The Cybersecurity Maturity Model (CMMC) has arrived! with Stephen Ferrell

December 17, 2024

In this episode of Secure Talk, Justin welcomes Stephen Ferrell, a cybersecurity expert and Chief Strategy Officer of Strike Graph, to discuss the significant changes in the compliance landscape brought about by the Cybersecurity Maturity Model Certification (CMMC). They explore the recent finalization of the CMMC rule, its implications for the defense industrial base, and the phased compliance requirements for various certification levels. 

The conversation emphasizes the necessity of CMMC for federal contractors, including those in non-traditional sectors like medical equipment manufacturing, along with the associated costs and procedures. Stephen also shares insights from his experience conducting a self-assessment for CMMC compliance, offering practical advice for organizations aiming to achieve certification. 

This episode is essential for cybersecurity professionals who want to understand the latest federal compliance standards and prepare their organizations accordingly.

 

00:00 Introduction to SecureTalk

00:32 Overview of CMMC Final Rule

01:58 Introducing Stephen Ferrell

03:27 Deep Dive into CMMC

10:01 Understanding NIST and CMMC Relationship

13:02 CMMC Compliance Tactics

16:45 Levels of CMMC Certification

21:26 Impact on Various Industries

30:35 Conclusion and Final Thoughts




Secure Talk - Stephen Ferrell 

Hello everyone, and welcome to Secure Talk. This is your host, Justin Beals.

Very recently, on October 11th, 2024, the U.S. Department of Defense released some information, a press release about the Cybersecurity Maturity Model Certification Program. As a matter of fact, on October 11th, the final rule for CMMC was published.

What we understand about CMMC is that its purpose is to verify that defense contractors are compliant with existing protections for federal contract information and controlled unclassified information. And the Department of Defense broadly wants to make sure that all their vendors are meeting important cybersecurity practices.

This is going to be a big change for these industries and companies that are vendors for the Department of Defense. We did an analysis ourselves of the available market, or the cost of the change, and we project that over the next three years, more than $9 billion will be spent on companies meeting CMMC compliance.

And of course, for our work here at Strike Graph, it's a critical area of opportunity to continue building a great compliance platform and helping these organizations meet CMMC compliance. Of course, I'm not the deepest expert in this particular space. So today, we've invited Stephen Ferrell, Chief Strategy Officer at Strike Graph, to talk to us a little bit about CMMC and the impact it can have.

Now, Stephen is an expert in software assurance, IT governance, and cybersecurity, particularly within the heavily regulated life and health science sectors. He serves as our Chief Strategy Officer at Strike Graph, a provider of compliance posture management solutions. He is also the co-chair of GAMP Americas and sits on the International Society of Pharmaceutical Engineers GAMP Global Steering Committee.

He contributed to the ISPE's GAMP IT Infrastructure Control and Compliance Guide and GAMP 5, the second edition. Prior to Strike Graph, Stephen co-founded Compliance Path, which supports regulated clients globally, and the company was acquired by Ideagen in 2021. He advises the US FDA on CSV, Cloud, and data integrity matters.

His compliance expertise encompasses regulations such as GDPR, FDA, and HIPAA/HITECH, as well as standards including NIST and HITRUST. Stephen is a Certified Information Systems Auditor and holds a certification in Risk and Information Systems Control. Please join me in welcoming Stephen Ferrell back on Secure Talk today.


Justin Beals: Stephen, thanks for joining us on Secure Talk again. This will be twice this year.

Stephen Ferrell: Yeah. Thanks for having me, Justin. 

Justin Beals: Excellent. Today, we're talking about a little different topic than the last time, when we spoke about life sciences and medical devices, medical software. And we're talking about kind of a recent change in the compliance marketplace with CMMC.

I think maybe you can give us a little background on why this is such a big topic of conversation lately.

Stephen Ferrell: Yeah. Sure. Just in the last couple of weeks, the final CMMC rule came into place. So this is essentially a cybersecurity hygiene standard for the whole defense industrial base.

So, anyone that serves the DoD or satellite agencies is going to be impacted to some degree. And it was delayed, has gone through different iterations, and there was sort of a collective holding of breath to see if it would actually happen this time. But it has. So, the clock is ticking for folks to get compliant.

Justin Beals: So this is going to apply to almost any vendor to Homeland Security, the Department of Defense, those types of organizations or subsidiary organizations, and being able to get or maintain a contract with them. Is that right?

Stephen Ferrell: Yeah, specifically, it covers confidential, unclassified information. So anything that, you know, is not super sensitive, but it's being processed on behalf of the DoD. And if you think about the general sensitivity of everything that the DoD is doing, you know, it covers essentially every interaction that you would have with them electronically.

Justin Beals: Yeah. So confidential, unclassified information. I mean, the confidential and the unclassified, I think, are telling words in this, right? In that the information is probably private. We don't want it to be leaked. We don't want it to be shared, but it wouldn't. There's a whole other tier of compliance and security if you're dealing with classified information, which is a very distinct specification for certain intelligence information, etc., that the government might be working with, right?

Is there anything that sets CMMC apart? Maybe we can start with what it is. What does the acronym even mean? I think sometimes we skip over that bit.

Stephen Ferrell: It's the Cybersecurity Maturity Model Certification, so its basis is NIST 800-171. That's the standard that it is based on. And it gets certification applied to it because, for the three levels, they each require a slightly different approach to certification.

So there's an estimated 170,000 folks within the DIB space that will need level one. There's about 80,000 folks that will need level two, and then as you move up to level three, the number gets smaller because they tend to be, you know, the real heavy defense contractors. And so, you know, a slightly smaller number, but not an insignificant one. I mean, just between level one and level two, it's almost a quarter of a million contractors that are impacted by this.

Justin Beals: It's a pretty sizable change, especially for a lot of contractors that have, these are all the existing relationships and not any new relationships the government might want to drive.

Do they have some time period to get this in place? Or is the door going to shut soon?

Stephen Ferrell: There is a bit of a rolling time frame. So, it's four phases. Essentially, the four phases are more for the DoD than they are for the impacted community. So, they sort of reserve the right to start including it in solicitations right now.

You know, I think the hope is that they'll give people a bit of a break, but essentially, we're kind of in phase one now. Phase two will begin 12 months after the end of phase one, and that's where you're going to start seeing level two certification actually be required in solicitations.

And then, a year after that, you're going to see phase three be required. And the expectation is that 36 months from essentially the rule being finalized, it will be in every solicitation. There is a provision that they could waive it in specific circumstances, but I think no one should count on that, and you'd have to have a very, very low-risk use case and a very, very compelling thing that somebody needed to get a waiver.

So I think people have to be realistic that they're going to have to get going on this now.

Justin Beals: One thing I tell folks all the time is that these waivers and stuff are kind of a political liability when you ask for it from that individual, because they've got to go in and then sell you on a risk, and that's a hard road to climb as opposed to complying with the requirements.

Stephen Ferrell: 100%. I mean, it's already exceptionally difficult to get a government contract. And I think anytime you create an artificial rule blocker or, you know, make it more difficult to do business with you than your competitor down the street, it's just not smart.

Justin Beals: Yeah, one thing that we touched on, but we went through it pretty briefly, and I'd like to come back to it because it comes up in a lot of conversations with teams that I've had that are newer to compliance. They'll say, hey, we want to be NIST compliant, and I think sometimes they're not quite sure how NIST works and the relationship with something like CMMC or FedRAMP or other standards that are based on NIST.

How can you help explain to us what that relationship is between the NIST cybersecurity controls, the 800 framework, and some of these standards that we go out and meet?

Stephen Ferrell: Yes, generally, the NIST standards are just that: they're basically provided for different use cases, you know, for the government to kind of pick up on.

And then what happens around that is that certification programs pop up and require parts of, or all of, those standards. Like FedRAMP, as an example, is based on NIST 800-53, and CMMC is NIST 800-171. So the main difference being that there's some kind of certification or validation mechanism specific to, you know, like a vertical, in this case the DIB. But another, you know, part of the government could pop up and say, hey, we're going to have a security standard, and we're going to base it on 800-171 as well, but it's completely, you know, separate and siloed from any of the CMMC work.

Justin Beals: Okay, great. I think, you know, as an executive at a company, when I hear that description, even though I might want to pull NIST 800-53 in the list of requirements that they had written, I'm almost more interested in the assessment methodology and what has been included in that assessment methodology, because that's more actionable.

Like, that's what I need. I need to meet FedRAMP. I need to meet CMMC. You know, it's nice to know that the specification came from NIST, but at the end of the day, really, that is the blocker, the gate, you know, in the way I think about it.

Stephen Ferrell: 100%. I mean, I think you've really got to understand what it is, like what's your goal. You know, building a cybersecurity program around NIST 800-171 might be a really fantastic thing for you to do as a good business practice, but without the CMMC certification, or whatever you're trying to achieve certification-wise, it wouldn't mean a whole lot other than making your day-to-day operations better.

So I think you're right. I think it's really having a clear picture of, you know, ultimately, what certifications do we need and what's the best fit and the best path to achieve them?

Justin Beals: So, let's talk a little bit more deeply about who it's affecting. And maybe a little bit of how it's affecting them.

I know that we, of course, work with a lot of customers that are working on CMMC. And you've undertaken for us a couple of activities recently just to help us be aligned with their needs as well. What are some of the initial tactics that you've been taking for us?

Stephen Ferrell: So for us internally, the first thing that we did was a self-assessment.

So, anybody who is level one CMMC has to do this. Now, under the actual regulation, and given where we specifically sit and the type of tool that we are, we don't technically have to do it, but we felt like it was a smart thing to do, to give our customers comfort. And also, I just think anytime you get to do a bit of a gap analysis and some kind of trust exercise, you know, why not, right?

So, we did the self-assessment, you know, kind of went through the process that any level one customers would have to do. From that, one of the things that's required is a system security plan. So we prepared that, and then we did an initial step, which was to create a kind of a statement of compliance, if you like, which takes the SSP, takes our existing trust assets, and takes that self-assessment and brings it together to form, you know, for our customers, a very quick understanding of where we sit in that sort of CMMC ecosystem.

And so what we did ultimately is effectively what a level one customer would want to do. And of course, you know, our platform is set up in such a way that it easily facilitates that without, you know, having to recreate the wheel or do a ton of manual labor or have spreadsheets everywhere.

Justin Beals: Yeah. You know, we always love, I think this is just an old product engineer methodology, but it's like, you can use your favorite metaphor, the minimum viable product, the crawl, walk, run, you know, whatever you want. But I thought it was interesting to kind of go through the stages.

Like, we did a level one. Let's say that we knew level two was in our future for some reason because we were doing a direct relationship with the DoD. Doing the level one, I think, has really helped us now feel confident that, were that to crop up, we have some analysis on the gap, what our controls are and what we're meeting.

Stephen Ferrell: Yeah, exactly. And I think, for anybody doing it, it's just a worthwhile exercise. Essentially, anyone that does it starts with 110 points and then you sort of minus stuff off for any controls that you're missing.

So it's a useful kind of numerical way of getting a very quick snapshot of where you are or you aren't relative to cyber hygiene.

Justin Beals: Yeah, we don't get a lot of mathematically styled scores in compliance. It's either you missed the control, or you hit the control expectation. So that's interesting, and the methodologies that we use start with the assumption that we're doing great and go down from there.

Stephen Ferrell: Yeah. You start with a hundred percent and then you just kind of screw up as you progress through your certification.

