Compliance Unfiltered is TCT’s new podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: CMMC
Quick Take
Today we tackle the bear that is CMMC! It’s a hot button topic for many folks in the compliance space, and if you do any work with the U.S. government and are subject to Department of Defense Regulations, this is the episode for you!
We go through why CMMC is making such a big splash in the space now, how it’s structured, why it’s causing so many issues at the moment, and what the heck you as a DoD vendor should be doing about it.
In this episode, Adam and Todd discuss:
- What is CMMC, and why is it important?
- How is CMMC structured?
- Why CMMC might be painful for a company going through it
- What are the challenges for a company getting an audit?
- TCT can help struggling contractors
- What to do now to get prepared
- Potential impacts for service providers
Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Intro
Now, here’s your host, Todd Coshow, with Adam Goslin.
Todd Coshow
Well, welcome back to the latest edition of Compliance Unfiltered. I’m your host, Todd Coshow, alongside the man, the myth, the compliance legend himself, Adam Goslin. Adam, how are you today?
Todd Coshow
Ha, ha, ha, ha, ha, ha, ha.
Adam Goslin
I’m good. It always makes me laugh when you give me this big wild intro. I’m like, we need to get some rock music or something in the background. I mean, I think it just worked out better that way.
Todd Coshow
Pyrotechnics. Pyrotechnics.
Adam Goslin
Yes. Yes. One day. One day. Dare to dream.
Todd Coshow
Indeed. Speaking of dreaming, a lot of people are dealing with a nightmare right now, Adam, and that nightmare comes in the form of CMMC. It’s a hot-button topic that’s on everyone’s lips, especially if you play in the Department of Defense regulated space.
Todd Coshow
So tell us today, Adam, what is CMMC and why is it important?
Adam Goslin
CMMC is a framework that the government put together for government contractors that were providing services to DOD. They would run a program under just NIST 171, but found that it wasn’t quite cutting the mustard.
Adam Goslin
They also used to have a self-assessment capability, and, go figure, when people are reviewing their own stuff themselves, they found some variability in terms of the folks going through it: their perception of what these things meant, did they really have it in place or sort of in place, blah, blah, blah.
Adam Goslin
So, they came out with this CMMC, and it actually created a better structure, and part of the challenge they’re going through is they’re just kind of rolling out the program as we speak. So it’s been really hitting the news, and there’s a lot of movement surrounding CMMC on a lot of fronts, so there’s big changes coming, if you will.
Todd Coshow
No, absolutely. And I think, Adam, the real question on everyone’s lips is, why now? What is the big change? Because, as you alluded to in the open and we’ll come on to it, a lot of this looks very similar to things that folks in this space have been seeing for a long time.
Adam Goslin
Yeah, the reality is that, for some of the aforementioned reasons, they wanted to get a more structured, you know, kind of assessment plan in place so that they can gain consistency, really, in protection for everybody in both the supply chain for the government and the folks whose data is there, et cetera.
Adam Goslin
So they wanted to get the program, you know, kind of rolled out. In its current implementation, they’ve got a game plan for kind of a phased rollout heading toward kind of a 2025 culmination. So they’ve included an audit and assessment component in that.
Adam Goslin
They’re also kind of rolling it out by starting with a core group of core vendors to the DOD and then starting to roll it out in additional ways. So I expect, both from the perspective of the folks that have to go through it and from the perspective of the folks that are doing assessments, there’s going to be, you know, kind of a snowball effect that starts to pick up.
Adam Goslin
As more of these core groups end up getting pulled in and actually going through the assessment audit process, that means more of their subcontractors, et cetera. So it just kind of continues to pick up steam, if you will.
Todd Coshow
Yeah, well, I guess that kind of leads into the next question, which is how exactly is CMMC structured? What should people be looking for as they prepare to undergo this? Sure.
