Troy Fine, a certified CMMC registered practitioner and provisional assessor at Schneider Downs, gives us the lowdown on where we are with the CMMC journey at the end of 2020 and how DIB contractors should get started.
This is Ryan Boder with The Anchor. Today I’d like to welcome Troy Fine from Schneider Downs to talk about CMMC. Troy was recently certified as one of the first 100 provisional assessors for the CMMC. Can you tell us about that, Troy? What does it mean to be a provisional assessor?
Yeah, definitely. Basically, the CMMC has created a pilot program for the CMMC assessment process. As part of that assessment process, they randomly selected a hundred individuals, based on their background and experience doing similar assessments or their experience with requirements or DOD assessments. They selected a hundred of us to go through the training. If we passed the exam, we became a provisional assessor. As part of this program, before they actually get it up and running, they needed to get some assessors out there to help pilot the program, get these first contracts assessed with the primes and subs, and provide feedback to the CMMC AB and the DOD about how to improve the program and where there might be pitfalls, where there might be things they can improve, things that are good. So that’s the idea of this program. Luckily, and fortunately, I was selected as one of those assessors.
Awesome. Well, congratulations. I guess that makes you kind of a guinea pig as you’re helping them figure this out along the way, but also you’re somebody who can help contractors in the DIB who are trying to work toward achieving compliance themselves. So that’s fantastic. Let me ask you a question about it then. As a government contractor, as a DIB contractor, how do I know which level I’m going to need to be certified at?
Yeah, so it’s a good question. If I were a contractor right now, technically as these contracts are coming out, they’re supposed to be putting the level that’s required in the contract, but if you’re unsure of what the level is, I would definitely reach out to your contracting officer if you’re a prime. If you’re a sub, I would definitely reach out to your representative and ask them what level you think you’re going to be. If you have controlled unclassified information (CUI), you’re going to have to be level three. Level one is only for federal contract information (FCI). The question really might not be what level, it’s do I have CUI? I know that’s a hard question to determine right now. I know there’s a lot of information they’re supposed to label as CUI, and it’s not always being marked appropriately. That’s probably difficult to figure out, but try to put the onus on your prime, your contracting officer at the DOD. That’s really the way to figure it out, but right now, if you have CUI, you’re going to have to be level three.
Got it. If that’s the case, then by when would I need to be officially certified? How do I know when I need to do this by, and when should I get started?
Another good question. When to get started, it’s kind of a wild card, I would guess. Obviously the right answer is now, get started as soon as possible, just because you don’t know when that new contract or that new RFP might come across your desk. Again, it kinda comes down to that CUI question: if you’re working with a prime, or if you’re a prime and you work with DOD and you have CUI, you might as well get ready now and start going towards level three. I mean, even though CMMC is not going to be required for everybody until 2025, they’re doing a phased rollout, and they’re only prioritizing, I think, 15 contracts in fiscal year 2021, but of those 15 contracts, they are assuming that each prime has about a hundred subcontractors, right? They’re assuming that in fiscal year 2021, 1,500 organizations will need CMMC.
I don’t know, level three versus level one. I really have no idea what that breakout will be off the top of my head. I think those numbers are out there. Again, it comes down to CUI, and if you have it, technically you are already supposed to be in compliance with NIST 800-171 anyway, so you should already be close to it. If you don’t think you are, yeah, I would probably get that in the budget for 2021 as soon as possible and start preparing.
I see. Let’s say, theoretically, that even though I’m supposed to be compliant with NIST 800-171 today, maybe we haven’t really done a whole lot and haven’t really put a whole lot into that yet. How long would it take for a typical company to roll this out completely? I mean, is this something we could knock down in a month, two months? Is it more like a six-month to a year type effort? What’s the size of the effort here?
Assuming? Well, I guess I’m assuming you’re already in compliance with NIST 800-171, already in comply…
Assuming I’m not already. Assuming I haven’t done anything because I didn’t know better before.
If you haven’t done anything. Well, CMMC level three has 130 practices or controls. I’ll use those terms interchangeably. It’s probably going to take a good minimum of six months to get ready, if I had to guess. That’s if you have the time, you prioritize it, you have somebody driving the project, you have the C-suite on board and willing, and they give you the budget. That’s probably the quickest. I would guess it’d be six months if you haven’t done anything.
Okay. Even if I’m not going to be bidding on one of these contracts in 2021 that’s going to require CMMC compliance, I better get started. If I haven’t already gone down the path, I mean, I better get started if I want to bid on contracts in 2022, is what it sounds like.
