In this podcast episode, Bobby Guerra, Kaleigh Floyd, and Vince Scott discuss the complexities of the Cybersecurity Maturity Model Certification (CMMC) and its phases. Vince shares his extensive background in cybersecurity, transitioning from offense to defense, and the challenges faced by small businesses in achieving compliance. The conversation delves into the realities of implementing CMMC standards, the importance of incident response, and the future implications of these regulations on businesses. They explore the phases of rollout, the importance of self-assessments, and the risks associated with not being certified. The discussion also highlights the capacity issues that may arise as the certification process unfolds and emphasizes the need for proactive measures to ensure compliance and readiness.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome back to another episode of Climbing Mount CMMC.
[00:00:09] In today's episode, Bobby and I were joined by Vince Scott.
[00:00:13] Vince is the CEO of Defense Cybersecurity Group and a retired Naval Officer.
[00:00:19] Today we're going to be talking about the phased rollout of CMMC and our true perspectives on the implementation process.
[00:00:26] We hope you guys enjoy today's episode and let's get into it.
[00:00:32] Hello Climbers and thanks for joining us once again.
[00:00:34] Today we're joined by Vince Scott.
[00:00:36] Vince, thank you so much for joining us.
[00:00:38] Great to be here. I'm really glad to be a part. Thank you for inviting me.
[00:00:41] But I wanted to kind of, you know, give an opportunity, Vince, for you to sort of talk a little bit more about your history,
[00:00:47] about how you got into CMMC, because I find that really interesting.
[00:00:50] And then, you know, just maybe your history of your connections.
[00:00:54] And then we can start, Kaleigh, having you just kind of take us through the phased discussion.
[00:01:00] Yeah.
[00:01:01] Yeah, sure. Thanks, Bobby. I really appreciate it.
[00:01:03] Thanks to you guys for inviting me.
[00:01:06] I am an early computer science graduate from the United States Naval Academy.
[00:01:11] I was one of the first classes that they were offering a computer science degree, which I guess means I earned my gray beard here.
[00:01:18] And then I went to sea in ships for six years.
[00:01:22] And, you know, that doesn't sound terribly relevant, but I really think it gave me a great founding in looking at things as a system of systems.
[00:01:33] A Navy ship engineering plant is this incredible system of systems and things interconnect and they affect each other.
[00:01:40] And I think that's the way we live in IT networks today.
[00:01:43] Right. We have systems of systems and how these things interconnect is super important.
[00:01:49] And then I fell into the clutches of the National Security Agency and became a U.S. Navy cryptologist.
[00:01:58] So most people don't realize over half of NSA's workforce is uniformed military and really lived in that sort of environment throughout the rest of my career.
[00:02:10] I was the cryptologist at U.S. Special Operations Command on 9-11.
[00:02:15] I went across the street to U.S. Central Command on MacDill Air Force Base.
[00:02:19] I ran intelligence collection for the bin Laden hunt for a while.
[00:02:23] I ran intelligence collection for the invasion of Iraq.
[00:02:27] I ended my career as the deputy chief of intelligence collection for Europe and Africa in U.S. European Command in Stuttgart, Germany.
[00:02:35] And so but all of that was really offense.
[00:02:40] Right. I didn't have anything to do with defense at all in that whole time frame.
[00:02:46] And so a lot of people in the cybersecurity community either grow up out of IT or grow up out of security and compliance.
[00:02:54] Right. So defense.
[00:02:57] I used to play offense and now I coach defense.
[00:02:59] So I do bring a little bit of a different outlook based on those experiences.
[00:03:06] And that at times leads to me to seeing risks very differently than the others in the professional community.
[00:03:16] I became the chief security officer for a company that had been supporting that initiative.
[00:03:22] Indeed, it had brought me on board as part of that.
[00:03:25] Right.
[00:03:25] I became their chief security officer.
[00:03:28] So owning internal audit, FSO and cybersecurity, but not IT separate.
[00:03:35] Right.
[00:03:37] And early in that, even when I was still working the TU not for profit piece, the CEO of that company had said, hey, Vince, can you help us with this NIST 800-171 thing?
[00:03:48] I'm worried about it.
[00:03:49] And this was like 2018, spring of 2018.
[00:03:56] Okay.
[00:03:56] Right.
[00:03:57] So the one January 2018 was the deadline to have all of this in place.
[00:04:02] But he knew that his team hadn't, to that point, really gotten it all done.
[00:04:06] I got an SSP that was half done with comments in it.
[00:04:11] Here, go do this.
[00:04:12] And so really came at the 171 requirements very differently than many people.
[00:04:22] Many people come from the 853 federal government world and sort of get into that from that perspective.
[00:04:30] Mm-hmm.
[00:04:31] I have, I've got a lot of federal experience.
[00:04:34] And as we'll talk in the phase period, I've also collected some really good contracts experience, both at Oklahoma State.
[00:04:41] Had a lot to do with contracts and how that worked.
[00:04:44] And some of that even impacted on the cyber side.
[00:04:46] Right.
[00:04:46] And then, you know, today I'm very involved in sort of what's going on in contracting land.
[00:04:53] The, you know, the approach of cybersecurity, though, was very much from the, what I'd learned in corporate NIST, CSF, PwC.
[00:05:04] Hey, this is just another framework that we need to go do.
[00:05:09] Right.
[00:05:09] So a lot of what my company does is we go in to companies that need help and we start helping them to move on their CMMC journey.
[00:05:21] Okay.
[00:05:21] What do we need to do?
[00:05:22] Can I just buy this?
[00:05:24] No.
[00:05:25] You cannot just buy this.
[00:05:27] Okay.
[00:05:27] Let's start with that.
[00:05:28] No button that I can hit.
[00:05:30] Is it crazy?
[00:05:31] You can't just download it?
[00:05:33] Can't I just download a tool?
[00:05:35] Hey, I downloaded a tool.
[00:05:37] I'm in GCC High.
[00:05:39] I'm good.
[00:05:39] Right.
[00:05:40] I don't need to worry about this.
[00:05:42] Lord.
[00:05:44] I talked to Summit 7 once three years ago.
[00:05:47] That's good.
[00:05:47] Right.
[00:05:49] I'm saving their proxy.
[00:05:50] I used their bathroom in their facility one time.
[00:05:53] Wow.
[00:05:54] You got a lot of hats.
