S1 E4: CMMC: The Requirements, Challenges, and Benefits
Jordan Eisner: Welcome to Compliance Pointers. I’m your host, Jordan Eisner, VP of Sales at CompliancePoint. If you’re not familiar, CompliancePoint is a mid-sized consulting firm that helps organizations reduce risk by maturing data security and privacy operations.

Today, we’re talking about CMMC, or the Cybersecurity Maturity Model Certification. I’m joined by Chris Abacon, a Security Consultant in our cybersecurity group. Chris, tell our listeners a little bit about yourself.

Chris Abacon: I’m Chris Abacon. I’m a 10-year Navy veteran with a background in IT. My journey in IT and the Navy has allowed me to explore a gamut of diverse roles, from Navy Blue Team Analyst, which involves safeguarding networks against cyber threats, to Tactical Network Engineer, which helped me hone my skills in edge computing and in challenging austere environments. In the latter years of my naval service, I became an IT manager, where I led a team of amazing sailors in supporting a maritime operations center and its information system accreditation.

Since then, I’ve transitioned into the civilian sector, where I’m blessed to work at CompliancePoint as a security consultant, where I continue to address clients’ complex security challenges and leverage my experience to provide guidance and insight.

Jordan Eisner: Thank you for that, Chris. So, like I said, we’re talking CMMC, which is a cybersecurity certification organizations need to hold in order to work with the Department of Defense, right, the DOD.

Chris Abacon: Right.

Jordan Eisner: And so, we’re going to explore the requirements to achieve certification. We’re going to talk about some of the challenges organizations can expect along the way. We’ll get into the benefits of CMMC certification.

But before we do any of that, really, my first question, or from what I’ve seen of it, is it was all ready to start and get going, and then there was a pause, and perhaps it started again. But it seems like maybe in the marketplace, there’s a little bit of uncertainty as, you know, is it a hard fast? We’re ready. You know, it’s here. You can get certified. You know, what other requirements might come out of it? Where does it sit, ultimately, I guess, is what I’m asking, you know, for our listeners today. It almost seems a little bit fluid. How would you describe or preface that before we get into some of the questions about meeting the requirement or getting certified?

Chris Abacon: So I do want to preface with, as of November 22nd, this year, 2020, which was last week, the OIRA, which is the Office of Information and Regulatory Affairs, has actually completed their review of nine CMMC model documents, which clears the way for publication. So this means that the rule, CMMC rule, could be published soon, really, as early as mid-December, but really, we’re not really sure, given it’s the holidays and things of that nature, right?

So that being said, I predict a phased rollout of CMMC. So certain contractors, more likely to contractors that have a high-risk, high-priority mission, will probably be more likely to have to adhere to the rule. But as it stands right now, it’s still notional.

Jordan Eisner: Understood. Is it something that, in your experience, and I know this is a little maybe off-script, but in your experience, organizations are readying for, preparing for, so when it is officially out, I mean, they’re ready, they’re ready to go? Or do you find that maybe companies are waiting for the direction, right, on maybe new requirements and things before they start the legwork on it?

Chris Abacon: I mean, really, in my honest experience, more companies are actually more willing to wait than to actually be proactive on cybersecurity accreditation, right? Because a lot of companies don’t look at cybersecurity as really affecting their bottom line at that point in time, right?

So until it does affect that bottom line, right? Until it says, hey, you need to have this contract in place, or you need to have this in place to gain this DoD contract, you know, that’s when companies start getting their stuff together.

So definitely recommend getting ahead of it. But historically, I’ve seen a lot of companies, I’ve seen a lot of, you know, even organizations within the DoD, right? They’ll wait till the last minute because it’s human nature, unfortunately.

Jordan Eisner: We’ve seen that with other frameworks for sure. But I think that lends itself well to this next question, right? Because NIST 800-171 has been out there. So how does CMMC differ, right, from other cybersecurity requirements like that? What implications does this have for contractors?

Chris Abacon: So unlike NIST 800-171, which primarily focuses on providing a framework for cybersecurity standards and controls, CMMC actually mandates a certification process. So this certification ensures that contractors not only understand the requirements but are also implementing them, right? So they’re not just saying, hey, we’re in compliance. They actually must demonstrate it through assessments, which adds that layer of credibility for their cybersecurity practices.

Now the implications are really significant because now they need to be more proactive in their cybersecurity efforts. So they need to ensure that they meet the specified standards for their specific levels, right? So this might require investing in new technologies or processes, or in some cases, seeking external expertise to ensure compliance, right?

So then the more streamlined nature of CMMC allows for a more focused approach to compliance than its predecessor, CMMC 1.0. But it also means that each level is more critical and requires careful attention to detail.

Jordan Eisner: I have sort of a bolt-on question that I think you sort of answered it, but maybe just re-asking it a different way for the audience. So what if you’re an organization and you’re a NIST shop and you feel you’re all aligned with 800-171? Should you feel relatively confident that you could be CMMC certified?

