CMMC 2.0 Initial thoughts - a fireside chat with Tim Golden

Captions
Welcome everybody to this week's edition of the Compliancy Guys. Today is November 25th... November 4th, 2021, and we've decided to take today's meeting and make it more publicly accessible for everybody, given the new CMMC 2.0 stuff that came out literally a couple of hours ago, in fact about three hours ago. In today's conversation I'm just going to go over a little bit of some of the highlights here, and then I'd like to have an open discussion about how this will affect us as managed security providers and managed providers as well. So I will allow everybody, attendees, the opportunity to have just an open discussion and an open conversation. Let me start by sharing what was put out and then was promptly... do you share screen? So go ahead and just give me a little wave if you can see the PDF I have here up on screen.

Yep, we can see it.

Awesome. Right, so this was posted kind of late last night, early this morning, and then it was promptly removed from the DoD site. Fortunately a bunch of us were able to grab a copy before it was deleted. But anyways, since then, literally in the last hour and a half, the DoD site has completely changed around their stance on CMMC and so on and so forth. I just want to bring a couple of key highlights to this, right, and you've probably seen this on LinkedIn and Facebook, bouncing around and so on and so on. But some of the things that they were talking about as far as changes are concerned is, you know, pursuing the rulemaking, establishing 2.0 of the program, some of the FAR changes, and really, as you're starting to get into the meat of it, it is these modifications, which I'm still digesting the actual pieces of what that means, right? So I have them all up here on the screen. Again, open discussion for us to be able to chit-chat and talk a little bit through this. Quick highlights: eliminating levels two and four. Well, for those of us that have been following CMMC, level two kind of wasn't a thing and level four was never really defined, and most people in conversations were always asking about ML1 and ML... I'm going to close my Slacks... and ML4, sorry, ML3. So now two and four, as suspected, have gone away. No questions, no comments? Looking for engagement amongst all of us, so I don't sit here and spend an entire hour chit-chatting.

Well, as she pointed out, two and four weren't that big a deal, because basically everybody was going to three, and if you're doing four we decided you were doing five anyway, right?

Yeah, that was kind of a stop point along the way. Exactly, exactly. Hey look, we have adsf and adsf. We're going to let Britney in. Since I don't know who asdafd is, you know, they can kind of hang out there unless they want to rename and identify themselves; that would be helpful.

So, yeah, one of the things I saw go by that was interesting while you were scrolling, it said something about, oh here it is, eliminating all maturity processes and CMMC-unique practices. I'm a little confused by that statement, simply because part of CMMC kind of rolls up a bunch of other standards; part of the maturity model was adding some of those other functions on. Do you have any specifics behind what they mean by the unique practices?

So that's a really great question. I think as they continue to refine the requirements and continue to put out scoping and guidance documents, we'll start to see some more of what they mean by unique. You know, like most RMFs, risk management frameworks, while they use words like unique, they don't actually define the uniqueness of it, right? And so, as compliance experts, we're always like, what the hell do they mean when they don't really define that? So yeah, it'll be interesting to say the least. And okay, what does point three mean? Bifurcating CMMC level three requirements to identify prioritization... prioritize acquisitions.

For those that speak lawyer.

Yeah, exactly right. There's probably a lot more on the DoD site that they've recently, literally just, updated within the last hour and a half. Oh, there's some people in here in chat, hold on, let me see. "abf me" is John, as in John Harmon. I'm just looking at chat real quick, making sure I'm not missing anything. So according to the official site, CMMC 2 for level 3 is literally just all 110 security practices from 171. Yeah, that's kind of like... and again, this came out around 12:30, 1 o'clock, and so, you know, we are all starting to digest what's here, what's in the framework, what we need to know, the changes between the two, the leadership. Not only that, but they redesigned the way it looks too, so, you know, there isn't a lot of scoping guidance, at least I haven't been able to dig through a bunch of it yet: the evolution, how we got here, where we're going, the key features. Yeah, let's do this. So this is the chart that everybody has kind of been sharing, where those other levels go away and now we're one, two, three, right? And so, as expected, level three is pretty much 172, based on 172.
You know, it's interesting too that they're still referring to it as CMMC, but there were other talks where they were going to drop the maturity portion.