[00:05:55] One of the things that I've said is this analogy is like you think you know what a bike is about.
[00:06:01] But if you had like 10 people and you're like say draw a bike.
[00:06:05] And what a lot of times people do is they get the joints on the bike wrong.
[00:06:09] Right.
[00:06:09] And they the way that they they draw it and it shows their understanding is not quite accurate.
[00:06:14] But when you start actually getting into the physics of doing it and applying it and it really opens your eyes a lot more.
[00:06:23] And I think that's so true because it provides a lot more value of how you're doing it.
[00:06:27] As we've done it, you know, I can go through and look at the controls.
[00:06:30] But then as I start thinking about what are the procedures and processes in my organization as an MSP?
[00:06:35] How do I do it?
[00:06:36] And then how can I do it at scale?
[00:06:38] Right.
[00:06:38] Well, I am so excited then for you to come on this podcast episode and share your perspective, you know, with with all of the different aspects in this, you know, CMMC environment that you are a part of, especially even to like what Bobby was saying as not only implementing it as a business yourself, but also trying to, you know, now help clients in that environment and that kind of thing.
[00:07:05] So I love this perspective that we have here.
[00:07:07] I want to dive into the timeline.
[00:07:10] Let's talk about these phases.
[00:07:12] Right.
[00:07:13] And what we've learned with this final rule and kind of your your guys's different perspectives on what you think this is going to look like.
[00:07:23] And, you know, we're going to say this because we get this question a lot.
[00:07:27] And do we know 100 percent what it's going to look like?
[00:07:31] No.
[00:07:31] But because we get this question so much, we thought, why not talk about our perspective on this, you know, and see if it can help some businesses, subcontractors, you know, those out there that are listening to this episode kind of get a little bit of a perspective if maybe they don't know.
[00:07:47] Right.
[00:07:48] So, okay, let's talk about the final rule was published, fully published on October 15th.
[00:07:57] Correct.
[00:07:58] Right.
[00:07:58] And so that 60 day period then begins after that, where now in December of 2024, companies can get certified.
[00:08:11] Right.
[00:08:12] So they can get assessed.
[00:08:15] And, you know, we are going to be we've said this very openly in our in our podcast before.
[00:08:21] We are going to be one of those that goes, you know, head over heels into our assessment.
[00:08:28] Potentially.
[00:08:30] Potentially.
[00:08:30] So there are a couple.
[00:08:33] The DOD has taken their brake off the ecosystem.
[00:08:37] They were previously saying, you can't start.
[00:08:40] We're not going to let you start no matter how ready you are until the final rule.
[00:08:44] Yeah.
[00:08:45] So the AB said, no, no assessments, no certifications.
[00:08:48] That brake is off.
[00:08:50] However, there are other brakes.
[00:08:52] There are other things that must be accomplished before we start certification assessments.
[00:08:58] Two big things.
[00:08:59] One is we need a CAP, right?
[00:09:01] A CMMC Assessment Process document.
[00:09:03] We have a draft from a couple of years ago.
[00:09:05] AB is actively updating that document.
[00:09:09] Hopefully we're going to see it here in December.
[00:09:14] But I haven't seen it yet.
[00:09:16] My understanding is, is there they have engaged professionals in the space.
[00:09:22] Thank God.
[00:09:23] Yes.
[00:09:24] In the C3PAO community in contributing to this update, which did not happen before and was very obvious that it didn't.
[00:09:31] They did not get enough input on the current draft that is posted.
[00:09:36] So some good people in part of that.
[00:09:38] And, and so we will see what we see.
[00:09:40] But my understanding is they're going to come out with a final CAP.
[00:09:43] Like this is CAP version, you know, 2.0.
[00:09:46] Here you go.
[00:09:49] Go.
[00:09:49] So, so it will be interesting to see what is in that document.
[00:09:54] Right.
[00:09:55] You think they'll pause it without the final?
[00:09:59] You think they'll, they'll hold it back?
[00:10:02] How do you mean?
[00:10:04] Like you, you feel like that, that if they don't have the, the, the full CAP.
[00:10:07] By December.
[00:10:08] We can't, we cannot do a certification assessment really without a final assessment process document.
[00:10:17] I agree.
[00:10:19] That feels very insane to, to, to not do that.
[00:10:22] And I thought that might play out that way.
[00:10:24] That's why when I scheduled mine, they were like, you know, I think it could be in December.
[00:10:27] And I was like, let's do January and try to allow for a little bit more time.
[00:10:33] And, and I, and I was worried about the eMASS access as well, that that might not be ready.
[00:10:38] And, and I've heard some people say that you could almost like a credit card machine,
[00:10:42] write it all down and then load it when it becomes available.
[00:10:44] But, uh.
[00:10:46] Well, that'll be, that may be an interpretation that the AB and the DOD talk about that.
[00:10:51] Right.
[00:10:51] And they come out and give permission for C3PAOs to physically record assessments, results,
[00:11:01] and then upload those when the upload is available.
[00:11:04] I, maybe, uh, but I, I, I think unless they come out and tell us you don't need that because
[00:11:11] it's a required part of the process.
[00:11:13] That's how I get certified.
[00:11:15] And the DOD knows that I'm certified is by that submission.
[00:11:19] Yeah.
[00:11:20] Uh, I think we need that in order to do that, you know, a final certification.
[00:11:26] See, this is why I was excited for this conversation because you can read and look at the graph
[00:11:32] that they've given us all you want, but until you start putting the implementation into perspective
[00:11:38] of what really occurs after this rule was finalized and published, what this means for
[00:11:45] the rest of the environment around it.
[00:11:48] You know, that's where you start to hear some of these, you know, interesting answers.
[00:11:52] I had another, here's another thing that's got to be finished.
[00:11:55] I think it's going to be, we're going to make the 16 December deadline on this, but still
[00:11:59] is work to be done.
[00:12:02] Qualification of lead assessors.
[00:12:04] The eight, it's a requirement in the rule to have a lead assessor.
[00:12:09] To have at least one.
[00:12:10] We have no lead assessors qualified officially today.
[00:12:15] Right.
[00:12:16] Uh, I expect the town hall.
[00:12:18] I know the town hall this month that's going to talk to that and what the submission process
[00:12:23] is, right?
[00:12:24] We've been told to kind of hold off.
[00:12:26] Don't flood me with your resumes and certifications yet.
[00:12:29] Let us tell you how to do that.
[00:12:31] But that's going to get turned on very quickly.
[00:12:33] We're going to need to get, uh, the lead assessor, uh, qualification stack so that on
[00:12:40] the 17th of December or whenever this starts, the C3PAO will be able to say this person, Kaleigh
[00:12:49] is a qualified lead assessor and she can do this.
[00:12:53] Well, it's kind of like when you buy the car, right?
[00:12:56] But they didn't have it in stock.
[00:12:57] So they're going and getting it, you know, in, you know, a town wherever.
[00:13:04] And they were going to bring it there the next day.
[00:13:05] Like you can't get that fast enough.
[00:13:07] These C3PAOs have gone through hell to get certified and all of this stuff.
[00:13:11] And they're like, let's get going.
[00:13:14] You know, the assessors that have gone through all of the tier three assessment process and
[00:13:19] gone through all of the stuff they got to do.
[00:13:21] They're ready to go.
[00:13:21] They want to get going, you know, they want to, they want to get started.
[00:13:24] Absolutely.
[00:13:25] No, I think the C3PAOs are certainly going to be leaning into getting all the pieces
[00:13:29] in place as soon as we can.
[00:13:31] I don't foresee a long delay in that, but there are some other things that we need to
[00:13:35] keep our eyes on, uh, before beyond just the rule.
[00:13:40] Great point.
[00:13:40] I love that.
[00:13:41] Yeah.
[00:13:41] I love it too.
[00:13:42] Now I'm excited to talk about, let's go into phase one, right?
[00:13:46] So phase one is level one and level two self-assessments, correct?
[00:13:51] Which is there is no CCA required in those.
[00:13:56] That is when a company is doing it themselves, correct?
[00:14:00] So that won't pause because of a CCA shortage, right?
[00:14:07] Because you don't technically need a CCA for that.
[00:14:10] So companies should still be able, should still be able to accomplish these self-assessments
[00:14:19] themselves without that perspective.
[00:14:22] What are your thoughts on that, Vince?
[00:14:24] Like, and how that phase is going to go?
[00:14:27] A couple of things.
[00:14:28] Let's talk about when that phase starts.
[00:14:30] And that phase doesn't start on the 17th, right?
[00:14:33] And you guys know this, but for the, for the viewers, right?
[00:14:36] Like that phase one starts when the other rule that we're working on for CMMC, 48 CFR, goes
[00:14:45] final.
[00:14:46] So that was proposed.
[00:14:47] We had a comment period that actually closed October 15th.
[00:14:51] They now have to adjudicate those comments.
[00:14:53] It has to go back to OMB, go through that old process.
[00:14:57] We anticipate with the DOD really wanting to get this done and doing this faster than
[00:15:03] usual and all that stuff.
[00:15:05] Mm-hmm.
[00:15:06] And sort of the rumor mill, what we hear is that we will likely see a final 48 CFR rule
[00:15:14] March-ish of next year.
[00:15:17] Now we're speculating, right?
[00:15:19] Right, right.
[00:15:20] And then May-ish of next year, that will go final and we will have a start date.
[00:15:28] Right.
[00:15:28] Um, so, so when we talk about phase one, I'm thinking April, May next year, somewhere at
[00:15:36] quarter two is probably safe.
[00:15:39] Maybe that, I think you guys had June down.
[00:15:41] Yeah.
[00:15:41] You know, it easily could be June, uh, probably actually published in March and active in
[00:15:47] May is probably as soon as they could possibly do that.
[00:15:50] Right.
[00:15:50] Mm-hmm.
[00:15:50] Um, I, I, I tend to be a little earlier on that because I'm, I'm trying to push my clients
[00:15:55] to, hey, no, you don't want to wait until after the rule is final and you have a self-assessment
[00:16:02] requirement in order to be ready for this.
[00:16:05] Mm-hmm.
[00:16:06] Um, so, so phase one will start.
[00:16:09] What they said in the rule was phase one should be self-assessment.
[00:16:17] But if we feel like it, we can put a certification requirement in a contract.
[00:16:23] Here we go.
[00:16:24] We're going into it.
[00:16:25] Dip the toe in.
[00:16:27] Okay.
[00:16:28] Mm-hmm.
[00:16:29] Now, you also additionally, we're looking at the defense industrial base on this.
[00:16:36] Look at this from the Lockheed Martin perspective, back to me trying to get my clients already
[00:16:43] a little early.
[00:16:44] Right.
[00:16:45] But that's the DOD's implementation timeline.
[00:16:48] Uh, I talked to a Lockheed Martin skunkworks subcontractor this morning.
[00:16:53] Cool.
[00:16:54] They're doing some cool stuff.
[00:16:56] Uh, but they're like, no, we gotta be, we gotta be moving on this.
[00:17:01] And because there is, and part of my advice to them was, hey, when is Lockheed Martin going
[00:17:06] to tell you, you have to be certified?
[00:17:09] Mm-hmm.
[00:17:11] That's going to be very prime contractor dependent, maybe contract dependent.
[00:17:17] Yeah.
[00:17:17] Um, uh, so we don't know and we can't know the answer to that question.
[00:17:23] And it's not, it's outside of rulemaking and we're not going to find that written in
[00:17:27] the rule.
[00:17:28] Right.
[00:17:29] If you're a subcontractor to a beat prime, now that certifications have started or could
[00:17:36] start, you know, that's December, January timeframe, they could come in and Martin's
[00:17:40] and say, I need you to get certified to get this contract.
[00:17:45] We don't know how they're going to play it.
[00:17:48] Yeah.
[00:17:49] Yeah.
[00:17:49] Um, that, but, but so that there's this risk profile across the defense industrial base,
[00:17:56] I would argue that sometime after 17 December, your risk of having a contract that you care
[00:18:08] about that's going to mandate a certification requirement kind of starts to creep up a little
[00:18:14] bit every day.
[00:18:15] Yeah.
[00:18:15] In these early days, it's not very high.
[00:18:18] And indeed, because we've said mostly self-assessment for the first year, it's probably not real high
[00:18:27] for the first year.
[00:18:28] And maybe you could negotiate if somebody comes down and says, you've got to be certified going,
[00:18:32] well, this is actually the, the self-assessment period.
[00:18:35] And didn't you really mean to say that you thought it'd be okay if we self-assessed during
[00:18:39] this period?
[00:18:40] You might be.
[00:18:41] Well, if, so if I'm a prime contractor, what are the prime contractors going to do?
[00:18:46] I want everybody to be certified because that makes my life easier as the supply chain risk
[00:18:52] management guy at Lockheed Martin.
[00:18:54] Right.
[00:18:54] Who I don't know, by the way, I have, I have not, I'm just using them as a case study for
[00:18:59] the big, big, uh, you know, defense contractors.
[00:19:03] Mm-hmm.
[00:19:05] RTX, whatever, pick one.
[00:19:08] So those supply chain risk management guys probably don't know CMMC as well as we do.
[00:19:14] Right.
[00:19:15] They just know it's a thing and they saw a certification and okay, now they start pushing
[00:19:20] out.
[00:19:20] Everybody's got to be certified.
[00:19:21] In fact, I have seen large prime contractors send questionnaires over the last two years
[00:19:30] asking, when are you going to be certified?
[00:19:33] Hmm.
[00:19:36] Well, until the final rule hit the street, nobody knew.
[00:19:42] Mm-hmm.
[00:19:42] I can't give you a date because I don't know when DOD is going to let certification assessments
[00:19:47] start.
[00:19:48] Don't ask me.
[00:19:49] I don't know.
[00:19:49] You don't know either.
[00:19:50] Go away.
[00:19:52] Right.
[00:19:53] That's a stupid question.
[00:19:55] Don't ask me that question.
[00:19:56] Don't ask me that question.
[00:19:57] So, so, but that's sort of where those supply chain risk management people are at.
[00:20:03] Yeah.
[00:20:04] Right.
[00:20:04] And once certifications can be done, now I can no longer say this is a stupid question.
[00:20:11] Now we got to say, when is that?
[00:20:15] And they may shift to at some point starting to require certification for their supply chain,
[00:20:22] whether they have a requirement yet or not.
[00:20:25] Right.
[00:20:26] Mm-hmm.
[00:20:26] That's up to them.
[00:20:28] Yep.
[00:20:28] That's up to them.
[00:20:29] And this is back to that very real, the CEO we talked about.
[00:20:34] They'll never not buy my stuff because I'm not certified.
[00:20:38] Mm-hmm.
[00:20:39] It's, it's good to be confident.
[00:20:41] Exactly.
[00:20:42] I probably wouldn't be that confident, but it's good to be confident.
[00:20:45] But there is some wiggle room in that.
[00:20:47] Right?
[00:20:47] Mm-hmm.
[00:20:49] People talk about there are no waivers, right?
[00:20:51] And you won't get a waiver.
[00:20:53] Right.
[00:20:54] But it might not get the requirement.
[00:20:57] You know, so there, there's some.
[00:20:58] Right.
[00:20:59] We might negotiate on that in the self-assessment timeframe, et cetera.
[00:21:04] So.
[00:21:04] Yeah.
[00:21:05] I see, I see that phase one.
[00:21:07] Definitely.
[00:21:08] There is an opportunity for negotiation from a prime to a sub.
[00:21:11] I think so.
[00:21:12] Absolutely.
[00:21:13] I definitely see that, but I see a competitive advantage for those people that do get it.
[00:21:17] Right.
[00:21:17] Mm-hmm.
[00:21:18] Because you were talking about the risk piece.
[00:21:20] But there's going to be a massive amount of flow down at a minimum of level one and two
[00:21:25] self-assessment processes that they have to.
[00:21:28] Do you feel that the primes, even though they can't see per se what their subs are doing
[00:21:37] in their SPRS score, other than if they pinky promise on that?
[00:21:40] How do you see that playing out?
[00:21:42] I'm just curious.
[00:21:42] Okay.
[00:21:43] So as a prime already, who already has the 7019, 7020 flow down requirements to my subs,
[00:21:51] what we have required is a snapshot of your SPRS entry.
[00:21:56] So you want a picture of it?
[00:21:58] I want a picture.
[00:21:59] All right.
[00:21:59] Show me the snapshot of your SPRS.
[00:22:01] I can't see the database.
[00:22:02] Show me the Carfax.
[00:22:04] Yeah.
[00:22:05] Right.
[00:22:05] Use your snipping tool on your computer.
[00:22:07] It's really easy.
[00:22:08] Pull it up.
[00:22:09] I mean, yeah.
[00:22:09] Snapshot it for me.
[00:22:10] Send it to me.
[00:22:10] Yeah.
[00:22:11] That's our requirement for our subcontractors.
[00:22:14] Now, I have had probably a majority of those subcontractors black out the score.
[00:22:24] I've accepted that up until this point.
[00:22:27] Yeah.
[00:22:28] Because I was not required under the regulation 7019, 7020, as it currently exists in DFARS,
[00:22:36] and flowing this down, the requirement was that a score was submitted.
[00:22:41] I've done my job.
[00:22:42] It didn't say a specific score.
[00:22:44] There was no minimum score.
[00:22:45] Okay.
[00:22:47] This is the massive change in CMMC self-assessment.
[00:22:52] If you're CMMC self-assessing, right?
[00:22:57] When 48, so May, June next year, you have to do your self-assessment.
[00:23:02] And be willing to fail yourself.
[00:23:04] But what's the minimum score under CMMC?
[00:23:07] Yeah.
[00:23:08] 88, I guess, right?
[00:23:09] 88.
[00:23:10] That's right.
[00:23:11] There is a minimum score inherently.
[00:23:13] Yeah.
[00:23:13] I have already drafted the letter to subcontractors that says, that's not going to fly anymore.
[00:23:18] You're going to have to show me what your score is.
[00:23:19] Yeah.
[00:23:20] What I'm telling my clients is, April of next year, 88 miles per hour.
[00:23:27] Right?
[00:23:28] That's good.
[00:23:28] That's the speed limit.
[00:23:29] I like it.
[00:23:32] I'm going to use that.
[00:23:33] Speed limit?
[00:23:34] Kaleigh, do you not know what movie I got that from?
[00:23:36] Oh, yeah.
[00:23:38] What?
[00:23:38] I'm supposed to know.
[00:23:39] No.
[00:23:40] Come on.
[00:23:41] She doesn't know you have failed, Bobby.
[00:23:43] I have failed the father.
[00:23:45] For cultural upbringing.
[00:23:46] No.
[00:23:47] We do not know.
[00:23:49] 88 miles per hour.
[00:23:51] Come back to Jacksonville for reconditioning, honey.
[00:23:53] Come on back.
[00:23:54] Come on back.
[00:23:54] I'm going to get freaking bullied for this now.
[00:23:57] It's just terrible.
[00:23:57] I'm going to have to edit this out.
[00:23:59] I'm going to have to edit this part out.
[00:24:00] It's the first.
[00:24:01] Oh, heck no.
[00:24:02] It's staying in.
[00:24:05] Oh, no.
[00:24:06] It is the first Back to the Future movie.
[00:24:09] Yeah.
[00:24:09] Oh, okay.
[00:24:10] 88 miles per hour is where the DeLorean enters the time warp.
[00:24:14] Oh, okay.
[00:24:15] Only 88 miles per hour?
[00:24:17] And then, wow.
[00:24:18] 88 miles per hour.
[00:24:19] Wow.
[00:24:20] That's a good.
[00:24:21] I'm going to have to.
[00:24:21] I'm stealing that one, Vince.
[00:24:23] Flux capacitor.
[00:24:23] I think we might have to make that into a shirt.
[00:24:25] Yeah.
[00:24:26] Yeah.
[00:24:27] For CMMC flux capacitor, 88 miles per hour.
[00:24:30] Oh, my gosh.
[00:24:30] I love it.
[00:24:31] I love it.
[00:24:34] So part of my advocacy for OSCs, OSAs, you know, organizations seeking certification
[00:24:41] or assessment across industry is you should plan to be an 88 by next April because when the
[00:24:49] self-assessment rule comes in and the clause is going to roll out everywhere.
[00:24:54] Yeah.
[00:24:55] Right?
[00:24:56] To mandate the self-assessment.
[00:24:57] So it's going to pop in all kinds of contracts across the board.
[00:25:03] Got to be 88.
[00:25:04] And you're affirming, which is the equivalent of swearing a legal oath, which comes with potential
[00:25:15] personal criminal fraud risk.
[00:25:20] You're signing.
[00:25:21] You're the named affirming official.
[00:25:24] You are swearing that you really are an 88.
[00:25:29] Right.
[00:25:30] So what have we seen broadly in the, you know, defense industrial base today is a lot of wishful
[00:25:35] thinking.
[00:25:36] Right.
[00:25:36] In score generation.
[00:25:39] Where, oh yeah, I'm a 110.
[00:25:41] Oh, you're going to look at me?
[00:25:43] No, I'm actually a negative 203.
[00:25:44] Oh, well, yeah.
[00:25:46] Right.
[00:25:46] Right.
[00:25:47] There's just been, I mean, go back to DIBCAC 18 months ago or so did, you know, share their
[00:25:54] numbers and they said that the average delta in score when they went in and looked at an
[00:26:01] organization was negative 100 points.
[00:26:05] That was the average that DIBCAC put on their slides.
[00:26:08] Right.
[00:26:08] So over a couple of hundred companies, I think that was their average delta.
[00:26:15] They said there were 110.
[00:26:16] We went in and they really were a 10 or they said they were a 70 and they were a negative
[00:26:23] 30, whatever.
[00:26:24] Right.
[00:26:24] Wow.
[00:26:25] So that affirming to me is a real hook.
[00:26:32] You have a person, an executive at an organization who's going to have to go down in writing that
[00:26:37] we really are that score.
[00:26:39] And it really does open up risk.
[00:26:41] And the requirement for the evidence to be stored for a specific period of time.
[00:26:47] Yeah.
[00:26:47] I think also.
[00:26:48] Yep.
[00:26:49] Does that.
[00:26:50] Yes.
[00:26:50] That was going to be another hook.
[00:26:52] Right.
[00:26:52] Which is you may have seen me post about that, Bobby, which was, hey, by the way, we all have
[00:26:57] to up our game on this because you have to archive evidence to support your score and you have
[00:27:04] to keep it for six years at the request of the Department of Justice is what they said
[00:27:10] in the rule.
[00:27:11] So there's no mystery about why they're asking you to keep this.
[00:27:15] Yeah.
[00:27:16] Right.
[00:27:17] So all of those things.
[00:27:19] So the personal risk, the liability, the requirement to collect evidence to support.
[00:27:27] And here's the last thing.
[00:27:29] Probably at some point, somebody is going to come and check your homework.
[00:27:33] Yeah.
[00:27:34] That's never been happening before.
[00:27:36] That's so true.
[00:27:37] Wow.
[00:27:37] Right.
[00:27:38] So not only are you taking this risk, but you're taking this risk knowing that probably
[00:27:45] someday an assessor is going to walk in here and look at that.
[00:27:49] Well, let's theorize about that for just a second, Vince.
[00:27:52] So let's say phase one, right?
[00:27:56] You have.
[00:27:57] We have a data past phase one.
[00:27:58] Okay.
[00:27:58] Yeah.
[00:27:59] So let's say that you.
[00:28:00] We're passionate, man.
[00:28:02] So let's say, you know, you have several contracts.
[00:28:06] You self-assess.
[00:28:07] You do your SPRS score.
[00:28:08] You win them.
[00:28:09] High five.
[00:28:10] Year two, you happen to be one of the lucky ones and you get a level two certification.
[00:28:18] You go in and you get assessed by a third party and you are woefully inadequate.
[00:28:24] Now you have multiple contracts and your SPRS score does not warrant you to have those contracts.
[00:28:31] So my point, I guess I'm making is, is okay, you might get away with that year.
[00:28:36] But later on when the third party assessment happens and it's clear, you haven't been doing
[00:28:40] it all along.
[00:28:43] Yes.
[00:28:44] Well, that's why that risk is different.
[00:28:46] Right.
[00:28:47] So I'm not just rolling the dice that I'm going to be one of three of 80,000 companies that
[00:28:52] the DOJ actually looks at.
[00:28:54] Mm-hmm.
[00:28:55] Maybe those Vegas odds are pretty good.
[00:28:57] But we're rolling the odds that almost 100%, you're probably going to end up with a certification
[00:29:07] assessment at some point if you're operating in this space over time.
[00:29:11] Mm-hmm.
[00:29:11] Based on the way the DOD has said this, it's, it's very likely that eventually you're going
[00:29:17] to have to be certified and not avoid the certification requirement altogether.
[00:29:24] There are some exceptions.
[00:29:25] Maybe you're totally a COTS.
[00:29:27] I sell seat covers.
[00:29:29] I sell seat covers to the DOD and everybody else.
[00:29:32] I'm COTS.
[00:29:33] I'm exempt.
[00:29:33] I never have to worry about it.
[00:29:35] Maybe you're only a level one company.
[00:29:40] But there's a lot of CUI out there and the DOD isn't sharing that increasingly and they're
[00:29:45] identifying it more than they ever were.
[00:29:48] Right.
[00:29:49] The rollout of the CUI program has been slow.
[00:29:52] So we haven't seen as much documentation marked as CUI, but where this is going is probably
[00:29:58] most contracts are going to involve some CUI.
[00:30:01] Some part of the statement of work is going to be CUI.
[00:30:04] Phase two is now going to introduce the option for level two assessments being done by a third
[00:30:11] party.
[00:30:13] Well, it will, because we put this caveat in that you can ask, the government can ask for
[00:30:19] them whenever they want.
[00:30:20] But it makes me wonder how much different there's going to be between phase one and phase two,
[00:30:25] because we're explicitly making it a part of the phase now.
[00:30:30] Yeah.
[00:30:30] But really, we said it was okay for them to do that ahead of time.
[00:30:34] And maybe rolling back to phase one on that, Bobby, based on my experience with the previous
[00:30:39] rollout of 70.1, I saw this happen.
[00:30:42] In the rule, they said you cannot do this unless you ask the DOD CIO's permission.
[00:30:49] I immediately got three contracts that they threw the 7021 clause on.
[00:30:57] So I actually saw that memo out of big Air Force acquisition.
[00:31:02] Somebody shared it with me.
[00:31:04] They wrote a memo.
[00:31:05] The new 7019, 7020, and 7021 all came out in a block in 2020.
[00:31:12] Right.
[00:31:13] Right.
[00:31:13] Is when that originally rolled out in 2020.
[00:31:16] And they rolled out a memo that said, hey, put all these on contracts.
[00:31:21] They didn't explicitly say that about 7021.
[00:31:24] But if you weren't reading really closely the memo, it kind of sounded like, hey, put all
[00:31:29] these on.
[00:31:30] And so many contracting officers, 7019, 7020, 7021 appeared on my contracts.
[00:31:38] You now got this L2 Self and L2 C3PAO sort of designations.
[00:31:45] I think we'll see that in the final rule is the way that will come out.
[00:31:51] However, there's still a requirement, right, for the contracting officer to then ask for
[00:31:58] those certifications, right, and check CMMC eMASS or SPRS.
[00:32:05] It's supposed to flow into SPRS to see that you have a certification assessment.
[00:32:11] If they don't do that, what will that mean?
[00:32:16] Right.
[00:32:17] They're rolling the contract out anyway.
[00:32:19] Yeah.
[00:32:22] Wow.
[00:32:23] What if they decide to just put a certification assessment in there as a requirement?
[00:32:27] Well, why should I have to update the contract next year?
[00:32:29] They're going to have to get certified eventually.
[00:32:31] Just put it in there.
[00:32:31] So just to briefly say, if we're saying June of 2025 for phase one, those of you who might
[00:32:37] not know how the phases work, they don't actually say dates in these phases, right?
[00:32:42] They say it based upon the previous phase.
[00:32:45] So like phase two is one year after phase one is started and phase three is one year after
[00:32:54] phase two, right?
[00:32:55] So if we're taking that into consideration with phase one, June 2025 starting, okay, we're
[00:33:02] going to say, let's say that date, then that would mean that full implementation.
[00:33:07] If it fully rolls out would be June of 2028, right?
[00:33:12] Is what they consider full implementation of this thing.
[00:33:16] Okay.
[00:33:17] But there's two things that I just wanted to talk about that are in the rule that I think
[00:33:20] are important to note.
[00:33:22] And you can't just say, oh, well, I'll wait until 2028, right?
[00:33:25] So the first thing that we talked about briefly is the DOD may choose to negotiate modifications
[00:33:34] adding CMMC requirements to contracts awarded prior to CMMC implementation, right?
[00:33:41] Which we have talked about could encompass phase one through phase three.
[00:33:46] At any moment, the DOD could come back and implement that, right?
[00:33:51] I would argue that that statement implies from December 17th until the start of phase one,
[00:33:58] two.
[00:33:59] Okay.
[00:34:00] Okay.
[00:34:01] So this, so what is this?
[00:34:04] I've heard rumor of it, of people having stuff starting to show up.
[00:34:07] Oh, really?
[00:34:08] Really?
[00:34:09] Okay.
[00:34:09] Yeah.
[00:34:10] Yeah.
[00:34:10] Now I, it's, it's hearsay.
[00:34:13] Well, and Bobby, I talked a lot.
[00:34:16] One of the parts of this was, was both views.
[00:34:20] I think you see it perhaps less scarily than I do on that.
[00:34:26] Oh, I'm scared.
[00:34:28] Well.
[00:34:29] I'm just hoping.
[00:34:31] He's doing it.
[00:34:31] He's doing a good job being hopeful, right?
[00:34:34] Yeah.
[00:34:34] Okay.
[00:34:34] All right.
[00:34:35] But is there anything for me that you would push back on and say, well, you know, Vince,
[00:34:39] I really see it maybe a little better than that.
[00:34:42] I think you're probably right.
[00:34:43] I'm just, I'm hoping cooler heads prevail in that perspective, you know, that Kennedy's
[00:34:51] on the phone saying, you know, don't shoot as the boats are coming, you know, and everybody
[00:34:58] sort of turns and this thing sort of plays out and the cooler heads prevail and, you know,
[00:35:02] no, no nukes were launched, but I wouldn't hold my breath.
[00:35:07] Uh, I, I feel like your perspective is probably more plausible, but.
[00:35:14] Okay.
[00:35:14] I, I, I, I'm sorry.
[00:35:17] What were you going to say?
[00:35:17] I was going to say, I like the.
[00:35:20] From every day, 17 December on as a DIB contractor, your risk of losing business because
[00:35:28] you're not certified is going to increase.
[00:35:30] I think that goes to you, Bobby about, Hey, do we want to get certified early?
[00:35:35] Um, you know, we know how long it, you work years on some of these DOD contracts.
[00:35:40] Mm-hmm.
[00:35:42] You, it would be terrible, devastating to lose.
[00:35:46] Yeah.
[00:35:47] A $40 million contract, uh, because you weren't ready.
[00:35:54] So there's one more thing that I wanted to ask.
[00:35:57] And I've just, just curious about just to sort of challenge a perspective of this phase rollout
[00:36:04] that we're discussing, because when talking about, if you don't, if you didn't know the
[00:36:11] proposed, uh, the 32 CFR proposed rule actually had phase one is six months long.
[00:36:16] And then the final rule extended it for a whole year.
[00:36:22] Right.
[00:36:22] So if you're listening to this and you didn't know that, that occurred, which is a nice
[00:36:27] extra six months, right?
[00:36:29] That's a good deal.
[00:36:29] So I just wanted to highlight though, in the section where they talk about this, um, the
[00:36:36] last sentence that occurs says further extension of the implementation period or other solutions
[00:36:45] may be considered in the future to mitigate any C3PAO capacity issues, but the department
[00:36:53] has no such plans at this time.
[00:36:55] I, when I read this, I found this incredibly fascinating.
[00:36:59] Because they very specifically talk about mitigating C3PAO capacity issues.
[00:37:07] And so my thoughts are the perspective that they're looking at right now is the, the implementers
[00:37:15] as far as C3PAO CCAs that when you were talking about lead, right?
[00:37:22] The leads that are required for this assessment team that it, that is literally required.
[00:37:27] They're going to be looking at that implementation to see if it goes faster than they're thinking
[00:37:34] or slower.
[00:37:36] And if it goes slower, then they might need to be thinking about what they chose to do as
[00:37:43] far as, you know, implementing this.
[00:37:45] And I just, I just found like, I just thought it was interesting that the reasoning behind
[00:37:50] that further extension possibility was, you know, to mitigate any C3PAO capacity issues.
[00:37:58] And that's a completely separate issue, right?
[00:38:02] Uh, from what we've been talking about, about from the DOD's intent.
[00:38:05] Yeah.
[00:38:05] Is, uh, there is a capacity issue for assessments.
[00:38:10] Um, it's not really C3PAOs.
[00:38:13] It's really certified assessors because 58 C3PAOs is plenty to do everything.
[00:38:20] If they each have a hundred assessment teams, we're good.
[00:38:23] Right.
[00:38:24] But they don't normally they have one.
[00:38:26] Uh, so, uh, we, we have an assessor capacity issue.
[00:38:34] Um, yeah, we have exacerbated that in the new rule by going from a minimum of two to a minimum
[00:38:40] of three assessors.
[00:38:42] Uh, we have added the lead assessor as a new additional qualification.
[00:38:47] We saw it coming in the proposed rule, but we haven't done it yet.
[00:38:51] And we haven't seen how many lead assessors do I really have?
[00:38:56] Cause so that's going to be of the currently qualified certified assessors.
[00:39:00] How many of that can pull up to be lead assessors too?
[00:39:05] I, I, the AB just put a, uh, poll out on that.
[00:39:08] I think to all the certified assessors and certified professionals, I think to help answer that
[00:39:14] question.
[00:39:14] Cause we don't know.
[00:39:15] Yeah.
[00:39:16] Yeah.
[00:39:17] I just think it's just, you know, just those two things are just interesting to note as
[00:39:22] far as what they say about the full like implementation itself and how there still is this gray area
[00:39:30] for them to come in and say, Oh, hold on a second.
[00:39:35] Actually, why don't you just show me how you're level two certified or what, why don't we just
[00:39:40] do this a little bit, a little bit faster here?
[00:39:42] Cause everything's going well, you know?
[00:39:44] And it's like, yeah, I kind of scary.
[00:39:46] Yeah.
[00:39:46] I think there's, there, there certainly are possibilities for more changes there because
[00:39:50] we're going to hit some realities.
[00:39:52] Yeah.
[00:39:53] Certification, uh, capacity is going to be one, maybe a hidden risk that will be harder
[00:40:00] to quantify.
[00:40:01] And we won't, we'll call it certification of capacity, but it'll really be implementation
[00:40:06] capacity.
[00:40:07] Right.
[00:40:08] So the bar to get into a certification assessment is set relatively high in the current CAP.
[00:40:17] So I have to show that I have a body of evidence that covers all the controls that I have a fully
[00:40:25] fleshed out SSP, you know, blah, blah, blah.
[00:40:28] I have to show all of these things so that essentially we, we peek under the rug and say, yeah, it looks
[00:40:34] like you could pass, uh, before we ever get into actually executing an assessment.
[00:40:40] Mm-hmm.
[00:40:41] Mm-hmm.
[00:40:42] Um, so there will be a challenge with companies who are going to go, I need a certification
[00:40:48] assessment now.
[00:40:49] Okay.
[00:40:50] Well, let's get you on the books and let's have the initial call.
[00:40:53] Well, on the books means nine months from now, but in the initial call, we asked to see your
[00:40:59] SSP and you were like, what's that?
[00:41:03] Well, then you probably have some work to do.
[00:41:07] Right.
[00:41:08] Yeah.
[00:41:08] Right.
[00:41:08] So Vince, um, if you would just kind of, now that we've really covered one and two phases,
[00:41:14] uh, can you maybe connect the two to the three to the four and sort of how you see this thing
[00:41:19] finishing out?
[00:41:20] Right.
[00:41:21] So in phase three, we're supposed to have certification assessments rolling out broadly,
[00:41:27] right?
[00:41:27] That's the, what the DOD has indicated.
[00:41:29] So they have estimated that there's about 80,000 companies in the DIB, give or take,
[00:41:35] that will require a certification assessment.
[00:41:37] So we would expect the contracts relative to those companies to hold a certification requirement
[00:41:44] at that time.
[00:41:45] And then, uh, they begin to roll out the CMMC level three certification assessments, which
[00:41:53] will be conducted by DIBCAC.
[00:41:55] Right.
[00:41:56] Um, and so level three for anybody who doesn't know, that's all the level two stuff and you
[00:42:02] must get a level two certification assessment first.
