The CMMC’s goal is to strengthen the cybersecurity of defense contractors, especially the numerous small and medium-sized organizations. Many companies, however, are wondering how they can get started on the path towards compliance.
We recently spoke with Jonathan Hard of H2L Solutions on this very topic. Jonathan’s company focuses on helping clients develop and manage their cybersecurity programs, specifically around DFARS, NIST, and (coming soon) CMMC. The following conversation has been edited for clarity and brevity.
PreVeil: Can you start off by telling me a bit about how H2L got into the world of DFARS assessment?
H2L: H2L has been in business since April 2014. We came out of large DoD contractors who were doing cybersecurity – at that time it was called ‘information assurance’. In 2015, we did our first DFARS contract for a local company and that just started us off in the 3rd party inspection world. At that time, most of the supply chain and contractors didn’t know what DFARS was even though it had been out since 2013.
Many at the time also didn’t think there was much of a business to be made out of DFARS. But, we could see it was important and that it had a future.
PreVeil: Small to medium-sized businesses are coming to you saying they are looking to become CMMC compliant. What are you telling them in terms of getting ready? How should they start?
H2L: When we take on a new company, many are surprised by how much is required of them. We tell them that the fastest way to get to CMMC is to focus on the DFARS 7012 adequate security clause one byte at a time. DFARS 7012 is already a law. That’s already a regulation.
Then, they should focus on NIST 800-171 and knock out the first 110 security controls. Then they should position their firm for additional controls and policies that will be part of the CMMC level 3 standard.
If a company doesn’t want to mess with managing all those controls, then they should outsource it. They should hire an MSP or MSSP. Or hire a 3rd party consulting firm like H2L that is neutral and knows about these things.
PreVeil: Do you see the language of DFARS changing once CMMC becomes law of the land? That could be a point of friction, particularly if companies are managing their cybersecurity to meet the expectations of the current 7012 language.
H2L: DFARS 7012 will be updated to reflect the new CMMC wording. However, the NIST 800-171 Rev 2 will still be the core of the CMMC assessment in addition to the 20 practices required by CMMC Level 3.
The flow down requirement in DFARS is one a lot of folks have wondered about. It will still be a requirement. However, the subs will only be required to achieve Level 3 or above if they receive CUI through the process. For example, a prime may be required to be a CMMC Level 4. Their sub though might only need to be a CMMC Level 3 based on the government requirement for the type and amount of CUI they are handling.
PreVeil: A lot has been said about prepping for CMMC by small and medium businesses. One big issue is cost. How are you seeing this play out in the companies you are working with?
H2L: Most companies I work with have invested money in their security infrastructure based on DFARS and implemented most of the NIST 800 controls within their IT. So, they have put the upfront cost into becoming CMMC level 3 compliant.
However, they aren’t done yet. There are still 20 extra controls that they need to meet.
Additionally, they will need to put more money into being certified and put money into audits and do this every year. So, there will also be a large investment to maintain their certification.
Where we see an issue is with some companies (smaller ones with 20 people) like A&E (Architecture and Engineering) firms balking at the price of inspection. They are postponing any kind of movement on security implementation until something is a lot more solidified from a requirements perspective.
PreVeil: For companies that are finding cost an issue, what do you tell them to do?
H2L: It depends on what level they want to achieve.
CMMC and the regulation is focused on protecting CUI. This is the root of the executive order that came out under President Obama and was focused on stopping the bleeding of CUI.
If I were starting a new company and needed to become CMMC compliant, I’d start by understanding the goal of protecting CUI. Then, I’d look at technical advisors that are cost-effective and care about the DIB – not ones focused on simply lining their pockets. And then I’d focus on creating a 1-on-1 relationship with trusted folks. I’d go to the PTAC office and get their suggestions. I would absorb security and get it internally and do my homework.
I’d get baseline policies. There’s a lot out there that’s available for free. And I’d set up my system in the most economically advantageous way.
If I wanted to outsource it I’d call a local MSP or MSSP. I’d call PreVeil. I’d ask them how I could do it in the most economically advantageous way. Or I’d shop around for reputable companies that care about protecting the country and do business with those people.
It doesn’t cost that much for a small company to secure a few licenses. You can really set up shop with a firewall. Get a trusted company to set up the internet and manage it. Call up PreVeil to protect email and files and protect CUI – that’s half the battle since so much data is shared over email and through files.
Yes, there are policies around audit logs etc. But one of the biggest leakages is email. I have seen cases where a company emails a whole spec for an aircraft carrier to all their suppliers. At that point, the sub has designs to the whole airplane.
PreVeil: Do you do pro bono?
H2L: Yes, we do a lot of pro bono. We do DFARS 7012 inspections for some of the smaller DIB shops in Alabama. We lose money on them but that’s fine. We get another assessment under our belt and we get another happy customer. And the client company is better postured to protect their information. And as the client grows, and they need something new, they’ll think of us. It all comes back.
PreVeil: Do you have a sense of how many SMBs will need to achieve the various levels 1-5?
H2L: Of the 200 or so companies we inspect, just about all of them are shooting for level 3.
Originally, the DoD said that only 9-10% would need L3. But I think the standard will become L3. Why wouldn’t you?
Overall, I would say over 50% of the DIB will shoot for L3 or above. And maybe even higher. Some in Huntsville are even shooting for L4 because that will set them above the standard and set them apart. So, they are investing even more money in 24/7 monitoring and putting a security operation center online.
I don’t know if the government understood that when they created a baseline standard, people were going to seek to differentiate themselves. If L3 is the gold standard, then you are going to see more companies than you anticipated going after L4 and L5 to differentiate themselves.
PreVeil: It seems like we don’t need to worry about how compliant H2L’s clients are. It’s these other hundreds of companies that haven’t heard of DFARS or are just getting to know about DFARS that we should worry about.
H2L: That’s right. Unfortunately, there are a lot of manufacturers in Alabama that aren’t plugged in to LinkedIn, don’t watch the webinars, or don’t go to conferences, or don’t have a person on staff that will teach them how to keep up to date. And that flows down to the subs. There are many we speak to that don’t even know about DFARS 7012 but that isn’t as large as it used to be.
One of the big communities that hasn’t done anything about DFARS 7012 yet is the A&E (Architect and Engineering) community. They do a lot of design, predesign, build, and commission work for NAFAC, USAS, and the Department of Homeland Security. And the reason they haven’t done much around DFARS is because these government agencies haven’t put a DFARS 7012 clause in their contracts.
A lot of the A&D companies will have a local U.S. shop doing the design but the company doing construction is sometimes overseas, where they’ll have local talent build the facility. Having DFARS in the contract would require the local company in say Germany to follow DFARS. And no foreign company wants to do and implement those standards.
Another problem with this is that in many cases these machine shops or A&E firms get whole schematics to buildings or how to build a widget. Those are the companies that need to take DFARS seriously. From a supply chain protection perspective, we need to worry that they are given the keys to the kingdom on schematics for something like the nuclear missile defense headquarters or the next interceptor that is being built. These are key weapon systems or key facilities that need to be protected. And because the owners are not plugged in, they don’t know about new cybersecurity standards.
PreVeil: What challenges have you seen come up as companies are trying to get ready for CMMC by following DFARS 7012 and NIST 800-171?
H2L: The problem I see with companies who are trying to get ready by following DFARS 7012 and NIST 800-171 is that they are coming up against the DCMA. The DCMA is doing DIB CAC inspections. These are evaluated at DFARS 7012 standards and the inspectors are not looking at CMMC at all.
So what we are seeing with some of the larger primes we have assisted in getting ready for a DIB CAC inspection is that they are having the challenge of creating policies that call out NIST controls and then having policies that call out CMMC controls. Because the policy has to be control specific. Companies don’t want a hybrid policy. They worry that inspectors will be confused and not like it.
So we have to write policies for both NIST and CMMC that are each control specific. Which means they are paying for two different inspections. So this is the opposite of folks complaining about it costing too much. These are medium sized companies who are investing in two policies.
The challenges in terms of technology have also been around things like multi-factor authentication (MFA) and introducing the standard throughout their infrastructure. Although that is getting less. Some have resorted to starting MFA with just their C-suite.
We are also seeing challenges around purchasing things like SIEMs (security incident event managers). They are having a similar pause around things like log access management and FIPS 140-2 compliance and servers.
Many are holding off on these complicated IT security devices and focusing on low hanging fruit because it makes sense for them now. As long as they can show they are working towards full compliance, they can create POAMs around the other things.
Even though DFARS is law of the land, when they signed the memo in 2017, it posted that all you needed was a system security plan (SSP) and POAM. Many companies stopped at that.
Until now, companies have created POAMs around this either because they don’t have the budget now and they think they’ll introduce the changes next year, or because they want to see how CMMC plays out. With DIB CAC inspections, people are trying to get those things off the POAM.
But, once CMMC comes, POAMs are going away. And the DIB will have no choice but to get started.
PreVeil: For many small companies, it seems to me that the “enclave approach” could be an intelligent way to get on the path to CMMC compliance. Enclave means that only a portion of the company needs to become compliant. Why aren’t more companies taking this approach?
H2L: For a lot of businesses, they want to secure their whole infrastructure or create a designated center where all CUI data is focused in one locked-down facility.
Some companies can do an enclave approach. But I think there’s a greater sense of ease if the whole company has it implemented.
A lot of companies have Microsoft Office E3 licenses. They hope something will come out that can be an alternative and will enable them to not have to go to GCC High and pay the expensive migration fees. That’s the real killer to get to the GCC Cloud environment.
I tell customers there is an alternative to that and that’s to implement all the cyber controls for CMMC L3 they need. Then, decide who within the company is touching CUI and implement PreVeil email and file sharing just for that subset or group. And they are good to go.
These customers have all been super happy.
PreVeil: Well, Jonathan, thanks so much for taking the time to speak with us. This has been great.
H2L: Thank you.
This is a Security Bloggers Network syndicated blog from Blog – PreVeil authored by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/accelerate-cmmc-compliance-with-nist-and-dfars/