Sorry that I haven’t been publishing with the normal frequency lately.
I’ve been working overtime doing all the required activities for my company’s information system (we are a C3PAO candidate) and polishing the documentation to prepare for our (hopefully this year) DIBCAC assessment of our information system. Got to love system security plans and trying to explain how our cloud providers do cybersecurity. I expect that all of you sympathize!
Anyways, lots to read – hope this news roll up is useful to you!
CMMC-AB and DOD Town Hall
- The DoD is still performing an internal program review of CMMC. There were no DoD speakers in the CMMC Town Hall this month.
- Redspin’s parent company, CynergisTek, discussed their experience becoming the first authorized CMMC assessment organization. Caleb Barlow, the CEO of CynergisTek, said that the CMMC preparation process was similar to a Sarbanes Oxley audit of a public company or aligning manufacturing to Six-Sigma. They followed Agile techniques, for example: holding a daily SCRUM with their executive team, to build documentation and make sure that internal activities matched the documentation.
- Redspin has documented their lesson’s learned on their website as part of a video blog series. Link to Redspin’s CMMC videos. Amira’s note: I highly recommend watching these videos if you are an organization seeking certification (OSC). According to these videos and a press release by KTL Solutions, Redspin used an enclave approach leveraging Microsoft 365 GCC High.
- CMMC-AB training for Certified Professionals and Assessors review. No authorized training exists yet. No authorized training courses exist yet. The CMMC Certified Professional (CCP) “Beta” certification exam is expected to be available in late Q4 2021, with the final CCP certification exam available in Q1 2022 * Subject to change if course objectives are not released by DoD on schedule. Amira’s opinion: This is very disappointing news. It means that Provisional Assessors will continue to be the only game in town for yet another year. Even after the CCP exam is released and professionals pass it, CCPs would only be allowed to ‘participate’ in assessment teams, not lead them. The certified assessor exams (no timelines discussed) are what is needed to move from provisional assessors to fully fledged assessors.
- Introduction to the Industry Advisory Council (discussed in next section)
CMMC-AB Industry Advisory Council (IAC)
Originally announced in this press release in April 2021, the IAC has grown to 17 members according to my sources.
Current members of the IAC:
|Name||Member of||Company represented / Amira’s notes|
|Yong-Gon Chon||CMMC-AB||Chair of the IAC. YG Chon is the current treasurer of the CMMC-AB Board of Directors.|
|Nicole Dean||Accenture Federal||Accenture Federal is a well known defense contractor which provides IT and cyber services. Accenture is listed as an RPO on the marketplace. Nicole Dean was a member of the CMMC-AB Board of Directors (communications) until a few months ago.|
|Ben Tchoubineh||Phoenix TS||Phoenix TS is a training center offering courses on a variety of IT and cybersecurity topics. Ben was a member of the CMMC-AB Board of Directors (training) until a few months ago.|
|Brian Thompson||Salesforce||Salesforce offers FedRAMP-authorized cloud services to defense contractors and government. Brian Thompson’s LinkedIn profile shows that he is the communications officer for the IAC.|
|Richard Wakeman||Microsoft||Microsoft offers FedRAMP-authorized cloud services and software to defense contractors and government. Richard is very involved in webinars and in-person meetings leading Microsoft compliance for defense contractors.|
|Dave Reber||NVidia||NVidia provides computer hardware and discusses AI, predictive maintenance, cybersecurity, and autonomous machines in their public sector offerings.|
|Dave Ehinger||Rolls Royce||Rolls Royce shows business capabilities in aerospace, naval, submarines, land, defense services, and advanced technology on their website.|
|Adam McNair||Highlight Tech||Highlight Technologies is a small business that offers development, secure IT, and mission technologies to federal government.|
|Jake Williams||Doncasters||Doncasters Group is a manufacturer which creates components for civil and military aeroengine and airframe markets. Jake is knowledgeable about CMMC technical implementation and the unique challenges for manufacturers. Jake Williams is the secretary of the IAC and leads their SMB subcommittee.|
|Jeffrey Dodson||BAE Systems||BAE is one of the largest defense contractors which primarily focuses on services.|
|Michael Baker||GDIT||General Dynamics Information Technology is a defense contractor which offers information technology services. Michael Baker focuses on CMMC technical requirements to help the DIB understand what is required in plain language.|
|Ted Steffan||AWS||AWS offers FedRAMP-authorized cloud services to defense contractors and government.|
|Tim Trickett||BDO USA||BDO USA offers consulting and audits to defense contractors and government on a variety of topics including cybersecurity and IT. BDO USA is listed as an RPO on the marketplace. Tim Trickett is the vice-chair of the IAC and is knowledgeable about CMMC and Risk Management Framework technical implementation.|
|Darren Death||ASRC Federal||ASRC Federal offers IT, infrastructure operations, engineering, and professional services.|
|Mike Rohde||ServiceNow||ServiceNow offers FedRAMP authorized cloud services to defense contractors and government.|
|Sam Salinas||Raytheon Technologies||Raytheon Technologies (RTX) is one of the largest defense contractors. Sam was Implementation Lead for CMMC at Carnegie Mellon University during development of the CMMC model and now leads RTX Enterprise Compliance Services.|
|Allison Krache Giddens||Win-Tech||AS9100-Certified Aerospace Machine Shop, small business. Allison is knowledgeable about unique cybersecurity challenges for manufacturing and small business. Allison is the nominations chair (the contact for IAC applicants)|
Per the press release: “The CMMC-AB IAC mission is to provide a unified voice as representatives of Organizations Seeking Certification (OSCs) to supply key feedback, input and recommendations for implementing CMMC back to the DoD and the CMMC-AB.” “The CMMC-AB IAC is comprised of highly-esteemed thought leaders representing large and small businesses from a wide range of markets within the Defense Industrial Base (DIB).”
Amira’s commentary: Reading through the list, a few things pop out at me. We have heavy CMMC-AB board influence on the inside of the IAC (chairman + 2 recent members). We have very heavy influence from vendors (4 FedRAMP cloud vendors). When I read the press release, I originally thought the IAC would be representational of companies that either make parts or work on military bases. I see the value of having input from the deeper supply chain, especially MSPs responsible for multiple defense contractors, but I am surprised to see the level of AB and vendor representation in this group.
For reference – here is a diagram from the CMMC-AB Board of Directors page which shows their org chart. Are cloud vendors also represented in the “Coordinating Council for Commercial Standards” group? Has a Stakeholders Committee been formed, and would that include RPOs or C3PAOs? This is confusing to me. Maybe the org chart is out of date, or maybe these groups are still in the future.
I want to remind you of the importance of the IAC. It represents 100,000+ companies that are in the DoD’s supply chain. That is a lot of constituents! It is absolutely vital to our country that they are represented, respected, and listened to.
YG Chon provided the following feedback: His role as the Chair is meant to only be for the first year, to be replaced by an IAC-nominated DIB representative. 4 of the 6 largest defense contractors are represented in the IAC. There are large and small manufacturers (Rolls Royce and Doncaster). Microsoft is a large COTS and services provider to the DoD. Agree that the cloud vendors have a heavy concentration. This choice was made because FedRAMP compliance experience is very relevant. The former AB members were selected because Accenture Federal SME support was important and Ben Tchoubineh provides a tie to the Academic Advisory Council.
C3PAO Stakeholder Forum
The CMMC Assessment Organizations (C3PAOs) have built a peer group to collaborate, share lessons learned about CMMC assessments, and discuss tricky assessment problems. It is independently organized as an industry group (full disclosure: my company is one of the founding members) and is standing up a council of representatives to advocate for C3PAO concerns to the CMMC-AB and DoD.
Approximately 50% of candidate C3PAOs are members already. If you work for a C3PAO, you are invited. More information here.
Resource for assessors and OSCs – Glossary of Terms
This a great resource for cybersecurity assessors (and wanna-be assessors). The NIST Computer Security Resource Center *Glossary*.
Important definitions which are often misunderstood with CMMC and NIST SP 800-171:
- Remote access: “Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the Internet).” Amira’s note: From the CMMC Assessment Guide for Level 3, page 38: “Remote access sessions can encompass more than just remote connections back to a headquarters network. Access to cloud-based email providers or server infrastructures also are relevant to this practice if those environments contain CUI.” Many assessors do not consider connecting to clouds (such as your email) to be remote access. But according to the CMMC documentation, it is. Make sure you address your clouds in those sections of the system security plan.
- Incident: “An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”
- Authorize: “A decision to grant access, typically automated by evaluating a subject’s attributes.”
- External information system (or component): “A system or component of a system that is used by but is not a part of an organizational system and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness.”
Redspin CMMC assessment – lessons learned
Worth saying again in case you skimmed the CMMC Town Hall section. Redspin has documented their lesson’s learned on their website as part of a video blog series. Link to Redspin’s CMMC videos.
Amira’s note: I highly recommend watching these videos if you are an organization seeking certification (OSC). According to these videos and advertising by KTL Solutions (a Microsoft cloud solutions integrator), Redspin used an enclave approach leveraging Microsoft 365. The level of effort that Redspin put into their procedures and documentation to pass the assessment will be astounding to small and medium defense contractors (and most large).
Katie Arrington placed on leave
The news broke in a Bloomberg article by Anthony Capaccio on June 29th.
“The Pentagon official who has been overseeing its new cybersecurity initiative for defense contractors has been placed on leave in connection with a suspected unauthorized disclosure of classified information from a military intelligence agency, according to an official document.”
“Absolutely no decisions have been reached regarding any aspect,” Arrington’s attorney, Mark Zaid, said in an email. He confirmed the content of the memo, saying that “when faced with such programmatic allegations DoD would routinely open an investigation as a matter of course. This is how the system works. Accepting an investigation, however, doesn’t prejudge the merits.”
“She has neither been fired nor had her security clearance revoked,” he said. “We look forward to an opportunity to completely clear her name and her return to work.”
Amira’s note: Katie Arrington has been the chief spokesperson for the CMMC since it was first announced in early 2019. Her absence for the last few months has been noted throughout the CMMC ecosystem and has been a major concern to stakeholders in regard to the overall viability of CMMC. This week, news broke that Katie has been out of the public spotlight due to a personal security clearance issue.
From the perspective of a CMMC stakeholder, this is a better answer than what had been reported by critics: that conflicts of interest during the CMMC-AB formation were the cause for her absence. Whatever happened, Katie has been incredibly influential to promoting cybersecurity in the defense supply chain and I appreciate the effort she’s put in to keep our country safe.
Regan Edens submits resignation from CMMC-AB Board
Regan is a founding AB member and served as the chair for the standards committee (the technical interpretations of CMMC requirements). His resignation will not be effective until late July or August.
Regan has been one of the most active AB members through this time. He was kind enough to give CMMCAudit an interview in 2020 as the first public explanation of cloud provider requirements for CMMC. Thank you for your service, Regan.
Draft bill moves cybersecurity incident reporting to 24 hours
BreakingDefense article by Brad Williams, published June 21, 2021.
“The bill is remarkable as one of the first attempts to create a federal law mandating cyber incident reporting by some entities to the government. Reporting has historically been largely voluntary, with a few exceptions. “
“The bill makes CISA, DHS’s lead on domestic cyber defense, the hub for receiving incident reports. The bill requires CISA to create “cyber incident reporting capabilities” so it can receive notifications from covered entities.”
Opinion: 24 hours is a ridiculously short amount of time from realizing there is an incident to reporting it. The real problem is that companies (including defense contractors which are already required to do so) are not reporting their incidents. I have sympathy for the non-reporters; when a cyber incident actually occurs, reporting is looked upon with similar trepidation to pouring gasoline on yourself and lighting a match. Making the law even more burdensome without addressing the problem of non-reporting isn’t the answer.
If you made it this far, enjoy this meme (Credit: Jacob Horne):
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of the C3PAO candidate Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification.