Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Quick 10 podcast brought to you by Cuick Trac, focusing on all things FedCon and cyber defense from different perspectives and different personalities, all in 10 ish minutes. Here's your host, Derek White.
(00:16):
All right, everybody. Welcome back to another episode of the Quick 10 podcast. I am your host, Derek White with Cuick Trac. And today I have a very special guest, Vince Scott, CEO and founder of Defense Cybersecurity Group, joining me. Thank you, Vince, for being on.
(00:39):
Derek, thanks for inviting me. Really enjoyed being here.
Yeah, this is going to be a, it's going to be a good topic. Big fan of the stuff that you put out in the industry. Today we're going to get into the challenge of documentation specific to cyber regulations like CMMC and some others. But more importantly, I would like to let people know that, you know, if you're a first time listener or watcher, links below in the comments, you can go on our website, you can go on some other areas, subscribe, like, share, comment. We've had people submit some questions for future topics, which has been really
(01:11):
fun. But more importantly, take a look out for that. And then we're going to get into a brief conversation here, as brief as we can. There have been some updates from the industry that we're probably going to touch on. So we may go slightly over as we normally do.
Yeah, so Vince, thanks for joining me. You know, we, just to kind of let the listeners and watchers know, you know, give us a little bit about you and who you are and what you do so that people don't think that I just went to the supermarket and asked somebody to join me.
(01:41):
So a little bit of that so that we can get into this topic so they know that it's coming with some real world experience.
Yeah, I'm a Naval Academy grad. I was one of the early computer science majors out of the Naval Academy, retired from the Navy in 2010. I was a U.S. Navy cryptologist.
(02:02):
I actually started out as a regular old ship driver and then moved into cryptology as my career field. Think offense. I had everything to do with offense and nothing to do with defense as a Navy cryptologist.
And then since 2010, I've had a number of different roles in academia and industry around cybersecurity, cyber defense, etc.
(02:26):
I'm currently the founder and CEO of Defense Cybersecurity Group, where we help focus on helping defense companies do the cybersecurity that they need to do and be compliant.
So I like to see the compliance requirements as a leverage point to actually do cybersecurity. So we're better protecting these companies and our national defense information.
(02:51):
Yeah, well said. And thank you for your service. That's the kind of background that, you know, it goes without saying is the real world experiences, specifically maybe four or five years ago where things were, or even 10, 15 years ago where things were and where we're going really do change.
And I appreciate the comment on compliance because we want to see this done. The good people want to see this get done. They don't want to see people continue to struggle with anything on the cyber defense side.
(03:16):
As mentioned before, we have had a little bit of an update as of this recording. The CFR, 32 CFR 170 has been moved on and we expect that any day here to be.
So maybe by the time this is out, it is out. But that's a little bit of a big milestone, big movement here on the CMMC front.
(03:37):
Do you want to share just a couple seconds on what that means to the industry and those that are monitoring and hopefully working on their compliance, but what that really means to those that are listening?
Yeah, I think it's kind of confusing because there are actually two rules in progress simultaneously, right?
The leading edge of this is the 32 CFR 170, which is the CMMC program rule, the Cybersecurity and Maturity Model Certification.
(04:03):
So that's the DOD's new audit and assessment process for companies in the defense industrial base to ensure that they are actually doing the cybersecurity that they have been signed up to for the last eight years or so.
They have also added the requirements and expanded the scope of where those requirements apply in this new regulation.
(04:30):
So a lot of times the DOD will say, hey, this is just what we've always been asking you to do.
And I feel very strongly that that's not the case. We have expanded the requirements as a part of this regulation.
And so the 32 CFR rule is sort of like everything CMMC, how it works, how it's put together, what the ecosystem looks like, et cetera.
(04:51):
And then trailing that, you've got the 48 CFR rule, which is currently proposed.
So it's draft and it's out for comment right now. Comments close on October 15th.
And we expect to see that in the new year. What does this mean?
It means CMMC is real. The DOD is going to be checking your cybersecurity homework.
(05:13):
I think that's the biggest message for companies out there.
And the vast majority of companies, I would argue over 75 percent of the companies in the defense industrial base today really haven't done this.
They really haven't implemented the required security controls.
They really don't have programs to protect the DOD's information.
(05:38):
Yeah, sure. It's been another one of the stack of contract clauses that's included by reference in every contract that honestly,
in federal government contracting, it's very typical for contractors to not pay attention to all the clauses.
If you printed them all out, you would fill a room with regulation, and it's just this huge volume of stuff that's thrown on the contracts.
(06:06):
Right. So it's not just cybersecurity that companies don't necessarily pay attention to all those clauses.
But now the DOD is saying, hey, we're going to come check your homework.
We're going to come look to see if you're actually doing this, or we're going to have a commercial assessment organization, a C3PAO, come and look.
(06:27):
And we want them to certify that you are doing this.
That means that you need to be doing it. And so the biggest impact of 32 CFR is that, no, CMMC is real.
We expect that rule to be final, as you said, Derek, in the next few days, if not few weeks.
(06:47):
Right. So when that'll really get released out of the Pentagon into the federal register is always kind of opaque to the rest of us out here in the real world.
But it's definitely done. And they're putting the final polishing points on the public affairs release and all that stuff before it comes out.
So we will see this very soon. And I expect that we will also see 48 CFR probably final in the first quarter of next year.
(07:18):
Maybe it'll go into the second quarter. I honestly would be surprised if it went any further than that.
I fully expect that sort of March, April next year, we're going to see a final 48 CFR rule.
And with both those rules together, man, CMMC is live. It's in contract. It's going.
So this is another major step forward for the program and for companies that have been sitting on the fence and saying, oh, I'll wait until the rule is final to do this.
(07:48):
Now is the time to get serious. It's past time.
We often recommend that it's probably a year or 18 months to go from zero to fully implemented on this and CMMC assessment ready.
The timeline I just talked about was six to nine months.
So you're already inside the window of a cold start as we see it.
(08:14):
So please, I encourage every company to be looking at this and be serious about, hey, we're going to have to have an assessor come in.
And those assessments are going to be pretty demanding. Yeah.
And you're right. And there's obviously a difference between people who have had these requirements and said we are, versus those that are trying to figure out how this plays into it.
(08:38):
Because maybe they don't have the contracts yet. And that's a conversation we can go on and on about.
But, you know, that almost sounded like a rehearsed transition into what we're going to get into,
because there is a difference between having things and buying stuff and looking at it and dusting it off later.
But there's also something more to be said about the compliance side.
(08:59):
What are they going to be looking for, to what depths and what responsibilities?
And this topic is all over the board because this is the reason that we have guests on like you is your opinion.
Vince might be different than someone else's opinion on how to do it and what it means in the depth.
And some things have to be very agreed upon when it comes to third party attestation and assessment certifications.
(09:20):
But this is unprescribed and you can do things different ways.
But a lot of people focus on documentation first without having everything in place, which makes it very difficult.
And we've got people over here, you know, starting with tools and things and they don't document deep enough.
So today we're going to get into the challenge of documentation.
I got a couple of questions for you.
(09:41):
Real quick, Derek, before you jump into questions, let me say one thing.
So I am a huge believer. When I was a plebe at the Naval Academy,
they made us memorize quotes from famous naval leaders.
And there was one from John Paul Jones that is a standard part of plebe rates that has grown more and more and more true as I've gotten older in my career.
(10:08):
You know, when you're a plebe, you just memorize them.
But now you look back and go, man, they really had something there.
So in the Revolutionary War, John Paul Jones said, men mean more than guns in the rating of a ship.
And for all that it's not PC for today, what he was really talking about was people are more important than my hardware,
(10:31):
more important than the tools that I have on deck or the people that I have manning and using those tools.
And so I think that absolutely every cybersecurity and compliance program should start with not what technology I have or how have I documented that,
(10:52):
but should start with who do I have doing this work?
Do I have the right people?
Have I assigned the right people to the job?
People mean more than hardware is something that's often lost in the cybersecurity space.
We tend to look at the CEO, senior executives, look at this and say, yep, I see.
(11:13):
I see. What is that? Oh, it's a cybersecurity thing.
That means IT. IT, go take care of this.
That is not necessarily the right answer.
I don't think it ever is.
This is really a business problem for which IT cannot solve all the equation.
They're a big part of it, but they're not totally.
People are more important than hardware.
Yeah. No, that's a great quote.
(11:34):
And no, that's awesome.
Then totally agree.
And as we go through right now, it's the defense industrial base, but across FedCon,
the last small businesses, a lot of disadvantaged, a lot of resource constraints.
And you're right that cybersecurity is one part of the requirement.
There's a lot of other requirements that they have to do within contracting that have nothing to do with cybersecurity.
(11:55):
And that's probably the same quote, right?
Yeah. Who and what is not the same thing.
So who do I have doing this work? Yeah.
But in the now, what we see here is we've got the technology piece of this right.
And Derek and I, talking for the audience, decided that, hey, let's talk about the documentation side of this.
(12:16):
And that's a much more tactical question.
But what does that look like for CMMC?
Yeah. So the question that always comes up, because there's a lot of focus on policies and procedures
and documentation and all this other stuff, is, you know, how much documentation is needed?
(12:38):
I know it's a little bit of a relative answer here, but specifically, you know, how much work goes into that?
And I have a little follow up question, depending on how you answer this.
But, you know, how much documentation is needed for this to pass the assessment, you know, to show your compliance?
I normally say that we need 300 to 500 pages of documentation specific to your company.
(13:03):
This is not I went out and bought templates and I said, well, I'm doing those templates.
Every template has to be tailored for your company and the way you do things.
There is no getting around that. In fact, my company, we don't even sell templates.
I sell tech writer time with access to our templates so they can bring those to the table to help you in your company.
(13:29):
But it's such a matter of tailorization that I don't even try to push blank templates out for people to use and try to fill in themselves.
I don't find that a good approach.
I also say that of that 300 to 500 pages of documentation, there's really very little in the CMMC specification that tells you how to formulate that.
(13:56):
I like to say you could probably have, you know, 100 three-page documents or three 100-page documents.
I don't really care as an assessor, but everything that needs to be documented needs to be documented.
And there's a lot of requirements to document things in CMMC.
So it could, you know, so then answer.
(14:20):
So here's my next question. So it's probably not so much
about too much documentation as it might be more confusing in how it's documented.
Right. So that's one of the big things we see is, you know, people hear 300, 500 and, you know, OK, well, if you have it, it's tailored,
which it absolutely should be specific to the company and not just everybody can buy whatever you want.
(14:44):
But we also see, if it's not documented correctly or it's all over the place, that an assessor might say, hey, I can see it.
I just don't know where to find it. You know, who's going to pull it?
So talk a little bit about not so much the too much, but the too confusing, and some of the things that you see that really help the assessor and the organization make it more efficient.
(15:05):
Yeah, I have seen DIBCAC turn down a joint surveillance assessment because they found the documentation too confusing,
not because they didn't think it was right, it was because they couldn't figure out whether it was right or not.
So there is something to be said about making sure that we've got this organized and focused.
I also like to keep the total number of documents constrained.
(15:31):
So there are template stacks out there that you can buy that will give you a hundred different documents that need to be filled in.
I think that's too many. There are some, you know, there's some tactical pieces of how I divide up documentation.
Sometimes it's based on the organization and politics inside your company.
(15:54):
Hey, Fred's in charge of this stuff. So let's make a document that it's the stuff that Fred's in charge of.
And that covers these areas. That's OK. Right.
Maybe that's a good fit, because now Fred has a piece of work that is, and he's doing it, back to the people being more important.
But in general, I like to keep this below 25 documents, you know, sort of 18 to 25 somewhere in there is generally where we land.
(16:26):
I like to put it so: there's one document that you have to have to pass the CMMC certification assessment, and that's a system security plan.
It is mandated in the standard.
There is a standard NIST template for that that's posted to the NIST 800-171 revision 2 web page.
Most people start with that, although you should start with that understanding that it doesn't actually cover everything that needs to be covered in your SSP.
(16:55):
So it's a beef I've got with the template that NIST did.
I think they should have put a spot, a placeholder in for everything that had to be in there.
And that isn't the case, in my view. But.
Better than. Yeah, no, it's a great, it's an 80 or 90 percent starting point, right?
It is the place to start with and you're not going far wrong.
(17:16):
But at the final tweaking and making sure that every I is dotted and T is crossed,
there are some things that we always add to that SSP template in order to make sure that our clients are good.
So you've got to have an SSP. You've got to have one.
You can reference other documentation in there.
So I've seen this question a lot. Hey, do I have to put it all in there, or can I reference something else?
(17:42):
Highly encourage you to reference other things.
So a great one for that.
And I think one of the first other documents that I like to see is an incident response plan.
This is a very industry standard document.
There's a NIST SP on how to write one that actually follows the control set in 171 that's required of you.
(18:07):
Those things match pretty closely, which is great.
But I think companies should have an incident response plan and that should probably be a separate document.
So when you get to the incident response section of your SSP, a lot of times it's "see my incident response plan."
No problem with that whatsoever. Yeah. Well, not to mention, you mentioned one of the things I was going to bring up earlier when you mentioned people is
(18:28):
getting into the details of incident response, for example, is a single point of failure and these other things that just enormously drive the risk up.
Right. And for a leadership team or maybe companies that are less expertise driven internally, that's a big thing for C-level.
We see this, you know, owners and general managers of companies and stuff when they start to see, well, yeah, I guess, you know, Ron is doing that.
(18:53):
But if Ron disappears, then what happens? And are there ways to keep our compliance in place, or do we have the right people in place to back up?
Documentation helps with that traceability. All that stuff helps a lot.
So you made a comment there when it comes down to referencing other things.
So question, is it policies for each control, each domain?
(19:16):
Can you walk through that a little bit to kind of tie that up a little bit more on what that means from a documentation standpoint?
Sure. There are 110 controls. I think a policy per control is a little bit much.
I started off when I did this four or five years ago, kind of did my initial implementation where I'm the chief.
(19:38):
I continue actually to be the chief security officer part time at a medium sized defense contractor.
We did a policy per domain, but over time, I'm actually shrinking even that.
I'm combining some because there's a lot of overlap, for example, between IA and access control.
(20:02):
There's a ton of overlap between what's in those two domains.
OK, let's put those two things together. So I have one document that I have to manage and I don't have to manage it separately.
I also think it's really important for companies to think about what is a policy?
Who signs it? Where does it fit into my grand scheme of things or what's a procedure or what's a manual or what's a plan or what's a standard law?
(20:33):
Right. Sometimes this is called the policy to have policy, which sounds kind of silly.
But whether you document this is a separate policy or a thing, I think you need to have in your company.
What are we going to use policy for? Who's going to sign policy or who approves policy?
(21:01):
What's a standard versus a procedure versus a guideline?
So if you go to get your master's in cybersecurity, they're going to teach you or maybe undergrad, wherever you go to academia,
they're going to teach you policies, standards, procedures, guidelines is the standard stack.
Not everybody follows that. You don't have to follow that.
(21:22):
One of the places where I see a proliferation of documents is that I'll have a policy, a standard and procedure as separate documents for a thing.
I really am not a fan of a separate standard and a separate procedure.
I tend to squish those together whenever possible.
(21:44):
Maybe I can deal with a single document right now.
My recommended approach to CMMC is to have an overarching policy that covers all the domains, kind of high level touchy feely.
How are we going to do this? Doesn't change very much.
Very standard corporate documentation. I can have one policy that covers all 14 domains, I think.
(22:07):
Then where needed, let's have a procedure document that covers specific things out of specific domains.
And that may not be every domain. Maybe we like I said, we combine things together.
You know, we're grouping stuff, or we say, for example, I'm currently a fan of, the awareness and training requirements are pretty
(22:35):
straightforward and just not real complex about how we do that.
I'm getting rid of my separate procedure for that and putting it in the system security plan.
It's the same words, essentially. I just decided I didn't need a separate document for it.
Incident response plan, I think, oh, absolutely, I've got to have a separate document. There's no way I want to put those two things together, because I want it to live on its own.
(22:58):
It's used for a very specific purpose. When I have incidents, I want people pulling that out.
No. But how I do awareness and training relative to my CMMC compliance requirements, I could probably put that all into my system security plan.
So there's opportunities like that based on your business, et cetera, to try and reduce the number of documents that you have to manage while, you know,
(23:22):
if you need a separate document or there's one that's useful, then do that.
But there's no standard set. Got it.
OK, so we're going over in time and it's OK because this next question.
And then I know I've heard you, I should say I've heard you and I've seen you post about this on LinkedIn and other areas.
(23:46):
But when should people start the rev three, rev three, 171 revision three?
Sorry, I don't mean to add from here, versus what's currently being pointed to, which is revision two.
At what point? Here we are in September, October of 2024.
When is that the time to make the shift?
(24:08):
Yeah. So in my chief security officer hat at my medium-sized defense contractor,
I had intended to do that shift in 2024.
Hey, it's coming out. It's got approved. Hey, let's, we've got the, you know, I was even going to start on the final version and then move on.
And then CMMC wrote into the regulation, the 32 CFR 170 regulation.
(24:35):
We're going to be specific to revision two.
Now, the DOD put out a class deviation that said, hey, you don't have to move to revision three right away,
because the current DFARS 7012 clause says current version.
Well, the current version is rev three. But the deviation said, hold off on that.
(24:58):
Stay rev two. But my vision, when they put it in the 32 CFR,
that means in order to move from rev two to rev three, they're going to have to go through rulemaking, which is a multi year process.
So I have put the brakes on moving to revision three for now.
(25:18):
And because I made the decision as well that I cannot possibly chase both revision two and revision three simultaneously,
because revision three is a complete rewrite, it's 150 percent of the requirements.
So it's another 50 percent more. It is rearranged.
(25:42):
So if I'm tailoring my documentation to the standard, so an assessor can follow it, it's very different.
And so I decided I didn't want to put my, you know, near term CMMC certification of revision two at risk
for chasing the future of revision three when I didn't know that that was going to be in play, you know, in play.
(26:05):
I feel like, and, you know, the DOD and others, you know, have stated various things about this.
As long as this stays in 32 CFR 170, i.e. revision two specific,
I won't even start to worry about revision three until they start the process to modify the 32 CFR 170 to take it out.
(26:33):
Yeah. Well, thank you for commenting on that, because that, the last four months,
six months, has been a topic that comes up frequently.
And there are different opinions on that. And now people know why.
And that's very, and lots of people are like, revision three is written better.
It's a better standard, blah, blah, blah. And I don't disagree with those arguments.
(26:55):
Yep. But in my capacity of having a limited number of resources as a defense contractor to go execute on this with high quality,
because to be CMMC certified, I've got to be 110 out of 110.
I cannot afford an 80 percent solution in my revision two implementation.
There is zero wiggle room in that world.
(27:17):
Man, I'm going to do it one way and I'm going to do it right.
And I absolutely refuse to try and fail to do two different standards simultaneously.
Now, I mean, way bigger up, right?
I mean, the impact of not doing it, what you just said is way bigger on a business than when do I start for three?
And when I focus on it, because, yeah, it's what's called out in front of you now.
(27:41):
Perfect world. You're right. If you have done this in 171 from day one and had it attached to you,
however you could and all these other things and then ramp up to rev three, then maybe that that path looks a little different.
But you're right. There's still a lot of time. It's still 50 percent more.
It's a great way to say it. It becomes a very, very big undertaking and make sure it's scheduled right.
(28:01):
And in your case, you're just asked on additional controls, which is what I expected them to do.
And they just gone from 110 to 150. Yep.
I would probably have those other controls on my list and be working toward them today.
Yep. Because it wouldn't endanger the existing 110.
(28:22):
But they rip the whole thing apart and put it back together again in different places.
So it's kind of the same, but they exist different places.
So in my view, my documentation stack can only ride one horse simultaneously.
That's right. And I am just not going to risk trying to do two at once.
(28:43):
I think we don't have a great deal of manpower.
No medium or small defense contractor has a great deal of manpower for this.
I need to use the people that I have very smartly in order to pursue excellence on this.
And I'm just not going to try to do that in two different places at once,
(29:04):
nor am I going to recommend that to any of my clients.
Now, that's great feedback. That's a good, good approach.
Well, we're over the 10 ish minutes that we try to get this done in.
But this is awesome. Obviously, different things to talk about today versus if we would have done
this a week or two ago. So thank you, Vince, for joining again.
Where can people find you if they want more info and they want to talk to Vince at length?
(29:26):
Yeah. cybersecgru.com is my website, and we've got contact information there.
Or you can find me on LinkedIn, Vincent Scott. I'm very prolific on LinkedIn.
I type, comment, quote, post quite a bit. So it should be pretty easy to come up with me there.
(29:51):
Yeah. And I will second the LinkedIn thing for sure, and I'm not just saying this
because you're on and you're a friend. But I mean, the clarity on some of these
topics is so important. You know, make it digestible. That's what people want to see.
And you are one of the I would say one of the top LinkedIn resources where if I just want to hear
someone else's opinion and see that I'm seeing what I've seen over here in a clear mind,
(30:16):
I would say that you, Vince, are one of the best at that.
So thank you again for joining. We're going to have you on again in the future for sure,
because we're pretty much all of the events that have come up in the recent time.
Although I guess we've had these topics are going to be very fun to look back on
in the future and see where things are at. So thank you again for those listening or watching
(30:36):
on YouTube or on your favorite podcast platform. Make sure you go find us. Watch the old ones
that have been out so far. Make sure you pay attention to the new ones. But again,
thank you everybody for watching and listening. And Vince, we'll chat with you next time.
Thanks, Derek. I really appreciate the invite. Take care.
Thank you for listening to this episode. And make sure to subscribe to the Quick 10 podcast
(31:00):
wherever you get your podcasts and check us out on YouTube as well.
For more information about Cuick Trac, visit our website at www.cuicktrac.com.
That's C-U-I-C-K-T-R-A-C dot com.