Chris Abacon: I would say that’s a true statement. If you already have gone through an 800-171 process, or at least have gone through the controls, checked your methodology and checked your processes and procedures and everything with 800-171A, which is the assessment guidelines, then I believe there wouldn’t be too much of an effort, minus the required documentation that CMMC may have that you might need to provide, to make it CMMC-ish, right?

To make it into a CMMC package, it requires perhaps templates or things like that. But we don’t know that rule as it stands just yet. But that said, getting ready with 800-171 is a very good way to get going with CMMC.

Jordan Eisner: So it’s a big framework, big certification, big requirement for somebody taking this on that’s not a big contractor, right? So not necessarily the mom-and-pop, but the small, the midsize organizations that are going to be faced with CMMC compliance. What’s your recommendation for how they approach this?

Chris Abacon: So we’re talking small, medium businesses, right? A lot of them don’t have the budgets. A lot of them have fewer in-house cybersecurity resources, which makes meeting the requirements for CMMC challenging. So the reduction to three levels in CMMC provides a clear path for compliance, but the requirements at the advanced and expert levels are still very daunting.

So the cost of implementing necessary cybersecurity measures and the potential need for external audit and certification can be significant. So that means these businesses need to prioritize certain aspects of their business and cybersecurity over others to find more cost-effective solutions. So to address these challenges, right, like I think we already kind of went over it, small businesses and medium-sized businesses can go and start a thorough self-assessment of their cybersecurity posture against CMMC. So this helps them identify any potential critical gaps that need attention.

Also they need to collaborate and find knowledge sharing with other organizations in the industry, right, that can help them. Additionally, they should consider outsourced or cloud-based security solutions that can help them provide security measures at a more manageable cost instead of hiring a bunch of experts, and things like that. That can be very costly to your organization.

And then lastly, of course, I think this is the big one: regular training and awareness programs for employees, right? Because human error is the biggest cause of security breaches. So if they’ve got the human element, the people element down, I think any small business can get along with CMMC relatively quickly.

Jordan Eisner: So explain that tiered structure then, right? Does the company determine that? Are there steadfast, objective size, scale, and scope that determine that? How’s the appropriate level determined or tier of CMMC by a company?

Chris Abacon: So CMMC has those three levels, right? So level one is the foundational level. Level two is the advanced level. And level three is the expert level. The appropriate level is determined by the sensitivity of the information handled by the company.

So for level one, it’s for companies handling federal contract information, FCI. It’s information that is created by or on behalf of the government, which can include process documentation, contract information, and which requires basic safeguarding. So it’s not necessarily classified or anything like that. It’s just contract information between organizations.

Now level two is for those dealing with controlled, unclassified information. So that’s CUI. So that is information that’s created by or on behalf of the federal government, which requires safeguarding. Now while not classified, this information can be damaging to national security if all this information is aggregated. So this can include operational documents, physical security information, you know, something as simple as a work schedule for a company’s security team, right? Or vulnerability scan documentation, right? So that should be considered unclassified information.

Now level three is for companies working in, like I said earlier, high security, high value, high-risk projects that require the latest and greatest stability of cybersecurity practices, right? So that’s going to be the big organizations that have produced weapons and, you know, IT for the government, right? We all know who they are, they are more than likely going to have to go through a CMMC level three certification.

Now while level one only requires a self-assessment, third-party assessments are required for levels two and three. Specifically, level three requires an assessment from the DIBCAC, which stands for the Defense Industrial Base Cybersecurity Assessment Center.

So then determining the appropriate level for an organization actually involves assessing the nature of the work that they do with the DOD and the types of information they handle. So in this case, companies really need to thoroughly understand the processes of CMMC for each level and evaluate their practices against these standards. Then this assessment can not only determine the current compliance level, but also helps in identifying areas that need improvement to meet that desired level, right?

And then it’s important for companies to engage with qualified assessors to get a clear picture of their compliance status, and really develop that timeline, a roadmap for achieving the necessary level of certification.

Jordan Eisner: You mentioned something there too about a third-party assessment. This isn’t just any third party that says they can do a CMMC assessment, right, or certification. This is, what is it, is it 3PAO, right?

Chris Abacon: Yes, it’s certified third-party assessment organizations, C3PAOs. So those are the ones that can do level two assessments, right? But what’s interesting is that for level three assessments, the Defense Industrial Base won’t let it go to the private sector. The government will still have to do a level three assessment. That’s the big difference. And of course, the increased number of controls, right?

So level three also encompasses 800-172, which augments 800-171.

Jordan Eisner: So talking about it, talking about 800-172, right? Another big federal cyber risk or least information security risk certification or program out there is FedRAMP, right? The Federal Risk and Authorization Management Program. How do the requirements intersect with that?

