The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced that it is creating a cybersecurity assessment model and certification program. Roger Bache, Chief Operating Officer at Forcepoint, discusses the ins and outs of CMMC.

Don’t forget to sign up for upcoming episode alerts!

How to Listen

Episode Table of Contents

• [00:57] Impact of CMMC: Hitting the Civilian Workforce
• [05:27] Preparing A Security Plan
• [09:38] Understand Where the Risk Is
• [12:57] Create Separate Rates
• About Roger Bache

Impact of CMMC: Hitting the Civilian Workforce

Eric: Welcome to the Point, I'm back this week with Roger Bache, COO of Forcepoint Federal LLC. Arika is still travelling and we'll get her next week, I promise. But what I wanted to do was pick up from our conversation last week with Roger regarding CUI and CMMC and really delve into the CMMC side of things, the Cybersecurity Maturity Model Certification, which is predominantly going to hit federal contractors in the DOD, but I suspect it's going to hit the civilian workforce, civilian contracts also. Roger, welcome to the show.

Roger: Thanks Eric. Glad to be back.

Eric: What do you think about that? I mean, do you think this is going to impact CMMC specifically, the civilian model also or, I mean it's kind of required for DOD, right?

Roger: Correct. It's starting within the government. It's going to start with DOD. I wouldn't be surprised to see it expand to anyone doing business with the US government going forward. But certainly DOD will be the test bed for implementing this.

Eric: Why wouldn't you, if you're DHS or HUD or, or department of energy or education, why wouldn't you just throw in a requirement for CMMC certification? What we talked last week about the levels, towards the end of the podcast, levels one through five. Why wouldn't you say I need everybody to be a level three or higher? I see that all the time.

Roger: Well, I think it might come down to cost. Within DOD they are going to allow CMMC to be an allowable cost. And also if you do not meet the maturity level specified in the RFP-

Eric: You're not doing business.

You're Not Doing Business, You're Out of Business

Roger: You're not doing business, you're out of business. So there could be some resistance to implementing that aggressively in other parts of the government. I think it behoves everyone to achieve certain standards such as NIST 800-171 I mean it's coming. And if you look at CMMC, it is a combination of many standards, not just NIST 800-171 it includes other standards, even FedRAMP are being considered. So, it's a best practice and if you're doing business with DHS right now and they're not mandating it, I think it just gives you the opportunity to get ahead of the game. Because I suspect it's coming.

Eric: If you can comply.

Roger: If you can comply, correct.

Eric: So FedRAMP is a great example. I love FedRAMP. I mean it puts in place tons of controls to better secure the cloud service providers, really, government customer data that sits at CSPs. The challenge with FedRAMP is it costs a lot more. Yeah, I've seen anywhere from 25 to 100% when you look at vendors that are FedRAMP certified. Cost increases over the cost of the product in a non-FedRAMP world. How with CMMC, you talked about the ability to build a government for CMMC certification. How do you see that playing out? Any ideas?

Dedicating Significant Staffing Resource to Achieve Cybersecurity Compliance and Improvement

Roger: Well, I think in a number of ways. One is that I think organizations, companies will have to understand the... They're going to have to become compliant. Ms. Arrington has suggested that businesses will need to dedicate significant staffing resources to achieve cybersecurity compliance and improvement. I think for the larger DIP companies that already have a large IT infrastructure, CISO and so on, they probably have the framework, not that there aren't additional costs to comply. It's the smaller companies that do not have the staff and the infrastructure. They're going to have to make a business decision whether they even can play in the game.

Eric: Right. I make a widget for an aircraft carrier or something that's very important to the government. Now I'm the only company in the world that makes that. I've got to comply with all of these requirements. It could raise my cost by a couple of hundred percent in some cases.

Roger: So I think in places like that they're going to have to look at potentially outsourcing, maybe some type of managed service where they can, maybe by virtue of the service become compliant. Not clear. And it's not clear how this is going to flow down to the other parts of supply chain if you're a prime contractor. That's still to be determined.

Eric: And those services aren't available today?

Roger: Correct. I mean, there are things with Microsoft and GovCloud and things such as that, but that's part. There are things you can do. I think it's a combination of things. I mean, if you're an industry partner, and you're not compliant, you have a good roadmap by looking at the NIST 800-171.

Preparing A Security Plan

Roger: Do you have an SSP? If you don't, you should. You should be working on-

Eric: SSP being a?

Roger: A security, what's the S S...

Eric: Security plan.

Roger: A security plan. I'm trying to remember what the acronym breaks out to, but right. Having a security plan, you probably should put a plan of action milestones in place because it's coming. So go ahead and prepare for it, and do it now if you're going to participate and play in this space, I think going forward.

Eric: My hope would be, and I hate using that word, they would allow us as an industry to ease into the requirements. For instance, level one is much more basic than level three. They haven't even published level four and level five as of this date?

Roger: So, yeah. So I think the general feeling is that most companies that have some level of cybersecurity infrastructure and programs in place will have no problems meeting level one and two. I think level three and four are going to be more problematic, particularly if you're a smaller company. And the thing is if you're a company that doesn't handle CUI and you may be able to get by with level one or level two, which is more of an ad hoc cybersecurity framework. But if you're going to be handling CUI, it's unlikely that you can do business at level one and two. You're going to have to be at level three and four.

Eric: So, level three is really table stakes in most cases.

Roger: I believe so, and it could be level four depending on the type of work you do.

Third-Party Auditors: Come In and Audit Them

Eric: Which hasn't even been published yet. I'm going to read something to you. A quote from a Cyber Day industry, Cyber Day General, Major General Gary Yee up at DISA said, "A very small number of the 300,000 DIB, Defense Industrial Base, companies have state of the art cybersecurity. The majority of them are the lower end of that one to five scale. That's scary. I mean that's scary, 300,000 companies.

From what I understand, they have to have a third party auditor. That's the intent, come in and audit them. Which they'll also, I mean huge business for the three PAOs. They'll be able to start up a big business, not just auditing, but consulting and helping companies get there. Yeah. I don't think anybody would argue that we shouldn't have these standards, that they aren't good. The question is how do you go from zero to 300 miles per hour overnight and do you, or do you have to slowly ramp them up?

Roger: Well, I think the government would tell you that there's... Dating back two or three years, there's been an expectation that you would achieve the NIST standards and most companies haven't. So I think that's part of the frustration.

Eric: It's more standards, more costs.

Adversaries Steal the Information

Roger: Right. But, if you think about the threat and particularly how much these smaller companies, the lower levels of supply chain have been attacked. I think that the government has to do something. It feels compelled to do something. And implementing this model is one way of getting there. But it's going to be difficult and painful and expensive, I suspect for many. And there'll have to be business decisions made by many companies on whether they can continue to do business with the government or certainly DOD.

Eric: I think the opposite side of it is, we put all this money into R&D and our adversaries steal the information and they stay a couple of years behind us, but only a couple of years, not decades. Right, because we're doing all the innovation and they're stealing it and creating products and that's a real problem.

Eric: I want to switch gears a little bit. I was talking to a CISO of a very large integrator, a federal systems integrator a couple of weeks ago and I was asking him about CMMC and how that's going to apply to second and third tier subs. The smaller components they work with. If you make a ship or you make a plane, there are thousands if not tens or hundreds of thousands of suppliers that are under that prime contractor. And I said, "Are you going to... Is it your intention to push these requirements out to the subs?" It absolutely is, right. Because they're held to that standard and they're liable.

Understand Where the Risk Is

Eric: And then I said, "Well how do you enable them? You have a couple dozen second tier subs or third tier subs. How do you enforce it? How do you enable them or are you going to set up a service?" And the response was something I didn't expect. It was, "Well, no, because there's a liability there if we do that. We're going to push the terms down and mandate that they comply, but we really can't help them because that becomes our business then, and that's a liability to our business." I'd love to hear your thoughts on that. I mean, we're not typically a prime in our business. We get the terms thrust upon us.

Roger: Flowing down to us and we're [inaudible 00:10:20] FAR part 12 and we sell commercial off the shelf software. But I don't think there are any easy answers. I don't think the government has completely identified how it's going to flow down to all levels of supply chain. So, that'll be interesting to see. And if you're a large mission system integrator and you're relying on several small companies for key technology that is not available anywhere else, you're going to have to make a business decision.

Do you find a way to help those small companies become compliant? I think there's going to have to be some out of the box thinking here and everyone should probably be assessing their supply chain right now to understand where the risk is. Because it's not just a risk for these small companies, I actually would argue, it's a much larger risk of the large integrators that are relying on the supply chain to perform.

Who and What Is at Stake

Eric: I agree with you, at a different industry event, Admiral Nancy Norton, Vice Admiral Nancy Norton, District Director mentioned that in her keynote, "As an industry partner, you must understand who and what is at stake in this environment. Build cybersecurity into all of your products and services and capabilities from concept to completion. Be as innovative in your approach to cybersecurity as you are in your functional requirements."

Eric: But that's almost asking... Once again, let's say I make a wheel strut for an aircraft. You're almost asking me to be as proficient in cybersecurity as I am in creating that wheel strut or an engine. Pick on an engine manufacturer, engines have very advanced technology in them. You're saying, I have to be as good at cybersecurity or find somebody who is, maybe is the answer, outsourcing, as I am in engineering that engine designing and creating and producing that engine, I get it. It's an aspirational goal. This is going to be tough.

Roger: I agree. It's going to be tough, but I don't see... I know the feedback we're getting is that there'll be no waivers and no POAMS if you're not compliant. So it's going to be interesting when we do implement this and we start seeing this, the CMMC requirements coming out in RFI's RFP's, how the government will respond if they do not get the feedback or the inputs from industry or they see key players deciding not to participate or how they'll respond.

Create Separate Rates

Eric: Yeah. What do you do? When you can't buy a strut anymore? It's just not desirable to do business. Or the other thing I was thinking about, if you're a federal contractor, let's say for a second, the DOD is actually requiring CMMC, but your civilian customers aren't. Right. How do you do something as simple? I mean, do you have a separate, do you have a separate GSA schedule for CMMC compliant capability versus not?

Roger: I think, yeah. So-

Eric: Different price points?

Roger: DOD has said that, you should be looking at including this in your rates and if you are, how do you pass that cost along? It's a great question. And you know, one way to do it would be to have separate rates. But, if you're a company like Forcepoint where we have a GSA schedule, those prices are for all US government customers. So I don't even know if the government has fully contemplated that. I haven't seen anything specific to that, other than the fact that you can pass along that cost. So something we're looking at now, try to fully understand what our options are.

Eric: In your travels, have you talked to anybody on the government contracting side? I know from our relationship you spent a lot of time with government contracts where they're adding funding. They're creating additional funding because of CMMC requirements that are going to increase the program costs of whatever the program may be.

Roger: I have not seen that yet, but it's a probably a topic we really need to have, a discussion we need to have with our customers.

Think Hard About the Certification Level

Eric: I'm going to ask your opinion here. I won't hold you to this. So if we can assume for a second that most DOD programs will have some level of CMMC requirements in the future and that the government has allowed for bill back of CMMC, does that not inherently increase the cost of most, if not all government programs, regardless whether they're cybersecurity programs or they're back to that engine or wheel strut?

Roger: Yeah, they've made it clear that the CMMC certification is required whether or not you're handling CUI. So I think the difference is, if you're building wheel struts and the RFP you respond to has a CMMC level one maturity requirement, then it'll be a lot easier to... And I suspect that's going to happen. I think for...

Eric: Unless they're made with very, very classified technology, like some high tech carbon fiber or radar evading material.

Roger: Or by virtue of, if it's on an aircraft or a platform that is classified or has sensitive aspects to it. The end customer maybe decide to require everything to be CMMC, level three and four. Which then is an impact that may be an unintended consequence. So I think customers are going to really have to think hard about the certification level they're prescribing. So I think there are a lot of nuances that we don't fully understand that will play out over the next year or two.

Eric: So the good news is, a lot of industry days coming up, draft version .6 is out 1.0 Is coming out.

Roger: Coming out in January.

Increasing Cybersecurity Protection

Eric: The government's going in the right direction here. I mean, nobody can argue that this is something we shouldn't do. We shouldn't increase cybersecurity protection of the dead capabilities. Right?

Roger: Oh, I think everyone agrees. It's just how it's implemented and is it achievable?

Eric: Well, I'd love to bring you back after .1 comes out and get your thoughts. I know as a mid-sized company we're going through the same questions as the smalls and the larges are and even the DOD. How do we implement this most effectively? How do we deal with the spirit and the intent and also comply though?

Roger: Right. Exactly. I'd love to come back and follow up. I know after the new standards are promulgated.

Eric: Awesome. Roger, thanks. I know we don't have all the answers, but I really appreciate the dialogue.

Roger: Sure. Certainly. Eric. Great. Great discussion.

Eric: Thanks for joining us. Until next week. Thanks for signing in and listening to The Point. This has been a great two-part session with Roger Bache, COO of Forcepoint Federal LLC. Subscribe. Listen to us on your favorite podcast streaming application. Any comments, questions, feedback, send them our way. We'd love to get your feedback.

Thanks for joining us on the To the Point Cybersecurity Podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/gov podcast and don't forget to subscribe and leave a review on iTunes or the Google play store.

About Roger Bache

Roger Bache is the chief operating officer (COO) for Forcepoint’s Global Governments business, managing day-to-day operations. With more than four hundred employees operating in multiple facilities and geographical locations, Global Government Security delivers Forcepoint’s human-centric security product portfolio to domestic and international government organizations.