
She has spent the last four years supporting the company's CMMC program and at least two and a half years overseeing the development of a proactive cybersecurity program focused on mergers and acquisitions, as well as developing the information security branch of the Blue Halo cyber team. She has a Master of Science in Information Technology Management and is a CMMC certified practitioner. With that, take it away.

Thank you. Okay, thank you, Chris. So, thank you all for coming. How many of you here are involved with a DoD company, a defense contractor, or the military in some way? And how many of you are here because you are comfortable and not ready to move?
I will try to make sure that both groups do not regret staying. Thank you so much. This is on CMMC, which is the Cybersecurity Maturity Model Certification that affects all companies that want to have contracts with the DoD. It has been a long time coming, and it is generally considered an IT or cyber certification. When a company finds out they are going to have to achieve the cert, they hand it to their CIO, and then the executives never think of it again, and then they wonder why things are getting hairy. This is an effort to circumvent that.
So, the first thing I want to do is thank the BSides crew for all of their hard work, for putting this together, for bringing our community together, and for taking the time to review all of the presentations that were submitted. It's been an amazing day, and I appreciate the opportunity to come and be part of this community. So, first, a little bit about me, which Chris did wonderfully. I'm the director of information security for Blue Halo. We're now an AV company. We have a successful third-party CMMC Level 2 assessment, and I was very honored to be at the head of that effort, but I am by no means the one that made it happen, and I'm about to show you why.
We are responsible for all of our enterprise GRC, and it's a wonderful job. I am a CCP and also a CCA, certified through the Cyber AB, which means I'm also a CMMC assessor. I am a glutton for punishment.

So what is CMMC? I like to think of it as the price we pay for assuming. Back in 2016, DFARS 252.204-7012 was released, and that one said that we had to have certain incident reporting practices in place and we had to set up our information systems according to a NIST special publication that we lovingly call 800-171. We, all the defense contractors, were supposed to be compliant with that no later than December 31st of 2017. Three years later, it wasn't helping. We weren't cutting down on the loss of controlled unclassified information, on exfiltration and breaches. So, they stepped it up. In 2020, we had three different DFARS clauses added all about the same time that sort of stepped up our game. 7019 says, "Okay, now you have to do an assessment on that framework, the 800-171, and you have to show it by uploading a score into a portal. You have to do it at least every three years, and you must have a system security plan in order to upload your score." And the defense companies said, we've got it. They also said the DoD can come in and assess you against what you've uploaded at any time. And we said, that's great. Unfortunately, what we found was that there was a significant gap between what defense companies assessed themselves at for compliance and what the DoD found when they came in and looked at the same evidence. That led us to what we call 7021, the CMMC clause, where they said, "Okay, we're going to change things up. We're going to require third-party certification, and we're going to really, really make sure that you are doing what you need to do."

CMMC is based on the same framework, the same 110 security controls that 800-171 has, but it is not the same assessment. You can be compliant with 800-171 and completely miss the mark when it comes time to assess for CMMC. Part of that is that CMMC includes assessment objectives that are taken from a completely different document, 800-171A. There are 320 of those, and you have to meet each and every one of them that are related to a control for the control itself to be met. I'll show you some examples of this later. CMMC uses the CMMC assessment guide and methodology, which are a little bit different from 800-171. Historically, you could have a plan of action. You could say, "We've done 98 of these and we have 12 on our list of things to get to in the next year, and here's our closeout date. We're good to go." To get a CMMC Level 2 third-party certification, you have to have every single objective met. So, the stakes are a little bit high.

One of the biggest differences I run into is asset categorization. I've talked to a lot of defense contractors who've been doing this for years. They may have a wonderful information system set up, but they don't realize that there are different treatments for different types of assets. There are CUI assets, security protection assets, specialized assets like your OT, your IoT devices, your manufacturing equipment and your government-furnished equipment. You also have your contractor risk-managed assets, which have their own special subset of requirements, and then your out-of-scope assets. So those are some of the differences. You'll notice it says "briefly"; there are entire conferences focused on this.

Now that CMMC certifications have begun, we've noticed a lot of false starts. A false start is when, in phase one of your assessment, the assessors determine that you're not ready. At that point, they can cancel the assessment or reschedule it. They can put it off, postpone it for a little bit. These are the most common reasons that we're finding people are failing that readiness assessment. Unfortunately, right now, as of the May Cyber AB town hall, we found that about 45% of defense contractors who are asking for a CMMC assessment think they're ready. They're good to go, and they're failing their readiness review. They're not understanding the requirements. Documentation, documentation, documentation. It shows up everywhere in the discussions about why people are not ready. They've underestimated the adequacy and sufficiency of the controls and what evidence needs to be provided. And then scoping: what's in scope? What is actually part of your CUI environment? This one made me smile. Our IT team shared it quite a bit when we were preparing for our assessment, and they don't share it anymore. They've conquered that mountain.

So why do we think of CMMC as an IT or cyber certification? First, the verbiage, right? It's in the name: it's the Cybersecurity Maturity Model Certification. In addition to that, if you go to the NIST glossary, it's actually on the Computer Security Resource Center. When you look at the topics within CMMC, you're looking at networking, encryption, cryptography. You're looking at access controls and provisioning accounts. That all sounds like IT to me, right? It's accurate, but it's not comprehensively true.
The devil shows up in the details. These controls are based, as I said, on passing all of the assessment objectives within a control. Sometimes you'll have a control with objectives that are shared among different departments within your company. If you haven't understood that, if you haven't identified them and you haven't prepared them, they're not going to know what's expected of them. We see that security or facilities has approximately 40 individual items they have to get done, spread across 15 different controls. We see that HR and recruiting has approximately 10 objectives spread across different controls. Programs: a lot of people don't consider that their actual program teams, the ones who are doing the work for the contracts, need to be included in this assessment. They need to be prepared, and they need to understand their responsibilities as well as their documentation. Marketing has one control, that's it. But unfortunately, if that one's not done, it affects a different control that speaks specifically to controlling the flow of CUI. If an objective is not met, then the control is not met, and you are not certified. The stakes are pretty high with CMMC. On average, 66 out of 320 assessment objectives may fall outside of IT and cyber. That's a significant number of people in your organization that you're not talking to if you're focusing all your efforts within your CIO.

So before we dive in, an important concept is adequacy and sufficiency. This shows up a lot. Adequacy is described as: do you have the right evidence that shows you are implementing the control? So if you say you've implemented multifactor authentication for all of your network access, do you have proof that shows you are providing MFA and requiring it for network access? Sufficiency is: do you have enough of that right evidence? So you may be requiring it on your laptop endpoints, but are you also requiring it on mobile devices? Adequacy and sufficiency play a role throughout the assessment process. I like to think of it as, when you look at a control, ask yourself: is it done everywhere that it needs to be? Is it known by all who need to do it? And is it functioning as intended? If your answers are yes, you're probably in a good spot. If you can prove it, you're definitely in a good spot.

I do have some caveats before we dive in. Every company is different. Every single one of you has a different setup for how you do your onboarding, how you do your IT work, whether you even have a cyber department or it's part of your IT team. Every company is different. So, what I put up here are sort of broad-stroke examples, and the general flow still applies. For example, in our company, we have security and we have facilities, two different teams. They have several controls that they do have to share and work together on, and so they endeavor to do so. Every control, however, will map into your environment. If you are trying to hold DoD contracts, every control needs to be addressed. You want to understand the intent. Find the person who does the thing and get with them. Talk to them, understand how they do it, help them understand what they need to do, and then document it. So what follows is not a complete list or description. It's just illustrative.

So here are some security examples. These are some of the controls that are likely to fall under a security team or a facilities team. You can see that they range from access control, awareness and training, auditing, configuration management, maintenance, media protection, physical protection, personnel, pardon me, they run the gamut. I'm not going to go into too much detail on the notes in the asterisk since we don't have a whole lot of DoD folks here, but the final rule came out in October and they updated the Level 2 assessment guide. They did change the numbering. For HR, talent acquisition, recruiting: it doesn't matter how you get them done. However it is that your company brings people in, you're going to want to talk to those teams about these controls specifically and their responsibilities. Programs again: the people who are actually receiving CUI in your programs, the people who are handling it, they may be generating it; you want to make sure that they understand their role in the environment and the processes that they take. Other relevant departments may be contracts and subcontracts. Several of the DFARS clauses do require flow-downs. Are you working with your subcontracts team? Do they understand their responsibilities? Are they prepared to help? Also, the risk committee. One of the controls involves risk assessments, and a lot of defense companies say, "Yes, we have our system security plan. We review it annually. We are checking to make sure our controls are functional, and we're updating them when they're not." What they miss, and we'll cover it here in a bit, is that there's an enterprise risk assessment component. Have you talked to your executive leadership? Do they know that they need to be doing a risk assessment, tracking their own POA&Ms, and handling that across all of their functional departments?

So CMMC really needs to be part of the strategic vision. It is a massive lift, and it affects every department that you have. Executive buy-in up front will reduce conflict. It will increase your responses from other teams and other departments. It will help incorporate buy-in and culture throughout the company. All departments have to engage on this. This is hard to overstate, because if your security team is not aware that CMMC requirements are different from DCMA, they're going to give you what they have for DCMA, and it's going to be good for DCMA. It's not going to satisfy what you need. You have to have those conversations up front. You have to come to an understanding. It may be that your IT and cyber team decides to do the cybersecurity awareness training, or it may be that you split the training. There are different levels and different elements. But having the discussions before you try to push for an assessment is crucial.

Documentation is going to get in the way of operations. You guys have seen this. It doesn't matter if you're public sector, private sector, or nonprofit: your teams are overworked. They get so busy doing the thing that they don't stop to document how to do the thing. Then they move on and they do the next thing. Eventually, six months, a year down the road, you have got incredibly capable, competent people doing amazing things, and if they move to Aruba, you have to start over. This is how it goes. It's not a moral failing. It's not a lack of quality on your teams. It is human nature. We like to get things done, and it feels good to do them well, and then we move on to the next thing that needs to get done. But CMMC is crucial for documentation.
You'll see an example enumerated later. Executive introductions make a world of difference. If your CMMC lead reaches out to the head of HR and says, "I need a list of all of your hires and terminations for the last 12 months," your head of HR is going to wonder, why do you want this? Why should I give it to you? They're going to finish wondering and move on to their next task, the priorities that are priorities for them. If, however, your CIO provides an email introduction and says, "This is Bob. He's our CMMC lead. Your department has some things that need to be done, and he will help you get them collected," that is going to make a world of difference in the response that you get, the collaboration you get, and the relationships you build along the way.

So, how do we identify the right people? We scope our environment. I like to follow the entire life cycle of our people, our facilities, contracts, and resources from when they enter our awareness until they leave our use, when we stop interacting with them. As you track that, ask yourself: how do our people find out about us? How do we get our people? Start there. Those are some of the people you need to talk to. Your recruiting, your talent acquisition, your HR teams, your hiring managers: they're going to play roles later on down the line when it comes to authority, least privilege, and a bunch of other seemingly IT requirements that spawn from the authorization outside of IT. Same thing with your facilities. When we have a facility, how do we protect it from the parking lot in, and then how do we decommission them? Anybody who's involved with that, you want to talk to those people. So, as you walk through each of your sets of resources, think about how they come in, what they do when they're there, and how they leave. That will give you your starting points for who to contact. You will have to have some discussions about where and how CDI enters your environment. By and large, you're going to be really, I think, impressed with your programs' understanding of where they get it and how they control it, and then all you have to do is come in and provide additional resources: templates, training, points of contact, things like that. But talk to them. They may not know, if you have BYOD devices, that they need to delete their work data before they take their phone in. Have those conversations. Make sure that they understand the sufficiency of all of the controls and protections that they're putting into place.

So now we start with a deep dive into a specific control. This is access control. This is a Level 2 control: authorized access control. We need to limit system access to authorized users, processes acting on behalf of authorized users, and devices, including other systems. We do that, right? You have company devices, you issue them to new users, they work on them, when they're done they leave and we get them back, right? There's more to it than that. How do you know who gets a laptop? Hopefully your HR team works with your recruiting team and the hiring managers, and you have a ticket system in place, and that's what tells IT we have a new user. This person is now authorized, and you have the tickets. So now you have documentation. What do you do with it? You find out what they're going to need access to, right? What functions and transactions are they going to need? That's in the next control. So, we walk through this. When you have a device, a new laptop, do you just pull it off the shelf at Best Buy, give it to the new employee, and say, "Have fun"? No. You bring it in. You put your company image on it. You make sure it's got your security stack. There is an entire process involved in something as simple as getting someone a computer. Make sure that those steps are documented. Make sure that the triggers that initiate them are documented. That means that you have to communicate with recruiting. You have to communicate with HR. Everybody along that chain needs to know their part, who they pass it off to, and what type of written authorization or request needs to be included. That's part of your documentation.
So this one is kind of fun. This is limiting physical access to CUI. I was joking earlier that I'm a bit of a Luddite for working in cybersecurity, but I do love my printed notes; they keep me organized.

Okay, so this one is all about your physical operating environment. You're going to need your security team involved in this. They need to know who's authorized to have access to the facility, right? So they have to talk to HR. They also need to know who has access to the more secured, key internal restricted places within the facility. They need to talk to their program lead. These processes have to be documented for CMMC. They need to know: do they have access to this lab? Do they have access to that manufacturing lab? Then the operating environment has to be limited to those authorized individuals. That's where your other security measures come in. So you can see this control alone is predominantly security, with a whole lot of collaboration between recruiting, HR, and programs.

This is a fun one. Some of these get a little hairy, with a lot of objectives listed beneath them: define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. I promise you, if you were to walk up to your security team and say, "Hey, we have an engineer on a program and he needs to stand up a new lab. What does he need to do?" they will tell you exactly what he needs to do. And they will be right. If you follow your question with, "Do you have that in writing?" they will not. There isn't a DCMA requirement that says they have to document that. So, they haven't. It's not written down. You're going to have to ask them: let's get this written. Let's put this in a knowledge book. There's a lot of educating that takes place as you prepare for CMMC. The first four fall strictly to your facilities teams, particularly if you have physical keys. Oftentimes facilities will handle the physical keys. Security handles the badging. Physical access covers both. So you need to make sure you're talking to both teams and getting documentation from both teams. Then it keeps going, and the rest is IT. It's also on your programs again, because if they have internal systems, if they have a GitLab that's specific to the program and the program manager is the data owner for that, then they'll be able to add and remove people to that repository. They need to understand: you need to be reviewing this. You need to be documenting when you review it. You need to have a list of triggers already written down that tells you it's time to review it. You know, perhaps a time trigger and an employee trigger. These are things they're willing to do. They're happy to do it if they know that it needs to be done. As a CMMC lead, you want to set everybody up for success. So, a word about documentation.
There are 102 assessment objectives that begin with identify, define, or specify. That's in writing. You can't just tell the assessor on site that this is how we do it. It has to be identified, defined, or specified ahead of time. You can put it in your system security plan, but you are so much better off if you have put it in a policy, if you've put it in your checklists, if you've talked to your contracts team and they have a checklist. Please take the time to understand the requirements, because if one assessment objective is not met, that entire control is not met. And if you don't meet all 110 practices, you don't get your certification. It would be horrible if we hadn't specified something in the time that we took putting in the effort to develop our secure information system. And that's what tripped us up. There are also another 18 assessment objectives that ask us to establish, document, or develop. This tends to speak to things like systems engineering, configuration baselines, architectural engineering, software development. How many of you would have talked to your software developers to prepare for an assessment? Very few do, but they have several controls that they are directly responsible for contributing to, and they need to be able to speak to it.

I'm going to brag on ours for a minute. I brought in one of our fun software developers. He's like most of them: creative, funny, delightful, and really, really just wants to get things done. But he's also become one of our biggest champions. I knew, based on his willingness to come to us before he installs a package or before he finds a new OS, that he understood what we're doing. So I asked, would you come talk to the assessors? And he said yes. The IT guy asked whether he'd do fine. I said, "No, no, trust me, he's got this." He showed up and he brought a screenshot of his contract that defined the security controls required for that program. He brought screenshots and did a live demo of his GitLab repository, of their vulnerability scanning and their flaw remediation. Then he also brought actual copies of his deliverable reports that showed that they were doing that consistently. His interview was a cakewalk for our assessment, because he could speak to what he's doing and speak to what he knows is his responsibility. That would not have happened if we'd sprung it on him. That would not have happened if we hadn't communicated holistically the importance of CMMC and the fact that it is an enterprise assessment. It's not an IT assessment.

So our key takeaways here are pretty simple. For your executives: they need to be preparing their teams for the effort. They want to set their teams up for success. So your human capital executive and your finance, your CFO, your CTO, the heads of your business development and of your contracts teams, they need to be prepared to message down that this matters, that there are going to be things that they need to learn and things that they need to implement, and that it doesn't mean they're doing a poor job. It just means that this is a very specific way of approaching what we've been doing, and it's going to make us better once we've implemented it. They need to support the development of policies and procedures. If you do not have that support, you are not going to get them done, and you are not going to pass your assessment. There is a little bit of leeway in the assessment process, but not having any of those 102 identify, define, or specify objectives written down is not the leeway that the assessors are given. And remind them: we know it's going to get in the way of our operations. We get that. We want to make it as painless as possible by helping them understand what needs to be done and knock it out. Ask your executives to provide those introductory communications. Convey that authority to you. I was at a conference a couple weeks ago, and my CIO was pretty excited because Amy Williams was talking about the things you have to do: you have to identify a lead, you have to empower them and encourage them to get their training and get educated. And he was like, "We got this." Then she said, "The most important thing you have to do is give them authority." I was ready to elbow him. Then he leaned over and said, "Or they can just take it." However you need to do it, whatever works in your environment, make sure that your CMMC lead does have the authority to make the asks, and then respond to escalations when needed. You may have a team that's going through a large platform migration. They may just have a lot of projects that have all come due at once. It happens. It happens to all of us. But don't let your CMMC asks slide until the end of the preparation time before you escalate. Go ahead and escalate. Ask for the help. Ask for the support for your CMMC leads.

I'll make this quick because I am now out of time. Be prepared to educate departments. Help them understand their ask. Let them know that you are their cyber or IT or CMMC lead and you are there for them. Facilitate coordination between the teams; where HR does need to be doing reconciliations with IT, make sure they know that. Work with each department to develop evidence, because you're going to find a lot of it doesn't exist. Then be able to source your artifacts and develop your system security plan to speak to the sufficiency of your implementation. When you've made it a holistic endeavor, it becomes a much easier lift. Many hands make light work. I really enjoyed Mary's speech this morning about community. You will build a community by reaching out across teams, and you will find that that collaboration extends past your CMMC assessment, past the day you got your certification. You will find you have people coming to you with ideas, next steps, plans, dreams, fears, and you've built that community. And you're still getting great work done. Now updating the documentation is much less onerous a task than developing it. But you will be ready. So I have these resources. Does anyone have any questions?
>> Yes, sir.
>> He was probably, actually.
>> Very much so. So if any of you do end up finding yourselves tasked to lead a CMMC effort and you would like to talk, I am on LinkedIn as Edington. I will update my slide deck with that link, or you can find me here today. Thank you.
Thank you.