Yeah. Technically the rule says that you don’t have to be certified until the contract is awarded. You can still bid on contracts without the CMMC certification in your hands, but I don’t know how long it’s going to take between an RFP and getting awarded, but I have a feeling it’s probably a shorter time period than it will take for you to actually get ready. If you haven’t done anything, I would definitely assume that you’re going to need it, especially if you do a lot of work already in that space. I think it’s a no-brainer. If you only have a few contracts in that space, and it’s a small portion of your business, that’s a different question, right? Do I spend all this time getting ready and doing this for 5% of my revenue? I don’t know, right? That’s where that risk-based question comes into play, ROI, and companies are going to have those conversations, but I guess they need the information to get it to the C-suite, to have the appropriate conversations with them.
Okay. Well, that actually leads into another good question. There’s the old adage: you can either have it fast, or you can have it cheap. It’s probably the case that the sooner I get started, the less expensive this is going to be. If I have to rush, it may end up being a bit more costly in the long run. Can you give me any idea, maybe from the perspective of a company who hasn’t done anything yet and probably isn’t NIST 800-171 compliant, how much is it probably going to cost, as an order of magnitude? Also, maybe from a company who is NIST 800-171 compliant, so they’ve already done a lot of the work. What do you think it might cost for a company like that? And how do the two compare?
Yeah. I don’t know if I have exact numbers. I can tell you from an assessment perspective that if you only need to be level one, it’s probably going to be under $10,000 for the actual assessment. It’s only 17 controls. If I had to guess, level one is really small. It’s basic. You don’t need to do much. You get to level three, you’re jumping up to 130 controls. You can imagine if I’m 10X in the number of practices and controls. I don’t want to say the price is an exact correlation to that, but it will be substantially more for a level three assessment because an auditor, or an assessor, has to now look at 130 controls instead of 17. As far as preparing, that’s a really hard question for me to answer, because I don’t know all the tools you’d have to purchase, but I mean, 130 practices: you have to have a SIEM tool, you have to have a vulnerability scanner, you have to have a penetration test performed. You have to, maybe, hire somebody to drive this compliance internally. The salary of the person driving it might be the most expensive, or a consultant to help, so the price of preparing could well be way more than the actual assessment, if I had to guess, for somebody that has not been in compliance with NIST 800-171.
For somebody that feels they’re already in compliance with NIST 800-171, it’s only 20 additional controls to get to level three. For level four and level five, the requirements are not a hundred percent published yet. I don’t know the delta exactly there. For level three, it’s 20 additional controls compared to NIST 800-171. I don’t imagine it would be too much of an expense to get those additional 20 controls. The assessment is probably gonna cost more than the preparation for those companies.
I see. It sounds like it could range anywhere from under $10,000 to, maybe hundreds of thousands of dollars, depending on your situation. You’re not going to know until you actually dig in and find out. The sooner you start looking into it, the sooner you’ll know how much this is going to cost and what this is going to take.
Yeah. I would say looking at the assessment guides that were published recently, like for level three, that is a good starting point: going through that guide and understanding, okay, here’s all the practices I have to do. How are we going to accomplish this? Oh, we need to probably purchase a DLP tool. We need to maybe move to GCC High. Like you can see how the prices could definitely jump up fairly quickly for preparing.
Yeah, absolutely. Absolutely. So I guess I’m curious then, like, what are some gotchas that I might have to watch out for? What are some things that might be unexpected, that I should keep in mind or take into consideration as I move forward down this path?
Yeah. I’m sure a lot of people out there have been seeing the GCC High questions: do I need to be in GCC High to be CMMC compliant? The reason I bring that up as a gotcha is because technically, as part of DFARS 7012, the only way you can meet DFARS 7012 if you’re using Office 365 is if you’re in GCC High. GCC High and DFARS 7012 don’t necessarily mean you need that for CMMC, which is DFARS 7021. However, there’s a good chance that all the DFARS 70 series are going to be in future contracts, right? So they’re going to be kind of correlated with each other. If DFARS 7021 is in your contract, you’re probably going to have DFARS 7012 in your contract anyway, so you don’t need it for CMMC, but you need it for DFARS 7012. Chances are, you’re going to have to move to GCC High. That could be one gotcha. ’Cause if you’re a big organization and you have a thousand licenses for Office 365, and you have to now add $20 or $30 a month, potentially, for GCC High, that’s a huge expense that a company might have.
Definitely. So I am curious then, why does DFARS 7012 require using GCC High?
I’m not an expert in DFARS 7012, but from my research, the reason is because Microsoft only guarantees that the data will stay in the US if you’re in their GCC High environment. They guarantee that only US persons and citizens will be the ones supporting your environment and have access to that data in GCC High. If you’re using their commercial environment, they don’t make those guarantees, which is why you cannot meet the requirement. Also, I believe there are incident response requirements as part of 7012 that they also won’t guarantee unless you’re in the GCC High environment as well. Like you have to retain logs for a certain number of days. They have to report incidents in a certain timeframe. They’ll only guarantee that stuff in their GCC High environment right now.
I see. If I’m not using Office 365 or OneDrive, if I’m not using the Microsoft cloud, but rather using on-premise storage and on-premise software, can I avoid the problem of having to be in GCC High? Is that an alternative way to do it, maybe a lower-cost way, depending on my situation?
Yeah. It could be a lower-cost way, definitely. Right. Depending on your IT department’s willingness to support an Exchange server. I’ve never done it before, but I’ve heard that it’s never a fun thing to do. You’re going to have to add costs from a time perspective there for support; you might have to hire an Exchange server person to help support that. The other idea, too, is if you’re creating this enclave for CMMC and only 10% of your company maybe needs to access CUI, maybe you have them as the only ones that are using the Exchange server on-site. Now you only have to support 10% of the users rather than a hundred percent. The rest of the 90% can still use the standard Office 365 environment. It’s a possibility, and again, I’m not an expert, so you still have to make sure that it is truly an enclave, and there are no connections between the environments.
These users only have access to that Exchange server or where CUI is. You could definitely avoid the costs there, potentially, but it’s hard to measure what additional costs you might bring on by doing it on-premise. You have to guarantee that, obviously, only US people are supporting that Exchange server. You still have to follow the DFARS 7012 rules, but you have control over who supports that and who has access to it, versus relying on the cloud environment. Obviously the incident response rules you have to now consider as well, and take more ownership of that.
Got it. Okay. That makes sense. So then, maybe on to another gotcha. This is something you’d mentioned to me before: can you tell me about SSPs and POA&Ms and how they play into the new CMMC?
Definitely. Yeah, so I think with SSPs, everyone kind of assumes you need an SSP, you have to have POA&Ms, and at level one you actually don’t need an SSP, which is kind of interesting. But it’s only 17 controls, so I guess that makes sense. I mean, the SSP is supposed to cover the whole environment, and you don’t really need documented policies and procedures at level one either; you kind of just need to do it and show that you’re doing it. It doesn’t need to be documented and planned for maturity. There’s not even a maturity level for level one, actually, which is interesting. Maturity levels start at level two, actually. So it’s kind of interesting. Basically they’re not too concerned about maturity at level one, because they’re assuming that you’re not getting the CUI, so CUI doesn’t come into play until level three again.
Once you get to level three, there is a practice, I can’t remember the number off the top of my head, but there are practices that talk about having a documented SSP. And there’s one about documenting POA&Ms. Now the thing about POA&Ms is they can’t, if you have a POA&M as part of your SSP…
Sorry to interrupt you, what is a POA&M?
The POA&M is the plan of action and milestones. If you identify a failure or a risk, you have to put a plan of action and milestones in place. Somebody has to own that POA&M. You have to have a remediation plan, you have to have a timeline associated with it to remediate that failure, that risk that you identified.
I see, it’s like your plan for being good. Yeah.
Yeah, yeah. It’s a plan to remediate, that’s the better way of looking at it. You’re supposed to follow up on those milestones. You’re supposed to track them, like you’re supposed to have a process in place, which is good. I’m all for that. The thing is, for CMMC, technically in order to pass CMMC it’s all or nothing. If there are 130 practices at level three and you fail one of them, you cannot be certified to CMMC, technically, and you can’t say, oh, we have a POA&M in place to get there. It’s still a failure. Technically you’re not allowed to have a POA&M associated with a CMMC practice to pass CMMC. You can have POA&Ms, and you’re supposed to have POA&Ms, for emerging security issues that have nothing to do with the CMMC practices. It’s kind of a chicken and egg thing.
Well, how do I have POA&Ms if I am not supposed to have POA&Ms? So I’m not exactly clear on how that’s going to play out in the real world, but yeah, technically POA&Ms are not allowed for a CMMC practice.
All right. Well, that is interesting. Could you tell me about the rule that went into effect in November, and how does that affect me as a DIB contractor?
