CMMC Clockwork

Jacob Horne is the Managing Director at DEFCERT where he specializes in DFARS and CMMC level three compliance for manufacturers in the Defense Industrial Base. As a former NSA intelligence analyst and U.S. Navy cryptologic technician, Jacob has over 14 years of experience in offensive and defensive cybersecurity operations. As a civilian he has led Governance, Risk, and Compliance teams at AT&T, Northrop Grumman, and the NIST Manufacturing Extension Partnership. He has developed and taught numerous cybersecurity training programs for organizations including the NSA National Cryptologic School, UCLA, and UC Irvine. Jacob has a master’s degree in cybersecurity risk and strategy from the NYU School of Law and is an MBA candidate at the UC Irvine Paul Merage School of Business.

Jacob joins me at the bar to simply define CMMC: what organizations are in scope, what they need to know, how the landscape is changing, and an explanation of its inner workings. We travel through time to truly understand its relevance in the Past, Present, and Future.

SYMLINKS
LinkedIn
DEFCERT
CMMC – OUSD(A&S) Site
The Fascinating History of CMMC as Told by Jacob Horne
DEFCERT: A Banquet of Consequences

DRINK INSTRUCTION
CORPSE REVIVER #2
1 oz Gin
1 oz Triple Sec
1 oz Lillet Blanc
1 oz Fresh Lemon Juice
1 dash Absinthe
Pour all components into a shaker filled with ice. Shake it, then strain into a chilled glass. Optionally, garnish with an orange peel.

CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com

E40 Transcription

[00:00:00] Chris: This episode is brought to you by Privacy. So for those that don’t know by now, Privacy lets you buy things online using virtual cards instead of having to use your real ones, protecting your identity and bank info while you’re online. Right now, new customers will automatically get five bucks to spend on their first purchase.

[00:00:19] Chris: If you go to privacy.com/barcode to sign up. So I can’t tell you how long I was searching for a quick and easy, yet secure, service to protect my financial information if I was making an online purchase. And my main concern was the same one that you have: securing that payment info and where that payment info goes after you hit confirm purchase. Well, with Privacy, you’re in control.

[00:00:46] Chris: It puts you in the driver’s seat. You know, you set the speed limit. You can put that cruise control on 55 or 105. So before you make that next online purchase, hit up [00:01:00] privacy.com/barcode and get yourself an account with five bucks to spend on your first purchase: privacy.com/barcode.

[00:03:51] Chris: I’m here with Jacob Horne, a leading expert on the integration of cybersecurity governance programs and quality management systems. Jacob currently [00:04:00] specializes in CMMC compliance for manufacturers in the defense industrial base. He has the baddest beard in the business right now. Jacob, my man. Welcome to BarCode.

[00:04:11] Jacob: Thanks for having me, man. I appreciate it. 

[00:04:13] Chris: Yeah, for sure, man. So yeah, first off, let’s just set the tone. For those of us who may not be familiar with CMMC, or work with it as intricately as you do, could you just give us a quick rundown of what CMMC is and why it’s important? Yeah, yeah, for sure.

[00:04:28] Jacob: I mean, it’s an increasingly common question, as the hype around CMMC, deserved or not, is becoming more and more common. So you know, we were talking earlier in the green room over here about trying to understand CMMC. It’s almost a difficult question to answer because it’s not an island unto itself.

[00:04:45] Jacob: It’s not as new and independent as people are led to believe when they first see it. But the basic explanation is CMMC stands for the Cybersecurity Maturity Model Certification, which is a [00:05:00] program that is being run by the DoD in an attempt to assess the level of maturity of DoD contractors, subcontractors, and suppliers that handle specific categories of information.

[00:05:18] Jacob: Now the program that establishes the different categories of information is a government-wide program that has a ten-year-long history, full of all kinds of craziness. The actual intricate parts of the CMMC model itself are really derived from existing standards from NIST. People might be familiar with, like, their Cybersecurity Framework or the Risk Management Framework and things like that.

[00:05:45] Jacob: CMMC can really be thought of as like a re-skin of existing NIST controls that have been picked up by the DoD in their own program to attempt to assess their suppliers [00:06:00] and contractors, under the larger umbrella of a bigger government program that has slowly been developing over the last decade or so.

[00:06:10] Chris: Gotcha. I think that’s the clearest explanation I’ve ever received. We’re just getting started. So we’ll see if you feel the same way by the time we get to the end. Well, no, again, it’s just, it sets the tone. It gives us an understanding of what CMMC isn’t, and those that don’t work with it have at least heard the acronym before.

[00:06:28] Chris: It’s very common to hear and read about these days. You know, we hear about these organizations trying to align with CMMC and those that, you know, are required to become compliant. And many of these organizations are confused themselves on how to assess their posture and whether or not they comply with these requirements.

[00:06:49] Chris: You know, talk to me a little bit about the current state of CMMC and how organizations can help achieve compliance. 

[00:06:57] Jacob: Sure. Yeah. So really there’s a [00:07:00] series of... we’ll split things into two halves a couple of times, and hopefully that way of chopping up the conversation will help people deal with something a little more bite-sized.

[00:07:11] Jacob: So the first way of approaching CMMC that I like to use for people is that CMMC is really two parts. There is the CMMC program, and then there is the CMMC model. And a lot of the news, a lot of the hype, a lot of the politics, a lot of the headlines, those are all generated mostly from the CMMC program.

[00:07:35] Jacob: Who’s running it, how much funding there is, how many assessors they have, when is it starting, what is it called? All of those things are programmatic elements of CMMC broadly. The CMMC model, however, like we talked about earlier, is really a re-skin of existing NIST controls, and far fewer [00:08:00] stories and, you know, hype are derived from the controls themselves.

[00:08:05] Jacob: So a lot of the current events, a lot of the breaking news, a lot of the, you know, what’s going on with CMMC in webinars and articles and stuff like that, doesn’t really have anything to do with the details of what you’re actually going to be managing and thinking about or getting assessed against. It has to do with timelines and funding and personalities and stuff like that.

[00:08:29] Jacob: So that’s the first thing to keep in mind. With that being said, on the program side, it’s crazy, man. Like it’s, you know, it’s wild. Nobody would have ever imagined that government regulation of cybersecurity would be such a soap opera, right? There are competing agendas.

[00:08:48] Jacob: There are people with opinions of who should be driving the ship. There are people who think that the whole thing should be ripped and replaced with other groups and programs. It’s [00:09:00] crazy. I mean, you also have an administration change in the middle of all this. You have new funding calls for lots of different cybersecurity issues in Congress and at the agencies, and that’s getting all mixed up in it.

[00:09:13] Jacob: So you could very easily pay attention to the news and convince yourself that CMMC is going away. You could convince yourself that CMMC is going to be on your door tomorrow. The truth is really somewhere in the middle, right? As with most things. The reason why I’m confident in saying that the truth is somewhere in the middle is, remember, this is not a new program.

[00:09:37] Jacob: This is not a new effort. It sounds new. It’s marketed as new. That’s what got everybody’s attention. But this has been coming for a long time. And a lot of those details on the other half, on the model half, are requirements and controls and technical things that you’ll need to manage. They all have a new name.

[00:09:57] Jacob: They have a new number, they have a new [00:10:00] description, but it’s the same fundamental sort of core concept. That part hasn’t changed. And that being said, that part probably won’t change. You can switch administrations, you could switch bus drivers, you could switch, you know, cover pages on the marketing material.

[00:10:17] Jacob: The fundamental core of the model is not really going to change. So when people are trying to orient with what’s going on, that’s kind of the guiding light that they need to pay attention to. You know, a lot can happen in two to five to seven years about what these things are called, but we already have a 10-year-long history of this thing changing names, and the controls haven’t really changed all that much.

[00:10:42] Jacob: That kind of gets back into the history of how they determined what the controls were going to be, which, you know, if you want to get into... Yeah. I mean, I was going to ask you, you know, I’m sort of speaking out of sequence here, but you did mention that this is nothing new, right.

[00:10:57] Chris: So could you re, could you rewind for a [00:11:00] bit and just talk to us maybe about that, the origin of CMMC and how it got to be where it is today?

[00:11:04] Jacob: Sure. Yeah. There’s a longer talk and explanation for this. We could probably link it in the show notes if people are interested, but effectively what happened was, about, you know, 10, 15 years ago, the government sort of woke up to the fact that information security is a big problem, right?

[00:11:21] Jacob: We’re having breaches, we’re losing intellectual property, we got a serious problem on our hands, and we need to come up with a solution for how to fix it. And effectively the government’s a very big organization. There’s a lot of people trying hard with a lot of good ideas for how to come up with a solution, and they’re not always coordinating those efforts.

[00:11:39] Jacob: And so over time, those efforts eventually collided with one another and they had to hug it out and compromise on whose ideas are going to win the day. And effectively, DoD wanted a very small set of controls for their contractors to have to implement, and NIST and [00:12:00] NARA, which is another government agency that was in charge of the bigger program,

[00:12:03] Jacob: wanted a very big set of controls for all of the contractors to have to deal with. The compromise that they came up with is a document called NIST Special Publication 800-171. If you’ve heard people talk about CMMC, you’ve probably heard them mention this document. There’s 110 requirements in this document, 110 security controls.

[00:12:28] Jacob: And it is essentially, if you think about the way that NIST is structured, 800-53 is the ultimate catalog. It’s the mothership of security controls, if you will. There’s like, you know, thousands of controls and sub-controls and enhancements and all kinds of stuff. Think of it as like a database of controls.

[00:12:50] Jacob: And you’re supposed to pick and choose and tailor, in the words of NIST, a smaller subset of controls. And that’s what the government did. They said, Hey, [00:13:00] we don’t have time to tailor for every single company that we’re going to do business with for every single agency. That’s just not gonna work. We’re going to try to normalize everything.

[00:13:08] Jacob: And the goal was to come up with the ultimate baseline, the absolute lowest common denominator that would be acceptable to the government for you to implement as a steward of their data. Right. This is kind of a key point. A lot of people will look at CMMC, they’ll look at 171, and they’ll say, oh, that’s the ceiling.

[00:13:31] Jacob: Like if I put everything in place, that’s a hundred percent on the test, but I pass if I get a 70%, right. So what do I really need to do? That’s not what the government did. A hundred percent on the test would be all of 800-53, which is not what anybody in the world is going to do. Right. They said, Hey, this is the minimum.

[00:13:49] Jacob: So think of it more like you got to do this many pushups and do this many sit-ups and run this fast to join the military. Right? Probably not getting a waiver. This is the [00:14:00] PT test. Like this is the minimum baseline for getting in. So effectively, they came up with this baseline. They developed it over years and years, and they didn’t enforce it.

[00:14:10] Jacob: They didn’t send auditors or assessors or, you know, anybody to certify that you were doing anything. You just had to check the box that you are doing it. And this is a whole separate conversation, because for these companies that got this requirement in their purchase orders or in their contracts, it’s literally one line, this clause that says, use good cybersecurity.

[00:14:32] Jacob: And the average person is like, yeah, I do that, because there’s a million of these DFARS clauses. They say it’s up to their interpretation, right? Yeah. They say, you know, don’t do business with North Korea and don’t use child labor and use good security. To the normal person, they’re like, I do all these things.

[00:14:45] Jacob: I’m a good person. I’m running a normal business. The problem is, when you unpack that one line, it balloons into the world of cybersecurity and data governance. And there is no real way to know [00:15:00] that that was happening. Totally understandable. The problem was, from the government’s perspective, they’re getting all these checkboxes back.

[00:15:08] Jacob: It was good enough for them. Everything’s good. Yeah. You’re self-attesting that everything’s good. So you can see the problem that emerges over time. The security situation, the threat landscape, the IP theft from the United States by countries like China gets worse and worse and worse and worse, until finally it gets so bad that Congress steps in and says, we can’t take self-attestations anymore.

[00:15:34] Jacob: We got to hold people accountable. We got to get in there and verify what’s going on. We got to know what’s... DoD, we’re directing you. They did this in the 2020 NDAA. So, the big authorization act every year, they said, you got to come up with a mechanism. You got to come up with a framework for assessing these companies.

[00:15:53] Jacob: So what they did was they essentially took 171, which had existed for 10 years by that point, and [00:16:00] they re-skinned it, and they chopped it up a little bit. There’s different levels that correspond with different types of data. And they said, we’re going to create assessors that will verify what you’ve been saying that you’ve been doing.

[00:16:13] Jacob: And part of the cause of all the drama around CMMC is that the obvious issue was a lot of people weren’t doing that stuff. You know, they didn’t know, nobody checked, you know, it was a perfect storm of variables to get us into a bad spot.

