Cybersecurity expert Rob Knake informally interviews top cybersecurity lawyer Evan Wolff regarding an important change to the Cyber Maturity Model Certification (CMMC).
On November 30th, the Department of Defense (DOD) Defense Federal Acquisition Regulation Supplement (DFARS) interim final rule on assessing contractor implementation of cybersecurity requirements goes into effect. To understand what it all means, we talked to top cyber lawyer Evan Wolff.
In this interview, Wolff walks through the history of the DFARS cyber rules from their initial implementation in 2013 all the way out to the 2025 deadline, when the CMMC goes fully into effect. Watch the video below, or review the transcript at the end of this blog post.
While CMMC has gotten the most attention, Wolff says that small and medium-sized defense contractors should be far more concerned with immediate requirements to conduct and submit assessments of their compliance with the existing requirements from NIST 800-171.
When DOD first introduced cybersecurity requirements for contractors with the DFARS clause (sometimes known as “the safeguarding clause”) in 2013, it required contractors to implement adequate measures to protect government information on their systems. DOD has since moved from that general requirement, to a requirement to meet the NIST 800-171 specification, to introducing the concept of cyber maturity with CMMC.
The safeguarding clause requires contractors to do three things:
- Develop a System Security Plan (SSP) to demonstrate how they are meeting the requirements of NIST 800-171 and develop a Plan of Action and Milestones (POAM) for how they will address any deficiencies.
- Flow down these requirements to subcontractors with which covered information is shared.
- Disclose any incidents involving the loss or compromise of covered information to the Department of Defense within 72 hours through the DIBnet portal.
Starting November 30th, contractors will be required to assess their compliance against 800-171. The lowest-risk companies, which are the vast majority of contractors, must conduct a self-assessment of their SSP using the scoring process DOD provides to measure implementation. This assessment must then be uploaded to the Supplier Performance Risk System. Guidance on uploading the assessment can be found here.
For higher-risk companies, DOD may review their assessments directly. For the highest-risk companies, about 300 of the largest contractors, DOD will audit how controls are actually implemented. DOD has already conducted many of these onsite assessments.
Over the next four years, additional requirements related to CMMC will start to show up in contracts. CMMC establishes five levels of certification, each with its own set of requirements. At the lowest level, contractors only need to meet 17 of the 110 requirements in NIST 800-171. At level 3, all 110 controls are required. Levels 4 and 5 establish additional requirements beyond 800-171. CMMC also establishes a rubric for third-party assessments and certification.
Starting today, Wolff says, what contractors need to focus on is not CMMC but making sure they have an up-to-date SSP and POAM. Then make sure you are ready to conduct and upload the self-certification. When CMMC comes into effect for contracts, all actions in the POAM must be fully implemented and reflected in the SSP.
For more information and other expert perspectives on CMMC check out our webinar CMMC: Choosing the “Right” Level. We provide resources including a white paper for Manufacturers specifically, a CMMC Project Plan, and a Framework Mapping document so you can see which controls generalize across different frameworks.
Rob Knake is a Senior Advisor to ActZero.ai (parent company to IntelliGO Networks) and Senior Fellow for Cyber Policy at the Council on Foreign Relations. He serves on the board across multiple cybersecurity companies, and has authored and contributed to numerous publications on the subject of cybersecurity. Rob served from 2011 to 2015 as Director for Cybersecurity Policy at the National Security Council. In this role, he was responsible for the development of Presidential policy on cybersecurity, and built and managed Federal processes for cyber incident response and vulnerability management.
Evan Wolff is a partner in Crowell & Moring. He is co-chair of their Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators.
IntelliGO Networks is a Gartner-recognized provider of Managed Detection and Response (MDR). We are focused on securing small to medium-sized enterprises with business-critical IT operations, sensitive data, or regulatory compliance requirements. Our MDR service is rendered by expert Threat Hunters, who leverage proprietary technology, augmented by advanced Machine Learning Models, which enable them to react at machine speed to contain and disrupt threats.
Is there any evidence that I'm recording on your end?
Yes. You are recording.
All right. So we are recording.
We're going across state lines, and I give you permission to record this and use this for educational and other intended purposes.
So you're making my introduction easier, because you're admitting at the start that Evan Wolff here from Crowell & Moring is in fact a lawyer, and so he's taking care of the legal niceties at the top of this. All right.
Well, just to prove that I'm actually a real lawyer, nothing I am saying should constitute legal advice and nothing I'm also saying constitutes anything I've learned from actual client engagements, but hopefully, both based on our friendship and the value I offer to the universe, it's more than just being a lawyer. It's actually my 20-year commitment to the cybersecurity community that we're talking about.
So I was actually going to say that you normally charge thousands of dollars an hour to provide this kind of advice, and now you're giving it away for free to the small to medium-sized businesses listening to this podcast. But that's actually not the case. This is not legal advice. All right, so now that we've gotten this out of the way, let me introduce you. You are Evan Wolff. You are, I always say, the top cyber lawyer in Washington, DC, which makes you the top cyber lawyer in the country. You have a roster of A-list clients, blue-chip clients in the defense industrial base (DIB). You've conducted how many cyber incident response investigations over your career?
Almost a thousand is the number. I stopped counting, but yeah, in the high hundreds.
And you are advising lots of the... We're not going to name specific names that you advise, but let's say companies like Northrop Grumman, the Lockheed Martins, these large defense contractors, you advise many of them on how they-
Yeah, so I'd say about over a hundred pure defense and government contractors. We're currently advising about the changing government contract cyber regulations. I'm a partner at Crowell & Moring, which is the largest government contracts law firm in the country. Actually, my day job is that I co-chair their privacy and cyber practice group, but I'm also a partner in the government contracts practice. And the area that I spend all of my time on is two things.
(1) I help companies when they've been hacked. So I'm part of that incident response team that goes into the burning network, so to speak, and helps them figure out the remediation and notification, and for government contractors, the important one is when and how do we need to tell the government about this incident?
(2) But then the other half of my time is under this broad number of cyber risk management, and for government contractors, since 2013, that's changed significantly, where they really have a very strict regulatory environment they need to worry about. So I'm advising over a hundred companies on these types of changing regulation for government contractors, which has been a very interesting Odyssey in the last 20 years, but gotten much more bumpy in the last seven.
So let's start there. So you advise these large contractors in part on how they meet these requirements, but also how they push these requirements down to their subcontractors that are the small and medium-sized businesses that build the sheet metal and the components that go into the fighter jets and things like that, right?
Yep. And so it's a great point, because I always think of the... So just to prove that I'm a regulatory lawyer, I'll use the clause. There's a clause that the DOD created in 2013, and there's been three iterations of it since then. And it's called 252.7012, sometimes called “the safeguarding clause,” and it really creates a three-legged stool. And since you and I both like to talk about things in threes, I will continue that trend. And the first is that it requires you to have adequate security over your covered information system, and it's not to protect your entire network just for the fact that that's a good practice. It's really to protect your network that contains information that the government is giving you.
And that information has changed over time, but generally it's called CUI, controlled unclassified information, or federal contracting information, FCI or CUI. There's been some other names given to it, and DOD likes to call their information a little differently. But in general, the concept is, government is giving contractors information, it's on your network. That part of your network that that information is on, or that that information is stored, processed or transmitted to, needs to have “adequate security.” I'm using my air quotes cause adequate security the government has now defined as meeting the requirements set out in a NIST document called NIST 800-171. So that's the first leg of the stool, that you protect the stuff that the government's giving you.
The second is that you flow down these requirements to subcontractors where they're on the same clause. So if you're on a contract and they're sub, and the 7012 clause is on that contract, that's the first requirement. The second, that you're actually sharing the CUI or the FCI with them. So there's an out. They always like to have everything have a binary relationship, and the out is, if it's a subcontractor that's providing a commercial off-the-shelf technology product, then they don't have to supply to them. But if you are sharing that sensitive information to the sub, then you need to flow the cost down and they need to meet it as well. And that's what’s really changed over the last year or so with the advent of the Cybersecurity Maturity Modeling Certification process or the CMMC process, the government really.
And the third clause, the third leg of the stool, just to mention it, but we can move on, is that you report any cyber incidents that occur on your covered information system within 72 hours. And so that means that when you have an incident... Back to my day job before I was a lawyer, I used to work in information security where you're actually doing those investigations and that you're reporting that. And there's actually a portal, the Defense Industrial Base Network Portal, the DIBNet portal, that you have to report this to. And so those are the three legs of the overall requirement. And that's been around really since 2013-14, that companies have to do that. But what's changed a lot in the last few months, in the last few years, is really how the government's managing this whole compliance process.
All right. So you've taken us back to 2013, the introduction of the rule. Now let's talk about 800-171, and how that came in and what that means in terms of structuring the requirements for the protection of this covered information.
That's a great question. And actually the funny historical footnotes, since you and I spend a lot of time talking about funny historical footnotes, is that when the first version of the rule was established, it actually didn't look at NIST 800-171 for the obvious reason that NIST 800-171 didn't exist yet. It actually looked at NIST 853, which is a much more onerous and scary, I would say, parent of 171. And that was really predominantly used by federal contractors that are managing federal information systems. That was the standard that was created and used under FISMA, which is a different regulation that applies to the federal government and contractors that are managing federal IT systems. This is different, because these companies, these defense contractors, these 130,000 companies, are not managing federal IT systems. They're managing their own system that has this federal government information on it.
So after the first version, industry, government, and NIST, actually, developed NIST 800-171, which was basically they took 53 and they took the 700-plus controls and they cut them down to the 110 controls that we think are actually necessary. And those 110 controls are what companies must meet. And we've come up with a couple of different versions. 171's been updated. The most important updates really have come under the 110th control, as I call it, not to be confused with the fifth domain, to use numbers, but the 110th control is really that a company must document and develop a System Security Plan, or an SSP, that documents everything they're doing to meet their controls. So they have an actual plan that both government and now third parties can review to see how they're following their plans, but if they don't meet all of those requirements, and since you and I used to work in government, we have to use a certain amount of acronyms every time we talk, then they were developing a Plan Of Action and Milestones or POAM.
A POAM, which is a beautiful acronym. I always thought it was the most lyric acronym out there. And so the POAM just identifies, "Hey, if we're doing a hundred things in our SSP, these 10 things..." One of which every company has listed is multifactor authentication or MFA because that's one of the harder ones to implement, and the requirement that, especially for small medium businesses, takes a little time. That we're going to say, "We're going to implement our MFA. It's going to take us six months because we have to get the technology to work, get our people trained on it, sign the contract, do all those things, and we'll be doing it six months from now. And we're going to document that in our Plan Of Action and Milestones." And that becomes part of our SSP and together, in the wonder-twin powers like way, this becomes your approach to compliance.
Okay, yeah. So that's the background. Now let's talk about this upcoming November 30th. I'll call it an important date. Some people are calling it a deadline, but I'll call it an important date for changes in how DOD is regulating cybersecurity for the contractor community. So what's going on? What's up with this new rule?
Yeah, yeah. So another great question. So September 29th, the DOD published an interim final rule, which in the world of Administrative Procedures Act and regulations means that it's a rule that the government is going to implement. It's based on their underlying legal authority. But the important piece here is that it's a rule that they're going to be implementing on November 30th and they are seeking comments. So my law firm and others and other organizations are submitting comments on how it should be improved, but the bottom line is it's being implemented on November 30th. And I mean, it created three new clauses, and I'm not going to get into the specific numbers because that would bore both us and you. And I apologize for the background noise, but there's going to be a Fortnite battle beginning in the next few minutes, but that's normal for the work-from-home environment now.
And really what I want to focus on is it told contractors that have the 7012 clause in their contract now that they have to go through and do an assessment and use the 171 requirement to do an assessment. And they created three categories of people that have to do the assessment. If you're the lowest risk, which involves DOD estimated about 10,000, let's say, companies, then you can do a self-assessment. And a self-assessment just means you take your SSP, they actually have a rubric, they have a scoring methodology and you go through and you score yourself. Then you fill out the assessment, and then you send it over to DOD and there's actually an email address and a portal that you upload it to. And then they see that, just like how many of us file taxes, it's a self-certification process.
And then there's two other categories for high and medium, and for those categories, DOD actually comes on site and reviews your SSP. And in some cases, for the highest category, they're actually going to look at how you're implementing the controls. And for that highest category, they're looking at a slightly different version of NIST 800-171 that has a little more show-me elements to it. And that requirement starts on November 30th, that you have to complete your self-certification if you have this clause in the contract and you're required to do it. So that's going to be some portion, not everyone, but some portion of contractors and what we're going to see after November 30th. When this begins after November 30th, we're going to see a continued increase in the amount of contractors that are going to have to do the self-certification and DOD is going to be coming onsite.
And then the point to know is that for those... There's about 300 companies where DOD is coming onsite. They've actually already done a lot of those. There was a prior initiative that was run by the Defense Industrial Base Cyber Assurance Center. I believe that's the name of the DIBCAC. And what the DIBCAC did over the last really year or so is come onsite to a lot of the tier-one defense companies that will remain nameless, and has done those onsite assessments. And that's where they've learned how to do this and it's now put into the rule. And that's the first requirement. That's under the 7020 requirement is that we do these assessments.
The second part of the rule that was published was the CMMC, and that really is the thing that is most talked about and often misunderstood, or is considered to be either the scariest thing ever, or something that everyone's going to run away from. And this also is not new. The publication of the rule wasn't the first time we heard about it. DOD started talking about it last year. And what it really does is establishes five levels of certification and says that not all contractors are created equal, not all cyber-security thinkers like you are created equal. There are the [inaudible 00:00:14:43], the TMC level five, the best in breed, and then there are everyone else going down to level one. And these five categories of maturity are really based on what type of information that we're giving with you and how much confidence, or how much faith, how much security do we want you to put in that?
And so, as you move up, there, there goes from the 17 basic controls in CMMC level one, so out of those 110, you only need to do 17 of them, to actually, if you get to CMMC level five, you need to do over the 110, and they added in a bunch of others that are both processes and other controls that you need to... Because the stuff you handle is so sensitive, or there's so much of it that we want you to do more than the 110. And if you're level three, you're at that 110. You're just satisfying that. So the vast majority of companies are going to be either, probably one and three, with some of the larger companies having to be four and five.
And also what CMMC does, instead of you certifying yourself or the government coming in and certifying, it created a third-party assessment process. And that third-party assessment process is actually created under the private sector, so it's not a government-run process, but the government is going to be accepting those third-party certifications. And we see this in other areas outside of cyber and government contracting, if you look at SOCs and other products. Companies do third-party assessments all the time.
Cool. So let's sum this up a little bit. So if you're a defense contractor at this point, and you're trying to figure out what you have to do, the first thing to focus on is not “how am I going to implement CMMC,” but “how am I going to meet these requirements that are dropped on November 30th? How am I going to conduct either the self-assessment, or how am I going to work with DOD to assess my security at this time?” So that's the first piece?
Yeah. So, right, absolutely. That's what you should be doing is making sure you have a System Security Plan and a POAM, and making sure that it's updated and it makes sense. Because there's always a risk that these documents, you're relying on them for your current contract. So the False Claims Act and all these scary legal requirements come into this. So that's the first thing is review your SSP and make sure you're comfortable with it. But then yes, go download the guidelines for how you do your analysis of your self-scoring. And then make sure you're ready to, if you need to, and you should ask the question of your contracting officers, "Are we required to update our self-certification by this time?" And then be ready to do that.
But you do need to think about where you are in CMMC, because the effective date, as stated in the rule, was 2025. We're going to see clauses that DOD has recently said by 2022. And so even though that seems like really far off, given that 2020 seems to be the never-ending year, but it will eventually end and we will eventually have to be going through and getting to that process. And there's a lot of requirements in doing this, because when you do your CMMC, you actually have to meet all these requirements. So you can no longer really have a POAM there. Everything in your POAM needs to be shifted over to the SSP.
All right, we've got the layout now. The last thing that I think we alluded to at the start of this, a lot of people are going, "Oh my God, how am I going to afford to do this? I'm going to go out of business." But your point is, this is actually cost-recoverable under DOD's contracting rules.
Yeah, many of these costs are going to be allowable. And how that works out is, like with everything in government contracting, the devil's in the details. That's why I work at the largest government contract law firm in the country, because there's a lot of things that we need to figure out. But most of these costs are going to be allowable costs, meaning that the expenses that are directly tied to the performance of these things, you may be able to add to your contract. If you're a prime or sub, you're going to have to look at that. But DOD has been pretty clear about that. And so that's the good news in all of this, that not all of these things are going to be coming out of your bottom line.
Will your legal fees be cost recoverable under this model?
That's actually a complicated question. Of course, for your legal fees as a couple-of-decade-old friend, of course not. But everyone else's, we'd have to look at that.
All right. Well, Evan, I want to thank you for spending time with us this morning, explaining these incredibly complicated issues that are going to be important for a lot of businesses that we work with at IntelliGO and ActZero. So really appreciate you taking the time this week.
Any time, Rob. Great to talk with you. Thank you.