Adam Goslin
Well, you know, really the driving force for CMMC is that there’s like five levels of certification. And so most organizations are going to kind of fall in that level one through three, probably, my guess is more primarily threes, you know, but there’s levels one through five.
Adam Goslin
And so level one, you know, really includes just basic requirements. There’s 17 different practices there. Then when you get up to level two, there’s a total of 72, or an additional 55 practices.
Adam Goslin
Level three, they layer on another 58 practices. Level four, another 26, and level five, another 15. And so the way that the DOD is going to work it is, as they come around to either new contracts they’re going to push out or contract renewals, then, based on the nature of the contract, they’ll have an associated level for the vendors that can go ahead and submit, you know,
Adam Goslin
bids to be able to either renew or win that contract. And so that’s kind of how they’re going to end up driving this out. So, like I said, for most of them, I’m going to guess level three is probably where it’s going to end up falling.
Adam Goslin
But for those that are dealing with more sensitive data, etc., they’ll be up in the level four and level five arena. The interesting part of what they did with level three is, effectively, level three maps directly against what was NIST 171, you know, which still is 171, but they basically took the 171 requirements and segregated those out to form levels one and two and three.
Adam Goslin
And then in levels four and five they layered on some additional elements, you know, into those. So there’s going to be some, you know, some interesting activity as folks are trying to get prepped up for it.
Adam Goslin
Obviously, if I’m about to go through or want to bid for a particular contract, well, this isn’t something that I can just decide on Monday that, by the way, on Wednesday we want to go ahead and, you know, do a submission, because there’s going to be some forethought and some planning and whatnot.
Adam Goslin
As it relates to CMMC, there’s a number of different, you know, kind of domains that they’ve got in here. So I’ll just kind of, I’m going to get down in the nitty gritty, because there’s a lot of detail under each of these, but just kind of reading through.
Adam Goslin
Oh, so go ahead.
Todd Coshow
Just say no. It’s good, though. Giving the people an idea of what they’re actually looking for is a massive help to folks. Please go ahead.
Adam Goslin
So I’m just gonna kind of go through the groups. And so, you know, there’s a section on access control, and each of these sections that I’m kind of going through, there’s a good amount of detail to them. Contained within each of these sections are various, you know, kind of line items that would be deemed, you need this in place if you’re gonna be compliant with level one versus level three,
Adam Goslin
that type of thing. So there’s areas that cover access control. There’s also access management. There’s an audit and accountability section, talking about the, you know, kind of the audit and accountability plan that the organization needs to have in place.
Adam Goslin
A section for awareness and training, making sure that everybody’s kind of up to speed on what all is supposed to be done in order to be CMMC compliant. Configuration management, so making sure that, you know, all of your systems are configured and maintained and kind of manicured appropriately.
Adam Goslin
An identification and authentication section, so controlling how folks are identifying themselves, getting access to systems, et cetera. There’s a section on incident response, so the way that the organization would respond to any form of incidents that would occur, you know, within the organization; ongoing maintenance elements and items; the protection of media; also personnel security.
Adam Goslin
So, you know, physical, you know, personnel security and practices that they need to take on, as well as physical protection, you know, for the organization. They also cover recovery. So the ability to kind of recover from various things that would happen within the organization, whether that be backups or disaster recovery and things along those lines.
Adam Goslin
There’s a whole section on risk management, as well as security assessment, situational awareness, and system and communication protection. So making sure that each of the systems and any of the communication involved in them, you know, has some care, feeding, love, and attention, and then system and information integrity.
Adam Goslin
So making sure that the systems are, you know, kind of protected and have some mechanisms in place to ensure the integrity of the information and the data that’s on them. But those are kind of the domains that this information falls in, with obviously a lot of detail underneath each of those individual sections.
Todd Coshow
Well, listen, that’s quite a mouthful, Adam. And I’m curious, is there any place where folks have the ability to go where they can, I don’t know, get a little bit like a “too long, didn’t read” version of that?
Adam Goslin
Too long, didn’t read, yeah. I mean, there’s several different ways that folks can, you know, get and acquire more information. Obviously the requirements are, you know, kind of posted up publicly on the web. TCT itself has actually a couple of different blog articles about CMMC with a bunch more of the detail in there also, so folks can go over there and use that. Actually, if you go in and just search on CMMC, then we’ve got, you know, a couple of different blog articles about CMMC, the levels and what they mean, which ones are you gonna need to comply with, etc. So, you know, a good part of what we try to do is just try to help folks with kind of navigating the waters and that type of thing.
Todd Coshow
Well, that’s excellent. You know, this does beg the question, Adam, and I think that the listeners out there are probably thinking this themselves: how painful is this going to be for a company to go through, right?
Adam Goslin
Yeah. Well, really, the pain level, if you will, is honestly going to depend on what the situation is of the organization which is about to head down this path. And what I mean by that is that it really depends on where they’re at in the grand scheme of things, in kind of the cybersecurity continuum.
Adam Goslin
So, if their cybersecurity program is pretty mature, has gone through audits against other standards, has been in place for years, you know, that type of thing, it’s not going to be nearly the leap, if you will, as for those that are really approaching this for the first time, or, no offense, for those that have kind of gone through the self-assessment questionnaire.
Adam Goslin
But it really comes down to, you know, how folks are interpreting things, how seriously did they take it, etc. So, I would say anybody walking in the space for the first time has a pretty large lift.
Adam Goslin
Anybody that’s done a self-assessment questionnaire but not undergone any other audits is still going to have a pretty substantial lift, you know, but those that have, you know, a pretty mature program,
Adam Goslin
I think that they’re not going to find it near as painful as you’d think, just because of the fact that they’ve got a lot of the underpinnings which are going to be useful for being able to navigate, you know, kind of the waters of CMMC.
Adam Goslin
Now, one of the big problems is, we were kind of talking through the sections a minute ago, right? It covers a really broad, you know, realm of the organization, right? This isn’t just, hey, we need to go slap a policy in place and just make sure everybody’s following it for this little section, but, you know, it’s covering everything from physical security and how people are getting on systems and,
Adam Goslin
you know, care, pruning and maintenance of users, and security of the systems themselves, and testing and validation and da-da-da-da. So, you know, it’s going to cover a pretty broad spectrum of any target organization that actually needs to go through it.
Adam Goslin
And one of the biggest problems for those that are in that, you know, whether it’s early or they’re mature, one of the challenges that folks don’t kind of key in on is making sure that they’re kind of tracking and managing all of their evidence, you know, down at that line item level, and taking seriously the amount of time it’s going to take them to prep up for going through the audit, you know.
Todd Coshow
I mean, that really does raise an important question right there. When it comes to managing the evidence and doing the audit prep, what kind of challenges are companies actually getting into as they’re getting ready for an audit?
Adam Goslin
Yeah. Well, really the biggest part of the problem is that it’s so easy to just leverage existing systems, existing resources that you’ve got. And unfortunately, that means that different people have different communication styles, and we’ve got a file server, and we’ve got this drop zone where we go put things, and you’ve got different people with different accesses to different folders.
Adam Goslin
You’ve got stuff flying through email and phone calls, meeting minutes, et cetera. So one of the big problems with any security compliance style engagement is just kind of controlling the spread of where all your stuff is, as best you can.
Adam Goslin
Number one, getting it all consolidated. Number two, really lining up the right evidence with the right line item, so that you actually know what did I use for this, or is this thing done, that type of thing.
Adam Goslin
So putting a forethought into the tracking and management piece is really going to be key as these folks kind of go through that process.
Todd Coshow
So, I mean, you talked about rollout, you talked about, you know, kind of tracking, you talked about setup, but above and beyond that, people need help, Adam. And I’m curious, how is TCT positioned, actually, to help folks that are struggling with these things?
Adam Goslin
Well, the CMMC, we actually, it’s kind of interesting the way that TCT does what it does, and that is that, you know, we got into the space to try to help people.
Adam Goslin
And so, you know, oftentimes we’ll get asked by assessors, by direct clients that leverage TCT Portal, to be able to add new certifications. CMMC was no different.
Adam Goslin
So the CMMC certification, it’s already on the platform. It’s ready to rock. You know, it’s available now. So yeah, we’re ready to go.
Todd Coshow
Solid effort. So important to know is, really, when people come to the TCT portal and they have the ability to use something that’s already in place, that’s great. But especially when you’re looking at a new rollout, folks are oftentimes worried about how dexterous, you know, a tool set will be with the changes that come invariably with a new government rollout of a standard.
Adam Goslin
Yeah, and the reality is that you wanna be able to go in and leverage the toolset for whatever’s facing you. So in the case of the TCT portal, it was never designed to be, no offense to the CMMC folks, but it was never designed to be a CMMC portal or a HIPAA portal or a PCI portal, but, as the name of the organization suggests, it is total compliance tracking.
Adam Goslin
So for those folks that are trying to find something to be able to leverage to help them through that process, obviously we’ve got the capability to handle N number of different types of standards, but yet do so in kind of a consistent fashion.
Adam Goslin
So it ends up working out well for those that are facing more than CMMC.
Todd Coshow
Sure. So speaking of consistency, I’m a big fan of preparation. And I think that, especially going into something like this, folks out there really need to understand what it means and what they can do to get prepped to undergo something like CMMC and beyond.
Todd Coshow
So what should they be doing?
Adam Goslin
Well, certainly, you know, one of the elements is planning ahead, right? I mean, I talked about it earlier on, where, you know, we can’t just decide on Monday that we’re going to go through a compliance assessment and submit for, you know, a particular contract on Wednesday, just because it’s not going to move that fast.
Adam Goslin
You know, one of the big elements about this, before you get into the kind of planning ahead, is to talk about the plan that they’ve got to have for getting into the audit.
Adam Goslin
And that is that, with the assessor groups out there, they basically went out and picked up, you know, kind of a handful of assessment firms. Initially, there was just one assessment firm that was even going to be able to go in and do an audit.
Adam Goslin
And so one of the things that they did is, not only did they pick a handful of folks to go through the audit, but they also picked up another handful of assessment firms to do these types of assessments.
Adam Goslin
So with a, you know, kind of ramping-up notion of more and more and more of these companies getting, you know, kind of swept up into the fray, with limited assessment audit firms to be able to go through and do the assessments,
Adam Goslin
That preparation that you were referring to, that’s critical because
Todd Coshow
Especially with the resource crunch.
Adam Goslin
Yeah, well, I mean, you know, if you think about it, right, these guys are just going through getting themselves all lined up for, you know, going and doing CMMC audits. Meanwhile, they’ve got everybody under the sun, you know, wanting their audits and whatnot.
Adam Goslin
So I can imagine that these assessment firms are going to have limited resources to be able to kind of meet the demand, if you will. They’re going to have tight timelines and be under a lot of pressure, you know.
Adam Goslin
So the real key for it, going back to your kind of preparation notion, is that these organizations that have to go through this audit, they really need to make sure that they’ve got their i’s dotted, t’s crossed, ready to go, you know, and whatnot, because of the availability limitations on the poor assessment firms, which are just about to get mobbed,
Adam Goslin
you know?
Todd Coshow
directly into the need for the proper planning.
Adam Goslin
Yeah, yeah. So certainly planning ahead. First thing: if you know that you’re in this space, oh, I wouldn’t wait for the contracts to come around and whatnot, because you’re really going to need to do some forethought, both in lining up your assessor, getting on their schedule, and then, you know, kind of getting yourself through the preparation activity.
Adam Goslin
So, you know, starting to work, I’d probably run those in parallel. I’d start, you know, banging down the doors of whoever to go get yourself lined up and on the schedule for the assessor, and then really look internally and put together a game plan for getting yourself organized for being ready to go.
Adam Goslin
You know, you want to make sure that you’ve got, number one, if you don’t have, you know, kind of the language of the contract, or you haven’t talked to the DOD contract office yet and figured out what level you’re probably going to fall into, shoot for three out of the gate, you know, and then really start getting in, looking at those line items,
Adam Goslin
associating your evidence down at that line item level, because it’s a far cry going from, you know, the self-assessment world, where I go, oh, yeah, yeah, I got that, to literally needing to go and prove it out to an assessor: here’s the evidence that we have this.
Adam Goslin
You know, so there’s a pretty strong propensity for folks to acknowledge the existence of, you know, the fact that they’ve met this requirement, and it’s another thing to have all the evidence right, ready to go, lined up, and ready for review with the assessor.
Adam Goslin
So bringing that down to line item level is something that’s going to be really important, and for these companies that have got to go through this, they really want to make sure they’ve got their ducks in a row, because if you don’t, then, you know, you’ve now gotten onto this assessor’s schedule, but you’re not really ready to go, and if all of a sudden your engagement starts languishing, I can see assessors, just out of necessity,
Adam Goslin
you know, kind of pushing people back further down the chain so that they can continue their preparation activities, and then they can go focus on somebody that does have it together, etc.
Adam Goslin
So I can imagine we’ll probably see some organizations get bumped down the line.
Todd Coshow
That’s a very realistic expectation. Well, that actually kind of leads me into my next question. And I think folks that have been through this much of this topic with us are probably asking something similar.
Todd Coshow
And that’s, what’s the impact really that we’re gonna see on service providers in this space?
Adam Goslin
Yeah, I think really there’s a couple of different organizations that are going to end up getting kind of swept up into this, right? So service providers is a good one, and also, I alluded to it earlier, the subcontractors to those that are going to have to go through the assessment, right?
Adam Goslin
So in both cases that’s going to start drawing in and putting pressure on both the subcontractors as well as anybody that’s providing services to one of these organizations, that provide support to one of the folks that are going through audit.
Adam Goslin
So I’ve already seen kind of a lot of push on, especially on, let’s call it the hosting providers out there; they’re already starting to kind of feel that pressure. But really, anybody that’s providing services to a compliant organization, you might as well just pretty much guarantee that you’re going to get pressure to be in the CMMC space as well.
Adam Goslin
Because the clients that have really kind of got their eye on the ball and are starting that kind of planning ahead are already approaching the service provider, saying, hey, by the way, we’re going to be in this space, we’re going to need you guys to be able to support our compliance needs, and we need you to be CMMC compliant as well.
Adam Goslin
So really, for those folks that kind of fall into that space where they provide services to compliant organizations, they ought to be doing the same thing: taking a look at this, getting their arms around it, at least targeting kind of that level three notion, because these service providers are just going to eventually get sucked in.
Adam Goslin
The way that they kind of rolled out CMMC, it reminds me a lot of the way that PCI did their rollout back in the day.
Todd Coshow
Is that right?
Adam Goslin
Yeah. When PCI went and rolled their program out, they basically went out and picked some of the core, I don’t know, I forget how many, but it was a handful of kind of core largest payment processors, and started pushing with them.
Adam Goslin
And then from there went out to the next biggest payment processors. And in the process, they started basically pushing downstream into the merchant space, and ended up starting to put pressure onto the merchants to also get up to speed with their compliance, et cetera.
Adam Goslin
This is kind of a similar model that we’re going to end up seeing in this DOD space, where they just add another layer, another layer, another layer, and more people are just getting swept up into the CMMC snowball, if you will.
Todd Coshow
That makes sense. That makes sense. And I think that that parallel is a really important one for people to understand so that they can get kind of a general idea of the scope of the undertaking. So that makes a ton of sense.
Todd Coshow
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow
Adam Goslin
I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks