
Cybersecurity Maturity Model Certification: Insights from a C3PAO

BSides Peru · 2023 · 23:05 · 28 views · Published 2023-08
Speaker: Matt Schiavone
Tags: Category: Policy · Topic: GRC · Style: Talk
About this talk
Matt Schiavone, speaking for a certified third-party assessment organization (C3PAO), covers the CMMC program's impact on DoD contractors, the assessment process, and lessons learned from the assessments conducted so far, including the C3PAO's own. The talk addresses scoping, documentation requirements, phase-by-phase assessment procedures, show-stopper controls, and strategies for managing external service providers and remediation timelines.
Original YouTube description
BSidesPGH 2023

The CMMC program will have significant impact on defense contractors' ability to contract with the DoD. As such, stakeholders seek clarity on timelines, how to approach certification, and what to expect from an assessment. Attend this discussion to hear updates and insights from a C3PAO.

Matt Schiavone: As Managing Director of Risk & Accounting Advisory and Information Assurance & Cybersecurity practices, Matthew specializes in providing risk advisory and cybersecurity services to the government contracting, healthcare & life sciences, technology, Software-as-a-Service, and financial services industries. Since 2008, he has helped clients assess the design, implementation, and effectiveness of internal controls and their ability to conform to industry best practices and security frameworks such as ISO 27001 and HITRUST. His areas of focus are risk management, SOC 1 & 2 reporting, Cybersecurity Maturity Model Certification (CMMC), HITRUST, internal audit, IT audit and consulting. Prior to Cherry Bekaert, Matthew served as Partner for a regional accounting firm and leader within the Risk Advisory Services group. Matthew spent four years as a consultant to the Department of Defense and four years working at the Naval Audit Service, the internal audit organization of the Department of the Navy. B.A. in Accounting, Washington and Jefferson College.

https://pretalx.com/bsidespgh-2023/talk/EBJJ3R/
Transcript [en]

Moderator: Hi everybody, welcome to track one, talk six. The topic of this talk is CMMC: Insights from a C3PAO. Please welcome our speaker, Matt. Over to you.

Matt Schiavone: All right, good afternoon, everyone. My name is Matt Schiavone. Today I'm going to give you some insights into CMMC: where the program currently sits, some insights into the assessment process, which is brand new, and some lessons learned that we as a C3PAO have experienced.

Just want to take a minute and level set. C3PAO: this is a certified third-party assessment organization. This is unique to CMMC; we're not talking FedRAMP here, so it's a completely different 3PAO from what you might experience in the FedRAMP world. The CMMC initiative is really an initiative to enhance security in the defense industrial base. It's a DoD initiative, and its purpose is to protect federal contract information and controlled unclassified information. This will apply to all DoD contractors, subcontractors, and service providers, both cloud and managed service providers.

So in 2017 we were introduced to DFARS 7012, and this applies again to all subcontractors, prime contractors, and some service organizations who deal with CUI, controlled unclassified information. This required these companies to comply with NIST 800-171. Later we would see a requirement that these same organizations had to self-attest to their compliance, and then later report their score to the SPRS system. This was again to enhance security, but as you can imagine, what they found was these self-attestations weren't necessarily accurate. So in an effort to promote accountability and security in the industrial base, the DoD is now requiring OSCs to obtain independent third-party assurance around their NIST 800-171 compliance.

The CMMC program is not yet finalized. We are waiting on the final rule codifying CMMC into the DFARS, the Defense Federal Acquisition Regulation, and that again will require CMMC of these contractors pre-award, so they will have to be certified before they can actually receive a DoD contract award. We'll talk about that in a second. But while the rule is being finalized, they are taking assessors through training, they are validating C3PAOs slowly, and they are operationalizing the joint surveillance program, which is taking OSCs, organizations seeking certification, through a CMMC assessment, and we'll talk about that a little bit as well.

Most of what we're going to be talking about, these insights, come from our experience as a C3PAO. Obviously we had to go through our own assessment, so we had lessons learned there; taking OSCs through their mock assessments or getting them submitted to joint surveillance; talking with some other C3PAOs; and of course there are forums and communications that are dedicated to C3PAOs. I wish I could stop saying that word here soon, because it's not that easy to say. But these communications aren't privileged, they're not confidential, so I'm not sharing anything I shouldn't.

