going back to the previous question, I would say yes. If you know for a fact that your company does not or will not store, process, or transmit CUI but you will work with FCI, which will be more than likely, then your company is required to meet the 17 CMMC practices for basic cyber hygiene, also known as maturity Level 1 certification. So keep in mind that the DoD specifies the required CMMC maturity levels in the contracts through requests for information and requests for proposals, also known as RFI or RFP. It’s not the only method, but I recommend that you understand which contracts you are currently a part of and any contracts that you will be a part of in the future, that you may be bidding on and win the award.
LAUREN FRICKLE: OK, and we have time for one more question, Tony.
TONY BUENGER: Sure, I got a very good question. I got a question concerning that NIST SP 800-72. So the question is, in the resources (the person providing this question is referring to the resources slide in the webinar), so in the resources, why wasn’t NIST SP 800-172 mentioned? That is a very good observation. In this webinar, we discussed primarily the two available certifications, CMMC Level 1 and CMMC Level 3. There is no CMMC Level 5 certification at this point. So why do I mention CMMC certification Level 5? Well, that’s where NIST SP 800-172 comes into play. So this SP 800-172 was recently published; it’s been out there for public comment in draft form. But it has not been officially incorporated into the CMMC model and the CMMC assessment process. This guidance is expected to be required for CMMC Level 4 and Level 5, which focus on the protection from advanced persistent threats, also known as APTs. So in the webinar, we intentionally did not discuss specifics on CMMC maturity model Levels 4 and 5, since those levels are still evolving and haven’t been published yet. Speaking of that, the CMMC Assessment Guide for Level 5 isn’t published that I’m aware of. I have not seen that formally published, and I suspect that you will see NIST 800-172 requirements providing a foundation for those practices within Levels 4 and 5. So, the bottom line is that I suspect we will see the incorporation of NIST SP 800-172 requirements when the formal Levels 4 and 5 guidance is published. Now, there may be some 800-172 requirements at Level 3, but we’ll see. We’ll see once the next version of the CMMC model comes out, so I hope that answers your question there concerning SP 800-172.
LAUREN FRICKLE: Tony, great. It looks like we are out of time for the day, so thank you so much for your guidance and expertise, and we will be back with another Q&A episode like this soon.
TONY BUENGER: Great, I hope this was helpful to you out there listening, and if you have more questions please email them to me at [email protected]. And for those who haven’t memorized my last name yet, it’s BUENGER, so [email protected], and we’ll do our best to respond in our next Q&A episode. So once again, thanks for listening. See you next time.