Justin Beals: Classic, yeah.

Stephen Ferrell: Yeah. And then there's like a one, three and five kind of weighting depending on what it is that the assessment is calling for. So, you know, once you get to the end, you sort of add it all up and then minus it off. But definitely an interesting exercise.

Justin Beals: Yeah. So once the team might do a self-assessment, or if they're just big enough, kicking off the level two, that requires an actual auditor, like a third-party assessor, to come in and do the assessment. Is that correct? Is that one of the major differences between level one and two?

Stephen Ferrell: That's the macro difference, but there is a nuance. There are some solicitations that will allow a self-assessment for level two, but the OSA will still have to review it, and you have to enter your results into the Supplier Performance Risk System, which you do with level one as well. So that is kind of on tap for, you know, any DoD contract that's looking to hire you or procure your product. I think that's going to be solicitation-based. So, you know, how and why there would be a nuanced difference there, I don't know. I suspect most people in level two will require a C3PAO independent audit.

Yeah. But they do have a provision in there for some use cases. So.

Justin Beals: Okay, so like most of the stuff, it depends on the buyer and what they want. 

Stephen Ferrell: It depends on the buyer, and I suspect, just seeing what we've seen with previous federal stuff, the solicitations will err conservatively, so the chances of you not having to, of being level two without a C3PAO, I think, are slim to none, realistically.

Justin Beals: Yeah. And then from a level three perspective, again, this might just be a macro understanding, but I think the auditor can't even be a C3PAO; the government themselves has to perform the assessment. Is that correct?

Stephen Ferrell: Yeah. So the C3PAO still has to do their thing to maintain you at level two for you to maintain level three.

You have to then submit it to what's called the DIBCAC, which is essentially the government's own certification center. So by the time they get to it, they've got a C3PAO that said you're good for level two. So I think what they're doing then is looking at the delta and being like, okay, from this point, we know that that third-party auditor has given you the thumbs up.

Is there anything in that mix to make us feel like you're not fulfilling your requirements? So they've got a little bit of insurance in there as far as being able to handle that, but that's how it's designed at the moment.

Justin Beals: Excellent. Okay. What do you think the level two self-assessment costs are going to look like?

We get asked this all the time. How much will the audit cost? Do you have any... I realize that this is going to change and that as people get used to it, different pricing models are going to change for different companies, but you know, is there a size-of-the-breadbox rule of thumb that we should be thinking of?

Stephen Ferrell: It's difficult to assess, honestly. I think we've kind of heard things all over the map. I mean, I think you're safely over the $10,000 mark, I would expect, probably in the multiple tens of thousands. You know, it is 110 controls essentially, which, based on, you know, other certifications we look at that are in the multi-hundreds, but it's such a deep level of assessment that I just think, by the nature of how long it will take, it will not be an inexpensive endeavour.

Justin Beals: Yeah, I mean, I think the horror stories on some level have been ones like FedRAMP, where we hear typically going in, you know, over a hundred thousand dollars per assessment easily. You know, I've seen the more robust new PCI DSS version four audits going for over $50,000 for an audit. And I think, you know, we could see similar things from the C3PAO community of auditors.

Yeah. From a price perspective.

Stephen Ferrell: Yeah. I wouldn't be surprised.

Justin Beals: Well, tell me a little bit about, you know, some... I realize that the DoD relationship is really affected by this, but you and I have been working with customers in very specific industries that this is impacting pretty heavily.

What are some of the verticals where we're seeing an impact around this?

Stephen Ferrell: I think anybody in the, you know, broad manufacturing space, clearly anybody manufacturing musicians, or musicians, excuse me, munitions. Yeah. Musicians are safe from CMMC.

Justin Beals: Thank goodness. Yeah. That would ruin all the creative art. It sure would. It sure would.

Stephen Ferrell: No, they can continue playing guitar without fear. 