[00:16:28] Chris: And there was no enforcement done, right? 

[00:16:30] Jacob: No. Yeah. It was just pure self attestation.

[00:16:32] Jacob: So the way I like to describe it. Yeah. The government set up their contracting base to do poorly when the assessments inevitably would come by. They were not checking their work. They weren’t ever asking for details. They were just taking their word for it. And anybody that’s worked with manufacturers or small businesses in the industrial base knows they are singularly focused on doing good [00:17:00] work for the DoD.

[00:17:01] Jacob: And if the DoD doesn’t ask them for something specifically, they are not going to do it. Right. You’re talking about companies that are hyper, hyper specialized in stuff like precision machining of parts or the precision coating of precision-machined parts. They only do one process. It is not in their worldview

[00:17:21] Jacob: that cybersecurity is a thing. This is common to all small businesses, not just DoD contractors, and the DoD really did not... they didn’t manage this problem well. And ultimately, you know, the pickle that we’re in is that because of that self-attestation problem, the DoD’s hands are partially tied in their ability to reimburse costs, to even estimate costs of how much a change would be, because they’ve got this pile of receipts over here that says people have been doing stuff.

[00:17:55] Jacob: So this is something I actually wished the DoD was better about, in that [00:18:00] it isn’t that there aren’t lines of funding or funding appropriations that could exist to help small businesses with these requirements. It’s that if you’re asking the people with whom you already had a contract,

[00:18:14] Jacob: and you said I did A, B, and C, and now you’re saying, pay me for A, B, and C again, they literally cannot pay for that. So, gotcha. Because we’re on such a short timescale, all of these edge cases and issues, and what about this and what about that, they’re all coming together all at once. And that just adds a lot of confusion to the conversation.

[00:18:37] Jacob: I gotcha. And what’s the timeframe here, from when this started till, let’s say, up to present day? Are we talking 10 years, 15 years, 20 years? Like how long has this been in the making? If you follow the timeline all the way back from when the government first got motivated for what we now think of as verifying this.

[00:18:56] Jacob: So, stepping back real quick, right? Cybersecurity [00:19:00] Maturity Model Certification has that word cybersecurity in the name of the model. But the best way to think about it is it’s really more of a privacy model masquerading as a cybersecurity model. Right? So when the government was trying to derive 800-171, they took the CIA triad, the confidentiality, integrity, availability triad, like the most fundamental idea in security.

[00:19:24] Jacob: And they said, listen, we’re only worried about a specific kind of data, and we’re only worried about its confidentiality. Everything else, we’re going to go ahead and assume that you have a full-fledged security program in place. And this is the hurdle that we need you to meet, the performance levels that you need to hit in order to continue to do business with us.

[00:19:47] Jacob: So when you hand that to a company that doesn’t have a security program, they don’t have a paddle. They don’t know what to do because they don’t have the inputs. They don’t know what’s going on. They’ve never been asked to have a security program before. It was a [00:20:00] bad assumption. So if you think about when the government was originally motivated to start doing that, it goes all the way back.

[00:20:06] Jacob: This is going to sound crazy. It goes all the way back to 9/11. So when 9/11 happens, in the 9/11 Commission report it came out that the government was very bad at sharing data. Most people remember that they’re bad at sharing classified data, but the report also said they’re bad about sharing unclassified data, primarily terrorism-related unclassified information, like what a police department might have or a local government.

[00:20:31] Jacob: Right? So as part of the reform, what they wanted to do was create an information sharing environment for classified and unclassified information. And this went through years and years of presidential memorandums and executive orders to try to get the agencies to share this information.

[00:20:48] Jacob: Well, no good deed goes unpunished. So all of the agencies said, Roger that, we’re going to come up with a way to share this information. And what happened was you ended up with like 150 different markings for the [00:21:00] data and 150 different names for what is essentially the same data. So then nobody knew how to share it because all the markings were different.

[00:21:08] Jacob: So fast forward to 2010 and the Obama administration goes to the agencies and they say, listen, we’ve been working on this for like nine years and nothing is better. What do you want me to do? Obama’s basically saying, Hey, agencies, what do you want me to do to help you out? They get together.

[00:21:28] Jacob: They write up a report with like 40 recommendations, and the CUI, controlled unclassified information, executive order is essentially the report from the agencies, bottom-lined by Obama saying, okay. And one of the main recommendations from the agencies was expand the scope of CUI to not just unclassified terrorism information, but all forms of sensitive but unclassified [00:22:00] information, and normalize the markings.

[00:22:03] Jacob: So the CUI program, the controlled unclassified information program, was, you know, traced all the way through this thing from 9/11 up to the agencies asking for the data to be normalized. And then the government had spent years at that point de-duplicating the markings, synthesizing the markings, and coming up with what we now know as the CUI registry, which is where you can go and see all these different categories that I mentioned earlier.

[00:22:31] Jacob: All these different categories of information are contained in that database. And this took six years because there were 2,200 different regulations that the government had internally to protect the information. They had to read all of them and figure out who outranks who, and which ones are repeated and this and that. It would take years.

[00:22:51] Jacob: The problem was that in that gap, in that six-year gap, the DoD is getting hammered to get their contractors to [00:23:00] stop leaking this information. So the government has not finished. They haven’t finished closing the gap on their own organizational debt, and the DoD is getting told, go fix it. Gotcha. So they come up with their idea to fix it.

[00:23:13] Jacob: Then they do this compromise to get to 171. And then that was the solution. There was no verification. So that was another problem. And now we have CMMC, and that’s why I was saying earlier, if you want to know what CMMC is, there’s a whole lot going on behind the scenes that got us here.

[00:23:32] Chris: Yeah, definitely.

[00:23:34] Chris: Thank you for the explanation there, you know, in terms of how CMMC has unfolded up until this point and then, you know, the evolution of awareness to those affected and those not affected by the requirement.

[00:23:51] Jacob: Yeah. So put it this way, just to put a bow, like, on that long explanation right there.

[00:23:56] Jacob: The reason why it’s important to know [00:24:00] all those threads through the history of the development: you’re looking at CMMC on your desk now, why do you care about what happened in 2010? The reason why it’s important is that when the headlines and the news and the hot takes come from the program side of CMMC, if you get convinced that these requirements are going to go away, then you’re missing the bigger picture.

[00:24:24] Jacob: This is an effort that the government has been working on now for a really long time. And there is no indication that they’re going to suddenly stop the effort. The people might change, the name might change, but the requirements are not going to change. So that’s the thing to keep in mind. That doesn’t really help in terms of, like, what do I do here on this detail and this detail, but I see a lot of people sort of getting convinced, or allowing themselves to be convinced, Hey, maybe this is going to go away.

[00:24:52] Jacob: Don’t be so sure about that. Gotcha. Looking forward then, and, you know, how [00:25:00] CMMC is evolving right now, where do you see it going? And also what are some of the challenges that organizations should be ready for? Yeah, so I think that if nothing changes, right, if nothing with the way that things are currently written and structured changes,

[00:25:20] Jacob: the first thing we’re going to see is probably a bit of a delay. I mean, it’s a government program, a government rollout. There’s a lot of vested interests. There’s a lot of stakeholders, right. And that’s perfectly normal. We anticipate that. Outside of that, if nothing fundamental changes, I foresee a lot of pain, is the way I’ll put it.

[00:25:38] Jacob: Right. So it is a bad habit that the DoD has and that the government has, where this is just the nature of regulation. It is very reactive. Right. And typically we don’t get regulated... I mean, look at SolarWinds, look at Kaseya. You know, all of this stuff that has happened in the wake of those issues, [00:26:00] or literally any other regulation ever, they don’t proactively regulate things.

[00:26:05] Jacob: They reactively regulate things after something bad has happened. And when that happens, they’re going fast. They’re not trying to listen. There’s not as much time as doing it proactively, but there’s no incentive to do it proactively. Right? So if nothing changes, several things are going to immediately break in the CMMC ecosystem.

[00:26:27] Jacob: Several things are going to be exposed in terms of where the flaws are, and that could involve everything from lawsuits against the people running CMMC, against the government. It could involve lawsuits against the assessors themselves. It could involve businesses going out of business. It could involve people spending money on the wrong thing and inadvertently going out of business.

[00:26:49] Jacob: It could result in worse security in some situations. It could result in missing the mark on where the real leverage points in the system are. There’s a lot of stuff [00:27:00] that could happen, because any time you’re going to take a really diverse and complex environment, like the defense industrial base, and you attempt to apply a single standard to it,

[00:27:11] Jacob: you’re trying to put a round peg in a square hole. Like there’s edge cases. And when those edge cases end up being people’s livelihoods, or, you know, who knows what, then you’re gonna get some very strident reactions, I’ll say. But that being said, I don’t think that necessarily has to be inevitable, right?

[00:27:30] Jacob: So I’ve been doing this now, working with small companies, small manufacturers in the industrial base, or working with the supply chain of big defense companies, for several, several years. And I think there are some common patterns that have emerged that we could use to inform adjustments to the model, not to the program, to the model, that would preemptively avoid a lot of these issues.[00:28:00]

[00:28:00] Jacob: So I don’t care what the model is called. I don’t care who’s funding it. I don’t care who’s running it. Right. The requirements, like you gotta do configuration management, you gotta do access control, you gotta do backup, you gotta do all that stuff, it doesn’t matter. So similar to, like, the CIS controls, right.

[00:28:16] Jacob: A hundred percent. So at a fundamental level, right? There’s a company called ComplianceForge. They have an open source project called the Secure Controls Framework, and effectively it’s a gigantic... it’s the world’s biggest spreadsheet. Right. So be prepared, but it is a proof of concept that you can fundamentally map all compliance and privacy frameworks, at a control level,

[00:28:40] Jacob: to one another. Okay. Now they don’t all cover the same information. Some of them are more or less comprehensive, but at a fundamental level, all of these compliance frameworks are talking about the same thing. There’s only so many ways that you can describe configuration management. There’s only so many ways you can describe, you know, account privilege management, [00:29:00] right.

[00:29:00] Jacob: Or vulnerability management or this or that, or various life cycles of data. There’s only so many ways. So these are all talking about the same thing, which is why, if you think the requirements are going to go away or, you know, it’s not true. That being said, what we know about the industrial base, right,

[00:29:19] Jacob: at the sub-tiers, not the big Northrop Grummans and Raytheons and stuff like that, but the smaller companies, the machine shops, the manufacturers, you know, subcontractors and below, they are mostly small businesses. Like seventy-five percent of them are small businesses. And there’s tens, hundreds of thousands of these companies.

[00:29:38] Jacob: And you know what small businesses don’t have. They don’t have IT people. They certainly don’t have cybersecurity people. They don’t have budget, they don’t have understanding, they don’t have knowledge. Wendy Nather famously, a few years ago, came up with a metaphor for this. She called it the cybersecurity poverty line.

[00:29:54] Jacob: And it is the best way of understanding the problem that we’re facing. Like [00:30:00] when we walk in and we say, here’s a model, here’s the compliance standard, here’s a regulation, right, and you ignore what it actually looks like on the ground, you’re effectively telling these companies to pull themselves up by their cybersecurity bootstraps, and it’s

[00:30:16] Jacob: just not going to happen. I mean, perfect example. You’ll have people in Congress, well-intentioned people trying to help and figure out what’s going on with the problem. And they’ll say, listen, we don’t have enough. We have this big skills gap. We got a cybersecurity workforce gap.

[00:30:32] Jacob: We got millions of open jobs. Right? My buddy’s a recruiter, and he was just telling me that the average cybersecurity candidate on the job market today is on the market for less than seven days. I mean, it’s wild. So if you’re a mom and pop machine shop that’s been making parts for 30 years,

[00:30:50] Jacob: and now all of a sudden you’re trying to wrestle with this problem, like, we’re never going to close that gap on a timeline that will help what’s going on. The point, right, the point [00:31:00] of bringing that up, that they don’t have the resources, they don’t have the money, is that whether it is because you can’t find people or you won’t find people, or you’re just doing good business, small businesses outsource their technical requirements.

[00:31:16] Jacob: They use managed services, right? Like everybody knows this. This is just sort of the way that the world is being run currently. And it scales, it’s cheaper, you don’t have to find the workforce. There’s a lot of good reasons to do it. There’s a lot of reasons that small companies have to do it. So in my mind, we don’t have to really change the model in any major way, because of the fact that these companies are looking from below the cybersecurity poverty line at CMMC, or 171, or CIS, doesn’t really matter.

[00:31:50] Jacob: The first thing they say is too expensive, too burdensome, too disruptive, too impactful, right? There’s no way that I’d be able to do it. [00:32:00] And they’re not wrong. They’re not wrong, that is absolutely true. So the solution that is usually brought up is we need to make the model small. Right. We got to take stuff out.

[00:32:10] Jacob: Right? Well, that’s a big problem for two main reasons, right? Like if you remember what we talked about, the government already said, this is the floor. This is not the ceiling. So as a policy matter, unless you’re going to go amend some legislation, it doesn’t sound like Congress is in the mood to do less security.

[00:32:28] Jacob: Then that is a non-starter. The other issue is that if you start taking requirements and controls out of the model, you’re not adapting to the threat landscape, right? Like everybody’s saying zero trust is the future. Everybody’s saying that, you know, your cloud migrations for the companies that haven’t done it that’s the future.

[00:32:45] Jacob: You can never get to that higher level. Next gen architecture approach. If you can’t meet the baseline, right? If you can’t do configuration management and access control, you can’t do zero. And, you know, the government [00:33:00] and regulators and the 1% of the security world where we’ve all convinced ourselves that zero trust is the future.

[00:33:08] Jacob: Or if we don’t bring these people along, then they’re not going to make it right. And that’s that nobody wants that. So what do we do if we can’t take stuff out of the model and we don’t have the resources to just give to people for one reason or another? My proposal is that we split the model sideways, right?

[00:33:28] Jacob: So ISO 27001 is actually a good example of this. So ISO 27001, all the technical requirements for information security, those are in an annex. The core of the model is the management of your information security system. And what’s cool about ISO, even though the controls are sometimes lacking, right?

[00:33:48] Jacob: They could be improved. Is that the management core of all these models are universal. So you can pick up a quality management system or a safety management system, [00:34:00] or, you know, any, basically any ISO model and those management nontechnical requirements have been normalized. You add on these appendices to change that management system into whatever flavor you need.

[00:34:13] Jacob: Well, guess what? That appendix to ISO 27001. You’re not doing that, right? Your MSP is doing that. So with CMMC we have the same situation because we know that the controls fundamentally are all basically the same. So what we should do is we should split the model into a technical half and a non-technical half. The non-technical half.

[00:34:38] Jacob: You’re still gonna assess those companies on those non-technical requirements. Right. But we know that the IT guy doesn’t work for the company, they work for the MSP. So how do you judge the maturity of a company that outsources services? You judge them on their management of the service. You don’t judge them on the execution of the service.

[00:34:57] Jacob: You’re judging their MSP on the execution of [00:35:00] service. So the big bottleneck in CMMC right now is we don’t have enough assessors. Right? Big surprise. We got, we got a workforce shortage for everything involving security. And now we have a workforce shortage in the assessors for security. I mean, you could have seen that coming from a mile away.

[00:35:18] Jacob: So how are we going to use the assessors more efficiently? Well, the biggest risk is the MSP part of the DIB, right? We know that’s true. That’s where the bad guys go, right? That’s where they serve up their ransomware. It’s, it’s a, it’s the choke point for all the information flow. And we need to reduce the costs on small businesses.

[00:35:37] Jacob: We’ve gotta use assessors more efficiently. We need to address the risk better. Right? We got to do all these things and the simplest way of doing that without deleting parts of the model, which is a bad idea. Is to just split it, just split it, start with the MSPs to give the small businesses more time.

[00:35:55] Jacob: The assessments go faster, which means they are therefore cheaper. [00:36:00] They’re not as foreign and scary. And you know, for a lot of these companies, they have very good internal process control, right. They run their businesses well, that’s why they are successful. So if you are assessing a small company on their maturity and their management of these interfaces, you’d probably get to a point where instead of most of the companies in the DIB failing this assessment, it’ll probably just be a formality.

[00:36:25] Jacob: Yeah. They’re the real, the real leverage point is where we wanna stick that technical version right now. I think we’re putting it in the wrong place. And, and you’re saying that that would be the optimal approach because of the heavy presence of MSPs? A hundred percent. Yeah. So two big reasons, right? When we talk about the cost of complying with a model like CMMC.

[00:36:49] Jacob: The cost of complying generally comes from the technical controls, right? Not the non-technical controls, documentation management non-technical process. [00:37:00] That takes time. It doesn’t necessarily take a lot of money, right? The cost is all on the technical side, but since they are not doing the technical work themselves, the MSP is doing it.

[00:37:11] Jacob: Why would you ask them to do it? Not only do they not know what you’re really asking them, but they’re not going to be doing it anyways. Now, the reason that the MSP business model works is they can scale, right, those investments and it is therefore cheaper over time for their clients. They’re, you know, one of the reasons why you’d want to focus on that is because of these cost efficiencies and the assessment efficiencies.

[00:37:35] Jacob: But as of right now managed services providers are an unregulated industry. This is kind of. This is kind of adjacent to the conversation, what we’re talking about. Well, let’s put it this way. The defense industrial base is a critical infrastructure sector and there are 16 critical infrastructure sectors.

[00:37:55] Jacob: You’ve been hearing this in the news, right? Legislation, [00:38:00] CISA and DHS and Congress, critical infrastructure sector. So electrical, water, food processors, and manufacturers, defense industrial base, stuff like this. Right? So the crazy part is that the same problems that we’re seeing in the industrial base for the DOD exist in those other critical infrastructure sectors.

[00:38:23] Jacob: They are small businesses. They have no budget. They have no IT people. They have no cybersecurity people. They don’t know what you’re talking about. The, the DIB is not unique in this instance. So what does that mean? That means those other critical infrastructure sectors are using MSPs. Well, yes. My theory is that you remember the shadow IT problem that used to be, you know, the, the big headline years ago, you know, the, the unknown elements in your network are where the biggest risk is.

[00:38:54] Jacob: Well, if we kind of zoom out a little bit and you think of the critical infrastructure base [00:39:00] as a big old network, right? The MSPs are the shadow IT of those elements. And what we’re trying to do is we’re trying to regulate not just the DIB, we’re trying to regulate pipeline providers and electrical providers and water purification plants, but we’re not regulating the MSPs.

[00:39:19] Jacob: So I tell people all the time that CMMC is exposing issues in one critical infrastructure sector. And it is the canary in the coal mine for what’s common for everybody else. So it’s easy to kind of write it. Yeah. It’s easy to kind of write it off and be like, oh, that’s DOD. That’s CMMC, no way.

[00:39:40] Chris: Yeah, because then you’re seeing your supply chain attacks, right?

[00:39:43] Jacob: Absolutely. I mean, if we’re going to reg it, listen, we’re not going to avoid regulation, right? I mean, the way things are going, self attestation doesn’t work. The government’s never going to accept, you know, not verifying what’s going on, especially in critical infrastructure sectors. And so, [00:40:00] as a result, I think over the next five to 10 years, there won’t be a single aspect of the economy, basically that isn’t regulated from the angle of cybersecurity.

[00:40:10] Jacob: The question is not, are we going to regulate things or not? The question is when we regulate them, are we going to unnecessarily crush these sectors when we don’t have to, the trick, is, is that not crushing them? Doesn’t involve fewer requirements. It involves separating the requirements, because think about it.

[00:40:30] Jacob: If we do the annex thing on CMMC, if something comes up where we need to add technical controls to the technical annex of CMMC, the MSPs can absorb that hit no problem. Right. That, that’s what they do. They see as, theoretically, they like doing that, right. It’s informed by risk and they can scale and distribute that cost accordingly.

[00:40:52] Jacob: If you li, if you sit that technical requirement on top of the small business and you try to add stuff to it, I mean, we’re [00:41:00] talking about taking stuff out right now. That’s too much. You’ll never, you’ll never, you’ll never be able to scale to meet the problem. Yeah. Very interesting perspective. And I think that it makes a lot of sense to me.

[00:41:11] Jacob: Yeah. It would sort of be, you know, my message to DHS and to CISA, to, you know, the cyber policy folks in DC. Right? Put it this way. We’ve got these critical infrastructure sectors. You have an unregulated infrastructure provider to your critical infrastructure sector. Those infrastructure providers are not designated as critical in and of themselves.

[00:41:36] Jacob: If we’re going to regulate these sectors, we got to regulate them the way the bad guys attack them. Yeah, for sure. I know we’re coming up on like the final stretch here. I want to ask you about the final rule because it’s something that I’ve read about. Oh yeah. It’s something that you like to post about a lot.

[00:41:49] Jacob: So clear that out for us. What is the final rule? And, you know, it’s something that we’re still waiting on. Correct. And it’s something that’s coming up very soon. [00:42:00] Yeah, definitely. So, so like, like I’m not a lawyer, right? I’m just a, I’m just a guy like everybody else. So in my journey here through trying to better understand CMMC and its history, you inevitably get drawn back to something called the Federal Register.

[00:42:16] Jacob: And the Federal Register is essentially a gigantic document. That is a, the, the description and the documentation of all of the government’s activities, especially in terms of what they call rulemaking. And rulemaking is sort of the other side of the coin of lawmaking. So in the United States, we have the U.S. Code, which has all of the laws, you know, stemming from legislation.

[00:42:41] Jacob: And then we have the Code of Federal Regulations that effectively have the force and weight of law. Essentially, this is not a law school primer, right? So the rulemaking process is usually conducted by federal agencies. And this could be done as a result of a direction of an executive order. It could be done [00:43:00] by the direction of Congress.

[00:43:01] Jacob: So for instance, we talked about in the NDAA, Congress directed the DOD to come up with a framework for verifying security in the industrial base. So they issued a rule, right? You can see this in the recent software security executive order from President Biden. In that executive order, it says, hey, we got to do all this cool stuff.

[00:43:23] Jacob: I’m directing these agencies to do rulemaking. And in that rule, you will have it say the following things, or you will do the following things to achieve these goals. You can see this in legislation, they’ll direct agencies to write rules. Anyways, the rulemaking process is a, it’s a big old process. It’s, it’s gut, it’s the heart of government bureaucracy, essentially.

[00:43:45] Jacob: And anytime they’re going to issue a new regulation, they have to go through a public comment period, which usually means they issue a proposed rule. They get public comments back. It goes through an inter-agency review process, and this [00:44:00] could be any regulation, not just security. Big old cycle takes months to years sometimes.

[00:44:07] Jacob: And it’s, it’s how the government does its business. With CMMC, what we got in November of 2020 was the interim rule. So there could be a proposed rule or an interim rule, effectively very similar things. And we got an interim rule that said, CMMC is coming. There’s some new clauses in the DFARS.

[00:44:29] Jacob: There’s a bunch of stuff that’s happening. Here’s our reasoning. Here’s why we need to go fast. Here’s our estimates. Blah-blah-blah. So then there was a public comment period. We got a bunch of public comments back, and now the government is going through the long process of, when, when I say comments, I don’t mean YouTube comments, right?

[00:44:48] Jacob: I don’t mean like a little comment. A comment might be several pages long from people like the American Bar Association, from, you know, concerned citizens. I mean, there, a comment could be [00:45:00] significant. So when they say they got 850 comments on the rule, you’re talking about a lot of information to read, to process, to synthesize.

[00:45:10] Jacob: And part of the wonder of the way the government works is that they have to address them all, so they don’t just read them and then say, oh, thanks for the comments. They read them. And then in their new issuance, the final rule, if they adjust anything or not, they have to provide an explanation for why things were adjusted or not in the light of the comments.

[00:45:33] Jacob: So really, you know, if you were to think about on a small scale how you would want the government to get your feedback and improve on the rules, that’s probably how you’d want them to do it. When we zoom out to the level of the Federal Register, this could take a while, especially when people are starting to participate, right?

[00:45:51] Jacob: These are two rules. Like the comment to a single rule could be pages and pages. A hundred percent. I mean, you could have, you couldn’t be a [00:46:00] single line. It says I don’t like it, too expensive. Yeah. You know, the CMMC is dumb, right? You, you could do that. It’s your free citizen. You can participate in the rulemaking process.

[00:46:11] Chris: I was going to ask you who can, who can contribute? Who can write the comment? Anybody? 

[00:46:15] Jacob: Okay. Anybody? Yeah. Oh, you, you don’t, you don’t subscribe to the Federal Register and get it delivered, like a phone book on your doorstep every quarter. Most people don’t. Right. Most people don’t know that this process is, is a, this is like I said, this is the, the, the deep dark heart of, of bureaucracy and the government.

