Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Greg (00:03):
Welcome to Manufacturing Mavericks, a podcast where we showcase and
celebrate exceptional people from across precision manufacturing who are
boldly embracing new ways to improve their processes, grow their bottom
lines, and ensure American manufacturing will thrive for generations to come.
(00:25):
Welcome to this episode of Manufacturing Mavericks.
I’m your host, Greg McHale, and boy, do we have a great topic for today’s show.
(00:33):
CMMC 2.0 compliance: the whats, the whys, the whens, the hows.
And this is not a topic I could cover on my own, for sure.
That’s why we have brought in a very special guest today, a
cybersecurity and CMMC expert, Darren Gallop, with Carbide Secure.
(00:54):
Welcome to the show, Darren.
How are you today?
Darren (00:56):
Hey everybody, great to meet you all.
Greg, thanks for the introduction.
Super happy to be here talking about CMMC.
I’ve been hearing about and thinking about
CMMC for about five and a bit years now.
It’s not a new thing, I think to any of us.
I’ve recently become a CMMC registered practitioner.
Before that, I’m also a CISSP, which is a
(01:19):
pretty renowned cybersecurity certification.
I also have several data privacy and cybersecurity certifications.
So, been in the business for a long time, cybersecurity, data
privacy, regulations, compliance, all these things have been a
big part of my life and career over the last about 14 or 15 years.
So, happy to share and help everyone wrap their heads
(01:43):
around what this is going to likely look like and how we
can move through it in a progressive and positive manner.
Greg (01:49):
Awesome.
Really appreciate that Darren.
We were at IMTS and coming out of IMTS, boy, was ‘what do I
do about CMMC as a manufacturer?’ one of the biggest topics.
And we definitely have heard within our customer base and folks that
are not necessarily Datanomix customers, just at the show, lots of
conversations, “Hey, how can we get some better information about CMMC?”
(02:14):
And Datanomix, us as a vendor, we have similar obligations, certainly different
than manufacturers making the physical goods, and with some of the assets
that you guys all have under control, but we as a vendor to manufacturers do
have to follow the same standards, just on a different part of the problem.
And we’ve been doing that, as a business, in conjunction with
(02:37):
Carbide, so we thought it’d be a great opportunity to give some
perspective on what are the common questions that we’re hearing?
What can you do today?
What can’t you do today?
How do you go through this process?
The when, the why, the how.
So, really, the approach that we’re going to take here
is, we have a cybersecurity expert here in Darren.
(02:57):
I’m basically going to go through and ask him questions from
the perspective of a manufacturer for, certainly, a lot of the
questions and topics that we have heard that are on people’s minds.
So, let’s start with where is CMMC 2.0 really at today?
And when I started digging into this several months ago, Darren had some
(03:18):
great statistics that I thought were worth sharing with the group here.
So, let’s start with this one, Darren.
So, where are we at today with CMMC 2.0?
Darren (03:27):
This is an estimate that I got from the Department of Defense,
estimating that there’s roughly 80,000 companies in the US that are going
to require that level 2 or greater certification as this program rolls out.
That doesn’t count the companies that also are outside of the US, and
there’s a lot of companies outside the US, in Canada, Australia, in
Europe, that are also subcontractors of the US Department of Defense.
(03:51):
That’s going to be—it’s going to be an interesting journey, right?
I think the number is probably well over 100,000
companies that are going to have to go through this process.
The interesting fact is that there are only 57 certified registered
auditors, as of when I looked last.
That being said, there are others, there’s about 200 candidate auditors
that are going through the process of becoming certified auditors,
(04:13):
and I expect we will see a lot of auditing firms go after this
opportunity because, with that first line of 80,000 companies needing to do
this, if only 257 auditors had to handle it, it’s going to take a while.
And to that point, yeah.
I think an interesting point to figure out or to understand
here is that the expectation from the Department of Defense is that
(04:35):
this is going to take about three years from the moment that they
launch it, which we estimate to be at some point in—it could be Q1 2025.
I’ll be honest to say that not all the estimates of
timeline for this implementation and the launch have
been super accurate, so it could be a little later.
But it’s reasonable to expect that 36 months, three years is going to
(04:58):
require—and I don’t think that we’re going to see everyone get certified.
I think we’ll still—it’s going to be a bit of a struggle to get
all these companies through this process in that period of time,
with the amount of auditors that are going to be out there.
It’s a big lift.
Greg (05:11):
And so, I think that puts us in this situation of, so wait a minute.
You said there’s all these companies that have to do it.
The timeline is unclear.
There are no CMMC-certified entities in existence today,
so what does that actually mean that we need to do?
And I think this is one of the very important topics
that we want to dig into here is, what are the acronyms?
(05:33):
What are the standards?
What do we know about what the obligations are really going to be?
And then, how do we all best position ourselves for what we
inevitably know is coming, based on as much information and,
sort of, official things there are that we can do today?
Darren (05:48):
And I’d love to be able to say that everybody
can just chill out and relax and just wait this out,
but unfortunately, that would not be a prudent approach.
Greg (05:57):
Right [laugh]. Right.
So, one of the first questions that, certainly, we’ve been hearing is, what
are the data sets in manufacturing that require safeguarding per CMMC 2.0?
And I think the slide here is a pretty good takeaway on the
categories of information that are going to need to be protected.
(06:17):
Darren, why don’t you take us through those?
Darren (06:19):
Yeah, this is great.
You’ve got FCI, which is effectively your Federal Contract Information.
One of the things I just mentioned about that particular information
is that it’s not always going to be labeled, so it’s going to be
prudent to basically—if it’s labeled as such, then obviously treat
it as such, but probably best practice for any information
(06:40):
in terms of your negotiations and contracting conversations with
the DoD supply chain is to treat it as FCI by default.
So, that’s the level 1 foundational level, which is pretty straightforward.
And then CUI and CDI.
CDI is really a subset of CUI.