Justin Beals: Maybe the blues, it would fit well with. There you go.

Stephen Ferrell: This is solidly playing the blues. So yeah, I mean, you know, anybody making munitions or, you know, aviation equipment or software, you know, just broadly anybody manufacturing what, you know, DoD is buying. And I think some of the ones that we've come across that wouldn't be immediately obvious, or at least it wouldn't come to mind, right?

I think you think DoD, you think, you know, weapon systems. People selling medical equipment, right? Hospital beds, like, you know, anything that's going into that, that's been, you know, procured by DoD. And again, it may be that those companies are level one, but still, there's no provision for the types of things that you're selling.

The reality is, you know, if you are party to information that, you know, base ABCD suddenly needs X hundred hospital beds, well, why is that? Right? Is there some military action that's about to happen that I need to, you know... Like, you could piece together that kind of confidential and classified information and come to a conclusion, right?

So as far departed as something like that is, I think there's a lot of folks out there that wouldn't immediately think they're impacted by this, that potentially are. It's very, very broadly sweeping.

Justin Beals: I have a family member that works on base as a civilian employee for the DoD, and they work in a capacity of social work for the staff on the base, especially the enlisted men and women, and I think about all the assets that she has to bring together through DoD contracting to perform something that doesn't seem like munitions or a concern, but it's about third-party risk, I think, for the DoD at this point.

Yeah, very much so. Could you give us, since you did our self-assessment... I'm a little curious. I always have this truth that I try to express about a lot of these standards where people are like, oh, this is a security standard, and therefore everything's about encryption and data backups.

And like, actually, a whole lot of these standards are about HR and, you know, business processes and financial fraud prevention. How did you feel about the layout of the standard itself? Like, what were its focus areas?

Stephen Ferrell: Yes, I see. Very good question. You must do this a lot. I actually thought it was quite well done.

Actually, I think, across the, I forget exactly how many questions there are, but across the 110 points, it's quite practical. Nothing particularly strange. Nothing, you know, out there. I think everything they asked for... I think it really is a hygiene standard, right? It's not a deep dive, you know, understand-every-packet-in-your-network type of thing.

It's very much about, I don't want to say the basics, because that kind of undersells it, but it's definitely like a first-level, have-you-done-this cybersecurity standard as opposed to a really deep domain-specific one. There really isn't anything in the CMMC that I saw that jumped out at me where I thought, oh, wow, that's super unique to DoD.

Like, I think you could take that framework and you could apply it to all kinds of verticals. There's no defense flavor to it that I found, anyway, as I went through that process.

Justin Beals: It's funny, because I remember ISO 27001 used to have a part of the standard that was about where your network clock was located and how that was utilized, and a lot of people that I would talk to would be like, I don't know what it's asking for.

I'm like, oh, you've never racked hardware or run a clock in a server system before. You know, you've had the network provided for you in such a way. Also, most companies don't anymore. And so I think in the latest versions of 27001, that particular part of the requirement is no longer included because it's just not a big part of the requirement issues.

Stephen Ferrell: Yeah. 

Justin Beals: Okay. So I'm just going to make sure I'm catching some of these concepts really well. One is that we'll see CMMC as a part of the requirements, I think you called it a solicitation, or like the RFP, from the DoD starting already, right? Like, going forward?

Stephen Ferrell: At the moment, they have the right to include it.

Justin Beals: Yeah. 

Stephen Ferrell: Yeah. So there's kind of a little bit of a grace period where they may choose not to, but I don't know why they wouldn't, you know. I think it's very likely that you'll start seeing it sooner rather than later.

Justin Beals: And then they'll specify what level of assessment they need for that particular solicitation.

So there's a level one, which is generally a self-assessment; a level two, which will mostly be a C3PAO assessment, but we might get some self-assessment in the solicitation; and then a level three, being a C3PAO plus a government auditor in the mix. And then it did sound like you mentioned that there is a platform the government is providing for organizations that have been through any level of CMMC assessment to submit the outcome of that assessment so they can store it.

