Vancord CyberSound Podcast

Episode 139

CMMC Level 2: Real Compliance Pain Points

CMMC Level 2 compliance is here, and many organizations are not as ready as they think. In this CyberSound episode, Jason Pufahl is joined by Mark Jennings from Vancord’s vISO team to discuss the most challenging aspects of compliance. They cover CUI scoping, access control, documentation requirements, and common self-assessment gaps, providing practical insight on where to start and what really matters.

Episode Transcript

Speaker 1 00:02

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.

Jason Pufahl 00:10

Welcome to CyberSound. I’m your host, Jason Pufahl, joined today by Mark Jennings, part of our vISO team. Hey, Mark.

Mark Jennings 00:17

Hey Jason. How you doing?

Jason Pufahl 00:19

So this is the second podcast. I think, honestly, I think we’ve done like 140 podcasts. I don’t believe anybody has seen me solo in all of that time. So two in a row, everybody gets to put up with me alone with a guest. So Mark, I appreciate you joining today. Thanks for having me. And it’s interesting, CMMC has, I think, finally gotten a lot of the formality that it has been lacking for a long time. Which, you know, frankly, I think that lack of formality caused a lot of companies to not make the progress they should have in that time, because they’re really waiting for it to sort of stabilize, right?

Mark Jennings 01:01

Yeah. And, you know, people have been saying for years, it’s really never going to happen, because it’s a government program. And, you know, that’s how those go. So, but it’s here. It’s definitely here now. And, yeah,

Jason Pufahl 01:12

So what I want to avoid, as we thought through this a little bit, there’s so much content out there around, you know, enforcement dates and audit requirements and, you know, things I think that are pretty straightforward to get. The questions that I feel like I’m asked often are more like, you know, what do we actually need to do to meet some of these obligations? What are the complexities? People invariably ask, well, how much is it going to cost? We’re going to avoid that for this podcast, too hard of a question to answer. But, you know, everybody wants me to be able to say, you know, if you do these 10 things, you’ll be compliant, it’s going to cost you X, which just isn’t that practical. But I do want to spend time on what are the most difficult parts? And in a way, where do people need to start? And I think that’s probably the part that I want you to start with, which is, right, if you’re going to tackle this, what’s the best way to lay the groundwork to be successful?

Mark Jennings 02:12

Yeah, so, I mean, all of this focus is on controlled unclassified information and how you handle that. That’s really what it’s all about. And the hardest thing for most organizations to begin with is they don’t have a whole lot of control over the CUI that they handle. It comes in the organization, and it just kind of propagates throughout the whole organization. And so when you’re going in for an assessment, one of the first things you need to do is identify what the scope is. So that’s all of the information, all of the parts of your environment where CUI may find itself, who’s going to touch it, what devices it ends up on, where and how it flows, all of that. The more control you have over that, and the smaller the scope, you’re going to reduce the cost of everything. So we talked, you know, we’re not gonna talk about cost, but that is one way to really, you know, get your hands around, you know, how much is this really gonna cost, and what systems do I have to actually touch and upgrade and or isolate, or whatever? That’s one of the hardest things to do, and it’s the very first part of the process.

Jason Pufahl 03:21

Let me, yeah, let me. I just want to make one clarifying statement, because I think you’ve spoken now, you’ve said CUI multiple times. Yes, we’re talking level two assessments, right? Because FCI is level one primarily, right? So, the vast majority of people, level two.

Mark Jennings 03:35

Correct, correct, yeah. I mean, level one is, you know, it’s 15 controls. It’s very basic. And that’s for federal contract information, which actually the scope for that is usually the entire organization, because people are going to be talking about the contracts. But again, we’re going to focus on, you know, the hard part is level two. I mean, that’s, you know,

Jason Pufahl 03:58

So how do you go about then working through, you know, I’ll call it the system security plan, because that’s, you know, how they define it. But, you know, generally, that scoping process and setting your organizational boundaries for this, yeah.