(07:01):
In that case, effectively, what we’re looking at
is the NIST Special Publication 800-171 controls.
That is what this program is built off of, and that’s been
around for a while, and that’s accessible and free, and
everybody should be able to—should access that and look at that.
That gives you a good idea what the lift is.
(07:21):
Now, CUI generally is going to be more diligently labeled, and
in fact, I believe we’ll be sharing some information with folks
afterwards, with some helpful links and whatnot, but there’s
actually a database that the Department of Defense maintains that
has all the different classifications and label identifiers of CUI.
So, that’s probably a really good place for businesses to look
(07:44):
at to get a good idea of what effectively you’re touching.
I will say, so we talked about level 2 and level 3.
Level 2 is really the 110 of 800-171, and there’s still
a little bit of figuring out what the level 3 looks like.
They’re still working on some of those
pieces, but it’ll be that, plus some more.
But yeah, the FCI, if you’re doing any work at all with
(08:07):
the Department of Defense or in that supply chain, you’re
going to be touching some degree of FCI at a very minimum.
Greg (08:13):
Awesome.
So, this is where I’ve definitely seen the most confusion, really, I
would say, from folks I’ve been speaking to: do I need to be FedRAMP?
Do I need to be CMMC?
Do I need to be NIST?
I think ITAR is the one everyone’s already got their head around because that’s
been out there for a while, and folks that are serving the DoD or in the supply
(08:35):
chain have certainly been doing the right things there for several years.
Even for us, sometimes customers say, “Are you FedRAMP?” Or, “Do I need to
be FedRAMP?” Or, “What do you need to be, and what do I need to be?” So,
I think going through each of these and really demystifying what exactly
is that thing—what is NIST versus what is CMMC versus what is FedRAMP—and
(08:59):
then what do we, as businesses, manufacturers, and vendors who serve
manufacturers, need to be doing to be prepared and be compliant, here?
Let’s jump into the first one.
Do I need to be NIST compliant as a manufacturer?
Darren (09:13):
The real answer there comes down back to CUI.
So, if you’re thinking of NIST: NIST is a standards
organization, and they produce standards that include guides for
cybersecurity, guides for risk management, controls, they cover data
privacy, they have a standard around artificial intelligence governance.
(09:33):
They’re out there, that information is all available
to anybody to use to help in their business.
When you’re talking about the Special Publication
800-171, that is specifically designed for handling CUI.
If you’re doing contracts now and you see a clause that says, you
(09:54):
know, ‘must comply with or follow the DFARS clause 252.204-7012,’
that is basically ‘Safeguarding Covered Defense Information and
Cyber Incident Reporting,’ which applies to all contractors and
subcontractors doing business with the US Department of Defense.
(10:16):
And what that ultimately means is, they leverage that NIST 800-171 standard.
So, if you’re seeing that in your contracts now that’s a good,
strong indicator that the expectation when this goes live is that you
will be required to do the CMMC, likely the level 2 certification.
So, building an information security program and having your business
(10:41):
be entirely in compliance with the Special Publication 800-171 is
the best road for you to effectively be ready to then go about the
certification process when that process becomes available to follow.
When we look at 172, it’s really just an extension to 171 that covers a
(11:04):
little bit more in-depth around things like different types of attack vectors
that may be more modern, like persistent threats and things like that.
And the expectation—that’s why, in theory, CMMC
2.0 is going to be the Special Publication 800-171 with
the additional elements of 172—that is not finalized.
There may be some additional requirements.
(11:27):
That’s information that we’re all patiently waiting for.
But again, if you’re falling into level 3 compliance, if
you’re having a lot of CUI, doing that 171 is a really good start, and
then maybe familiarizing yourself with 172 just to get a sense of what
that would look like if level 3 becomes a requirement for your business.
Greg (11:49):
Got it.
So really, the strong connection is that the NIST standards
are the foundation for the CMMC levels of compliance
that all of us need to be paying attention to here.
When I say, “Do I need to be CMMC 2.0 compliant,” what that
really means is achieving the appropriate level of NIST
(12:14):
requirements for whatever level of CMMC that I need to have.
Darren (12:18):
You got it.
That’s a great way of looking at it.
Greg (12:21):
And just to break it down, I see—so one of
these is 17 basic hygiene, and then another one is 110
requirements, and then there’s all of the above plus.
So, just roughly speaking, in layman’s terms, what does
level 1 look like versus what does level 2 look like?
What kinds of things should I expect if I haven’t read through
(12:43):
that entire government publication, which everyone loves to read?
Darren (12:47):
Yeah, so if you’re looking at level 1, you’re going to have things
like access control, you’re going to have things like password security.
There’s going to be physical requirements.
You’re going to cover a lot of the domains, but 17 basic
hygiene requirements is pretty light compared to the 110.
I would expect that a lot of the businesses, and a lot
(13:10):
of you on this call, will have already implemented
a lot of those things in your business to some degree.
So, it may be just some improvements, maybe there’s some areas that you’ll
have to augment or add, and maybe a little better documentation around that.
And then you will go through a self-certification process.
And in fact, one of the things we’ll be able to share when we share
(13:31):
around some stuff after this is, there actually is a guide that’s
published by the Department of Defense that walks you through what
the current process is for self-certification, and there’s a NIST
Special Publication that you can reference that is actually for going
through and running an assessment of your posture against 800-171.
So, 800-171 rev. 2 is what CMMC is built on.
(13:57):
I will just say—and I know it was in the last slide—but if you go look
at 800-171 rev. 2, it’s actually been replaced by rev. 3, however DoD is
still sticking to the fact that the program has been built on rev. 2.
We expect that there’ll likely be a move or an advancement to
rev. 3 through the process, but I’d focus on rev. 2 right now.
(14:17):
There’s really just some consolidation and a few
different things added there, but nothing crazy.
And then the 800-171A document is really the guide that
shows you, like, how do you run a self-assessment process?
So, there’s some tools there that can be helpful in
seeing where you sit in relation to these requirements.
(14:38):
I honestly treat level 2 and level 3 as the same thing
until there is a confirmed declaration from the Department
of Defense of exactly what level 3 is going to be.
And what we know right now is it’s going to be the same as level 2 plus
some other things, but we’re going to play the waiting game on that one.
Greg (14:59):
Understood.
And I know one of the important items on this is the line that
says ‘requires third party certification for level 2.’ We are going
to get to that in a couple minutes, and exactly what that looks like.
One question, Darren.
Are the certification requirements different between
US-based entities and international entities?
Darren (15:18):
So, what you’re referring to is if we have a manufacturing
company in the US going through certification versus a manufacturing
company in, say, Canada or Australia going through the process?
As it stands right now, they are not.
I would not expect there to be a difference.
If I look at all of the other regulations and the way different data privacy
and data security certification processes run in the US in particular—and
(15:42):
it’s a very segmented landscape in the US—the way the US generally
looks at it is, if you’re selling to us, you have to meet our standards.
So, that will be the expectation of how this is going to move forward.
Greg (15:56):
One of the questions we also see here is, “Okay, obviously I as
a manufacturer need to be CMMC compliant, but what about my vendors?
And specifically, what about my ERP system?
What about my QMS?
What about any software that I have that touches different pieces of information
that are part of my operation?” And really, I think this comes down to
(16:19):
something you alluded to earlier, which is basically, does it handle CUI?
Darren (16:24):
Yeah.
One thing to keep in mind, though, when we’re talking about
software vendors, the expectation under the CMMC program is that
software vendors would be following more the FedRAMP approach.
So, FedRAMP is effectively built for the purpose
of software vendors to meet certain requirements.
So, if you’re looking at your software vendors right now, then I
(16:48):
would want to see that they have an information security program.
So, if they’re already working with the Department of Defense directly, or even
other departments within the federal government, because I’ve definitely seen
examples where other government departments leverage compliance and require
organizations to meet the requirements of NIST Special Publication 800-171,
(17:08):
in fact, actually in Canada, I’ve seen it on Canadian federal government
contracts that organizations are compliant with NIST Special Publication.
So, it’s fairly accepted and adopted in a lot of government departments.
The real questions that you want to understand about your vendors,
if you’re sharing, particularly with a software vendor, like, an
off-the-shelf—and the concept of COTS, this sort of off-the-shelf
(17:31):
product or service, is carved out potentially in the process for CMMC.
So, for a company that provides off-the-shelf
software as a service, for example, the
first question I’d ask is, are they FedRAMP certified?
That would be really awesome, but that’s only likely going to be
the case if they’re selling to a federal agency directly already.
(17:52):
If they’re not, then I’d be looking for some other form of external
audit process that demonstrates that they’ve implemented controls.
So, do they follow this Special Publication
800-171 or some of the controls from 800-53?
Do they have a SOC2 report?
Do they have an ISO 27001 report?
You’re still going to be responsible for ensuring that all your
(18:13):
vendors meet the requirements, the security requirements and the
privacy requirements, of the work that you are subbing out to them.
And then, of course, when you’re talking about your
other vendors—so if you have—I’ll give an example.
I sit on the board of a manufacturing company, and sometimes they
manufacture components for other vendors that are selling to somebody else,
(18:34):
like a Lockheed Martin, that’s then selling to the Department of Defense.
So, they might be sub four, sub five in the mix; it
still comes back to them as a manufacturer in that particular situation.
They have to meet the requirements, so they’re going to have to be
CMMC Level 2 compliant because that CUI or some subset of that CUI,
(18:59):
is making its way down the supply chain into their organization.
Greg (19:04):
Do we think that companies that are not handling FCI and CUI
will ask for CMMC 2.0 just to ensure that their vendors are hygienic?
And if I understand—
Darren (19:15):
Yes.
Greg (19:15):
—this correctly, I think this is saying, really, should our
expectation be that all vendors are just demonstrating a commitment to
not creating risk around compliance and around the handling of data?
And I totally agree with your answer here, Darren.
As a software vendor, vendors become hard to do business with if
(19:37):
suddenly they’re creating risk for your ability to do business.
Darren (19:40):
Yes.
Greg (19:40):
So—
Darren (19:40):
A hundred percent.
Greg (19:41):
software vendors that don’t see it that way probably aren’t
thinking the right way about how to best serve the manufacturing
industry, so you should absolutely be putting pressure on your vendors
to take the risk out of your ability to do business by saying, “Look,
you’re a software company, you’ve got access to all these great tools.
(20:03):
You guys are handling data in various capacities.” And maybe it’s not CUI, maybe
it’s right on the edge of CUI, but it’s not quite; it depends on, is it in the ERP?
What kind of data is it?
But at the end of the day, your vendors should be seeking
to minimize the complexity it takes to do business
with them by saying, “Yes, I am NIST 800-171 level 1.
(20:26):
I’m CMMC level 1 because I at least have the basic hygiene requirements.”
And if they are touching data that is today or ever has the potential
of being close enough to CUI or FCI, they a hundred percent should be
saying, “Here’s how I’m investing in my certifications, in my audits,
(20:47):
in my capabilities, so that you don’t have to think about this.”
Darren (20:51):
Yeah, a hundred percent.
I would expect that you’re getting requests, whether or not those
requests are really logical and coming from a source of true,
comprehensive understanding of how this is supposed to work, this
has happened in every other compliance requirement that I’ve seen.
I’ve had people come to me saying, “Hey, we need to have a SOC2
because we sell to somebody who has a SOC2, and they said that
(21:13):
we need to have a SOC2 as well.” Actually, that’s not quite
how it is designed to work, but that’s the interpretation.
And that becomes the easier way to de-risk, to your point.
And, Greg, I think one of the things that really plays into
this is, all this stuff is happening so quickly that there’s really a
talent gap in terms of people that can actually do all this work.
(21:34):
So, the process of assessing your vendors,
it’s not necessarily a super easy process.
It takes time.
It takes skill.
And so, yeah, you’re going to see people asking you,
I think, very regularly, to maybe be a little further
along than you may, verbatim, actually require.
And I think when it comes to the software vendors, if I was a soft—I am a
(21:56):
software vendor, but if I was selling a service or product that was going
to touch CUI, yeah, I would be putting together an internal audit program to
ensure that we meet the requirements of NIST Special Publication 800-171.
I would very likely do that self-assessment
(22:16):
to get the level 1, that self-certification.
I would consider the audit for the CMMC level 2, but I’d
probably wait to see how that plays out a little bit.
I would definitely have an ISO 27001 and/or a SOC2, just to show that there is
a third party external component to our compliance and risk management program.
(22:36):
And I’d put a solid report in to show that, be able
to demonstrate to my customers that we’re on this.
I think the challenge, the part that’s unclear, comes back to the fact that
there are going to be so many organizations that need compliance, and a lot
of the pushback on why we went to CMMC 2.0 before 1.0 was launched
(22:58):
is because the stakeholders here have to
put something forward that’s actually reasonable, that the industry, and
the economy, and their vendors, their supply chain, can actually support.
And so, that’s one of the reasons that software has been carved out.
And FedRAMP was explicitly—not explicit, necessarily, to the
(23:19):
Department of Defense, but for government vendors to be able to adopt
cloud-based software—FedRAMP is that piece that was built for that.
So, my expectation—I know, and a lot of other practitioners
in the field share this—is that FedRAMP certification could
very well be a big piece of this as well for software vendors.
Greg (23:41):
Got it.
So, if the vendor software is on-prem, not SaaS, does the
software vendor need to be certified or self-certified?
I think what we’ve said is, look, no matter what, they
should at least be doing the level 1 self-certification so
that they’re somewhere on the CMMC spectrum that’s not zero.
Darren (24:00):
Right now, according to the training that’s provided to us
as registered practitioners, if it’s a COTS product, so if you’re
buying a product from a company that you’re installing on-prem in
your premises, it does not require that organization to be CMMC certified.
So, the way I would treat that as a practitioner is I would
(24:22):
look at that piece of technology that you’ve purchased, is it
off-the-shelf, or is it custom built, and determine that piece first.
Then I would look at, so if the vendor doesn’t have any access to that, and
you’re completely running that in your environment, then it would be really
going through and testing that software, making sure that it’s in network
segmentation zones in a way that limits the risk of the data leaving the hands of
(24:47):
authorized, least-privileged access individuals. There’s a high likelihood
that, in that case, there’s not a need for that vendor to be CMMC-certified.
Now, if that vendor is offering some degree of support where
they’re remoting in or coming into your physical premises
and accessing data, that would be a different scenario.
But I think we’re going to see, the people that are selling off-the-shelf
(25:09):
software solutions, I would be surprised if they are the ones that are going
to be part of the first three-year certified CMMC companies, and I think we’re
going to be really looking at some of those other cybersecurity certifications
and really analyzing every individual software to understand the risks.
Greg (25:28):
So really, for a piece of software like that, it’s like anything else
you’re managing inside your facility at that point from a data standpoint.
It’s on your server, so your server must have all the
policies and practices around it that would ensure—
Darren (25:43):
You got it.
Greg (25:43):
—that you are compliant.
Access to the data, same thing, all the policies
and procedures that ensure that you’re compliant.
So really, if you have off-the-shelf software like that, that you are managing
on premises, the burden is on you to ensure compliance with the practices.
Darren (26:00):
You got it.
And think about that, I think the other thing that I
see sometimes in manufacturing facilities is open-source
software being deployed across and in those places.
Those open-source software tools are not going to be CMMC certified.
So, it’s the same idea, right?
You’re bringing this stuff in, you’re going to be buying hardware
that has firmware, that has BIOS, and componentry on it.
(26:20):
You’re going to be installing open software, openware, and open community
software, in some cases, like Linux versions, things like that, maybe.
Yeah, it’s really analyzing—and I think that if you go back to the
Special Publication document and spend some time reading it—it’s not
a very thrilling read by any means; we’re talking about cybersecurity
(26:41):
controls here—but it gives a lot of guidance on how to segment things.
And I know in my experience in working with manufacturing facilities,
sometimes we have technology in the manufacturing environment that
doesn’t meet all of the security requirements, so
we have to get creative in compensating controls, we have to segment
things, we have to figure out, how do we make our technology and
(27:03):
some of our legacy systems and things like that fit into this model.
Greg (27:08):
For sure.
If I’m using an outside process vendor, since I’ve machined a component
and I need to pass it along to an outside vendor for processing, do they
need to be CMMC compliant, or is it sufficient that if I redact enough
information, i.e., I don’t have any FCI, I don’t have any CUI on what I
provide to that outside vendor, it’s okay if they are not CMMC compliant?
Darren (27:34):
It is possible.
I think there’s a couple of things to keep in mind.
So, the concept of aggregation is really what the
Department of Defense is trying to eliminate here.
And what that means, effectively, is you may only have little
snippets of data, but if you start putting a lot of snippets of
data together, you can use advanced algorithms to try to determine
what’s being built, or what’s going on, or what this is referring to.
(27:57):
So, one of the great things about—the whole reason this
registered practitioner concept has been built out
as a part of this program—is that the registered practitioners
have a community where they share things that are happening.
They get first sight at a lot of the different information coming out.
There’s a way for registered practitioners to get
(28:19):
affirmations directly from Department of Defense.
“Hey, what do I do with this thing?” This—I was laughing about this
this morning because I was like, I’m coming out here to be, like, the
CMMC expert, but keep in mind, there’s never been a company that’s gone through
a CMMC audit. So, there’s going to be a lot of a learning curve on
the side of the Department of Defense, from the auditors, from the
registered practitioners of how do we take all of these one-off cases
(28:42):
of all of these situations, and really bring this into the program?
And so, that’s going to be a part of this.
Hey, we can’t implement this control because of this.
Here’s the compensating control.
Okay, your registered practitioner can go get some data
from that, that can be put together, sent to the auditor.
The auditor can get some validation, and we’ll work together to solve
(29:03):
any of the outlier things that are not going to be straightforward.
Like the simple, straightforward things like awareness training for
your employees, or security policies, or encrypting your data at
rest, or some of those things that are more sort of ones or zeros.
Greg (29:18):
Sure.
Next topic, and I think this is the one that folks are probably most familiar
with, of course, because many companies have been doing this for a while.
Do I need to be ITAR compliant?
Who needs to be ITAR compliant?
Darren (29:28):
If you need to be ITAR compliant, it’s very likely—
I’d be very surprised if it wasn’t—that it’s articulated specifically
to you in the contracts that you’re doing already.
There is a lot of overlap.
At the end of the day, the controls in Special Publication 800-171, those
are based on the common body of knowledge of best practices for protecting data.
(29:51):
The difference here is that when we’re talking about ITAR, the
biggest purpose around ITAR is effectively to reduce the likelihood
that we’re exporting technologies or plans or information outside
of the United States into other countries, and particularly
certain countries that we may not want to have that data.
(30:15):
But the same general practices—so for example, I’m working
with a company right now, they’re a manufacturing company.
They earned Special Publication 800-171
compliance, and they will have to do level 2 for CMMC.
They implemented ITAR before I started working with them.
So, when I walked in there, I was able to see, oh, sweet.
You already have locks and you have cameras and you
(30:37):
have proper lighting, and you have little badges.
I get a visitor badge when I go there.
People don’t just let me go on my own, and wander around in the server room.
I’m being escorted around the building because I am effectively a guest.
And they’re already following those same overlapping controls.
So, if you’ve implemented ITAR successfully in your business and you’re
(30:58):
following those requirements, when you do a gap analysis against 800-171,
that’s going to show that you’ve already done
some of the work, you’ve done probably 70-ish percent.
Depending on your environment and how well that it was
deployed in the business, you’re probably 60, 70% compliant.
Greg (31:17):
Awesome.
I think the one that probably causes the most confusion in the
conversations I have is, do I need to be FedRAMP compliant?
Or, who needs to be FedRAMP compliant?
Darren (31:28):
FedRAMP is focused on cloud service providers.
If you are a manufacturing company and you don’t have a cloud service
that’s part of that, then you’re not going to have to worry about FedRAMP.
But like I say, it’s something that’ll be
highly valuable for your software vendors.
Now, I do know some manufacturing companies that do have software.
(31:50):
For example, there’s an organization I sit on the board of, they’re in manufacturing,
and they have a piece of software that allows people to go use, like, a
web-based, sort of, cloud-based, sort of, CAD program to design things.
Yeah, they’re going to have to likely do FedRAMP and CMMC as this rolls out.
Greg (32:10):
And to be clear, for software vendors, not every
software vendor can get an official FedRAMP certification.
However, there’s this concept of equivalence that I hear going around.
What does all that mean?
Darren (32:22):
FedRAMP is a big program.
It’s an expensive investment, but you can get this moderate equivalence, which
is, you’ve implemented controls that align with the FedRAMP Moderate level.
So again, a lot of overlap for them when you
look at the NIST Special Publication, 800-171.
There’s actually quite a bit of overlap.
Again, we’re all coming back to the common body
(32:44):
of knowledge of best practices that apply here.
If you do an ISO 27001, if you already have an ISO 27001 audit in
your organization, you’ll notice that’ll also come out in the gap
analysis, you’ve probably implemented 50, 60, 65% of NIST 800-171.
So, there’s a great deal of overlap around all of these programs.
Greg (33:08):
Got it.
So really, the root takeaway is, the most important thing,
no matter which one of these that we’re talking about, is
to figure out how to get yourself NIST 800-171 compliant.
There’s the basic hygiene level.
The, really, level 2 certification seems to be the smartest, safest thing that
(33:31):
any business should be aiming for at this point because that’s the foundation
for a lot of what’s going to come down and how audits will be done, right?
Darren (33:39):
Yeah, and I think I mentioned that the DFARS clause 252.204-7012.
If you’re seeing that in your contract, that’s a real
strong indicator you’re going to be at least a level 2.
If you’re seeing the terms ‘CY,’ if you’re seeing the reference
to NIST 800-171, those are all pretty strong indicators.
(34:00):
And if you’re in the supply chain, effectively, who you’re
selling to, if they’re doing their due diligence on the process,
they’re articulating those necessities to you in the process.
In other words, they won’t work with you unless you, at this point, have a plan.
Greg (34:19):
If this is really the most important thing that we should be focused on,
so how do we go about getting compliant with 800-171 and with CMMC level 2?
So, there’s a hard way to do things, and there’s an easier way to do things.
Let’s start with, I’m starting to look at this Darren, and what’s the hard way?
Darren (34:40):
Well, hard way would just be, go about it, read the
requirements, put in the time to learn all about it, run your own gap
analysis, document your own policies, build your own controls, align
to that, run the program, and internally audit the program yourself.
Now, I like the term ‘the hard way.’ Now, if you have an
in-house cybersecurity professional that really understands
(35:03):
this stuff, then that might not be that hard for that person.
Greg (35:06):
Sure.
Darren (35:06):
But if you don’t, that’s a lot of learning to get there.
It’s a lot of time.
I say this all the time to business owners and founders and
department heads (35:14):
what’s the most important thing in your business?
Is it worthwhile for you to take time away from that to focus or does
it make more sense to go more for what you’re calling the easy
way, which is, go find yourself a registered practitioner who has
years of experience in cybersecurity data privacy, who has worked
(35:36):
in the Department of Defense supply chain, and understands how to
interpret and implement these controls, and who’s following it.
Even people who have an interest in this and are good at it, and I think,
look, it makes sense for people to learn this in your business, the idea,
like, you can’t just outsource every bit of this and just be ignorant
to it; that’s not how cybersecurity in general, works, but there’s such
(35:58):
a value proposition of somebody who’s working on all kinds of projects.
When you’re talking to somebody who’s a registered practitioner, and they
may speak to ten different organizations in the run of a week, and hear
different challenges, and interact with auditors, and they’re part of
the registered practitioner community, so they’re getting the updates,
(36:19):
they’re interacting in the message boards internally, and really part
of that process, they don’t have to take the time to figure things out.
They can go through and really implement an action, and you can move
quicker, and effectively at the end of the day, save your own time,
and save money, and de-risk the likelihood that you get into an audit
once the audit opportunity comes about, and run into issues there
(36:42):
that cost time, and slow the process down, and everything like that.
So, that would be—that’s the assessment.
Do you have somebody in-house that has the expertise,
the interest, that makes sense to dedicate the time?
If you do, then the hard way might not be that hard.
If you don’t, then yeah, I think having somebody who has the expertise
be at least a core component in the implementation, though, I think what
(37:07):
you’ll find over time is that cybersecurity and data privacy is not going
away, and a lot of organizations have to manage several different programs.
So, I know manufacturing companies that are worried about CMMC, they’re
looking at FedRAMP for their software components, they have to comply with
the Canadian privacy regulation because they have access to PII, there’s
(37:28):
also the Canadian defense program, and then they have their ITAR program.
And then it can get a lot, right.
So, at some point, there may be a practice for a full-time
person in a business, but you can get a lot of value
out of fractional experts at this stage in the game.
Greg (37:45):
Sure, and I can certainly speak from the perspective
of a software vendor who’s trying to do this, right?
We’re familiar with data, we’re very familiar with data
security, but really the project management side of this, and
the documentation, and the audits, and the gap analysis, that’s
certainly where us leaning on outside help has been a massive lift.
(38:08):
I know several customers who also have cybersecurity experts within their
third-party IT companies that they contract with, and I’m definitely
hearing folks having some pretty good success with that methodology as well.
But definitely the DIY is probably too big of a row to hoe here.
Darren (38:25):
You just said a couple of things there.
Having somebody coming in as a registered practitioner, generally, the
type of practice that I run, I focus on controls, processes, policies, the
governance of a security program.
You may determine that you have other—you define
other things that you want to outsource, right?
(38:46):
So, you maybe have an MSP or an MSSP who’s going to
take on some of the IT burdens that come from this and
IT practices that have to be deployed through this.
I don’t think bringing in a practitioner is necessarily replacing
some of the other third parties that you use for other components.
(39:06):
Yeah, depending on what you use from a tooler’s perspective, the level of
sophistication of your infrastructure, I worked with a company not long
ago where we determined that, hey, they need a lot of network segmentation.
There’s a lot of work that needs to be done.
And they went out and found a network expert that
came in, and we worked with them to build out a spec.
And then these guys came in on-prem for a couple of weeks and built
(39:29):
a really strong infrastructure that they’re now managing in-house.
But you may need some other technical expertise, depending on
what you have in place and that skill gap analysis of your team.
Greg (39:41):
Sure.
So basically, I get my initial assessment done, whether that’s
DIY, whether that’s help from my e-vendor, whether I have IT
expertise in house, or whether I engage an outside security firm.
So, now I know I have my gaps, I’m going to go through this
process, but ultimately, one of the things that we all are
(40:03):
going to need to move towards is this third party certification.
So, what is that ultimately going to look like?
Darren (40:10):
Yeah, the third-party certification
is going to… it’s going to be an auditor.
And like, when I look at some of the companies that are already
registered for this program, like, they’re auditors already.
They’re auditing for ISO, they’re auditing
for PCI DSS, they’re auditing for SOC2.
So, I think, conceptually, I don’t think the audit is going to be much
different than any of those auditors, in terms of an audit process.
(40:34):
The difference is going to be predominantly just that it’s going to
be against the specific control set of the NIST 800-171 framework.
And I can actually roll in—I saw somebody asked a question
about control map—and I’m not familiar with control map.
I believe it’s a GRC software, but yeah, this
is where GRC software can be really helpful.
So, with GRC software, you can run your security program, which can include
(40:58):
your CMMC program and your ITAR program, quite effectively, and then when
it comes to audit, generally what you’re going to be doing is your auditor
is going to come in, you’re going to have to walk them through and share
with them what your business is, some network diagrams, things like that.
They’re going to want to see what you’re doing to implement each control.
They’re going to want to see evidence samples.
(41:18):
They may be required to come on prem to view a lot of that stuff.
There may be a way to do it over a camera.
Some of those things where you have to see where that’s going to go.
The pandemic has made things a little more flexible in a lot
of ways because traditionally, before the pandemic, just about
any type of cybersecurity audit required an on-prem component.
We’re seeing a lot of audits, like, 27001
(41:40):
audits from ISO that are happening remotely.
But yeah, the auditor is going to have to go in there, and they’re going to
have to look at each one of those controls, and they’re going to have to see
some validating component of evidence, whether that’s interviewing employees,
seeing logs, getting a tour of systems, virtually or physically, and they have
to make sure that they have a re—without a reasonable doubt, that they can say
(42:03):
that these controls have been effectively implemented into the organization.
And then you will get your audit, you will get your certification,
and that will be what you’ll be able to share with your customers.
Greg (42:15):
Got it.
So, no one’s done this yet.
Darren (42:17):
Correct.
Greg (42:17):
We started with that, but that’s what the process is, ultimately.
Darren (42:21):
If you’ve done an audit in any other cybersecurity framework
or standard before, it’s going to seem quite similar to that process.
Greg (42:29):
Got it.
Okay, potentially the scary part of this, I do my gap
analysis, I get my assessment, I’m trying to prepare
for my audit, and what remediations am I likely to need?
What kind of things are going to show up after that gap analysis takes place?
Darren (42:45):
Yeah, these are some great examples
up on the screen right now, for sure.
Some of the things—
Greg (42:49):
The first one’s my favorite, by the way.
We can’t have ERPRP as the login anymore on the computer on the shop floor.
That one’s got to change, guys.
Darren (42:58):
And I laughed when I saw that.
It’s funny, I can actually recall going through, several years ago,
into a manufacturing company, and one of the practices I noticed they
were doing is they had, like, generic logins for certain machines
so that anybody could walk up and log into the machine, or fairly
large sets of people could walk into the machine and do that.
Something like that’s going to be really problematic because you
(43:20):
need to be able to track who has access to what, who accessed what.
If I think of some of the challenges we’ve had working
with manufacturing is we’ve seen where there’s some legacy
technology where we actually can’t do what they want to do.
So, there’s a login and there’s a password for this tool;
we can’t have 50 of them, so what are we going to do?
We started to get creative with coming up with some creative solutions.
(43:43):
And that’s again, if you pick a good consultant who has experience—in
cybersecurity in general, not just the CMMC side—that knows how to
come up with solutions that aren’t just the straight textbook, what
the control says, the control says your password needs to be this long.
What if it can’t be?
How do you get by that?
That’s where the experience of a really good cybersecurity
(44:06):
consultant is going to be a huge asset in this process.
But yeah, if you’re going out level 2, you’re going to have a whole set of
policies, procedures, you’re going to have an internal audit program on your
security controls, you’re going to have network segmentation, you’re going to
have firewalls, you’re probably going to need IDS/IPS technology in the network.
Like, you may have to get rid of things you have.
(44:27):
Like, I’ve seen cases where it’s like,
“Guys, you can’t use this email tool anymore.
Like, you either have to upgrade this and that’s going to be
expensive, or you’re going to have to outsource this component to
another vendor, like, a cloud provider or something like that.” This
is why, you know, I say to everybody, it’s like, the self-assessment
sooner than later because you don’t really know what the lift is
(44:48):
for your business until you’ve done a qualified self-assessment.
When I say a qualified self-assessment, the person conducting the assessment has
the experience to be able to interpret this stuff very clearly and very well.
Greg (45:03):
Got it.
I summarized this one as, “We’re going to need to be able to definitively show
who has access to what, and that nothing inappropriate can happen there.” And
then, from a devices standpoint, networking side, what has access to what?
So, who logged into the ERP, what can they see?
People with access to G-code, prints, billing information, purchase
(45:27):
orders, part numbers, et cetera, we need traceability and auditability
around all of those, and that’s where those vendors that we use should
be ahead of the game on that, and taking risk out of that process.
Darren (45:39):
100%.
Greg (45:40):
And then on the networking side, really the terms that
everyone should be able to turn to their internal IT team or
their third-party IT team, and say, “What do we have for VLANs?
What do we do for vulnerability scans?
And what do we have for whitelists?” If those are terms that are
out there that your team is talking about that there’s policies
(46:00):
around, you’re going to be on the right track because those are
the mechanisms that are used within the networking world to control
how devices have the ability to interact with other devices, and
ultimately gain access or not gain access to the data on those devices.
So, that’s a super important takeaway here.
And you mentioned cost right?
(46:20):
Might have to upgrade software.
Might have to upgrade systems.
A good segue to what really should I budget for this activity,
and when should I plan to be doing which elements of this process?
Darren (46:33):
Yeah, these are obviously estimates because who you
work with, how you go about it, is going to be a big piece.
I think the hard way is going to take more time, have more error,
save on the front-end costs, larger on the other side of things.
Really, do that gap—if you’re thinking about doing it internally, do a true
(46:53):
and honest gap analysis on the, like, skill gap analysis to make sure that
you have somebody who has the skill set and has the time to dedicate to it.
All of the tools, any tool, you’re going to see a slew of tools.
The cybersecurity industry loves nothing more than one of
these, like these externally-forced needs for [toolage]
and help, so you’re going to see a slew of tools.
(47:16):
I would estimate that they’re going to be designed
around helping you run these self-assessments.
There is still—I’ve never seen a tool—and I’m saying that
as a software vendor—we build—everybody builds GRC software;
we build solutions to help solve all kinds of cybersecurity
and data privacy challenges, including this challenge.
A tool without skilled practitioners is not going to solve the world’s problems.
(47:40):
It’s like saying that you just go buy Salesforce and then all
of a sudden the leads are going to come flying in the door.
It’s a tool.
It helps professionals execute, but you need the professional
guidance to do this in a safe and an optimized way.
But I think, yeah, I think you’re looking
at—you should be budgeting pretty high.
I don’t know for the audit.
I love 10 to 100,000.
(48:02):
Nobody’s ever done these audits.
I wonder if there’s going to be a supply-demand at the front where the
big guys are going to spend a lot of money, and that’s where the focus is.
I wouldn’t be surprised.
I don’t know if DOD is going to try to regulate this,
but there’s going to be an off balance of supply-demand.
And then, I would say by the year three and onward, you’re
going to see the price of audits go down substantially.
Greg (48:23):
My takeaway from this is, number one, the self-assessment,
whether done DIY, through a third-party professional, or through a
tool, that’s something that we should plan to do by the end of the year.
That’s at least going to give us a baseline.
Going through the 110 controls, yeah, the more we know about where we stand
versus those 110 controls, how much we’ve done towards that already is really
(48:48):
going to be the biggest thing that determines how much cost we likely have
to plan for next year because we’re going to do an assessment, figure out
what the gaps are, and then if you’re behind the curve on firewalls, port
scanning, your routers, your access control, your software vendors, yeah,
(49:08):
that’s where you’re probably going to have to spend your initial money.
And then ultimately, after you work towards implementation and compliance,
then there’s going to be the check for the auditor, at the tail end of this—
Darren (49:19):
You got it.
Greg (49:19):
When you actually have to get to the point of having that audit there.
So, it’s probably two years of five-digit money to get
yourself to full compliance, is what it’s feeling like.
Darren (49:32):
Yeah, I think that’s a good average.
Like, it’s going to be unique for each organization.
Like I would do the self-assessment on level 1, and then if you’re not
standing strong against that, then obviously start closing those gaps.
If you are, then I would move along to
start doing the assessment against the level 2.
And until you do a gap analysis, really look at the business,
understand the requirements, that’s when you’re going to know
(49:54):
what your timeline, what your spend, and what overall resources
you’re going to need to apply to this to get through it.
Greg (50:01):
I think you had a stat at the beginning
estimating it’s going to take three years to get 80%-plus of
the companies to the point of compliance and proof of audit.
So, just what are the things I should be doing sooner
rather than later to maximize my odds of success?
Darren (50:20):
Don’t wait.
Go forward to understand where do you need
to be, where are you going to fall in this?
Is it level 1, level 2, level 3?
And get a sense of where you’re at.
And back to that point, we’re probably already seeing people ask your plan.
I think it’s a very reasonable question to
be like, “Hey, what’s your plan for CMMC?”
(50:41):
And a, you know, really good answer would be, “We hired a registered
practitioner, and we’ve conducted where we meet the compliance
requirements of level 1, and we’ve recently done a gap ana”—like,
that type of language is where you want to be right now, or very soon.
Yeah, sooner the better because, like I said before, until you do the gap
(51:02):
analysis and you know where you sit and where you need to be, you don’t
know what this looks like and what it’s going to take for you, right?
So like, I’ve seen a company where they realized they had to replace
a bunch of computers because they don’t have supported software.
Like, the OS is not supported on a particular
piece of hardware, and that’s a problem.
And as an example, you don’t want to get blindsided.
(51:23):
And then, like I say, when you do get—make sure, if you don’t
have the people in house that understand the stuff and can
really do this effectively, and assess things in a qualified
way, that you get the help sooner so you know what the lift is.
Greg (51:38):
Yeah, I think one of my observations in certainly talking to customers
of ours is every manufacturer is very proud of their capability statement.
And I think articulating your position relative to what you’re doing
on CMMC should absolutely be in your capability statement, right?
So, when I go look—
Darren (51:58):
One hundred percent.
Greg (51:58):
I see you’re already ITAR, you’ve done this, you’ve done that, and oh,
wow, okay, you’re already self-certified on the 17, you have an assessment
available on the 110 controls, and you are prepared for an audit when
the time comes and when we have clarification on what an audit actually
(52:20):
means and when we’ll really be doing them, that seems to be the strongest
possible position that you could get yourself into sooner rather than later.
Darren (52:28):
Yeah.
Look, I’ve had calls from my manufacturing customers
as, like, far back as, like, 18 months ago, being,
like, oh my God, we got to figure out the CMMC thing.
And that all comes from that was in their subcontractor of a subcontractor, and
that was part of the buying process already.
Greg (52:46):
Right.
Darren (52:46):
Yeah, you want to be able to answer this preemptively.
You want to have a good answer now, really.
You know it exists, you know what it is, you know
where you are and you’re on a road, you have a plan.
And that’s trust.
That’s confidence.
You want to be able to tell your customers right out of the gate, “Don’t worry.
We’re on this,” right?
You want to tell them that, you want it to be true, and you
(53:08):
want them to be able to believe you and trust you on that.
Or they’re going to opt to a vendor—this is back
to sales basics, right—they want to work with you.
They want you to be easy.
They don’t want their security department to shut down
the deal, and they might ask that right at the top.
Greg (53:24):
Exactly.
So, in closing here, some tools that can help.
So, there’s going to be the free assessment.
That’s a tool that Carbide is building the free assessment on level 1.
Some other options that are out there, if folks have not historically been
familiar with either GRC software or the registered practitioner concept,
(53:45):
I’ll do the plug here for you, Darren, so it doesn’t sound so shameless, but
we as a vendor have used Carbide to work towards our security preparedness
assessments, SOC2, ISO 27001, and then ultimately the preparation for CMMC
2.0 level 2, which is what we are going to be required to have as a vendor.
(54:08):
And I can just tell you, even as a software company, as a technology
company, not having to think about these things, having a project
plan, having a project manager who is an expert, who helps create
the policies, procedures, and does those assessments is fantastic.
Definitely, GRC tools are out there.
GRC is Governance, Risk, Compliance.
(54:30):
There are lots of vendors, lots of opportunity to
leverage that expertise, and not try to do this yourself.
This is worse than trying to do your own taxes.
I can absolutely testify to that.
When I first started looking at this stuff
over a year ago, that was my initial analogy.
It’s been fantastic to have some good help.
And now here’s the part where I have to be shameless, and if you’re
looking for help with managing your G-code, specifically traceability,
(54:54):
auditability, control, revision control on your G-code, Datanomix
does have a platform that we launched at IMTS that is available to
help folks with that, so definitely feel free to reach out to us.
And Darren, really appreciate having you on, and
your expertise and depth of knowledge on this topic.
I know it’s been a massive help for us, and certainly for
(55:16):
other customers of ours that you’ve been working with.
And glad we could do this for a larger audience.
Darren (55:21):
Awesome.
It’s been great chatting with you all.
Greg (55:26):
Thank you for listening to Manufacturing Mavericks.
If you’d like to learn more, listen to past episodes, or nominate
a future Maverick to be on our show, visit mfgmavericks.com,
and don’t forget to subscribe to and rate this podcast on
iTunes, Spotify, Google Play, or your favorite podcast app.