Well, that's kind of the "um" behind it though. I mean, you're demonstrating the maturity of your assessment, so you didn't just quickly come out and slap an assessment in because I had to hurry up and be compliant for the government. Showing that you're doing your quarterly reviews or annual reviews, whatever level you're at, and showing updates in progress, isn't that part of what CMMC is, at least to my understanding?

Yeah, you know, the requirement on level one... so let's backtrack to last November, right? You know, when they kept saying three hundred thousand contracts, blah blah blah, but a vast majority of them will be on level one, blah blah blah. All of them in the original 1.0 model sort of had third-party assessments, right? And you need to be authorized and go through a C3PAO and then be approved by the AB and all that great stuff, right? Now, fast forward a year later, now it's an annual self-assessment, right? As you can see here, an annual self-assessment, which is basically 171, that we've been doing without somebody actually monitoring that. Now, that might change again, but you know what, in my 800-53 work I do an annual self-assessment, but I do an every-three-year ATO, authorization to operate. So as I'm looking at the 2.0 model and digging deeper into it, it might turn into a similar process where every X number of years, regardless of your level, you go through an authorization or an ATO process, but you have annual self-assessments that are reportable. Sorry, that's a mouthful. If I had to guess, that's probably where they will be going with this. Level two, third-party C3PAO; number three, obviously, a little bit more government assessments, and so on and so on. I'm just seeing, anybody have questions? Do they have comments?

I think the other good thing on here is they're allowing certain POA&Ms now too.

So yeah, I was getting to that part too, because I've talked a lot about this. For those that are in my peer group, I've talked a lot about the POA&M process, right? For me, much of the work that I've been doing in compliance since '06, '07 has been based on 800-53, and, you know, my 171 clients, obviously I've been doing POA&Ms with them. But the CMMC originally didn't have this idea of a POA&M process. I like the fact that it's time-bound. What I do with my federal clients right now in their current GRC system is a time-bound POA&M. The DOJ has what they call CSAM; it's basically their version, or the government's version, of a GRC tool. For those that don't know, a governance, risk and compliance tool is a way of managing your frameworks and managing the controls within those frameworks, generating POA&Ms, generating SSPs, and so on and so on, right? And so CSAM has the concept of the POA&M being time-bound, so that when I have a POA&M going in there, I'm putting in an actual date of completion for this milestone, and on the back end getting alerts along the way to make sure that I'm actually on track to actually enforce the fix for that POA&M, right? So I think, you know, I read a lot of this, and what I'm seeing, and again there's still a lot more here to digest... I believe Jonathan has a question. Is this hand raised? Yeah, sure. That's done, you're good. Good job.

Hi, I made it. Looking at this, is our MSP still going to be going for a level three or just a level two?

So I did not ask him to come in and ask that question, but you make a really great question.

Okay, right, if 171 is two, then that's what they wanted us to do in the past, so yeah.

So you're making really great questions and really great points, right? And kudos for reading my mind. I'm going to get to this in a few minutes, right? I just kind of wanted to go over some of the key features and then how does that affect us. Obviously I'm cognizant of everybody's time, and we have about 35 to 40 minutes here, so I want to be cognizant of everybody's time, but I want to spend a few minutes on, like, what has changed: a tiered model, assessment required, implementations, blah blah blah blah blah, the evolution. And I'll get to that, because I think that... let's just do this real quick. For those of you that are MSPs on the call, raise your hand, either on camera physically or with the little raise-your-hand button. One, two, three, four... you know, probably most of them. Five. Yeah, probably most of them. Yeah, so a vast majority of us are MSPs, right? So that's really... oh look, a whole bunch of other people, they keep coming in. That's fine, let them keep coming in. I'm just allowing people the opportunity to chat if they want. So, all right, back to, like, the tiered model. Level two and level four going away, condensing it down to three levels, which we've all kind of felt was going to happen anyways; that kind of makes sense. We were talking about the POA&M idea and concept, which I've kind of been harping on for the better part of a year now, because originally it was go/no-go, but now they've introduced the idea of a POA&M. And for those that don't know, plan of action and milestones, POA&M. Does everybody know what a POA&M is? If you don't, raise your hand. I know Brit and Brobee... Andrew, even though you have your hand up...