Chris Abacon: So CMMC and FedRAMP both aim to protect federal information, but they have different purposes. CMMC is specifically tailored to confidentiality and integrity for defense contractors, specifically concerning the protection of controlled unclassified information. FedRAMP applies to cloud services for the federal government. So if the federal government wants to use a specific cloud service, AWS, Azure, right? They’ve got to be FedRAMP accredited at the specific level.

So there is an overlap of security controls. So compliance with one can aid in achieving aspects of another, but organizations obviously have to understand both sets of requirements to ensure they fully meet those compliance needs. So in this case, to effectively manage both, the companies can really benefit from integrating their compliance efforts, finding commonalities with each, doing a risk assessment. They can create those synergies and things like that.

But it’s also beneficial for companies to really stay ahead of the changes in both frameworks because they’re always changing, right? The security standards are always evolving. So regular consultations with cybersecurity professionals and experts can really help them align their strategies with both CMMC and FedRAMP.

Jordan Eisner: All right, this next question, I think, is obvious for you and me, right? The benefits of CMMC. But we live in this space, right? We work in this space. This is what we do. This is what we preach and eat, sleep, breathe, whatever. What’s the long-term benefit of CMMC compliance for organizations in this industry, right? Working with the DOD. What’s in it for them? Besides these huge, onerous tasks of cybersecurity policies and procedures and control requirements. Yes, there’s a contract and a relationship on the other end, but what else should they look forward to or see as a benefit of this program?

Chris Abacon: So it’s a great program because any of these types of certifications, you know, ISO 27001, PCI DSS, CMMC, they’re great, and specifically CMMC in the federal industry. Achieving and maintaining CMMC compliance signifies to the community and the market out there that they’re committed to cybersecurity. The commitment is recognized as a competitive advantage, which can help them gain those contracts through the DOD, right?

So I figure, you know, trust is paramount, right? Trust is paramount in the industry, specifically with cybersecurity. So robust practices can really differentiate a company from another with all these cybersecurity breaches going on in the environment, in the news.

And then further, CMMC compliance can help identify and mitigate vulnerabilities, reducing the risk of cyber incidents, which can obviously be costly in terms of reputation. But beyond the defense sector, right? CMMC compliance, you know, serves well for federal and private sector opportunities because cybersecurity becomes a priority across all sectors. So the stringent standards of the CMMC serve as a good benchmark for best practices in cybersecurity, right?

So it also fosters that culture of security within the organization where employees are really more vigilant and aware of their cybersecurity risks, right? So this culture shift, I would say, is the most invaluable part about getting CMMC compliant because it helps proactively address emerging cyber threats while adapting to new challenges. So really, I’ll end with saying that CMMC is not just a regulatory requirement, but it’s also a strategic investment in the future of the organization.

Jordan Eisner: And I’d say for executives listening from the small and mid-sized companies, don’t just push this off on the CISO or CIO or, you know, whoever in your organization is going to own this and put them on an island, right? Support them, message the whole organization around it, why this is important for us as a company, really incentivize teamwork, right? To accomplish your goal, because to your point earlier, right? There are a lot of people controls that need to go in place because that’s where a lot of the risk is, but it’s a tall task, right? To be CMMC certified, or certified under any of these information security frameworks, you need buy-in from the executive team, you need buy-in from the employees, and a lot of times that starts there.

So last question, you mentioned earlier talking about keeping updated, these are going to change, there are going to be new requirements. How can organizations do that with CMMC?

Chris Abacon: With CMMC, like I said before, it requires a proactive and informed approach, right? So organizations and companies should really consider establishing a dedicated team or a role focused on cybersecurity compliance, I mean, given budget constraints, right? But then this team could be ultimately responsible for monitoring updates to CMMC, interpreting how these changes can affect the organization and then implementing the necessary adjustments within the organization as they come to be.

So training and education programs for companies are also crucial, like I said before, because fostering that culture where every employee is aware of their role is really paramount to really guard against all these compliance risks, right?

And then, leveraging technology, right? We can leverage technology to streamline these compliance efforts because it can be highly effective, like tools such as compliance management software like Hyperproof. It can really help in tracking changes, managing documentation, and ensuring that security controls are adequately applied where they need to be applied.

And lastly, I think building relationships with industry groups, attending conferences, engaging with authorized organizations, you know, can really provide that insight.

So ultimately, ongoing compliance with CMMC is really about, you know, adapting and evolving with the cybersecurity landscape. And staying informed, prepared and agile is key to maintaining the bottom line and success.

Jordan Eisner: Well thank you, Chris. I think that about does it. It was great having you on the podcast.

For our listeners, thank you, of course, for listening. Make sure you subscribe to avoid missing future episodes. If you are subscribed and enjoying the content, please be sure to leave us a review.

Lastly, if you’re interested in learning more about CompliancePoint, check us out online at compliancepoint.com.

You can email us at connect@compliancepoint.com.

You can reach out to Chris or me via LinkedIn. We’d be happy to help that way.

Thanks, everyone.