In a recent podcast interview with Cybercrime Magazine's host Charlie Osborne, Robert Davies, CEO at Stealth-ISS Group, and Dasha Deckwerth, President and Founder of Stealth-ISS Group, discuss CMMC, or the Cybersecurity Maturity Model Certification. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast, sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can learn more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Charlie: Robert, Dasha, welcome. Thank you for joining us today.
Robert: Thank you for having us.
Dasha: Thank you.
Charlie: So the main topic of this episode is Cybersecurity, Maturity Model Certification, otherwise known as CMMC. Let's begin with the basics, Robert. Perhaps you'd like to start us off by explaining what it actually is and what the overall impact is on those that need to comply.
Robert: Sure. So, it's targeted very much at the US DoD supply chain contractors. So, I guess the US Government got fed up seeing new Chinese warfighters looking very much like American warfighters and decided to do something about that. So, it's a very stringent set of cybersecurity requirements built predominantly to help companies build a culture of cybersecurity, which is seen to be quite lacking. CMMC has been quite an arduous journey. We're about to embark on CMMC 2.0 because 1.0 wasn't very well received. The impact is that over time, as the requirement rolls out and new contracts receive the language for CMMC 2.0, if the early supply chain contractors are not certified, then they lose the ability to bid on or win DoD contracts.
Charlie: Right. And Dasha, anything to add?
Dasha: No, that's really it. I mean, it started out, as Rob said, with DoD, but considering it is the entire supply chain, we're suddenly looking at everybody else outside of the US that is supplying some kind of service or product. So, let's take a look at manufacturing, for example. There's a lot of stuff that is being created for the supply chain, let's say, in India or China or Korea. We've got NATO allies that we work with that are part of the supply chain. So even though it started with a DoD, if you take a look at the big picture, this is pretty much global.
Charlie: And as Robert mentioned, the deadline for CMMC 2.0 is coming up for 2024. Dasha, are there any significant changes in this update? And what could that mean for companies?
Dasha: So DoD is planning to use NIST 800-171 as a baseline. Now, NIST 800-171 has been, I think, 2 months ago, revised to a new version that has included significant changes there. So yes, it will have some significant changes around requirements, more documentation, better-defined processes, including annual risk assessments that are not related to CMMC. You know, those kind of things that are to be expected. However, the CMMC 2.0 or 2.1 or 3.0, Whatever will be that has not been finalized yet. It will come out for decision-making and for commenting, hopefully very soon, but for now, we're waiting.
There are several groups in the CMMC space, including C3PAOs, including C3PAO candidates like we are, or even certified assessors, or provisional or former provisional assessors like us, that are helping to drive the message towards the DoD on how to change things to make it feasible and make it achievable because a couple of comments that we've heard from DoD were not really achievable, and if that comes into the rulemaking, this will have a huge impact on not just the supply chain but its companies as well. So we're trying to influence it a little bit to make sure it is all achievable, what the DoD is planning.
Charlie: And what are the potential consequences of noncompliance when it comes to these changes? Robert, if you would perhaps like to comment.
Robert: Sure. So, CMMC is pass or fail. Previous standards have suggested poems and promises to do things in the future that work to some kind of indeterminate date. That's how the DoD has progressed today. But, as I say, CMMC is pass or fail. It's binary. So, you have to pass all of the controls and evidence that you have done so before you can get your certification. From there, that gives you the ability to bid on and win Federal contracts. Without it, of course, that ability, that right, if you like, goes away.
Charlie: Thank you for diving into the details of that. I mean, it sounds like companies really should make sure they can comply as and when it's possible. So now, what steps could be taken to ensure compliance with a new update? Dasha? Perhaps you could provide our listeners with some tips and tricks.
Dasha: Sure. I think the biggest one is to get started in becoming compliant. And I think that's been a struggle with a lot of companies. They take a look and, "Yeah, it's technically, it's NIST 800-171. Yeah, we got it all covered. We got it covered. We're good." However, we've seen in the past, when we do consulting, or pre-assessments, or kind of status quo for several companies, we notice that they are far from being even close to achieving it. And this is not just us that seen it.
I believe Exostar did an assessment as well or kind of gathered information, and based on their stats, it's about 80% of the companies that think they are compliant, are not compliant. And usually, it's an interpretation. So my recommendation for those companies is, if you think you're good, get at least a sanity check with somebody that is in the space of CMMC that may have gone through the dip pack assessment themselves, like we did, or have done the certification, or the training, or all of that stuff, to really understand. Are you really compliant? How far off are you? Because there is a specific requirement that the DoD puts on to validate, are you compliant, are you not? It's not just, "Yeah. Yeah. We have access control or we use vulnerability, scanning." It's do you have it considered? Do you have a baseline? How often do you do it? Do you have to report? Who does it? Who accesses it? All of these questions that tie into, "Am I doing vulnerability scans or not?" And I think that's why a lot of companies fail. And that's why it's critical to get a sanity check from somebody that knows this area.
Charlie: And Robert, anything to add?
Robert: Yes, CMMC AB haven't helped themselves over time. There's been this tortuous route to whatever the standard will be, and that has caused companies to look at this and say, "Well, this is just another one of those things. It's never going to happen. It's not going to affect us." And, as Dasha said, a lot of companies think they're relatively secure, and it won't take very much to get there. Well, sorry, CMMC will happen. It will roll out. And further, to Dasha's comment, you're probably not as well advanced along your journey as you need to be. Given that, from a standing start, this can take 9 months to implement. Bear in mind it is a maturity standard. So, fixing something on a Tuesday does not necessarily mean that you can gain certification on a Wednesday. You have to have evidence these things over time.
Charlie: Thank you both for joining us today.
Robert: Pleasure. Thank you.
Dasha: Thank you so much for having us.