[00:42:05] And then add on the top of that, a level three certification assessment, which puts the
[00:42:12] 22 additional controls in NIST 800-172 that they picked.
[00:42:17] 24.
[00:42:18] 24?
[00:42:19] Is it 24?
[00:42:20] Okay.
[00:42:20] Um, I haven't studied level three terribly yet.
[00:42:24] Yeah.
[00:42:24] Um, put those additional controls.
[00:42:27] So it's not the entire control catalog from 172, but some of them, the majority of them.
[00:42:33] And, and you're going to have to get certified that you have implemented those as well.
[00:42:37] It also level three changes the scoping requirements.
[00:42:43] Some, it becomes more restrictive, uh, and tougher on how you draw your boundary.
[00:42:48] Uh, in particular contractor risk managed assets as a connected to your system, but not intended
[00:42:56] to process or transmit CUI go away.
[00:42:59] No, no more CRMA at level three.
[00:43:02] Um, so that will be a, uh, you know, the third phase will be, they'll start to put those
[00:43:10] in and then in phase four, Hey, this is rolled out completely.
[00:43:14] It's in all new contracts, everything but COTS, the contracting officers are designating
[00:43:20] what level and whether or not you need to be self or independently assessed.
[00:43:24] And that is, that is broadly working in the marketplace in phase four.
[00:43:30] Because at that situation, people that were early are now starting to come back around and
[00:43:34] they're getting hit again on their next.
[00:43:36] That, that is right.
[00:43:38] Their third three year.
[00:43:40] So, so what we don't know is there's the potential for some certification assessments in phase one.
[00:43:47] Mm-hmm.
[00:43:49] Probably lower, but potential for some.
[00:43:53] And, and as we discussed on how well will the contracting officers use this and how will
[00:43:58] they see it?
[00:43:59] And there's some unknowns in there.
[00:44:00] They could, you know, we could have some instances where a service says just put a
[00:44:05] certification requirement out, maybe.
[00:44:07] Um, so there could be some things to drive that up, but let's say that stays pretty low.
[00:44:11] Right.
[00:44:12] Right.
[00:44:12] And then in phase two, that starts to ramp up really to phase three, wherever all the
[00:44:18] certification requirements are out there.
[00:44:20] Yeah.
[00:44:22] Wow.
[00:44:23] Well, thank you for this approach.
[00:44:27] Vince, it's been really awesome.
[00:44:29] Honestly, we need to have you on to now explain a little bit about self-assessments more because
[00:44:34] I wanted to go into that, but we couldn't open fully with talking about all the phases too.
[00:44:40] But it's so important because I mean, just like you said at the beginning of this, and
[00:44:44] this is how we feel as well.
[00:44:46] We care about this community.
[00:44:47] We care about the SMB space that's having to step into this and what they need to know
[00:44:55] to be able to accomplish this properly.
[00:44:58] Um, and you know, these self-assessments are going to be happening.
[00:45:01] They're going to be happening soon.
[00:45:03] We want to help people prepare, make them feel even just a little bit more equipped as
[00:45:08] much as we can on a podcast episode, obviously.
[00:45:11] But I'd love to talk more about that.
[00:45:14] Um, thank you for talking about this phase rollout because I mean, Bobby and I have talked
[00:45:18] about it multiple times, but man, we've gone in depth a lot more with you and I've loved
[00:45:22] this perspective because it really does open my eyes to, you know, to a few implementation
[00:45:27] things that we might not have talked about before on this, on this podcast.
[00:45:31] So, so thank you so much for your insight for real.
[00:45:33] We've, we've loved having you on.
[00:45:35] Thank you for inviting me, Bobby.
[00:45:37] I really appreciate it.
[00:45:38] Thanks to you guys for doing the work to put this together.
[00:45:40] Uh, I think it's a great platform, uh, to get the word out, to help companies understand
[00:45:45] what they need to do.
[00:45:46] Uh, I think that's hugely important and the more we can do that across the professional
[00:45:51] community.
[00:45:52] I think that that's awesome.
[00:45:53] Thanks for the work you guys are doing.
[00:45:55] Vince, tell us, uh, tell the people that might be tuning in who, you know, aren't perhaps
[00:45:59] familiar with the organization, how they can connect with you to possibly explore.
[00:46:02] Sure.
[00:46:03] And some more things.
[00:46:04] Uh, so, uh, my company is Defense Cybersecurity Group.
[00:46:09] Uh, we are at www.cybersecgru.com, uh, cybersecgru.com.
[00:46:19] Uh, if you Google us, we're out there.
[00:46:21] Uh, we focus on consulting and helping companies understand what they need to do to implement.
[00:46:28] If you have not seen the CUI Discord, I hope the link will be in the description section,
[00:46:33] Kaleigh.
[00:46:34] Yes, I can do that.
[00:46:34] Because if you're really serious about this and you want to get in there and get some
[00:46:38] advice from somebody at two o'clock in the morning, there's probably somebody online.
[00:46:41] And if they gave you the wrong advice, eight people will come back and jump on them and
[00:46:46] go, Oh, I don't agree with that.
[00:46:47] Yeah.
[00:46:48] Yeah.
[00:46:48] So it's crowdsourced in a really good way.
[00:46:52] Pretty respectful.
[00:46:53] Uh, not politics, not sales.
[00:46:57] It's really about the whole bunch of professionals.
[00:47:00] We bang our heads together in there.
[00:47:01] And we also have new to CMMC asking a question.
[00:47:05] There are no stupid questions on this.
[00:47:07] There's always somebody who'll jump on and help answer.
[00:47:09] Yeah, that's awesome.
[00:47:10] I love it.
[00:47:11] Well, thank you everybody for listening to this episode.
[00:47:14] Um, we hope you enjoyed, uh, this perspective, um, joined by, you know, by Vince, uh, to
[00:47:20] talk about the phase rollout.
[00:47:21] Again, we're going to be covering a bunch of this as it's going along.
[00:47:25] So please follow us, subscribe to be able to be notified anytime we post.
[00:47:30] Um, but we're going to always post an episode on Thursday.
[00:47:33] So tune in for those.
[00:47:34] Um, and just remember guys to keep on climbing.
[00:47:37] See ya.
[00:47:39] Cheers.
[00:47:40] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:47:45] We hope you guys enjoyed today's episode and listen out for the next one.
[00:47:49] But until then, keep on climbing.