CMMC has changed: Here's what you need to know

[00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well try this, go to infosecinstitute.com/free to get your free cybersecurity talent development eBook. It's got in depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and the team of subject matter experts to build training plans that align with the most in demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans plus many more free resources for Cyber Work listeners. Do it. infosecinstitute.com/free. Now, on with the show.

Today on cyber work. InfoSec instructor and 40-year cybersecurity veteran, Leighton Johnson talks to us all about all things CMMC. After last year's attempted rollout, CMMC pulled back and retooled its entire framework. But why? Leighton gives you all the details including how to train to be a CMMC certified auditor. That's all today on Cyber Work.

[00:01:23] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Leighton Johnson is the CTO and Founder of ISFMT, the information security forensics management team, providers computer security forensics, consulting and certification training. He has presented computer security, cybersecurity and forensics classes and seminars all over the United States and Europe. He has over 40 years’ experience in computer security, cybersecurity, software development and communications equipment operation and maintenance. So, Leighton’s primary focus areas include computer security, information, operations and assurance, software system development lifecycle, focused on modeling and simulation systems, system engineering and integration activities, database administration building process and data modeling. He’s also a longtime bootcamp instructor with InfoSec and has written material for our InfoSec skills platform.

So last year, we presented an episode of Cyber Work that was all about CMMC, the compliance standard and also the certification required by people who want to be CMMC auditors. So, although I enjoyed talking with Frank Smith at Antiva, a great deal last year, not long after the episode aired, CMMC went through drastic changes, followed by more changes and then more changes again. So finally, we put the topic on the back burner until we knew that any new episodes to come would reflect the newest changes and CMMC. So, Leighton’s here to tell us what's new with CMMC 2022, and going forward as well as the work of becoming certified to be one of many different levels of CMMC auditor. Leighton it's always nice to see you. Welcome back to Cyber Work.

[00:03:09] Leighton Johnson: Well, thanks, I appreciate it.

[00:03:11] CS: So, since Leighton was – again, trivia, our very first guest on Cyber Work back in 2018 and because I didn't have these stock questions in the arsenal, yet, I realized I've never really asked you this before. How did you get started in cybersecurity? What was your initial draw to computers, tech and security? You said you have 40 years’ experience in the industry, so, what was it like back then?

[00:03:32] LJ: Back then it was very, very raw and very open, and virtually, no security whatsoever when we first started.

[00:03:43] CS: The security was that nobody was there.

[00:03:45] LJ: Yeah, this security was nobody really wants to come after what we got. And so, you didn't have to protect it. The overhang that was really any interests, given my background in the military was the confidentiality side around intelligence back then. But that was about it. The general area as the Internet evolved, was all about making sure you had connectivity, not worrying about whether or not was safe.

[00:04:14] CS: Right, right. Yeah. So, as I said at the top of the show today, our subject is going to be entirely about the Cybersecurity Maturity Model Certification in 2022. So, just real quickly, I'm going to start off for anyone new to CMMC by explaining it in brief. The CMMC framework is intended to assess and enhance the cybersecurity posture of more than 300,000 companies that contribute to the research, engineering, development, acquisition, production, delivery, sustainment and operation of department of defense systems, networks, installations, capabilities and services. First of all, what type of contractors, vendors and companies will need to be ready to be CMMC compliant to continue working with the DoD? I'm assuming this goes all the way down to even the candy vendors and everything.

[00:04:59] LJ: It’s the entire supply chain. So, at so many levels down, from people who hold direct contracts with DoD, right down six, seven, eight levels, whatever it is, it's everybody.

[00:05:14] CS: Yeah. So, can you speak to the changes between CMMC as it was envisioned over the last few years and the current version? What contingencies or issues came up that caused the governing bodies to pull the framework back and just start from the beginning like they did?

[00:05:31] LJ: Well, a whole lot of assumptions that were made about what contractors are doing for their own cybersecurity, versus what was actually happening, was one of the biggest problems. And that had a lot to do with the fact that, of course, DoD’s viewpoint is that you're supposed to be because of the federal DoD acquisition regulations that have been in place since 2016, that there should have been some basic cyber activities already going for every single contractor. And as they actually found out, since the commercial world is not based on requirements, it’s based on cost, that wasn't actually what was happening.

[00:06:21] CS: Right. So, they didn't understand kind of the scope of what this was meant to be?

[00:06:24] LJ: Not particularly. And in a lot of cases, they were saying, we didn't do this, we shouldn't have had to been able to do this. But if you go back and you look at both the Federal Acquisition Regulations from 2016, and the Defense Federal Acquisition Regulations for 2017, they all said, “Well, yeah, you're supposed to have been doing this all along.” So, there was a lot of gnashing of teeth and mechanisms around that. DoD has always had an extremely strong viewpoint about security and cybersecurity, for its own components and its own activities. And so, they basically just translated that over to the commercial world, and that's when the big disconnect was seen.

[00:07:16] CS: Right. So yeah, when I spoke about CMMC, last year, there was seemingly a stopwatch hanging over the heads of contractors, there is a fairly short window to become CMMC compliant. So, has that timeline been reset? Or are we still under the sword of Damocles here, along the grace period where people –

[00:07:32] LJ: No. We’re still under Damocles. I mean, it’s still looking like, at least all the documentation coming out of DoD is still saying somewhere between March and May, probably May next year, will be when they actually hit in the contract requirements that come out for everybody. Which means, of course, the people who are the prime contractors in all of these contracts, plus all of their subs, have to meet the requirements that go through those areas. It isn't really all that major and effort, if you're only dealing with pure federal contract information and are not any specific engineering requirements.

That in and of itself is just basic cyber hygiene things. But it gets very complex and there's not a whole lot of grace periods or any of that type of thing along with it, when you start getting into, well, this is controlled information. It's unclassified. But it's controlled information of a variety of different types, technical defense, privacy, whatever it might be. You got some work to do to make sure you're there before DoD will authorize anybody getting that information to build and support what they need in their contracts.

[00:09:09] CS: Yeah, I think last year, when things were starting to look uncertain about the sort of finalized version of this, we were trying to sound the alarm and say, like, even if they're still working on this, you should be working on getting compliant bow. I mean, it's like the question of like starting working on your class project, the night before or whatever. Just because it's not finalized yet, it doesn't mean you shouldn't start putting it together.

[00:09:36] LJ: Well, a real quick thing to think about that. What has transpired is that those organizations who are volunteered to go through it already, the first thing that happens is the government asked them for their system security plan on a Monday morning, and they expect it to be delivered to them by Friday. I mean, there is not a whole –

[00:09:59] CS: It’s a real pressure.

[00:10:01] LJ: Yeah, you got to have it ahead of time, clearly, that type of thing.

[00:10:06] CS: Yeah. And you pretty much said this, but so the repercussion for not being CMMC compliant is that you're not going to be able to work with the DoD until you are. Is that right?

[00:10:16] LJ: That's basically it. You cannot get awarded a contract without having CMMC compliant.

[00:10:22] CS: Yeah, there's no pay a fine, but keep going while you work on anything like that. Yeah. So, the CMMC lays out several layers of or levels of certification as both assessors and as instructors. And we know that organizations will be assessed by an assessor that is qualified at the level the org wants to achieve, and that it is up to the org to determine what level they would like to do before scheduling the assessment. But how does that organization decide such a thing? Can you describe what benefits or clearances are given to organizations being assessed at these different levels?

[00:10:56] LJ: Well, there's two levels. First one is what they call federal contract information level or FCI level. That's level one. And so, that's basically information that's not public about the contract. Terms, conditions, schedule, stuff like that. All right. That's level one. That's pretty much everybody. Everybody has to get a level one. Because they always put that in contract information, wherever it comes, whenever you get a contract from DoD, or their prime subcontractors, their private contractors, I should say. The second level is the one that they call CUI level or level two, which is the controlled unclassified information. This is where the technical specification type things come in. This is where you're going to find out is that controlled defense information not classified or all. We're not dealing with that world whatsoever here. It is just a special criterion around whatever the contractor is building, that type of thing that is unique and specific to DoD and their requirements.

I've seen estimates go anywhere from 40% to 75% of all contracts will have that requirement. And literally, that literally depends on the contract against all – as those processes go. Now, as far as timing goes, they haven't really specified other than to say, it will start when the final federal regulation goes into play next May or so, somewhere in next spring, as far as that goes. But I've seen various reports, say, two years to three years. When it first came out, there was a five-year window, for everybody to get there. But they've compressed that because it's taken so long. We still have the problem. We said the problem is only getting worse. It's not getting any better. Adversaries of the government are still stealing data. That hasn't slowed down, if anything, it's actually picked off. So, timeframes are somewhat compressed when you look at what's the intent of this, it's to manage that sensitive information so it doesn't get into the hands of the US government adversaries and that's the point of it.

[00:13:59] CS: Yeah, now, you were careful to separate out unclassified controlled information from classified information. Is there sort of another version of CMMC that's for classified information higher up that we're not talking about right now or that controlled by its own?

[00:14:17] LJ: That program has been in play for 10 years or longer.

[00:14:21] CS: Okay. Gotcha. Gotcha. Oh, so late –

[00:14:26] LJ: So, it hasn't really had that.

[00:14:27] CS: Okay. Your video froze up for a moment there, so I was just waiting, but okay. All right. So, yeah, Leighton, can you talk about the process of becoming a certified CMMC auditor? I mean, I know there's several levels, you had two of them. But like what kind of material will you be learning about and mastering to ensure that you're able to successfully perform these crucial compliance audits?

[00:14:52] LJ: Number one, it's all based on NIST Special Publication 800-171. So, everything about assessment is focused around the NIST Special Publication 800-171, and its assessment guide, which is Special Publication 800-171(a). Now, DoD has produced on the CMMC website, several guides that go along with those. But that's the core foundation source material that anybody needs to understand.

Now, the security components for that are a subset of the big NIST guide that the federal government uses in general, including DoD, for assessing security, which is, of course, SP 800-53, like I call it the big security catalog in the sky. It's the most detailed security catalog worldwide, that's out there. And this is a subset of that. A significantly smaller version of it, here, we're dealing with 110 security controls. This guy, today, right now has over a thousand. So, a big one. So, we're literally like, less than 10% with 171 and 171(a). But those guides teach you what you have to do in order to do assessments in general in the federal space, and specifically under CMMC, what kinds of mechanisms you have to look for? What are the specifications? What are the practices? What are the processes? And what proof do you need? Because this is assessment, and those types of things, which is a nice way of saying an audit, but it is. So, it still requires evidence and all those types of things that you would expect in any assessment or audit anywhere.

[00:17:09] CS: Right. Now, sort of a two-part question on this. We have this very tight window coming up here for companies to get compliant by next March, April. I’m assuming that if you wanted to start becoming, to learn to become a CMMC auditor, so you could do this kind of work, there's got to be a bit of a time limit on that. Now, if you wanted to start working on that now, I'm assuming that this is not – this this particular job role, CMMC auditor is not going to go away after like, May of 2023. It's not like –

[00:17:46] LJ: No. It's an ongoing effort. First off, they only last for three years, and then you got to go through it again.

[00:17:53] CS: Okay. Got it.

[00:17:56] LJ: As long as you have a federal contract with DoD, you're going to have to go through this every three years anyway.

[00:18:03] CS: I see. And then the second part of that question is, if the April deadline comes, and there's a lot of people that DoD is used to working with, who are not ready by then, is there going to be any kind of, I don't know, supply chain issues? Is there going to be anything where there's going to be –

[00:18:23] LJ: That's one of the big conundrums that DoD is trying to work through, is what's going to happen, as they roll this out. That's part of the reason why they put in this pre-assessment upfront voluntary process right now, which started in the middle of August, and started working with some of the major supply companies already and system integrator companies, those types of big ones already, because they knew it was going to take a while to go through all this. Now, there's limited time and limited resources to do these, because right now, there are only 156 assessors.

[00:19:09] CS: Wow.

[00:19:09] LJ: That's it.

[00:19:10] CS: That's it. Wow, interesting.

[00:19:15] LJ: So, they are the rebranded CMMC assessment organization, is now called the Cyber Accreditation Board, is called Cyber AB instead of what it was used to be CMMC AB, which is the third-party nonprofit that's doing all the coordination for this.

[00:19:38] CS: I see.

[00:19:40] LJ: They've instituted a whole new area around a training and development for certified instructors as well as assessors for this process called Keiko and they just put into play and authorize the first group of certified CMMC professionals, official professionals. They're not provisional anymore. It's real. That just came out like 10 days ago. And so, they're spending it all up. They've got licensed training providers, of which InfoSec Institute is one. They've got license publishing partners, of which InfoSec Institute is one. As part of those processes, to get everybody trained up that they're going to need. I mean, you're obviously going to have to talk thousands of participants in the ecosystem, not just hundreds, just because we are talking, 300,000 plus companies. Everybody's got to be at least a level one assessed. There is a self-assessment for level one. But if you want to be a level two, you got to go through level one to get to level two. So, everybody who's focused on becoming a level two, and dealing with the technical data, it's going to have to go through both and that's done by assessors and the assessment teams.

[00:21:22] CS: Well, good. It makes me not feel bad that I asked you a bunch of questions about becoming a CMMC auditor because clearly, this is the job role that we're going to need a lot.

[00:21:31] LJ: This is a job role that’s going to be around for a while.

[00:21:33] CS: This is a pound the alarm situation here. So, I want to ask about for people who are listening and might want to do this kind of thing. Are there any cybersecurity career roles that have adjacent skills to CMMC auditor? It seems like there could be some overlap in knowledge bases with people working in privacy or compliance or risk management for –

[00:21:53] LJ: Absolutely. I mean, there's multiple. Let's start with anybody who's a certified auditor, anybody who is actually truly a certified security component installer and engineer, i.e. CISA for mySoC. CISSP from (ISC)². SSCP from (ISC)². CIPP and other privacy mechanisms all have skill sets that are part of what's necessary here. So, as they go through it, their only big thing they have to do is to be actually on an assessment team is via CCP, which is the core foundational, just understand what is CMMC, with their technical backgrounds and other areas. All right, that type of thing. And that's what we work them through, is just you take your foundational information and then apply it to this particular framework,

[00:23:07] CS: Right, this is very much a theme and variations kind of thing. If you already know the music, then we're just doing –

[00:23:11] LJ: Right. We already know the music now. It’s just, is it Baroque, or whatever. Is it Bach? Is it Beethoven, whatever.

[00:23:21] CS: Let intervals this time around or not? So, going to the organization side of things. If you're an organization that's worked with the DoD in the past, and I know you shouldn't be feeling a bit flat footed, because you've known about this for years, but somehow a lot of people are. So, where do you begin in terms of making an evaluation of your organization's needs?

[00:23:42] LJ: Number one, go to FAR, Federal Acquisition Regulation 52.204-21. You will find 15 different basic cyber hygiene criteria in that regulation, That's level one.

[00:24:01] CS: Okay. Great.

[00:24:02] LJ: You start there. Then the first thing you do after that is write it all down. There is a template out there along with on NIST website that goes with SP 800-171. It's called a system security plan and you could fill it in to determine what areas you're missing. And then you got your plan on what you got to go forward for. Is it self-description? No. Does it require some understanding? Yes. Does it require people to get some sort of security person in to help? Probably. You go through this in a commercial world every time you get a SOC 2 review, or you get an ISO 27,000 audit or any of those types. It's the same type of scenario there, but it's more focused and just this area. So, in this particular area, really all you're focusing on is the information around what's on those specific contracts. So, it's a little bit more of a subset, than it would be if you were doing a full-fledged ISO audits or SOC 2 review, or any of those types of things. But –

[00:25:44] CS: But I also imagine that having this in the pocket would put you on a good footing for being ready for the big ones.

[00:25:49] LJ: Oh, it will put you way down the road ready for the others.

[00:25:52] CS: Yes. Okay good.

[00:25:54] LJ: And you only actually have to do it once, because the reviews are designed around looking at what you currently have. So, if you've done an under one, then that becomes just translatable to the other, prior to those efforts too. But you do have to look at it. I mean, there are differences, obviously, between any of them. Having done them all, I can tell you, yeah, there are differences. But you do look at what they are and where they come into play.

[00:26:28] CS: In terms of the people who are going to be doing these assessments, I'm sure it depends on the size of the organization. But is there a benefit to having sort of in-house, like people in your own security staff be the CMMC auditors? Or is this going to be always a thing where you're going to have someone from outside come in to evaluate your system? Is this more of a freelance role, where you’re going from company to company?

[00:26:54] LJ: It's not. The system is set up that there's only specified organizations that can do third-party reviews and assessments. They're called C3PAOs, or Certified Third-Party Assessor Organizations. That's it. However, the entire system is set around the fact that a CMMC certified professional, a certified CMMC professional, CCP, can be an employee of the company, and that's who your subject matter expertise would come from internal as far as those efforts. And so, part of that whole scenario is allow them to have that. There are additional parts of the CMMC ecosystem that provides gap analysis and pre-assessment reviews and those types of things. And that comes from the registered practitioner organizations, the RPOs, that are out there, where each of those people who are associated with those organizations have some CMMC training in their background. And therefore, they can understand what the needs are, and general organizations.

Now, different organizations would want to do it different ways. I've seen both so far already. Some organizations who have CCPs on staff, other ones who have RPs or registered practitioners on staff, those types of things to help them work through what are the cyber requirements? What are their security requirements? Those standard things, so that they understand all the classic, technical, cyber speak that's out there, like, multi factor authentication, and all that kind, firewalls and all the rest.

[00:28:53] CS: All the rest of it. Yeah. Now, sort of spinning out from there, maybe this is an improbable thing, but if you sort of start your career doing these kinds of assessments, are there other job roles or career types that would benefit from the knowledge gained from studying for CMMC certification?

[00:29:14] LJ: Number one, risk management and how it works. So, C risk and risk management and all those come into play. Obviously, generalized Information system auditing, CISA and CAP and (ISC)², there's a variety of professional certifications where this type of background fits exactly with them. Not only coming in, but also going out and using it, because a certified authorization professional, a CAP, for example, does this, but uses the big catalog to do their efforts. 853, rather than 800-171 limited focus one, that type of thing. So yeah, it goes back and forth both ways.

[00:30:08] CS: I imagine, like, if you were to get into things like data privacy and sort of, data and privacy frameworks and things like that, this all sort of slots in kind of nicely with that as well.

[00:30:20] LJ: Yes, it does. And a lot of it is because NIST is the source for all of these mechanisms, and NIST has built the US government's cybersecurity framework, risk management framework, and privacy framework, all three of them. And so, they're all built to correlate with each other, that type of thing. So, it certainly works that way. And so, you can take information from any one of them and apply it in other areas. I won't say you don't have to study to get them, but they are correlated, so that does work together.

[00:31:03] CS: So, for our listeners who aren't currently working in defense, or federal jobs that would intersect with CMMC, but are considering it now, how do you kind of get on the map for these? Obviously, there are experiences that would be more desirable for landing an interview. But I think, when we talk to people in the live settings, they always get like, “Well, how do I get a security clearance and all this kind of stuff?” That seems like an impossible sort of bridge to them. How do you sort of get your foot in the door in that world that let you sort of recognize it?

[00:31:36] LJ: Well, there’s a couple things under CMMC that help. Number one, you don't need to have a DoD security clearance, because it's not classified. So, you don't have to worry about that part. Do you have to get a background check? Yes. Because you are dealing with information that the US government is interesting to you. But you don't need a clearance, any of those types of things, as far as those go.

Number two, experience in cyber itself, whatever level get you in the door, initially. For example, the new (ISC)² CC, certified cybersecurity one, which is brand new, and doesn't require any experience in order to get, is a great place to start. I mean, we are talking cybersecurity here anyway, and that's a fantastic one to start with. And at least until March next year, is going to be free.

[00:32:43] CS: Okay. Oh, also good to know, you heard it here first.

[00:32:46] LJ: That's part of their whole thing that they did with the white house a month and a half ago was that they were going to give away a million of the certification for free.

[00:32:58] CS: Yeah. That's a pretty aggressive, I hope to sort of ramp things up, I imagine.

[00:33:04] LJ: Well, (ISC)² knows what’s happening just like the other major security bodies out there. They see it. It's not like they don't know that we're a million and a half people short, and all the rest of that.

[00:33:17] CS: Worth making the investment for it, absolutely.

[00:33:19] LJ: Absolutely.

[00:33:20] CS: All right. So, as we wrap up today, Leighton, can you tell our listeners about some of the boot camps you teach and InfoSec skills that you’ve created so you can – where should they get started? What are some of your favorites?

[00:33:32] LJ: I have been teaching for InfoSec for over, I don't know, 13 years, 14 years, something like that. I wrote all the original courseware and delivered it for CAP, for C risk, for CISA, all those types of things. For InfoSec Institute, I've taught pretty much, all of my SOC certifications, and all of – most all of (ISC)² certifications, at least all the ones that I hold, I've taught for InfoSec Institute.

As far as that goes, I've focused on some of the more advanced ones over the years, so I developed and teach and have videos available around ISSAP, ISSEP for InfoSec Institute. I still get people who asks me questions about those videos. And I still occasionally, like once or twice a month, get somebody who ask me questions about some of those videos as far as that. So, that type thing as part of those processes.

[00:35:04] CS: All right, well, yeah, if you spin the wheel, chances are 50/50 you're going to find a Leighton class in there somewhere.

[00:35:10] LJ: Absolutely. Also, if you would like to tell us more about ISFMT and let our listeners know more about it and where they can get involved?

[00:35:19] CS: Sure. Oh, well, ISFMT is my boutique cybersecurity company I started in 2007, when I got done being the regional CIO at Lockheed Martin. I walked out the door on Friday and started my own company on Monday. We do security assessments and audits, primarily detailed mechanisms involving both auditing and in a lot of cases, forensics, because that's what the F stands for an ISFMT. So, yes, you'll find forensic courses I've taught for InfoSec Institute as well. They’re out there, as far as those efforts.

So, we provide services around where are people at giving them gap, understanding of what they need to get to. I have a series of subject matter experts in a wide range of areas that I basically hand selected over the years to assist in these efforts as we go through looking at all of the different areas. I mean, cybersecurity is a huge field and it's a subset field of information security, because you still got all the stuff and paper and you still got all the stuff in video, and you still got all this stuff in audio, and all the rest of that, you got to deal, even beyond that.

We go through and we assess and we review. We provide gap analyses, we provide advice. If they need her official audit, well, we can do that too, because we've got upwards in the neighborhood of 40 professional certifications that are supported by our organization that goes through these things, and pretty much all the major audit ones worldwide are available, 27,000, 31,000 for international. [inaudible 00:37:38] and all the rest of them for all these others CISA, clearly, all sorts of them.

[00:37:46] CS: So yeah, one last question for all the marvels of Cyber Work listeners want to learn more about is ISFMT or Leighton Johnson, where should they start looking online? What are your handles?

[00:37:56] LJ: www.isfmt.com. Find me on LinkedIn. That's the only social media I go on, and I'm there. You'll know it's the right place when you see my name and a couple of credentials after my name. You got the right one.

[00:38:16] CS: The right one. Leighton Johnson, thank you for your time and the great conversation. It's always a pleasure to talk to you.

[00:38:22] LJ: Absolutely, Chris. Always enjoy these things.

[00:38:26] CS: And as always, I'd like to thank all of you who are listening to and watching the Cyber Work podcast on a larger scale ever. 2022 has blown through all of our stretch goals and all our hopes and expectations. So, we are delighted to have you all along for the ride.

These days, we want you to all go to infosecinstitute.com/free, because that's where you get started with your free cybersecurity talent development eBook. It's got in depth training plans for the 12 most common roles, including SOC analysts, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. So, one more time, that's infosecinstitute.com/free, or click the link in the description I assume is below me, right here, to get your free training plans, plus many more free resources for Cyber Work listeners. Do it. infosecinstitute.com/free.

Thank you very much, once again to Leighton Johnson and thank you all so much for watching and listening, and we'll speak to you next week.