Mark Jennings 04:10

So basically, you know, you identify where the CUI goes, you create basically what’s called a CUI flow diagram. And you basically, you know, minors, they’ll just bear with basic arrows. And, you know, all over the place. It’s like, yeah, it comes in here, and then it goes there, and then this person touches it, that department touches it, you know? So then you’re identifying, okay, these are all the things that are potentially within scope, you know, at the beginning. One of the things that, again, once you’re done that, you kind of want to look at and say, you know, is there a way that we can reduce that? So does it always have to go from this person to that person? Or can we obfuscate some CUI, you know, throughout the process? You know, all kinds of ways to, you know, really address that, reduce the scope. Because again, the next step is you’re gonna have to take a look, you know, take an inventory of all of the, you know, people, processes and things that it touches. And those are, you know, within scope. So that’s what the assessor is going to be looking at. That’s what needs to meet all 320, you know, 110 controls, 320 assessment objectives. If you miss one, essentially, it’s game over. You know, there’s a process you can, you can get by with, you know, most of it, and put things on a plan of action and milestones, but that’s, you know, they want you to get 100%. Ultimately, within six months of that assessment, you got to be 100% or you start over and, you know, you

Jason Pufahl 05:39

So then, based on what, you know, I’m inferring here a little bit, but based on what you said, part of the discussion in the development of the SSP might be, can you change your business practice a little bit, such that CUI doesn’t flow over here, and we can take that out of scope? I mean, you’re having that kind of conversation?

Mark Jennings 05:55

Exactly, you know, especially, you know, you think about a manufacturing floor, there’s not a lot of security. You know, there’s safety controls, and there’s all kinds of things to keep people safe. But in terms of information flow, it’s, you know, it’s very tough to lock down an organization, you know, an environment that, you know, is basically manufacturing widgets or whatever.

Jason Pufahl 06:15

So how reasonable is it to constrain that scope? And part of my question, we didn’t talk about this, but part of my question probably is, you know, GCC High comes up, yep, and so I can certainly wrap my head around, you know, certain data flows and minimizing that. Can you minimize also the GCC High potential spend? Because that, I feel, tends to be one of the more expensive areas, or certainly one of the areas of concern for organizations. How do you address that?

Mark Jennings 06:49

So basically, yeah, let’s say you’ve got 200 employees in your organization. Now, if the entire organization is within scope, pretty much everybody has to have a compliant email system, file sharing, all of that. If now you can say, oh, you know what, we’re going to create an enclave here. We’re going to say, only these 25 people, you know, touch CUI. We’ve controlled it to the point that this small group of people touch CUI. They can send an email. They can ship it, file share it, they can do everything. Now, suddenly, your GCC High spend goes from 200 users to 25, and the other 175, they can be on commercial, so you’re on, you know, Office 365 commercial. So that is a great example of how reducing the scope can reduce the overall cost.

Jason Pufahl 07:48

Yeah, and GCC High often is a huge portion of the spend, right? And it’s a monthly recurring cost. There’s a fair amount to implement it. That’s an area where you really get some benefit.

Mark Jennings 07:59

Absolutely, and all the other, you know, anything else that’s going to, you know, process, store or transmit CUI, your backup system. You know, let’s say you’ve got, you know, however many gigabytes or terabytes of data you’ve got on the commercial side of your business, but you’ve got this amount of data that handles CUI that has to be stored in the cloud. Well, you know, that needs to go to a FedRAMP-authorized backup provider, and there’s not that many of those out there. And again, those are going to be way more expensive per gigabyte or per terabyte or however they manage their programs. But everything that touches CUI is just more expensive.

Jason Pufahl 08:42

Yeah, every time, yeah. As people start to think about multi-factor, which, frankly, in my opinion, it’s not that interesting. In a lot of ways, I think most companies have solved it. The place that I feel there’s continual challenges are, hey, I’ve got my folks on the shop floor. They’re not really day-to-day computer users, but they need to log into, you know, one of these half dozen computers to get parts information or whatever. How do you generally work around the complexity of multi-factor in an environment like that? And right? You might not want them to bring their cell phones or devices onto the floor, right? You’ve got all of that that tends to be, if not a huge technical hurdle, maybe just a sort of a productivity hurdle for people. How do you have that conversation?

Mark Jennings 09:32

Well, I mean, it’s tough because it is required, you know, there has to be multi-factor authentication for, you know, even getting onto your computer internally inside the organization. So, you know, it really depends on the organization in terms of what the method is. You know, okay, yeah, they don’t allow cell phones into the organization. So you can’t have, you know, Duo Push or whatever. But you can do, you know, RSA fobs, or you can do something that, you know, essentially is tied to their account. Another thing that you find in organizations is shared accounts. So, you know, you basically have, you know, I’m out on the floor, I need to go over and do something in ERP, or do something, but I don’t have to log in as myself. So we all use a shared account. It’s like, you know, floor worker at, you know, whatever. And that’s a problem, because now there’s no unique traceability. There are ways to do it. But again, it’s going to be different for every organization in terms of how they actually manage that. And the same is true for MFA. It depends on what tool you’re using. You know, whether, again, people have all the resources they need right there to get it done. So I don’t think there’s a one size fits all for that, but it is one of the complex areas.

Jason Pufahl 11:01

So what’s the first? Generally, the first part of the assessment is that the audit and accountability section, or is that?

Mark Jennings 11:09

Access control. I mean, basically, you always start with access control, just because, A, it’s the biggest family of controls, and it probably takes the longest to go through. But it’s also, there’s a lot of, it’s, you know, foundational stuff. So, you know, how do you authorize people to get into the system? How do you actually, you know, give them access to what they need, and only what they need? I mean, that being the big piece, the concept of least privilege is huge. And, you know, everybody being in, you know, domain admin, or, you know, how many people have domain admin rights? Or, you know, all of these, you know, you really have to nail down all that stuff early on in the assessment process. And those are some of the toughest controls to put in place.

Jason Pufahl 12:00

Well, and that, you know, unlike the SSP, which I feel like can be an organizational discussion, and people understand, you know, how data comes in, where it moves around the company, and how it goes out, something like access control feels really technical. And so now all of a sudden, you’ve sort of jumped over from a larger group of people that can probably answer questions to a really smaller group that understands how systems are built and who’s logging in, what the data output might be. So how do you, are you, do you find that you often have the expertise within a company to answer all those questions, or is that incumbent on you to sort of do the deep dive and understand it?

Mark Jennings 12:42

I rely on them to do the deep dive in terms of what they have for systems and what capabilities they can put in place to meet the control, mainly because, I mean, I do have a technical background. You know, I was a field engineer years ago. I’ve been in the IT industry for 35 years. So I have a good technical background. I understand what can be done, but I rely on either their internal IT staff, or, in many cases, they’re working with an MSP. And so I’ll have the MSP during my gap assessments there, because they’re going to be involved in the actual assessment itself, and they’re going to have to show, okay, yeah, how did you handle that? Well, we put a group policy in place for that. Okay, great. Show me the Group Policy. Show me that it’s actually enabled on all, you know, on all users, or all groups, or however you’ve done that. So I know that you can do this with Group Policy. Am I going to get on the keyboard and look at it? No, I mean, I rely on them for all that. So same thing, how you configure your firewall, how you configure your security, you know, within your servers and things like that, I rely on either the client themselves, if they have a strong internal IT staff, or the MSP.

Jason Pufahl 13:57

I want to be careful. I ask this because I, so I tend, right, I used to do some of the CMMC work. I’m much more now on sort of the pre-sales discussions often, and what I’ll get are comments like, yeah, we’ve done, we’re feeling pretty good about CMMC. We have a score of, I’ll pick a number, 80, 90, something pretty high. And in some cases, I have no doubt, there’s, they’ve put a lot of effort in, could very well be there, right? But in some cases, the comments might be, well, you know, I did this two years ago, and I self-assessed. And, you know, I think we’re at 80. I usually feel that that feels optimistic. What’s your general feeling? Because I’m sure you walk into organizations where they’ve already done an assessment, right?

Mark Jennings 14:52

Absolutely, and I share your skepticism when I hear numbers. Again, you can kind of look around sometimes. And, you know, somebody will tell you that, you know, oh, yeah, we got, like, an 80 or 90 or something like that. And, you know, I say, well, show me your system security plan. Like, well, we don’t really have one. Right there, you can’t even, you know, that’s like, that’s an instant fail. So, you know, one of the things that, I think, you know, the DoD and NIST really didn’t do themselves any favors over the years, where they were saying, yeah, you need to implement these controls, but they didn’t really give you guidance on what it meant to comply. And that’s why a lot of these people were honest about it, you know, they felt like, you know, we did everything. But, you know, well, show me your policy on that. Well, we don’t have a policy. It’s like, well, again, you can’t meet the control without a policy in most cases. I mean, some of them you can, but most of them need, you know, documented policies, documented procedures. And that’s the area that’s almost always missing. You know, they say, yeah, we do it, we meet that. But, you know, again, none of it’s documented, so you’re not going to pass. And so in the more recent years, where there’s now very substantial training for, like, CMMC certified professionals like myself, or CMMC certified assessors, that’s where, you know, if you go through that training, you really understand what it means to be compliant, what it means to meet those controls. That wasn’t even available, like, back in 2015, 2016, when, you know, it was, yeah, here’s, go read the framework and just implement it. At least when they came out with CMMC, they came out with assessment guides that gave a little more detail, but there’s still nowhere near the level of detail that you need to really understand that.
Yes, we do meet that control, or we don’t. So I don’t think some people are being malicious. They just didn’t understand what turned out compliant.

Jason Pufahl 16:51

Well, and I think, yeah, my opinion, typically, is people treat CMMC like it’s really a technology obligation. Which, of course, right, there’s huge elements of that, yeah, but it’s equal, if not greater, parts policies, procedures, documentation. I mean, that’s a huge piece.

Mark Jennings 17:10

Absolutely. I’d say it’s 75% the actual technology. You think that much? Okay, yeah, so

Jason Pufahl 17:18

And I think a lot of people do the right things, you know, they haven’t written down what they do, which is kind of balanced. So we, you know, we use software to perform the assessment, but you also develop that POAM, and then ultimately collect all of the evidence, in whatever format that might look like, right, whether it’s documentation or screenshots or things. How often do you feel you’re having conversations with folks that did an assessment, maybe in Excel, and kind of haven’t done the work to consolidate all the artifacts that are ultimately going to help that audit process?

Mark Jennings 17:56

I’d say most of them used, like, an Excel or something like that. You know, a very kind of unstructured program. There’s a couple that I’ve been working with. They did, they have a GRC tool in place. They’ve populated, a lot of these manufacturers, they’ve gone through, you know, ISO certification, and so they kind of built this, you know, set of documentation around that. You know, if it’s 9001, then very little of it’s going to apply to CMMC. If it’s 27001, more of it’s going to apply. But it’s, you know, generally not, yeah, there’s a lot of gaps. But yeah, some of them use GRC tools, but most of them are just like, it’s a spreadsheet. It’s like, yeah, here’s what we did, and here’s how we scored ourselves.

Jason Pufahl 18:43

And a lot of yeses and nos, but not really any data to go back to, exactly.

Mark Jennings 18:47

It’s like, show me your policy. Oh yeah, we don’t have that written down. It’s like, well, then you’re not compliant.

Jason Pufahl 18:55

Maybe my kind of last question is, anywhere else that you see really, like, a real challenge for work? So I think we hit a couple that I know are common, but, you know, anything else that bubbles up as a really consistent problem?

Mark Jennings 19:11

Yeah, I think that one of the biggest ones that, you know, people kind of have issues with is the configuration management section. That’s where, essentially, you know, you have to have a very structured way of deploying, you know, laptops and servers and firewalls, and document how those are configured. And, you know, are they mapped to some sort of a baseline, and things like that. So people really have a struggle with that, because, A, it’s a lot of information. B, it gets very technical. And, you know, there’s some guidance out there that you can use to say, yeah, okay, this is how we’ve configured all these things. We think it’s secure. There are what are called DoD STIGs, system technical information guides, I think, is what they stand for, that the DoD puts out, that if you’re implementing this product, these are the settings that you want to set to be secure. There’s CIS benchmarks that you can use to say, yeah, you know, this is IG1. We’ve brought this up to IG1 or IG2, whatever it happens to be.

Jason Pufahl 20:18

Some of those might actually be like Windows policy settings where they can set that forward,

Mark Jennings 20:22

Correct, absolutely. They’re, you know, this, you should have this GPO set. You should have this setting within this policy. You should have the, you know, even, you know, firewalls. You know, if you have a Palo Alto firewall, configure it this way. Now you’re CIS IG1 or CIS IG2, and again, that’s going to be acceptable. CMMC doesn’t demand you do any particular configuration. It just means that, you know, you document it and it’s consistent, and it’s generally secure.

Jason Pufahl 20:50

So I’m going to wrap up with this question. This is probably going to force you to opine a little bit. We really haven’t seen a lot of companies actually go through the formal audit yet, and there aren’t that many C3PAOs out there. I mean, you know, there are hundreds, right, but not probably enough, right? Yeah, I feel like part of the consternation for a lot of the manufacturers that I speak with are, well, how do we know who’s going to assess us? And frankly, you know, how strict or lenient are they going to be? And I don’t know that there’s a ton of, you know, one, there’s not a ton of data on it, because we haven’t seen a lot of companies go right through it. And two, in the same way that there’s probably a little bit of a lack of clarity on what you need to do to comply with CMMC, there’s probably some lack of clarity on how the auditor is going to engage.

