CMMC Part 1: What You Need To Know With Roger Bache Forcepoint COO - Ep. 55
The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced that it is creating a cybersecurity assessment model and certification program. Roger Bache, Chief Operating Officer at Forcepoint, discusses the ins and outs of CMMC.
Episode Table of Contents
- [00:22] Meet Our Guest, Roger Bache
- [05:06] Intellectual Property Protection: Then and Now
- [06:55] Cybersecurity Maturity Model Certification - Roger
- [08:32] What is CUI?
- [10:42] Protecting the Valuable and Critical Information
- [13:53] The Difference Between CUI and CMMC
- About Roger Bache
Meet Our Guest, Roger Bache
Eric: Welcome to To The Point. This week, Arika's on travel. She will not be with us. We're going to do a two-part episode with Roger Bache, chief operating officer of Forcepoint Federal LLC. And we're going to talk a little bit about CUI, controlled unclassified information, and the new CMMC, Cybersecurity Maturity Model Certification. Welcome to the show, Roger.
Roger: Good morning, Eric. Thanks for having me. I know this topic is of interest to many, so I look forward to a robust discussion.
Eric: It absolutely is. In fact, I get so many questions about it. And it's not even something that we can sell to help people but yet, there's so much talk about CMMC right now. But before we get into that, tell me a little bit about yourself or tell our listeners about yourself. What's your background? How did you get to the role you're in? And where have you spent your career?
Roger: Well, I'm a kid from the South Bronx and I enlisted in the Navy right after my 18th birthday and was a CT, a cryptologic technician, and went to school at night and earned an associate's degree. And I was accepted into the Enlisted Commissioning Program in the Navy and subsequently became a cryptologist in the Navy. 22 years in the Navy and retired in 1997. And I transitioned to industry. And I've been with Raytheon or a Raytheon subsidiary. I was the president of Raytheon Oakley Systems and the COO of Raytheon Cyber Products. And that transitioned into what is the government business of Forcepoint today. So, it's been a long and exciting road and really thrilled that I'm here at Forcepoint today.
The Threat Is Still There
Eric: So, 22 years in the Navy, enlisted. You went to, what we call it in the army, Green to Gold, really. Enlisted to officer. You were a Mustang essentially.
Eric: Cryptological officer, your whole career?
Roger: Yeah. Well, yeah. In cryptology my entire career, but enlisted and officer. Right.
Eric: I bet you saw some stuff. I know you were on carriers too.
Roger: Battleship. Served on Battleship Iowa back in the late '80s and served in a number of positions around the world during my 22 years. And really served during the Cold War. Saw the end of the Cold War during my watch, so that was exciting.
Eric: So, you were fighting Russia back in the day or preparing for a fight with Russia, I should say. You've seen in your commercial world, commercial time, which is almost 22 years also, I believe, you've seen the advent of China, China moving up in the nation-state activity. You've seen the wars, the terrorism wars, in the Mid-East. It seems like now, we're going a little bit back to Russia and China.
Roger: Right, right. I think the threat is still there. It's more ubiquitous than it ever has been before, particularly when we talk about cybersecurity because now, we have other nation-state players, organized crime and a myriad of other interests that can do a lot of harm from a cybersecurity standpoint. So, the threat is pervasive.
The Major Threat and the Traditional Threat
Roger: And I think that is a good segue into discussing why the government is doing some of the things it's doing, as related to improving the cybersecurity posture of not only the Department of Defense, but also of the Defense Industrial Base, the DIB, because that has been, frankly, the weakest link over the past 10 years, at least that's the perspective of many.
Eric: So, during the Cold War, the primary threat was nuclear, correct?
Eric: The major threat.
Eric: Obviously, we had a lot of other threats out there but it was primarily nuclear. What do you see in the... over your history, your 44 years or so of history, how do you see the threat evolving? I mean, we talk about cyber all the time right now. We didn't talk about that in the '80s.
Roger: Right. Well, I think we went from the traditional threats, the major nation-state actors, to a more asymmetric environment. And I think now, we're starting to see maybe a return to what people describe as a near-peer type of conflict, whereas the last 10 years or so, we've been dealing with the global war on terror and dealing with actors who were not traditional, from a nation-state standpoint, but were a large threat to us nonetheless.
Eric: Your New York accent came out on "terror." I love it. Yeah. So, I mean, when you say "near-peer," I almost feel with cybersecurity, it's easier, it's more cost-effective, to be a near-peer.
Intellectual Property Protection: Then and Now
Eric: And on the kinetic side, it's easier to steal information than it was back in the old days, both you can steal from your home country, but it's easier to exfil larger amounts of data. So, on the kinetic side, on the equipment side, you can actually take intellectual property, blueprints, whatever it may be, and create weapons of machinery, if you will.
Roger: Right. Well, with the proliferation of the internet and massive amount of data that's available today, it's an opportunity-rich environment for many actors, including non-traditional actors. So, I think the threat is pervasive and ubiquitous as I mentioned earlier.
Eric: In your experience, how has the environment changed from what we're trying to steal, how we're trying to protect information? Let's talk intellectual property. Let's say aircraft design plans or something like that. How did we try to protect it in the past versus now?
Roger: Well, a lot of that wasn't online. It was stovepiped. The great thing about the internet, the proliferation of technology that allows information to be disseminated very quickly and widely, that technology didn't exist in the past. Although that's a great strength, it's also a great risk, right? Because now, that information can be accessed by other actors, which historically, they wouldn't have been able to do just by the limitations of the communications available 20 years ago.
Eric: Yeah. I was reading an article this weekend about the Chinese flying wing, something similar to the B-2, B-21 bomber that we have, and how similar they are. Makes you wonder where that information came from.
CMMC: Cybersecurity Maturity Model Certification
Roger: Yeah. Well, I don't think there's any question that a lot of our intellectual property throughout the United States has been vulnerable or has been hacked. And it continues to be a major issue for industry but certainly for the Department of Defense and the U.S. government.
Eric: The Department of Defense has been making a lot of moves in this area, specifically, which we're here to talk about today, the Cybersecurity Maturity Model Certification, the CMMC. I know it's very controversial. I'm not going to ask you for what we're doing internally or anything. But when you read the press, Katie Arrington and her team are pushing really hard to get these requirements out there. The document, the version 0.6 draft, came out a couple of weeks ago in November. It's almost 100 pages, maybe a little more, long. What are your thoughts on it?
Roger: Well, I mean, it's understandable. I mean, if you look at the past several years, I really go back to 2017, the DoD has been held to a higher standard from a cybersecurity standpoint. And I think the feeling is that industry has not essentially complied, certainly with the NIST 800-171 standards. And-
Eric: Which are?
Roger: That's the standard cybersecurity framework that is recognized as basically the playbook for industry, and really for any organization, to maintain a certain level of cybersecurity maturity.
What is CUI?
Roger: So, I think there's frustration in the government. And I think the ongoing identified weaknesses in the Department of Defense supply chain have really pushed the government, the DoD particularly, into mandating this Cybersecurity Maturity Model Certification, which, really, is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene, as well as protecting unclassified but controlled information, CUI, that resides on the DIB's networks.
Eric: CUI's a term I started hearing about maybe three or four years ago. And it seems to be really important yet intangible almost. What is CUI? I mean, how do we define it?
Roger: Well, it's all of the information that's not classified, it's unclassified, but is sensitive. I think many are familiar with FOUO, for official use only. FOUO is included in this broader categorization of unclassified but sensitive information. This could be ITAR-related information that's not classified but sensitive, other information related to architecture, plans, travel information.
Roger: And the thing about CUI is, often it's the aggregation of that information that makes it sensitive, and this information resides on the networks of a lot of defense contractors. And particularly, the concern is the smaller subcontractors that are not in a position to protect this information adequately. And I think what we've seen historically is that the target of the nation-states and other actors that are looking to exploit that information, the target is the smaller subcontractors that do not have the maturity in place to protect that information.
Protecting the Valuable and Critical Information
Eric: I keep reading about that. I read about it. I hear about it. I've got to tell you, when I meet with a large FSI or when I meet with our customers in the large FSIs, they talk about the hundreds of thousands of attacks they sustain every day. I personally think the attacks are hitting everybody. And there are differences. I'm not going to say the small subs are less attacked. I'm not going to say they're easier. They probably are easier to attack. But even with the large organizations, I mean, the footprint is so expansive. It's got to be incredibly difficult to protect an organization.
Roger: Yeah. I don't think anyone would disagree with you. But nonetheless, I believe the government feels that unless you implement a framework and come up with standards, it's going to be impossible to implement an architecture going forward that is going to adequately protect our valuable, unclassified but sensitive information.
Eric: How have you, as a COO, and I don't want specifics here, Roger, but how have we, up to this point, protected critical information? I mean, I know a quote could be, or a bill of materials could be considered CUI, right?
Roger: Yep, absolutely.
Eric: How have you, in your career, seen that protected to this point, pre-CMMC and really standardizing and formalizing what we're going to do?
Roger: Well, I think largely through segmentation of networks and access control. Again, if you have a network that's not connected to the internet, or a network where the only folks on it are U.S. personnel, it makes it easier.
The Connectedness of Commercial Industry
Roger: It's when you're in an interconnected environment where you also happen to work with subcontractors who are outside of your traditional framework. Obviously you don't necessarily know what type of infrastructure they have in place and how that information is being disseminated beyond your enterprise.
Eric: And what have you seen over your time in commercial industry? Have we grown the number of second and third-tier subs, the connectedness of the DIB? Or is it less connected today as we've seen consolidation?
Roger: No. I think it's more connected than ever. In the past, at least, I can't speak for others, but I had subcontractors, but most of that information was exchanged via the mail because at the time, they didn't have the network infrastructure in place. So, I think it's the nature of our environment in 2020. Most things are connected. Most entities are connected. And I don't see any way of going back.
Eric: Yeah. I agree. So, with CUI, which has been out for a while, that's really DoD-focused. We have CMMC, which are the new certification standards, if you will, coming out. I think version one of the draft, or release one, is due in January of '20.
Roger: January. Correct.
The Difference Between CUI and CMMC
Eric: What's the difference between CUI and CMMC, recognizing one's a certification? Maybe I'm answering my own question.
Roger: Right, exactly. CUI is just a designation of information that is considered controlled but unclassified. CMMC is a framework being put in place to actually ensure there are actual technical controls that allow for documentation of policies and so on. There will be evaluations done under CMMC that will lead to certifications from level one through five, one being the lowest; five being the highest. Obviously, the higher your company certifies, the more contracts you will be able to bid on.
Eric: Okay, okay. So, take CUI for a second. What I want to do, I think, is turn this into a two-part episode.
Eric: I get so many questions on this. So, let's take CUI. Who determines whether something is CUI or not?
Roger: Well, traditionally it's the originating authority. It's usually the government.
Eric: And they mark it?
Roger: It should be marked but-
Eric: Never seen a single document marked "CUI."
Eric: Actually, I take that back. I've seen a couple.
Roger: Yeah, I think that's changing. And I think you've seen FOUO, which-
Eric: I've definitely seen FOUO.
Roger: ... which qualifies as CUI. And then I think there are other markings, like ITAR information, that de facto would be considered CUI.
More Specificity in What Gets Marked
Eric: So, FOUO, ITAR and the like, those seem easy to me.
Roger: Those seem easy. And I think there are other areas where maybe it's less clear. But I think, as time goes on, there's going to be more specificity in what gets marked. And I think it'll be clearer, become clearer, to individuals who have to deal with this information.
Eric: I think that'd be great because the average inside salesperson who's dealing with bills of materials, quoting, potentially project plans, they're talking to the government, they're 25, 27 years of age maybe. They don't know how to classify something. They haven't gone through... I know you and I have, on the classified side of the world, we've gone through very specific training on classifying documentation for DoD classifications, right?
Eric: Confidential, secret, top secret, et cetera, et cetera. The average person, though, hasn't done that, yet they're dealing with... potentially be dealing with CUI.
Roger: Yeah. And I think contracts that companies receive, I think there'll be clarity, hopefully more clarity, on what is CUI and it should be outlined in the contract itself. I mean, we tend to think of classification guides that are promulgated as part of a contract, addressing the classified information, but I would hope that there would be information also discussing what is CUI. In fact, the contract might say that "all information related to this contract is CUI." And obviously, sensitive work, if you have a program where you're doing classified work, there will be certain unclassified information that perhaps could be considered all CUI.
Part Two: Delving Into CMMC
Eric: I would expect so. Okay, so, what I'd love to do... We try to keep these to the point but there's a lot of information here. If you're good, I'd love to take a break and pick up next week with a part two.
Eric: ... and really delve into CMMC and what that brings to the table and what that means for a business out there, what it means for the government.
Roger: Yeah, absolutely.
Eric: Awesome. Well, I really appreciate your time this week, Roger. Thank you so much.
Eric: To our listeners out there, tune in, subscribe please on the podcasting application of your choice. Give us your feedback. We love the feedback. Any questions, concerns, ideas, send them our way. And, like I said, subscribe and rate us. Tell us what you like. Tell us what you want to hear more of. Thanks. And until the next week, have a great week. This is To The Point.
Thanks for joining us on the To The Point Cybersecurity podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/govpodcast. And don't forget to subscribe and leave a review on iTunes or the Google Play store.
About Roger Bache
Roger Bache is the chief operating officer (COO) for Forcepoint’s Global Governments business, managing day-to-day operations. With more than four hundred employees operating in multiple facilities and geographical locations, Global Government Security delivers Forcepoint’s human-centric security product portfolio to domestic and international government organizations.
Prior to Forcepoint, Bache was the COO of Raytheon Cyber Products. He also served as President of Raytheon Oakley Systems, a wholly-owned subsidiary of Raytheon Company, providing advanced Insider Threat/UAM solutions across the U.S. government. Prior to his assignment at Oakley, Bache had a number of challenging assignments at Raytheon Company, involving managing complex programs for customers in the Defense and Intelligence communities.
Before joining Raytheon, Bache served more than 22 years as a naval cryptologist in a number of challenging assignments around the globe managing cryptologic, cyber and Information Operations. He retired from the Navy in November 1997.
Bache holds a Bachelor of Arts Degree, Cum Laude, in International Studies from the University of South Carolina and is a distinguished graduate of the Naval War College.