Definitely. Yeah. I’ll say right off the bat that the November 30th effective date is not a deadline. I know there are a lot of people out there trying to sell fear, uncertainty, and doubt, saying, hey, we’ll help you meet the November 30th deadline and submit your questions here, or submit your self-assessment here. Technically November 30th is just an effective date for the rule. What the interim rule did is it added DFARS 7019, DFARS 7020, and DFARS 7021. At a high level, DFARS 7019 talks about how in the interim, until you have to be CMMC certified, you’re supposed to be submitting a self-assessment to the SPRS system at the DOD, which is like their supplier… I can’t remember exactly what it stands for, but it’s their system where you have to submit your score to say, hey, are we in compliance with NIST 800-171?
Before, you just had to self-attest and say, yeah, I’m good. Now they actually make you perform a test and put it into their supplier management system. That’s number one. Technically you do not have to do that as of November 30th, but they can’t retroactively add DFARS 7019 to an existing contract and force you to do that. It’s really for future contracts. So when they are now submitting RFPs and awarding contracts, they are now required to check the supplier management system and say, hey, does this prime have their score submitted? And by the way, do all their subs also have a score submitted to this system? It’s a self-assessment; you have to answer all the questions. You can have POA&Ms associated with it. I don’t know how they’re going to use the scores. I don’t know if somebody says, hey, we’re not doing anything, we have a score of 10, does that mean we’re automatically disqualified from the contract? Technically the rule doesn’t state anything on that. It’s kind of open for interpretation at this point.
It kind of sounds like the real deadline, then, is when I’m going to bid on a contract that has that clause in it.
Or when your prime is going to bid on a contract and require you to be part of that contract. If you’re a sub, that could be a little more difficult to figure out, right? So a lot of the primes are like, we don’t want our subs to hold us up. They better get their scores in there. We’re not going to pay our subs until they get their score in there. I’ve heard that kind of stuff is going on, but the sub is like, wait, I’m not actually required to do this yet. I don’t even have DFARS 7019 in any of my contracts with my prime. They don’t, because it didn’t exist until a month ago. But the primes are in kind of a tough position, right? I mean, if I was a prime, I don’t want my sub to hold me up on a huge contract in the future that might come up, I don’t know when.
Right. I don’t want that to delay me. I understand why the primes are doing that. It’s, again, a chicken and egg thing. I can submit the score, but if it’s a bad score, I can’t really lie in the system. That’s a false claim, and that could be really bad. I could get False Claims Act violations against me, which would cost millions of dollars or even more, put me out of business. You don’t want to lie in that system. I do not recommend being untruthful. Even if it’s a poor score, it’s better than saying you have a higher score when you actually don’t. That can be detrimental. I would not recommend that, especially for anything with the government.
I think it seems unnecessary to say you don’t want to lie on there, but I think you’re probably right. I think it can be incredibly tempting because you want to keep doing what you’ve been doing. Yeah, it’s a tough situation for everybody. We’re all trying to figure out how to get this working together. The primes have their position, and the subs have their position, and then the government has their position.
And I would say DFARS 7020, just to add on what the rule added: the DOD can now do inquiries based on the risk of the contractor. If it’s basic, medium or high, the DOD now has some teeth to do their own assessment on the prime. And subs, actually; only the primes can do it on the subs. The primes have to figure out the subs, but yeah, they can actually do their own assessment, and it has to be done once every three years. They submit their score to the supplier management system. That’s what DFARS 7020 and 7021 are for. That’s where CMMC comes into play. In my opinion, DFARS 7019 and 7020 were put into play because they can’t roll out CMMC fully until 2025. I think DFARS 7019 and 7020 are there to give teeth to the DFARS 7021 requirement, because they can’t do CMMC for everybody until 2025, but they didn’t want people not having to do something.
So that’s my opinion. Yeah, exactly. That’s kinda what the interim rule did. Hopefully that kind of clears it up.
So what happens, then, if I’m doing my best, I do everything that I know to do, and I fail the assessment? What happens if we go through the process and we didn’t achieve all 130 controls for level three?
Yeah. Technically, unfortunately, you wouldn’t be allowed to be awarded the contract that you were bidding on. Actually, that’s another reason why I might have a C3PAO assess me prior to an actual contract being needed. In case you fail, you’re going to need to go through the assessment again, unfortunately. At least you’re not losing a potential contract by failure. The other thing is, there is a remediation process that can be put into place. However, let’s say you do 130 controls and you fail three of them, and you’re like, well, it’s only three controls. You have a remediation period. I don’t want to have to go through all 130 controls again, provide evidence, do all these things for the assessor. If your C3PAO agrees to it, they can submit a remediation request to the CMMC accreditation body and explain why they feel remediation should be allowed. If the CMMC accreditation body agrees, the organization seeking certification will have 90 days to remediate those practices. As long as they can show maturity for those three practices that they failed, and the C3PAO can come back and assess those three controls, they can remediate those within 90 days, get a pass for those three controls, and then pass the certification on it.
The other thing that could happen is the organization seeking certification can submit an adjudication request to the accreditation body. What that means is, if the organization seeking certification feels that the C3PAO did not do something correctly, they did something unethically as part of the assessment, or they misinterpreted maybe an artifact they were provided, and they actually feel they passed some of the practices that the C3PAO said they failed, they can submit adjudication requests to the accreditation body.
The accreditation body will review the adjudication request, and perform their own review if they feel that it warrants a review, if they feel that the adjudication request is appropriate. They’ll then do their own review of the assessment and determine, if yes, hey, this artifact actually did meet the CMMC practice, we’re going to pass you now. That’s a possibility where you can kind of, I don’t want to say submit a complaint, but you can push back on what the C3PAO assessed you at.
Yeah. If you think that something maybe wasn’t quite fair or wasn’t applied right in your assessment, you do have some method of recourse.
You have some method. I don’t know, though. It’s like when you take a test, right? Your professor says, hey, if you feel like you got the answer correct, submit why you think it’s correct and I’ll take a look at it. Then 99 out of a hundred times they never change the answer. It could be something like that, I don’t know. I don’t know if there’ll be a cost associated with the adjudication process, because the accreditation body internally will have to do their own work and take time to do things. I don’t know if they’ll charge the organizations submitting the request a fee to do that. I’m not a hundred percent sure on any of that.
Gotcha. But that is super helpful. I think we’re kind of running out of time here, but I really want to thank you for your time and for sharing this valuable information. Let me wrap it up with one final question. How do I get started? What’s the best way to get going down the CMMC compliance path? Where should I go? Who should I talk to? And what do you recommend?
Definitely. Yeah, so I would start by opening up the CMMC level three assessment guide. You can find that on the DOD website, or if you just Google "CMMC level three assessment guide," and that lists every single practice and guidance on how to implement each practice. I would start by looking through that. It’s a fairly large document, it’s probably 400 pages, so it’ll take a while to go through, but that would give you a really good idea. Okay, where do we stand? What maybe do we have to do? Where do I go from here? How close are we to this? Then I would probably bring on a registered provider organization. An RPO is somebody who’s been assessed and gone through the background check to become an RPO by the AB. Go to the marketplace, find an RPO, maybe have them perform a gap assessment, maybe do a mock assessment on you, to see where you stand.
Because a lot of times the first thing that people are going to have to do is document policies and procedures, and for 130 practices, that could take a while. You might want a consultant to help you do that because somebody might not have time internally. So I would do that. Do a gap analysis, have them help you figure out where you stand, and then maybe they can help you implement controls as well, and write those policies. Once you kind of do that, you can then start to think about, okay, am I ready for an actual C3PAO to come in and do an assessment? Now, if you do use an RPO, they’re not allowed to do the assessment on you because of a conflict of interest. And there are separation rules there they have to follow. We’re not allowed to assess anybody we consult with.
That’s probably what I would do. ’Cause a lot of it is going to be getting the right budget in the hands of whoever handles security to get what they need in order to get CMMC level three. Again, it’s going to be that ROI discussion with the C-suite. I mean, you’re getting X amount of business. I think it’s going to cost us X amount of money to prepare and then get the assessment. Is it still worth it to us to do this business if a new contract comes our way? Having those discussions early on and trying to estimate that is going to save you a lot of time scrambling later on, I think, and by getting people on board you’ll understand where you sit. I don’t think I would go through 130 controls, do a gap analysis and do that without having those conversations with the right people internally, because you don’t want to waste your time preparing if it’s something that the business doesn’t want to continue doing anyway.
Well, that’s really good advice. All right. Well, thank you so much, Troy. Once again, Troy from Schneider Downs, as a certified registered practitioner, you’re somebody that can help companies start going through this process and provide that consulting. We’ll include your contact information here in case anybody wants to reach out to you directly. Thank you for your time today. I really appreciate it. It’s been great talking to you again.