DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, and Tom Cornelius, who currently serves as both the senior partner at Compliance Forge, and senior director at the Secure Controls Framework Council, discuss the latest views the Cybersecurity Maturation Model Certification, or CMMC. The podcast can be listened to in it's entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is Tom Cornelius, who currently serves as both the senior partner at Compliance Forge, and senior director at the Secure Controls Framework Council. He brings over two decades of leading professionals and innovating solutions to complex problems in both the private and public sectors. Welcome back Tom, it's great to have you with us today.
A: It's a pleasure to be back. Thanks for having me.
Q: So, Tom, let's discuss the new Department of Defense (DoD) Cybersecurity Maturity Model Certification or CMMC. Is CMMC a new requirement?
A: Relatively speaking, it is new. Version one of CMMC was released in January of 2020. But it's been well publicized that it's been coming, so it really isn't technically new. CMMC is really an offshoot of a failed rollout of NIST 800-171 that was enacted back in 2018. This is where companies that are in scope for 800-171, they were able to self-attest, that they were they were compliant with 800-171 and merely document all the issues they had a risk at register which is commonly referred to as a Plan of Actions & Milestones or POA&M.
So companies weren't actually fixing their vulnerabilities. They were just accepting to be a POA&M. So the DoD developed CMMC to force these defense contractors to comply with 800-171 controls and a few additional extras. And on top of that, have a third-party assessment model so that you're going to have a Certified Third Party Assessment Organization, or a C3PAO, to come and actually perform an assessment, so no self-attestation will be accepted.
Q: And so is it true that CMMC is impacting, not just the defense industrial base, but general IT and support services that are not traditional DoD or government contractors?
A: Oh yes, it's a trickledown effect of the supply chain that not only supports the US Department of Defense or defense industrial base, but Federal Government and just all of the primes and subcontractors that support that entire construct.
So this is really where it's all about the data centric nature of CMMC, where any organization that stores transmits or processes Controlled Unclassified Information or CUI, is required to comply with NIST 800-171 and therefore with CMMC. So these general IT and support, like Managed Service Providers are prime targets for CMMC based on how those MSPs have access to their client networks.
Q: And so what are the ramifications for companies that fail a CMMC assessment?
A: So CMMC is really a gateway to be able to support the defense industrial base. Without a passing CMMC certification defense contractors will not be able to bid on or participate in a contract that contains any type of CUI data. And we've already seen many large contractors are now making it a requirement for their subcontractors to have CMMC certification as a requirement to do business with that prime.
So you give it about a year or two, and companies simply won't even be able to play in the defense industrial space without having a passing CMMC certification.
Q: So where does an organization start their journey toward CMMC compliance?
A: So realistically, it starts with an understanding of, what data you have. Since a lot of companies, they may find the even though they're participating in the defense industry base that they don't actually store or transfer process to CUI. So if they don't have CUI, they still need to document how their business practices don't store transfer of process CUI. Just from the ability to prove to a larger prime. If a prime is saying you have to do this, a sub that doesn't have any type of CUI needs to be able to say based on their business practices. This is how we operate, there is no CUI, so that is not applicable to us.
But if a company does have CUI this is where they need to thoroughly document their network infrastructure and generate data flow diagrams. This is going to help an organization identify both what needs to be protected from a data perspective and also identify the overall scope of their compliance obligations.
Q: And so finally, Tom, what is the biggest takeaway that organizational leadership should be aware of in terms of CMMC?
A: So CMMC is a cost of doing business with the Department of Defense and the supply chain that supports the DoD. This is important because it's where you're going to find a lot of defense contractors that might not think of themselves like a Boeing or Raytheon, what a lot of people think of when they think of defense contractor.
But an IT provider or consultant to them, due to this trickledown effect, do become in scope. So it's better to prepare sooner rather than later. So assuming a CMMC is successful and address allowed to support the defense industrial base.
And there's already talked about how CMMC is going to expand beyond just the DoD into the US federal government. So this is really just a more of a matter of time before this expansion happens. So if an organization is compliant with CMMC it's going to open up markets. On the contrary, and not having a CMMC certification is going to close doors to both US Federal and DoD contracts, including all the supply chains that support them. So you have this immense pool of business that's pretty soon going to be basically blocked off behind a certification firewall, for lack of a better term.
Q: Well, Tom. Thank you so much for joining us today.
A: My pleasure. Thank you.
January 12, 2021