Mark Jennings 21:44

Yeah, and there is, you know, there’s recognition of that at the Cyber AB. That’s the group that basically oversees the whole program in terms of assessment and training and everything. And so they’ve actually created a brand new C3PAO Advisory Board. And one of the things, you know, actually one of the first subcommittees they created under one of these is focused on external service providers, of which MSPs and cloud service providers, there’s a lot of misunderstanding around those. So there’s definitely, you know, this is a work in progress still, even though it’s, you know, it’s firm in law. There’s going to be more known. Assessors are going to get better at, you know, identifying things quickly. And there’s, frankly, there’s been a lot of false starts to that. You know, the assessment process is a phased process. There’s four phases. Phase one is basically collecting all the information, getting that to the C3PAO, and at the end of that, there’s a go/no-go. It’s like, look, we’ve scanned, we’ve skimmed your SSP, so we know you got one. Okay, that’s good. And we’ve looked at some of the evidence, you know, we’ve collected all this evidence. They haven’t gone into it in detail, but they kind of get a general sense. It’s like, you’re ready, you have a higher likelihood of passing. They’re not going to say you’re going to pass. They’re just going to say you have a likelihood. Or they’re going to say there’s no way you’re going to pass based on what we see, so come back in six months after you fix some stuff or whatever. And so there’s been a lot of those that, you know, they get in there, because there’s a real negative to going into phase two and beyond.
Because once you get into that phase, everything’s official. Like whatever comes out of that, even if the first day they’ve already identified there’s no way you’re going to pass this, they still have to post whatever score comes out of it. So you might as well go through the whole process, and now it’s official. It’s, you know, it’s in the email system. It’s known, this is your score. This is what you got. So there’s a lot of emphasis on, look, if they’re not going to pass, fail ’em, fail quickly.

Jason Pufahl 23:56

It’s really, yeah, that’s reasonable, rather than spending a lot of time and money. Like there’s, you know, again, coming back to budget, there’s definitely concerns around the potential cost for that audit when the time comes. Oh, absolutely right. And, you know, that’s the language that everybody uses anyway, is, you know, this is an expensive program, and it’s also not perfectly clear what we need to do. So you can’t even really put that box around it easily.

Mark Jennings 24:20

Yeah, and, like I said, it’s the 100% or nothing, is, you know, man, perhaps, you know, again, I can opine on this all day long, that maybe they could come up with, like, give you a little more leeway, that, you know, you don’t have to have one, one assessment objective. You know, out of the 320, you miss one of those and you’re dead. You know, it just seems like, wow, you know, a lot of times we talk about, you know, like perfection is the enemy of the good enough. Yeah, there’s none of that. You know, it’s basically perfection is what they’re looking for. So, yeah, and.

Jason Pufahl 25:00

So hopefully that doesn’t come back to hurt the program, because I could see, you know, a lot of orgs sort of rolling the dice and saying, well, you know, maybe I won’t receive the contract that has the clause. I know, as I speak that, you know, that’s getting less and less likely, of course. Or, you know, maybe I won’t be audited for three years, and I can sort of skate along. I mean, there’s that feeling.

Mark Jennings 25:19

Right, yeah. I mean, you know, it’s up to you whether you get audited, or whether you get assessed, essentially. I mean, you contract with the C3PAO. They go to them. So, you know, it’s a voluntary program, if you want a cut of the federal pie,

Jason Pufahl 25:37

You go through it. Any last-minute things you want to add before we adjourn here?

Mark Jennings 25:45

No, I think, you know, like I said, it is an evolving program, and I think, you know, it’s going to change over time as the assessors come back with different feedback from their assessments and what’s really gotten in their way, or their clients’ way, or whatever. So yeah, I mean, I’d say keep posted on the program. Keep your eyes on it. You know, I think overall it’s a good thing. You know, people, organizations of all sorts, need to up their game when it comes to cybersecurity. So this is something that’s going to force that. So, yeah, overall, it’s a good program. I think it needs some tweaks, though, and we’ll see what happens.

Jason Pufahl 26:27

Yeah, you know, as I always say at the end of these, this certainly isn’t a one and done. One, we do a ton of manufacturing work, so we’ve got a lot of expertise here. If anybody has questions about it, you know, reach out to us. We’re happy to just shed some light on it, and if there’s questions, we’ll have Mark jump back out and we’ll talk more about some of the other objectives in here. Sounds good. Cool. Hey, thanks for joining. I appreciate the time this morning. Thanks for having me. Lot of fun.

Speaker 1 26:54

We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant. Stay resilient. This has been CyberSound.
