CMMC compliance is not optional for DoD contractors. By 2026, all defense contracts will require certification. Corsica’s consultants help clients avoid disqualification from contracts, reduce cybersecurity risks, and build trust across the supply chain.
CMMC compliance is a structured, mandatory framework designed to safeguard sensitive defense information across the supply chain.
It establishes a unified cybersecurity standard for all contractors working with the Department of Defense, ensuring consistent protection of Controlled Unclassified Information (CUI) and alignment with national security priorities.
Key points:
Achieving compliance means meeting specific technical and procedural requirements, and for many organizations, that journey is complex. A CMMC compliance company can assist in navigating these requirements. They provide expertise and support throughout the certification journey.
The clock is ticking for manufacturers in the defense industrial base. The Cybersecurity Maturity Model Certification, or CMMC, is here. If you want to continue working with the Department of Defense, you need to be prepared. At Corsica Technologies, we're here to help you navigate the road to compliance. So what is CMMC? It's a unified cybersecurity standard created by the Department of Defense to protect federal contract information and controlled unclassified information. CMMC has three levels of compliance. Most manufacturers who handle CUI will need to achieve level two, which involves 110 security controls based on NIST SP 800-171 Revision 2. The CMMC 2.0 final rule became effective on December 16, 2024. The rollout was happening starting in mid-2025 when the acquisition rule took effect. Phase one will require self-assessments for many contracts. Phase two, beginning one year later, will mandate third-party C3PAO assessments for level two compliance. By October 2025, all DoD contractors and subcontractors must be CMMC compliant, affecting an estimated 300,000 companies. The key takeaway? We're already in phase one, and if you haven't started preparing, you're behind. So what should you be doing right now? First, determine which CMMC level your organization needs to achieve. For most manufacturers handling CUI, it'll be level two. Next, conduct a thorough gap assessment to identify your compliance gaps. This is a critical step, and it's where many companies realize they need help. CMMC compliance isn't just about technology. It covers access controls, employee training, incident response, risk assessments, and much more. Once you have identified your gaps, you need to plan to close them. This can be a complex and time-consuming process, often requiring 40 hours per week for 18 months or more. Don't wait until it's too late.
Corsica Technologies can help you prepare for your upcoming CMMC audit. We conduct comprehensive gap assessments to identify where you stand, develop detailed remediation road maps, and help you implement the controls you need to be ready for your official assessment by a C3PAO. Visit our website today to schedule a consultation and start your contracts, protect your business, and protect our nation's security. Contact Corsica Technologies today.
A CMMC consultant helps organizations—especially those working with the Department of Defense—achieve and maintain compliance with the Cybersecurity Maturity Model Certification (CMMC) framework by conducting gap assessments, aligning cybersecurity practices with CMMC levels, implementing necessary controls, preparing for audits, and providing ongoing support.
CMMC consultants bring deep expertise in frameworks like:
— Donald Evans | VP of Operations | Scientific Sales
Companies choose Corsica Technologies for its comprehensive cybersecurity managed services and proven client success.
Unlike others, Corsica integrates network operations, compliance, and advanced threat defense under one predictable monthly fee, addressing both compliance and long-term security needs. This holistic approach ensures compliance efforts enhance overall security without administrative overhead.
Corsica excels for mid-market defense contractors and companies with 100-500 employees needing sophisticated cybersecurity without extensive internal teams. Organizations gain a competitive edge by preparing for compliance while improving security capabilities.
On average, clients report:
CMMC consultants begin by performing a CMMC Compliance Gap Analysis, which identifies where an organization’s current cybersecurity practices fall short of the required CMMC level. This analysis is foundational to building a roadmap toward compliance.
Our CMMC consultants evaluate your organization’s policies, procedures, and technical controls against the CMMC’s structured levels—ranging from Level 1 (Basic Cyber Hygiene) to Level 3 (Advanced Protection for Controlled Unclassified Information, or CUI). They ensure that the organization can demonstrate maturity in both processes and practices.
We help clients implement necessary cybersecurity controls, document processes, and prepare for third-party audits. Ongoing support is provided through a cloud-based compliance management platform that facilitates collaboration with internal stakeholders and external auditors.
Our team is trained to guide clients through audit preparation and ensure alignment with DoD expectations. This includes helping clients build System Security Plans (SSPs), perform NIST SP 800-171 assessments, and maintain documentation for audit readiness.