A little bit about myself. I spent five years internal to the DoD myself before becoming a contractor and ultimately finding my way into public accounting as a CPA. I've always been involved in the information security world: financial controls, information systems, things of that nature. Lately, the past 10 years, I've been focusing heavily on SOC 2, some ISO 27001 as well, but I became interested and involved in the CMMC initiative when it was released in 2019-2020. I do work for Cherry Bekaert. Not too much information here, other than to know that we are a HITRUST and SOC 2 provider, and the only reason I say that is because it gives us some unique insight into these assessments. Some of these C3PAOs are only dedicated to CMMC, so with our ability to kind of integrate some of these testings, it's a different process, different from what we're used to, as I'll describe later.

So again, in particular I want to give you some updates on the CMMC program and the initiative overall. Secondly, I'll provide some lessons learned, again both from going through our own assessment and what we've seen in the marketplace.

So the entire program is waiting on the rule to be finalized, and unfortunately we are not there yet. We are anticipating the rule will be finalized in Q3 or Q4 of 2024. No surprise, but again this will be a pre-award requirement, so we will start to see this clause next fall, maybe even at the end of next summer. If you haven't begun preparing, you should, as we'll talk about when I get to the CAP process here in a second. This isn't entirely an exercise in NIST 171, and it's one of the most common pitfalls we see: OSCs coming to us, they think they're NIST 171 compliant, they have the documentation to support that, but there's a little bit more to it. There are specific requirements unique to CMMC that you're going to have to prepare for. So we recommend you engage a C3PAO early on in the process, not formally engaged, but at least start talking to someone, vetting assessors, understanding what they're going to be looking for and how they're going to assess you. It's also important to note that there are strict requirements between consultants and assessors: assessors are unable to give you any consulting advice, so it's important to have two parties early on in the process.

Just a little bit ago I spoke about the joint surveillance program. This is a program that's set up between DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center, and the Cyber AB, who governs the assessors and the C3PAOs. What this is, is a program to take OSCs through a CMMC assessment sooner, before the rule is finalized. There have been about 15 of these assessments completed; however, there are about 70 contractors in queue, scheduled throughout the end of the year. The advantage of getting in early is that your certification will automatically convert to a CMMC certification once the rule is finalized next summer. So you can imagine, once the rule is finalized there's going to be quite a bottleneck of organizations seeking certification so that they can obtain those fall and winter contracts, and there may not be enough assessors to go around and really handle that demand.

The other program update that has yet to really evolve is any reciprocity with regard to other certifications. Right now it looks like you may receive reciprocity if you are FedRAMP Moderate certified; however, this isn't yet finalized, and I'm really not sure it's going to go that route, because as you can imagine FedRAMP is dedicated to, well, it's for cloud service providers. So there's not that many, I mean there are quite a few, but it doesn't really help the defense industrial base that much when we're talking about manufacturers and other companies that aren't cloud-based. So it's possible that it's an option, and also being able to demonstrate FedRAMP Moderate equivalency may help if you are not a cloud service provider. So we'll talk about an option there here in a second as well.

So looking at the process itself, the common pitfalls, and what may be unique compared to other processes. Again, it's not just an exercise in NIST 171, and this is really evident in phase one, where a lot of OSCs are experiencing some pitfalls.

So first is proper scoping. We've seen many organizations, and ourselves actually, fail our first assessment (remember, we had to be assessed) because we weren't properly scoped. Our MSPs had too much control and insight into our environment that we didn't really have sufficient controls around. So what we've learned is that you really need to scope your environment to those systems that process, transmit, or retain the CUI. The smaller, of course, we all know the better: the more you can limit your scope, the easier the lift and the fewer resources required. But we see a lot of OSCs approaching this holistically; they think their entire organization has to be NIST 171 compliant. It's really only those systems that process, transmit, or retain the CUI. So a major pitfall is not refining the scope correctly, but then also not documenting it sufficiently. There is a CMMC assessment scoping guide, and per the scoping guide you have to categorize all your in-scope assets: CUI assets, specialized assets, security protection assets, contractor risk managed assets, and then out-of-scope assets. When you come to us for an assessment, we expect you to hand us your SSP. That should contain the asset inventory, or could reference the asset inventory, but this asset inventory has to have these assets categorized based on the CMMC classification. So we are expecting you to bring us a refined, documented, and clearly labeled asset inventory and scope.

With regard to documentation, we're also seeing a lack of the required documentation. There is an assessment program out that you can reference. A lot of the documentation that we would expect, we're not receiving: first and foremost a shared responsibility matrix, and secondly a catalog of evidence. I mentioned that we expect you to really be prepared and have your scope refined; we also want to see what evidence you are going to use to support your controls and your control objectives prior to even conducting the assessment. That allows us to determine if we feel your evidence is adequate and sufficient to meet the assessment objectives.

And then lastly, with regard to phase one, you really have to have a good handle on your external cloud service providers and your managed service providers. Again, this is where we failed; we didn't have sufficient controls around those providers. And right now what they're saying is that those providers should be able to demonstrate some level of FedRAMP Moderate equivalency. Again, this is tough, and how are they doing this? One option we're seeing is that they're FedRAMP certified; that's easy. Secondly, we are incorporating CMMC or the FedRAMP criteria into their SOC 2 report. A lot of organizations don't know, but you can have SOC 2 plus an additional criteria: SOC 2 plus HITRUST, SOC 2 plus ISO. We are performing SOC 2 plus CMMC and SOC 2 plus FedRAMP, allowing us to integrate those controls into their SOC 2 report and then provide attestation over their ability to meet both SOC 2 and that additional criteria. This won't result in a certification, but it will give any external service providers and managed service providers a body of evidence, validated through a third party, to demonstrate their FedRAMP Moderate equivalency. We're also seeing some OSCs themselves go this route in order to demonstrate their compliance with CMMC in the supply chain, even before their CMMC assessment.

So, moving on. Phase one: if everything is in order, we'll move into phase two,

conducting the assessment, and I have here "Know the Show Stoppers," because there are 58 of the 110 NIST 171 controls that are weighted five and three points, and if you fail any of these your assessment is immediately over. They are not eligible for POA&M; they are not eligible to put on your plan of action and milestones. So when we're going through an assessment (this happens to be one here, actually), if we're assessing you and any one of these A through G fails, you will automatically fail the assessment, have to start over, and go back to phase one after you've POA&M'd these items. So just looking there, if your incident handling capability doesn't include the preparation phase, unfortunately we fail you. Well, we should; that's what the guidance is telling us as of now.

So I mentioned plan of action and milestones, and then you'll see limited deficiency items. Outside of the three- and five-point items, there are items that are available for limited deficiency, which means it's probably just an item, or it is an item, where you just need to go back and clarify something in your SSP or your policy, or it's one minor tweak to your documentation. You have five days to then remediate any of these limited deficiency items; if not, they can move to your plan of action and milestones. And in order to do that, you have to achieve a score of 88 out of 110 throughout the entire assessment. So you're scored favorably per assessment objective you're able to meet, and again, if you reach 88 you're able to qualify for POA&M, provided you didn't hit any show stoppers, and then you have your limited deficiency items that you can use to work towards that 88 as well. So it's a little bit different scoring system, in the fact that if you fail, you're done. I've heard that that's how PCI works. I'm not very familiar with PCI myself; I've again focused on the SOC 2 and the ISO world. But know the show stoppers and be prepared.

And then lastly is the last phase. You notice I skipped phase three; it's really just the scoring and submission of the package. But in phase four, the POA&M close-out: if you do put items on POA&M, you have 180 days to remediate those items. You do not have to use the same organization that assessed you for phases one, two, and three; you can use a completely different C3PAO, as of now that is. So make sure, if you are an OSC or you are going through your CMMC certification, early on in the process speak with these assessors, your service providers. Make sure that they're going to be available for POA&M should you need it. With the bottleneck that could occur in the ecosystem, C3PAOs may be overwhelmed and unable to meet your commitments at the 180-day mark, leaving your POA&M items kind of high and dry, at which point you'll fail. I don't see too many C3PAOs doing that; it would just be poor customer service. But it is just worth pointing out that these are two different organizations that can complete the POA&M close-out.

So I know that was a lot. I tried to keep it very high level, but this is all new and we're all learning as we go, so things are subject to change here as we await the final rule. But again, we're going through joint assessment with this current process, and these are some of the lessons that we've learned. So, any questions?

Audience member: So you mentioned that the assessor can't give design advice. From that perspective, can it be just two different individuals in the same company, or does it have to be two different companies?

Matt Schiavone: It should be two different companies. I would be lying if I said there weren't some organizations who feel that they have a consulting team and an assessment team. That's not how we interpret the guidance, and that's not how many do it. It should really be two separate organizations.

Audience member: Gotcha. So, great... I'm sorry, gray area.

Matt Schiavone: Gray area, maybe, but not really.

Audience member: So if you do fail your assessment, what is the waiting period before you can resubmit?

Matt Schiavone: There currently is no waiting period, just as long as your POA&M items are cleared. You cannot bring, one thing I meant to mention, sorry, you cannot bring open POA&M items into the assessment. So when you come into the assessment, we expect that you're under the impression that you are fully compliant; you have no items to remediate on your POA&M. So as soon as you're able to clear those POA&M items and be able to demonstrate those controls are effective, you're able to resubmit.

Audience member: So even if I have one of the show stoppers and I fail that, do you still assess the rest of them so that I can kind of get a complete picture of where I'm at, or do I kind of have to hope for the best on the next one?

Matt Schiavone: We're not supposed to. We're supposed to just kind of stop, and you go back and fix it. But I think that's going to be really the assessor's call there. I should say, I'm sorry, I was looking for a better word: we're still waiting for the final guidance. How it's written, all you need to know is that you're not going to pass. So maybe your assessor will be able to work with you and work through the other items, but again, should you hit one of those show stoppers, as of now you're done.

Audience member: Awesome, thank you, sir.

Audience member: Question for you. So if I'm an organization seeking certification, about how long would an assessment take if I were to engage with a C3PAO right now?

Matt Schiavone: Through joint surveillance, and what we're told the intention is, they're taking about four to five weeks. So really, you're notified of the assessment, there's a couple of planning meetings, and then you're supposed to schedule two weeks of interviews and walkthroughs, and really turn these over within, you know, four to six weeks, of course size and scope depending.

Audience member: Okay, thank you.

Audience member: So you said something interesting that I didn't know before, from the assessment perspective, that some people are accepting SOC 2 plus CMMC. With that, are they just accepting any CPA company assessing that you're good with those controls, or any company whatsoever?

Matt Schiavone: So for certification, no, it won't result in a certification. But what it is being used for is, there are prime contractors who are accepting... "accepting" is maybe a strong word, but they're permitting this to demonstrate that their subcontractors and other service providers are at least in line. So they're using it for vendor risk.

Audience member: Got it. Okay, that makes sense. Thanks.

Any more questions?

Audience member: So you mentioned early on that the C3PAOs cannot do any kind of consulting throughout the assessment. What kind of groups or what kind of companies would you seek out, or do you have another organization within Cherry Bekaert that can do that consulting side?

Matt Schiavone: Yeah, so again, here at Cherry Bekaert we take that hard line: we don't provide consulting and assessing for the same organization. So we would look to partner RPs, you know, RPOs, the consulting arm of the CMMC world, and then anyone who is familiar with NIST 171 and then aware of the specific CMMC requirements. So it's good, as I mentioned, to have those RPOs and those RPs and the assessors in line themselves, in addition to being cognizant of the independence rules, and just making sure everybody's on the same page: you, your consultants, and your assessors.

Matt Schiavone: All right, well, I'll be around if anyone has any other questions. Thank you everybody for attending, and enjoy your weekend.

Moderator: Thank you, Matt.