Stephen Ferrell: Yeah. The Supplier Performance Risk System.

Justin Beals: That's hard to get an acronym for; it's too many consonants.

Stephen Ferrell: Yeah. SPRS. Good. Solid stuff. 

Justin Beals: And I think, well, you've been through the self-assessment with us already, and it seems like you felt it was actually a pretty positive request, with nothing bizarre in the assessment, and actually a pretty measured approach to being able to look at a gap and how we're performing and what the expectations might be.

Stephen Ferrell: Measured approach. And I think, by the nature of what we do as a business, it wasn't particularly difficult for us to answer. I think if you are, you know, making widgets, you know, and you're not thinking about cybersecurity all day, it might be a little bit more challenging. But again, not because the questions are unreasonable, but because, for a lot of folks, they just will never have come across something like this before, I suspect.

Justin Beals: Yeah, I think there were two things I want to highlight that we did that made it easy. Of course, you know, we operate this on our platform, but it's not an absolute requirement to have a platform like ours to do this. But one is, I think we had our SOC 2 audit with all our controls listed and what we've gathered and tested already.

So I believe that helped in doing the self-assessment quite a bit. 

Stephen Ferrell: It did. Yeah. 'Cause, you know, you have two things. You have the benefit of being able to understand what our control is, and then you also have the benefit of it having been third-party reviewed, right? So it's not just me saying, oh, I think that's in policy 12345.

So we're able to tie it back to our SOC 2, which is then tied back to an actual auditor's attestation, so it kind of gives another level of, you know, assurance. And I think for anybody that already has certification standards, you know, I definitely would encourage that kind of crosswalk activity that we did because, you know, one control can serve many masters, as opposed to trying to have a completely verticalized CMMC approach.

'Cause, one, I don't think it's practical, and two, I think you're almost playing pretend. You can't have two policies that do the same thing for two different things and expect anyone to follow both. So, you know, I think that crosswalk thing is really critical.

Justin Beals: Yeah, this is, of course, I think, core to the way we think about our platform and some of the value we provide: it just gets exponentially complicated with every standard, and once you get an extra standard and another standard on top of that, you know, it's 3x as complicated as the initial standard that you started with, and there is a lot more opportunity for failure, either in audit or in ineffective practices, you know, day to day.

Well, that's excellent. Well, Stephen, of course, I really appreciate you working on this with us and our customers. And also, I know our listeners at Secure Talk really appreciate having some pragmatic visibility into what's coming and how to prepare for it effectively. So thanks for being our expert and sharing that with us today.

Stephen Ferrell: Yeah, I appreciate it. It's always good to catch up.

Justin Beals: Excellent. All right. Have a great weekend. Thanks, Stephen.

Stephen Ferrell: You too. Thanks.

About our guest

Stephen Ferrell, Chief Strategy Officer, Strike Graph

Stephen is an expert in Software Assurance, IT Governance, and Cybersecurity, particularly within the Life and Health Sciences sectors. He currently serves as the Chief Strategy Officer at Strike Graph, a provider of Compliance Posture Management solutions.

He is a co-chair of GAMP Americas and sits on the International Society of Pharmaceutical Engineers GAMP Global Steering Committee, contributing to the ISPE GAMP IT Infrastructure Control and Compliance Guide and GAMP 5, 2nd Edition. Stephen co-founded CompliancePath Ltd, which supports regulated clients globally, and the company was acquired by Ideagen in 2021. He advises the U.S. FDA on CSV, Cloud, and Data Integrity matters. His compliance expertise encompasses regulations such as GDPR, FDA, and HIPAA/HITECH, as well as standards including NIST and HITRUST. Stephen is a Certified Information Systems Auditor (CISA) and holds a certification in Risk and Information Systems Control (CRISC).

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