Hey Tim, yeah, one thing I noticed on the website, I don't remember where it was I saw it, but they mentioned that POA&M would only be for non-critical items of the 171.
You're stealing my thunder, but yes, absolutely right. And so, first and foremost, having the ability to have a POA&M, and a time-bound and enforceable POA&M, those are some pretty key words, right? Time-bound and enforceable, basically saying if you have an open item, you better make sure you're going to do it within the time you say you're going to do it, and then we're going to make sure we're following up to that and enforce the fact that you are going to do it, right? So, however, what is allowed or not allowed to be POA&M-able? Is that a word, POA&M-able? Yeah, it is now. And one of the concepts, at least that I've been talking about amongst our peer group here, is assigning a risk factor to each control, right? Kind of like they already do in getting your scores for 171 and uploading to SPRS, is getting that risk score. There will be certain things that will just not be allowed to be POA&M-able: I don't know, 2FA, I don't know, weak passwords, I don't know, zero trust. And as I continue to dig deeper into what was literally just put out two hours ago, I'll be making my summarization of what I found sort of out there in our group and amongst the socials anyways. But yeah, I think you make a really good point about what can and cannot be allowed to be POA&M-able.

How much will it cost? That was going to be the next one, right? Everybody talks about cost. Currently the department will publish cost analysis, right? Because we've been talking a lot about what is this going to cost our clients, what is it going to cost us? You know, do we go RPO, do we go RP, do we go CCP? What is my investment as an MSP to get up to speed, right? Our return, how do we then pass those costs off onto our clients, what are the clients willing to pay, all that great stuff. Cost, cost, cost has always been a major conversation of the CMMC ecosystem, right? According to what they put out, they're going to be significantly lower, because they want to streamline. Again, I'm not going to insult your intelligence, you all can read this just as easily as I can. But if I had to consider what this might look like to my clients, I probably was just able to reduce their cost by a third, right? Those that I have been consulting for the better part of a year on CMMC, knowing that these requirements are starting to change, and looking at what potential ML level now they might need to meet, chances are a vast majority of them will still be at this level one, and because there's a POA&M-able process on certain controls, their cost to implement, at least initially, at least a gap analysis and all those kinds of other things to try to get them prepared, should drop. Let me just check chat real quick, see if anybody has any questions. You guys aren't a very lively bunch; I was hoping that we'd get a little more input from people. I see a couple of people have hands. Alex, you have your hand up, do you have a question? Or Brit, you have your hand up.

You know, one thing I'd say with the level two, I mean, that's a hard one to even estimate, because it just depends if that third-party assessment flows down or not.

Tri-annual third-party assessments, that was what I was referring to, what I go through at my 800-53 clients every three years, if I'm reading tri-annual correct.

Well, if you go back to the actual document, it says that, that bifocal or whatever, so they're going to have two different paths for level two. One's going to be like the existing level three, where you have to pay the third-party assessor, and the other one's going to be the self-attested one, just depending on the contract. But it would be interesting to see how that flows down. You know, you get companies like Raytheon that will have to have the level three probably, but then are they going to have to flow down that assessment to their subs making widgets for them? Are they really that important of stuff compared to the whole product?

Yeah, I'm always talking about CUI, always talking about the FAR. So they are breaking it down in a little more detail: requirements at each level, you know, the 110 security practices out of 171 and then a subset of 172. For those of you on the call, have you done a lot of work or have a lot of experience in 171, 172 specifically? Go ahead and raise your hand if you spend a lot of your time dealing with 171 and 172. Cool. Andrew, you want to talk a little bit about your experience with 172?

Not really, because I'm listening to this and driving.

Aha, okay, well, drive safe then. Don't come off... I apologize for that. Who else has their hand up? Brit, you still have your hand up; I'm assuming you've probably just left it up, so I'll put it down for you. All right, so in the interest of time, I'll drop the link in chat so you all have it, but it's, you know...

What is the timeline for this to take place?

Great, Andrew, did you do that while you were driving? Seriously. So, yeah, well, stop it. As far as I know, and again I've been digging through this trying to figure out the timeline, I think it's like today, like now, because they literally just pushed it out. So what does that mean for the CMMC-AB? What does that mean for RP, RPO, CCP, CCA, C-3PO, R2-D2, Darth Vader and the rest of them? Wow, that's a mouthful. So on today's call... this morning there were a bunch of us on Discord kind of chatting about this, right? I think the general consensus is that RP and RPO... well, RPO might still have some weight, RP probably won't. I think the AB in and of itself, you know, I think the verdict's still out. I haven't looked at the AB yet this morning.

CMMC-AB, have they made an update?

Yeah, so there's the press release, town hall on Tuesday. If you guys haven't registered for the town hall, you probably should. I'm sure they're blowing up with all kinds of questions. Let me dump that in chat so you have the link as well. Significant: removing two levels. You know, this is basically what was in the PDF to begin with,
right. Short-term changes, blah blah blah, good adjustments, blah blah. Yeah, so I don't know. I think, like a lot of us MSPs, back in like last November we all jumped on the bandwagon, got our RP, got our RPO, got ourselves listed and so on and so forth, took the horrible training that was available, got our badges of honor, and probably went nowhere from there. I know a couple of my MSP peers were actually able to get some contract work, which is good, so their ROI turned out really well, but it was because they already had existing relationships that saw CMMC as "holy crap, we gotta do something, let's start to do it now." But I think a vast majority of the organizations that I've been talking to and consulting with, they don't have a clue. They think they want to be ML3, they're not really sure, and well, now we have a little bit more clarity on should they, shouldn't they, where they're going to be, where they're not going to be. See anybody else over here in chat? Okay, there's Steve. Welcome, Steve. Hey, how are you?

I'm swell, thank you.

So what are you thinking of these new changes that hit today?

Well, I actually just joined your webinar, so I didn't hear about everything, and I haven't gone and reviewed it. I've been busy on a customer site, but I definitely know that changes were coming; I just didn't know what all they were.

So yeah, basically, streamlining the process, removing levels two and four, allowing for a POA&M process, time-bound, enforceable, allowing for some waiver process, which I think is interesting as well: development of a selective, time-bound waiver process if needed and approved. So that is basically a way out for some of them, and, you know, time-bound: is it a week, a year, 10 years? Waivers are an interesting concept as well. I wonder if they're going to, in that waiver process, loop in the Department of Defense CIO office like they do right now for the NIST 800-171 process.

Correct, right. So, you know, everybody's made a bunch of different points that kind of all come back to: it's always been 171, it's always going to be 171. Maybe we'll have some enhancements to 171, maybe we'll have some enhancements to the process and approval and certification, we'll have some POA&M process approval and waiver approval, and the ability to possibly opt out of certain individual unique controls based on risk factors. Yeah, I think that's the big word of the day: oh, now we have a little bit more guidance on 171 and 172.

Yeah, that is exactly my read as well. I think it was just a matter of time before they did away with two and four, because they were always intermediate steps, and no one was going to waste their time on two and four; no one was going to do it. And so why did they even have it to begin with? One, three, five. That's going to be interesting, because it's going to change some of our statements of work, and that'll be okay. The other side of it is, now that we have a little bit more guidance, I hope that they come out with a little bit more training, you know, from the LPT perspective, right, the licensed professional trainer perspective.