[00:46:32] Jacob: No one in their right mind has a normal interest in a, in what’s going on. And, and honestly, man, like I’ve said this before, if it weren’t for coronavirus lockdown, I probably wouldn’t have stumbled across it myself. Wow. You know, I’m not a lawyer or anything, but when you start, I just started asking why, why is it that it’s so obvious that people can’t afford CMMC but the government doesn’t seem to care? Once other, the government doesn’t care, there are answers.

[00:46:59] Jacob: [00:47:00] Policy-based answers. Why it, why they have the statements that they’re making, why they have the positions that they take, so on and so forth. And the only real way to get that reasoning behind why things are the way they are is not to read the model. It’s not in the model, it’s in the Federal Register, in the rulemaking process.

[00:47:22] Jacob: And so when you go back and back and back and you read all of the rules, the interim rules and the adjusted rules and the final rules, they answer every comment. Every time the pattern that shows up is they’ve been answering those comments the same way for 10 years, where they say costs, burden, impact, blah, blah, blah.

[00:47:44] Jacob: And they say, Nope, no change, no change, no change, no change. So when you go forward and you say, okay, it’s going to take them about a year or so normally to go from an interim rule to the final rule in black and white, [00:48:00] this is the final rule. It usually takes about a year. That means that this fall, November, December, maybe January, you know, into the holiday timeframe, somewhere in that timeframe, we would probably expect the final rule to come out.

[00:48:17] Jacob: And it is my opinion that if you read the way the comments had been addressed and you listened to the way that the government has communicated to everybody. I don’t think that we are going to see answers that are fundamentally different from the ones that we got over the last 10 years. And people are going to be real surprised.

[00:48:41] Jacob: I think when they say it costs money and the government says, okay, and they say, it’s going to put people out of business. And they say, okay. And they say, because they’ve said it before, they said it twice before now we’ve gone through this process twice. The only thing that’s different is now the assessors are coming.

[00:48:57] Chris: Hmm. Gotcha.

[00:48:58] Jacob: Right. So I put a chart [00:49:00] up, maybe we can link to it, where the Federal Register on their website shows you the page views, you know, old school page count, page view counter at the bottom of the page. Right? Well, they’ll show you the page views for each of the rules for this line of rulemaking over the years.

[00:49:16] Jacob: And on average, nobody reads them. Why, why would you? Not only are you not being assessed, you don’t even know the Federal Register exists. It doesn’t, it doesn’t affect you. So you’re talking, you’re talking page views in like the, a thousand, a thousand page views. Well, the current interim rule on the Federal Register, 90,000 page views since it came out in November.

[00:49:41] Jacob: Wow. Like 11 times more page views than the average page view of any cybersecurity rule that’s been issued over the last decade. So now all of a sudden people are paying attention. Yeah. And that’s why it’s, it’s such a, it’s such a [00:50:00] precarious position for everyone because these are issues that have existed for a long time in the government’s mind.

[00:50:08] Jacob: We’re out of time, we’re losing the war, right. We’re, we’re losing weapons systems as fast as we make them because China just steals the data for it. Right. So we’re, we’re re we’re out of time where we’ve been out of time. We got to go and do something now for everybody else. Everybody’s just becoming aware that this has been going on the entire time.

[00:50:30] Jacob: So does the holdup come down to the extensive process of reviewing and replying to those comments? Well, that’s the funny part, right? In terms of, you know, people are like, oh, there’s a holdup. Well, from the rulemaking perspective things are moving according to schedule. And if you think about it, if you were to go back from the, you know, look at the whole history of 171 and, and CUI protection in the DIB, and you just take the sliver of CMMC’s time on the stage, the [00:51:00] government has moved incredibly fast, right?

[00:51:02] Jacob: I mean, they’ve been moving, it’s like at lightspeed for the government. And for them to, I wrote this up a while ago, you know, you can also see the number of comments, these big comments, for all the other rules. This, this rule has 850. Other comments might have like 40. And in that rulemaking process, nine months, 12 months, 14 months.

[00:51:27] Jacob: Now we got, we got 850 comments and they’re saying, yeah, it’ll still take us a year. Which, I mean, you would think it would take them 80 times longer, but, but that’s not what’s happening. So it feels slow. But from the government, in terms of how they normally operate, things are flying. One sort of snarky way to put it is everybody loves to, I don’t, I’ve, listen.

[00:51:53] Jacob: I don’t work for the government. Like I said, I’m just a guy, but everybody loves to like [00:52:00] jeer at the government and say, you know, the give the private sector goes fast and they break things. We innovate. Well, that’s great until the government does the same thing. And what is getting broken is your ability to work for the government, right?

[00:52:15] Jacob: Like everybody wants the government to go fast and break things until your company is getting broken off because they didn’t get it. So I always tell people I’m like, you gotta be real careful about telling the government to go faster, go faster, go faster, because the faster they go, the less precise those answers are going to be.

[00:52:33] Jacob: And it won’t be until something bad happens that they react and then they write the new regulation. So just be careful what you wish for in terms of them going fast. So tell me a little bit about your company DEFCERT. Yeah. So DEFCERT, we are a small boutique cybersecurity consulting company and we specialize in working with companies on understanding their DFARS compliance [00:53:00] obligations. Typically involves the obligations under NIST 800-171, the standard set of DOD cybersecurity clauses, and the upcoming

[00:53:10] Jacob: Cybersecurity Maturity Certification program slash model. So we, like I said, we’re a very small company. It’s mostly advisory services. So effectively we come in in order to try to cut through the haze of what’s going on, you know, primarily the main differentiator around what we do from what you might hear in the marketplace is everybody says, hey, you know, you gotta do a gap assessment.

[00:53:34] Jacob: You gotta come in, you gotta check your gaps. You have to figure out where your gaps are. That’s the wrong approach, right? In, in situations where you work with small businesses, which is what we specialize in, the biggest driver of costs and therefore cost savings is not the number of gaps you have.

[00:53:50] Jacob: It is the size of the scope that is going to be assessed. So, if you aggressively limit the scope of your environments, you will save much more [00:54:00] money and your assessment will be much simpler and you will probably have a higher assurance of passing. Hopefully whenever the details come out in the future, if you limit your scope as aggressively as possible, if you walk into a company and you say, let me see your gaps, you’re going to find gaps everywhere.

[00:54:17] Jacob: Everybody’s got gaps, but you might have gaps in parts of the network that don’t need to be in scope. So you’re going to have a bigger capital expenditure. You’re going to have longer to remediate. You’re gonna have more complexity. You’re just gonna make it. You’re just going to snowball this situation out of control.

[00:54:33] Jacob: So we approach it from the idea that we’ve got to limit that scope as aggressively as possible first. That’s awesome, man. 

[00:54:40] Chris: So how can our listeners that that may be in need of these advisory services, get in touch with you and you know, where can our listeners follow you on social media? 

[00:54:52] Jacob: Yeah. So the best part, the best way to get ahold of us is just at defcert.com, our website.

[00:54:56] Jacob: It’s a very simple website, nothing too flashy or fancy. [00:55:00] You can email us there, info@defcert.com, and the best way to get ahold of me, honestly, is on LinkedIn, man. That’s, it’s the only real social media presence that I have, but that’s where you and I met. Put out a lot of awesome content over there.

[00:55:11] Jacob: We don’t, we don’t maintain an email list. We don’t maintain a pay wall. We try to democratize as much of this information as possible. 

[00:55:19] Chris: You’re my CMMC expert, man. So anyone listening, Hey, listen, you got, you gotta follow Jacob. 

[00:55:25] Jacob: I appreciate it, man. I’ve got my, you know, I’ve got my angle on the model that I think helps people understand what’s what’s going on.

[00:55:32] Jacob: You know, we have our own approach with our clients that we work with, you know, that primarily revolves around reducing scope and integrating existing management systems to save as much time and money as possible. But when you know that. As, as a, as hopefully clear as we’ve made the the outline of CMMC in this episode, there are still a lot of issues that you got to think about when you dive into [00:56:00] those details.

[00:56:00] Jacob: And one person doesn’t necessarily have the answers, a great resource that we could probably link in the show notes. There is a discord server where it is a, you know, effectively a hive mind of people across this landscape of compliance that ranges from consultants to people who want to be assessors to small companies, to big companies.

[00:56:23] Jacob: I mean, it’s all comers that have, for some reason or another needed to interact and understand CMMC and basically any type of compliance regulation. And they have an awesome happy hour every week where you basically get free consulting. That’s the first place I always go when I have a question.

[00:56:40] Jacob: So I was hanging out over there, but yeah, if you want to get ahold of us, defcert.com, info at, or reach out on LinkedIn, I’m always on there.

[00:56:48] Chris: Cool, man. So just wrapping up here, you’re in SoCal, right? Yeah. I’m in LA. So speaking of happy hours, like what is your go-to spot out there?

[00:56:57] Jacob: Yeah, there’s some, there’s some awesome [00:57:00] bars in LA man. There’s some really awesome bars. I’ll put it this way. It depends on what vibe you’re looking for. So if you’re, if you’re looking for, if you’re, I love cocktails, right. I love classic cocktails. I think it’s super though. The history of the drinks, how they’ve evolved.

[00:57:14] Jacob: I think it’s super, super cool. So if you’re into classic cocktails and you want the real sort of LA vibe, there’s a place called The Varnish in downtown LA and it’s got that sort of speakeasy kind of vibe to it. It’s actually in the back of the restaurant where they invented the French dip sandwich.

[00:57:32] Jacob: So it’s like a sandwich shop. Yeah. But you go through and it’s like this, like, you know, dark wood, low light, really, really awesome bartenders. Really, really awesome drinks. What I will say though, is that sometimes, the traffic in LA is famous, right? It can be faster to drive down to San Diego to get a drink than it can be to drive up the street to get into downtown.

[00:57:54] Jacob: So if you’re in LA, look for The Varnish. If you’re ever in San Diego, you got to find a place called [00:58:00] Polite Provisions. And it’s like sort of the exact opposite. It’s very open and very airy, but their drinks are really, really good, equally as good, really great bartenders. If you’re into craft cocktails.

[00:58:13] Chris: Nice. Nice. Now, what about like, you know, Santa Monica. And you want to hit it like a nice beach bar. 

[00:58:20] Jacob: All right. Well, if you’re over there, what I’d say is if you want the best bar in town hit me up because my home bar, I’m going to, I’m going to just go ahead and say my home bar is definitely, I should probably come up with a good name for it.

[00:58:30] Jacob: Now that I think about it, it’s an unnamed, unnamed bar at this point. Listen to me, we all, we’ve all expanded our, our, our home hobbies, I think, during coronavirus, but you know, LA, LA is really cool, man, because the, the craft cocktail scene is so big that they have, you know, meetups like the bar, the really amazing bars that are out here, sometimes they’ll do classes.

[00:58:51] Jacob: I mean, all of the places where they get their super great ingredients and even their specialized ice, you have access [00:59:00] to because you live down the street from those places. So it’s, it’s easy to kind of play along. Yeah. A hundred percent. So yeah, I just started last call here at Barcode. You got time for one more?

[00:59:10] Chris: Yeah. If you decided to open up a cybersecurity-themed bar, what would the name be and what would your signature drink be?

[00:59:18] Jacob: Man. All right. Well, first things first if, if I’m over it, usually when I’m going to the bar, it’s because of cybersecurity and I don’t want to deal with it anymore. Right. I think most of the most of the folks understood most of the folks who are hanging out at the bar who work in the security industry are there because of working in the security industry.

[00:59:37] Jacob: So I don’t know if theming it is to, it’s going to be my speed. But yeah. So if I was going to name it something right, it would have to be, well, maybe we’ll go off that maybe the home bar expands one day, right? Maybe we’ll call the bar the final rule. Right? So we’ll call it the final rule. 

[00:59:53] Chris: Okay. What would the signature drink be?

[00:59:57] Chris: Let’s see, no comment. 

[00:59:58] Jacob: No, [01:00:00] that’s pretty good, man. No comment is pretty good. It would have to, it’s got to be some sort of a play on some, some obscure rule process. But yeah, I don’t know. I’ll have to think about that. I’ll say, I’ll think about that. It’d be interesting if people, people you know, give feedback on the show, what they think the trick would be, but yeah, I think the final, the final rule would definitely be the, definitely be the bar for sure, man.

[01:00:23] Chris: Well, Jacob man, thank you for coming on and sharing this knowledge with us. Go down the street and enjoy yourself. A drink on one. Do the same here. 

[01:00:30] Jacob: All right buddy. Yeah, anytime, man. I’m really happy to be here. This is great. All right, man, take care later.