Our CMMC consultants meet regularly with clients to review progress, assess new evidence uploaded to compliance portals, and refine strategies. For example, in the CMMC – Monthly Consulting SoW, consultants provide monthly hours to review updates and assist with compliance tasks.
Our Managed Compliance Services provide a comprehensive governance, risk, and compliance (GRC) platform for achieving and maintaining compliance. Along with our expert services, you get our cloud-based compliance management software, which enables collaboration between our team, your stakeholders, and external auditors. We offer:
“I have very few IT related headaches and scares when it comes to our system monitoring. The techs seem to be quick to respond.”
“Corsica has been such a help and we would be fully in the dark without them.”
“Corsica is the best partner available in cybersecurity. They know what they’re doing, and they guarantee it!”
“We have full IT management— they do a great job. We can count on Corsica 24/7. We have a great vCIO.”
“A pleasure to work with and very knowledgeable staff! Working with Corsica, I don’t have to worry about outages overnight.”
“Unparalleled customer support! They know exactly how to solve any issue, and their response time is always within 5-10 minutes of my request.”
“Our experience with Corsica has been amazing and we would highly recommend Corsica 100%.”
“Corsica has been a huge help to our company in getting our devices up to date and managing our security policies.”
“Very happy with Corsica Technologies’ skill level and responsiveness to IT issues.”
Even though CMMC itself is concerned only with protecting CUI, conceptually that includes fantastic cybersecurity best practices that organizations could implement throughout their entire organizations, not just on the systems that store, process, or transmit CUI.
Welcome to the latest episode of Unraveling IT, Expert Tech Talks. I'm Daniel Goffen, VP of Sales here at Corsica Technologies. And today, I'm sitting down with our Chief Information Security Officer, Ross Filipek, to talk about CMMC 2.0. What is it? Why compliance is important? And what resources are out there to help companies navigate this process? Ross, just to start us out here, what is the Cybersecurity Maturity Model Certification? And why is that important to manufacturers and distributors?
It's a great question and one that many organizations have right at the moment. So CMMC is the cybersecurity framework that the United States Department of Defense is requiring that all its contractors abide by. So you could think of CMMC as sort of a long list of individual cybersecurity requirements. I mean, there are technical things. There are administrative and procedural requirements, but basically a large collection of requirements that contractors are going to have to demonstrate that they satisfy in order to be eligible to bid on contracts to work for the DOD.
So can you explain a little bit more in detail the different levels of CMMC and how each specific level has different requirements?
So CMMC version two, which is what the proposed version of the CMMC framework is currently, is organized into three different levels: levels one, two, and three. So from the bottom, level one, you could kind of think of this as a baseline sort of cybersecurity posture, includes very basic requirements. In fact, it's intended for contractors who are going to be working with something called FCI, or federal contract information, exclusively.
So if you're a DOD contractor and you know that you don't work with any CUI or Controlled Unclassified Information, you only work with FCI, chances are pretty good that you're going to be targeting that level one for compliance. So pretty light lift with that. In fact, there are 15 requirements that go along with level one, pretty easy for most organizations to attain. Level two, which is where almost all DoD contractors are gonna land, is intended for organizations that are actually working with CUI, Controlled Unclassified Information. This is the type of data that most contractors who are gonna be in the scope of CMMC are either, you know, storing or processing or transmitting or interacting with in some capacity. So with level two CMMC compliance, there are actually 110 individual requirements that those contractors are going to have to meet, and those 110 requirements are all spelled out in a document called NIST Special Publication 800-171. It's freely available online. You'll pull up the document and it's got 110 requirements in there. Like I mentioned, almost all DOD contractors are going to fall into that level two compliance category. Level three CMMC compliance is really reserved for contractors who are going to be working with highly sensitive types of information that really go above and beyond the protections that are required, level two. With level three, you know, you've still got all one hundred and ten of those NIST 800-171 requirements, but then we also add around 30 additional requirements that are catalogued in NIST 800-172. Basically these levels all build on one another, but almost all DOD contractors are going to fall into that level two categorization.
Where do I start? Let's say that I'm a DOD contractor or even a subcontractor working with a large governmental, privatized organization like Boeing. Where do I start? How do I assess where I'm at within the level two CMMC framework?
Yeah. Yeah. So that's a great question.
So the first thing you need to do is get an understanding about what level of CMMC compliance the contracts that you want to bid on are going to require. So in other words, when the DOD goes to issue an RFP, you know, so they can get bids for that contract, in that RFP they're gonna clearly say prospective bidders need to be certified at CMMC, you know, level one or level two or level three or whatever that is. So what we need to do as contractors is try to get an understanding about what the level of compliance is gonna be required of us so that we can be eligible to bid on the RFPs that we want to bid on. In addition, you know, a lot of contractors already know whether they're storing or processing or transmitting CUI. CUI in theory is already supposed to be labeled as such when it's received from the DOD or from whatever organization is supplying that information. So, yeah, this can be in the form of, like, a watermark on a document or metadata in an electronic file. But, I mean, it should clearly say CUI or controlled unclassified information or something to that effect.
Has there been any timeline of when this regulation is going to be strictly required? And has that timeline moved? What does that look like in the marketplace today?
Yes. Some of you may remember, a number of years ago, we started out with the original CMMC, which was tabled and kind of reworked into this CMMC version two. Currently, we are in what's called the proposed phase of CMMC version two. So in late December last year, 2023, the Department of Defense released what's called the CMMC version two proposed rule, and in that document they talked about all the requirements that they are proposing to require if CMMC version two were to go into effect.
So the idea behind that, you know, issuing that proposed rule, is that they wanted to give contractors and other stakeholders an opportunity to read those proposed rulings and give them a chance to comment and provide feedback, and all those comments are things that the DoD takes into consideration as they draft what's called the CMMC final ruling. The final rule is targeted to be released either late 2024 or early 2025, but we don't have a firm date on that yet. So until the final ruling comes down, CMMC, you know, is still technically in just a proposed phase rather than an enforceable phase.
But we do feel like that there's going to be a hard and fast ruling on this very soon and that this will be a strict business requirement. Is that correct?
It will be. Yeah. So it's not going to be effective from day one. You know, it's not like January first, the DOD is gonna say, okay, well, you know, here's the final ruling from this point on. You know, every prospective bidder has to, you know, have already been certified at, you know, CMMC level two. There's gonna be a ramp-up period allowed just because all of these contractors are going to have to go schedule CMMC audits with organizations called C3PAOs. Those are the organizations that are accredited to do formal CMMC audits. So, yeah, contractors are gonna have to go out and find a C3PAO auditor, schedule their audits, have the auditor come in, do the audit, issue the certification. And, you know, there are a lot of contractors. There are relatively few C3PAOs. So that process is going to take a little bit of time.
That's interesting. Let's say that I'm a contractor, manufacturer, distributor, and I'm a small to medium sized business and I want to assess what I have today. Do we have any resources that could potentially help with that?
Oh, absolutely.
So Corsica provides what we call CMMC gap assessments. So we are already confident that the core framework for CMMC version two level two is going to be that NIST Special Publication 800-171. That's, you know, that's been out for quite a while. So we help organizations assess their own posture, you know, the way that they're currently storing, processing, transmitting CUI against that NIST 800-171 framework, and through that process we could identify, you know, which requirements they are compliant with and which requirements we need to figure out, you know, ways to fix or ways to improve our processes so that we can become compliant with them. So even though CMMC is not a final ruling yet, we've still got plenty of information that we can use to be improving our own processes and our own technologies to put us in a better position to pass our audit once the final ruling is issued.
So once you've had that initial audit, the final ruling has been in effect for some time. Do you think that the requirements are going to change over time? Is this going to be a moving goal post, or is this something where I put the policies, procedures, and controls in place, I have the security risk measured on an annual or semiannual basis, I'm good to go? What do you think is the future impact of this?
Yeah. Yeah. So if there's one thing we know about the cyber threat landscape, it's that it changes every day. Right? So I would very much count on CMMC not being a static type of regulation, at least not in the long term context. I would expect new requirements to be added to CMMC over time, and then organizations here are gonna have to continually be re-audited and make sure they keep up to date with compliance with everything that's required.
So knowing that cybersecurity is a moving goalpost, the CMMC, the concept of it help contractors more than just the CMMC compliance? Is there an attitude about cyber security that's shifting in the landscape by adopting this NIST best practices?
Yeah, yeah, that's a great question. So even though CMMC itself is concerned only with how an organization is protecting CUI, yeah, conceptually that NIST 800-171 framework includes fantastic cybersecurity best practices that organizations could readily take and implement throughout their entire organizations, not just on the systems that store, process, or transmit CUI. So if you're an organization and you have not already adopted some type of cybersecurity framework, you know, basically like cybersecurity roadmap, if you will, that you're working towards to make sure you're as well protected as possible. Yeah, that NIST 800-171 framework is really a fantastic resource that can be adapted for general cybersecurity best practices that are applicable to the entire organization.
Switching gears here for a second. How long on average does this process take? Obviously, it's gonna depend on where you're coming from. But from initial investigation of what you have, policies, procedures, and assessment of the gaps. How long does it take to implement and be fully in certification of those one hundred and ten controls?
That's gonna vary quite widely. And it really just depends on, as an organization, how familiar are you with exactly how you are currently storing, processing, transmitting, using CUI. You know, if you're really on top of that and you understand very clearly what systems are involved in the processing of CUI in some capacity and you know exactly how that information flows around your environment, you are going to be able to much more quickly capture the evidence, you know, to show the auditor what he or she is going to want to see and build your documentation, your system security plan and so forth. Conversely, if you're in a position where, you know, you say, well, you know, I don't even know if we have CUI or not and you have to undertake, you know, sort of a deep dive throughout the environment.
And that can really add a lot of time to the process. So, really, the more you know about your own environment, the quicker the process is.
Well, let's talk about that a little bit. Are there specific categories within CMMC that matter? And if there are, what are they?
So there are numerous categories of CUI. So CUI, you could kind of think of sort of a higher level label for types of information that need to be protected but maybe not to the degree that they would be considered, you know, secret information or classified information or, you know, something that is a higher security level. So CUI, you could kind of think of it as occupying the space between classified information and public information. I mean, there are a lot more, as far as the government's concerned, a lot more, you know, classification labels between those. But
Well, I'm thinking about, like, user security training, user awareness training. Is there certain categories that fit into standard cybersecurity frameworks and best practices?
Yeah. Yeah. Like I was saying a couple of minutes ago, you know, taking that NIST 800-171 framework which, you know, contains all the specific requirements that are written to, you know, make sure you're protecting CUI, any organization could those to expand the scope, you know, beyond CUI and just say any, you know, sensitive data, for instance, that the organization, you know, is entrusted with protecting. We need to train our users about how to recognize that, about how to protect it. We need to train them to, you know, not email it out to external recipients, not to print it out and, you know, leave it sitting on the printer for anybody to walk up and pick up the paper. So, yeah. All of that translates very well towards an organization just really expanding the scope to their entire environment.
So, Ross, for anyone listening, what are the next steps if they're just getting started in the process or they're quite a ways through that they could take to potentially benefit themselves and learn more?
Yeah, another great question. So there are fortunately a lot of tools that are commercially available that an organization can use to assist with performing a CMMC gap assessment. So these are generally software as a service platform type offerings where you create an account, you log in, it's gonna take you through all those 110 controls and give you the opportunity to, you know, write a description of how you are accomplishing that, attach evidence to demonstrate that you're accomplishing that requirement. So, for organizations who are, you know, think they'd be self-sufficient for doing that, you know, by all means, it's, you know, if you've got the resources to do it, that's a great thing to get started on. However, we do have a lot of clients and other organizations that come to us for assistance with that process. Certainly, Corsica can help you as an organization walk through that process and guide you in every step of the way.
Ross, this has been awesome. Thank you so much for the time. Really appreciate it. And, anyone listening in, feel free to contact us as well. Always willing to help. Thank you so much.
Yep. Thank you.
For official CMMC certification, you must work with a CMMC Third Party Assessment Organization (C3PAO) for formal assessments. Registered Practitioner Organizations (RPOs) can help prepare your organization for certification but cannot issue certificates.
Level 2 readiness typically takes 6-18 months, depending on your organization’s security posture. Organizations with existing programs may achieve readiness in 6-9 months, while those starting from basic practices may need longer.
CMMC gap assessment costs vary; small organizations may pay $15,000-$35,000, mid-sized companies $35,000-$75,000, and large organizations $75,000-$150,000 or more, depending on complexity and assessment scope.
Yes, organizations can maintain operational continuity by implementing controls in phases and during planned maintenance. Working with experienced consultants helps minimize disruption while achieving compliance.