Yeah, well, you know my opinion on the training. Hopefully their training actually improves. [Laughter] Yeah. So the department intends to allow companies to receive awards with POA&Ms in place. Like, there's really no definition in a bunch of this stuff, so I would imagine, like, okay, we made a rule, we kind of need to put some stuff out there, and then the exact details of how this is all going to work and flesh out will come in the coming weeks, because clearly define timeline... because this is just all fluff, right? This is just all fluff. There's no, like, what is the POA&M process, what's allowed, what's not allowed? What can be, you know, hey, do I have to roll out PIV cards and third-factor authentication to all of them, or can I just get away with Google Authenticator, Microsoft Authenticator, right? Like, the gory, nuanced details, you know, implementation. There isn't a whole crapload of stuff yet; I would imagine that it's going to be coming. Now, there was a lot of discussion on Discord this morning and into this afternoon about these FAR rules. They're certainly detailed, and these things kind of have been around for a while, right? And so there hasn't been a lot of changes that I've yet to see, blah blah blah. Yes, they're still talking about the five-year phase-in.

And in terms of the FAR rules, all of the contracts that I've been dealing with for my clients, every one of them still has the NIST requirement; none of them have been renewed with any material level CMMC requirements. It's all still NIST, right? So until the contract language changes, this is a project to work toward for your clients, but keeping your focus on 171 and the clarity around 171 is going to be key for a lot of MSPs.

Yeah, there's a little bit more info on the FAQ, but still nothing of great depth, right? I'm still seeing a lot of "hey, we're 171, 172, 2.0 or 3.0 or in this case 12.0," right? All right, so I'm going to roll back to our question by Brett. So, to the question that was posed a little while ago, and as MSPs, which a bulk of us on this call are today, where do we go today? What do we do next week, the next three months, the next year? If I could go back to the recording I did in November last year... yeah, I should probably delete that. I think, at least what I'm going to do with my MSP internally, there's two paths that I'm doing with my MSP. Number one, continue to get my house in order, continue to refine my own internal processes, my own internal tools, technologies, SOPs, and align myself with and continue to grow on 800-53 Rev 5, because that's where I started in '07. A lot of these controls align to CMMC 2.0, 171, 172. I am classified as a moderate baseline system based on 800-53, so for me personally, I'm going to continue to take my Rev 5 800-53 and shrink my POA&M and grow my SSP internally. For those of you that are on this call, have you done any of your own internal work on any framework? If you have, raise your hand, and I better see hands from Brian and David and Stephen going up, right? And Jonathan. Yeah, so for those of you that haven't gotten your own house in order, come join us on Thursdays. We're walking through CIS 18 and we're walking MSPs through getting your own house in order, because if you can't get your own house in order, what makes you think you can get your clients, who are contractually obligated, to be in order, right? Now, as far as my client work... I just want to take a second. So Brian, you want to talk a little bit about your experience on what we're doing about getting our own house in order?

Yeah, well, I'm actually a little bit behind the group, but I had actually started doing some self-assessment already, doing not only just simple things like inventory, but also looking at internal policies, how things are being done, making sure we're in alignment with the same compliance that we're requiring of our clients. Part of that is the fact that, with everybody looking at the supply chain, presidential orders coming down the line, and possible legislation where most regular businesses are going to have to fall into some sort of compliance, how can we expect our clients to follow these processes if we're not willing to do them ourselves? And I think that's kind of key to this entire process: not only seeing what we're doing ourselves, but, you know, it's easier to sell if you've done it. But also, how can you look your customer in the eye and say, oh yeah, you got to do this, but no, no, we don't do that either, and oh no, we don't need two-factor authentication or change management or any of the other procedures that are in there? These things are critical.

So yeah, what do I call that? Eat your own dog food.

Yeah, eat your own dog food, exactly.

"Great change for OSC and MSP. C3PAOs that exist have a piece of the pie sliced away into smaller pieces where they get to play." Yeah, hey, Jeff Baldwin, you want to elaborate a little bit on that? Have I allowed you to chat?

Yeah, I can chat. So for an OSC it's a great thing that makes everything easier, but for the ecosystem players, right, so the C3PAOs are not going away, the AB is not going away, it's just they're going to be only at level two for things that are not self-assessed. So they have a lot smaller piece of the pie, because they won't be touching level three at all; that's all government. Level one is going to be all self-assessed, so you have a potential 300,000... it's probably going to be closer to 30,000 when they get to actually play. The other major change on this is the whole notion of everybody had to go get a CCP, CCAs, CCA-1, CCA-3, and part of the rationale for that is because this was so new and so different: we have maturity and all these other things. Well, they just stripped all that out. So if you're doing RMF, you're doing 171, there's never been any kind of requirement to have any kind of certification other than 8570, right? You have to have your CISSP or whatever else; that's only been the requirement. But this was something unique and special and new, so that's the rationale for requiring you to take training and not allowing any kind of self-certification, or self-study to then go take an exam, right? So I don't know, I mean, that's got to change, so there's not going to be a CCA-1 and CCA-3. If they keep that, they might keep CCP and then they might have CCA with no number associated with it, but again that's a smaller piece too. So if you're an OSC, great change; if you're an LTP, a C3PAO, very bad change. But yeah, all the consultants still have a lot of play here, because everybody's still got 171. They still have to work on their SPRS score to get their 110 score, they have to work off their POA&Ms; all that's the same. So consulting is really not affected; it's just really the ecosystem they made out of nothing that was never really needed.

Yeah, you know, you make a really good point. So I'm curious about how many refund requests the AB is going to get. You know, one of the guys in chat in Discord this morning was like, holy crap, I literally just paid for my RPO this morning. So it'll be interesting to see how that whole training piece plays out, how the certification and the AB plays out. As you said, OSCs, organizations seeking certification, it's a win for them, right? Training and certified product providers and C3PAOs, yeah, we'll see where that ends up.

Good, I don't think that's a bad thing at all. I think, for purposes of the OSC and rolling this out, the approach they're taking is a risk management approach, which is: we care about the most critical data, we're going to focus on that; the less critical data we're not going to focus on, you can still do self-attestation. So, like, I think that's the right goal. The goal shouldn't be to get some people money, right? That's not the goal. The goal is we want to roll out this program and shore up the supply chain so that we're not losing CUI that is going to our adversaries and providing national security threats through that aggregation. And the other thing that I kind of was keying on: if you look at 5200.48, when it's going through roles and responsibilities for the DoD for the CUI program, they are in there talking about DCSA, which is the Defense Counterintelligence and Security Agency, having cognizance over CUI for classified programs. And a lot of the CUI you're thinking about that's going to be the most critical CUI is probably going to be associated with a classified program, because that's where you're going to need that security classification guide that talks about when you combine these things together it becomes classified. So one scenario nobody else I've seen talk about is: all right, I'm an OSC, I'm doing a couple of different contracts, all CUI, all in the same customer base, but they're separate contracts, right? So there's separate level twos now, right? They're different requirements, but those two contracting officers don't necessarily know that I'm working on those two different contracts and aggregating two programs' information together, which can very easily become classified. So that's kind of been a blind spot of the overall CMMC model already, but focusing on CMMC for non-classified programs, you don't get as much into... you don't get those security classification guides, you don't get the DD 254, so you don't get all that sort of additional information.

Yeah, and again, you make really good points. It's one thing if I have a blueprint of a lug nut, right, and I'm Joe Manufacturer and all I do is make lug nuts, and I might have a blueprint of a lug nut. But if that manufacturing company also, on a separate contract, has the blueprints for the wheel and the blueprints for the brakes and... and... and..., like cumulatively now you have, I hate to say all eggs in a basket, but now you have the makings of, hey, there's significant CUI in this OSC that, as you said, could then be classified information, right? So it's not maybe the individual component but the cumulative portions that then make our federal government and our DIB vulnerable, right? So not necessarily the lug nut maker that only does one portion, but if their whole company has all of this information, yeah, I think it does make them more vulnerable. As you said, taking a risk-based approach, the guy making the lug nut probably doesn't have a lot of risk, but if that guy making the lug nut was also making 47,000 other things and had all that information as part of his systems, yeah, that's a much higher risk, right? To kind of use that analogy, do you think that's an accurate analogy, Jeff?

Yeah, and it's a tricky one too, because that's a total blind spot. So when you're awarding a contract, you're looking, you're saying, all right, say we're in 2021 and there's a contract requirement that says you have your level three. My program, my specific program, has had its risk adjudication; it says you can self-assess to this or I need a CMMC certificate. But that's not looking at the aggregate risk posture of that organization. That's like doing a true third-party risk assessment versus a CMMC "do you have a certificate" risk assessment, right? Those are two separate things, and from my research that I've seen, the non-government organizations are actually probably doing supply chain risk management better than the government is.

Is that kind of normal though, isn't it?

It could be, because they don't have the same bureaucratic processes that take a little while, and they don't have the same empire building, "this is my silo and you can't touch it." They're like, we don't have silos, we don't have things to break down, we have a problem that we want to solve. So that's kind of the advantage of the private sector anyways, right? And that's kind of an innovation of CMMC, which was they wouldn't be able to scale for performing all those assessments, so by introducing this construct of C3PAOs, that's one way that they could have scaled up. My thing that I would have recommended was make an IDIQ contract, and anybody that wanted to be on that IDIQ contract can apply to be on it and get awarded, and then you're essentially a C3PAO at that point. Not really, but you're an assessment organization on an IDIQ contract that's run through the DoD. And then you take that construct and you have the government people become the team leads, and then field out those teams with people that are on the contract, on the IDIQ. So anytime there's an open billet to be on the assessment team, anybody that's on the IDIQ can nominate a candidate, and then the government selects that candidate, and then they build out their contractor teams that way, and they're each led by a government person as the team lead. And then they can charge money through that, and that's self-funding, and it can scale as much up and down as needed, and you don't have the whole ISO accreditations, you don't have the AB, you don't have any of that, because it's all housed within the DoD itself, and they're the actual risk adjudication authority that's handling everything. They're just staffing up with consultant-like staff, like access for contractors that are part of contractor assessment teams, led by government people. That's how I would have managed it if I was the one in charge of this whole program two and a half years ago.

Yeah, if only, right? In hindsight. So let me just look. We have got about five or six minutes left, and Jeff, I really appreciate the insight; that's been pretty helpful. I think we're probably going to end up having a few more of these sessions. You're probably going to see some from Jacob and others around the ecosystem being pretty vocal about the changes. So does anybody have any one or two pressing questions that we might not have answered already, that we might be able to answer in less than five or ten minutes? No? Awesome, awesome. All right, well, if that's the case, let me just wrap up with
my shameless plug and uh and we can we can all be on our merry way um this sort of concludes this week's edition of the compliancy guys talking about cmmc 2.0 um we meet every thursday at three o'clock eastern time if you would like to uh be part of our peer group you can check us out at thecompliancyguys.com uh for those of you that re watch this on linkedin or uh youtube or facebook uh click like subscribe and share because you know that's what we're supposed to say during these things and uh yeah i look forward to kind of noodling some of the stuff around with us um thank you so much all for attending you
Info
Channel: VITAL Tech Services
Views: 172
Keywords: vital, vital tech services, VITAL Tech, cybersecurity, cyber security, technology, technology services
Id: DrKjGb3Ylcw
Length: 45min 48sec (2748 seconds)
Published: Fri Nov 05 2021