The CMMC’s goal is to strengthen the cybersecurity of defense contractors, especially the numerous small and medium-sized businesses in the supply chain. However, this leaves many companies wondering how they can stay competitive while starting on the path towards compliance.
We recently spoke with Jonathan Hard of H2L Solutions on this very topic. Jonathan’s company focuses on helping clients develop and manage their cybersecurity programs, specifically around Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, National Institute of Standards and Technology (NIST) 800-171, and the upcoming requirements detailed in the Cybersecurity Maturity Model Certification (CMMC). The following conversation has been edited for clarity and brevity.
PreVeil: Can you start off by telling me a bit about how H2L got into the world of DFARS assessment?
H2L: H2L has been in business since April 2014. We came out of large DoD contractors who were doing cybersecurity – at that time it was called ‘information assurance’. In 2015, we did our first DFARS 7012 contract for a local company in Huntsville, AL, and that just started us off in the third-party assessment world. At that time, most contractors in the DoD supply chain didn’t know what DFARS 7012 was, even though it had been out since 2013.
Many companies, at the time, didn’t think there was much of a business to be made from DFARS 7012. But we could see the important role it would play in the future.
PreVeil: Small to medium-sized businesses are coming to you saying they are looking to become CMMC compliant. What are you telling them in terms of getting ready? How should they start?
H2L: When we take on a new company, many are surprised by how much is required of them. We tell them that the fastest way to get to CMMC Level 3 is to focus on the DFARS 7012 adequate security clause one ‘byte’ at a time. DFARS 7012 is already a law and has to be implemented if they want to work with the government.
They should focus on NIST 800-171 and knock out the first 110 security controls. Then they should position their firm to include the additional controls and policies that will be part of the CMMC level 3 standard.
If a company doesn’t want to mess with managing all those controls, then they should outsource it. They should hire an MSP or MSSP, or hire a third-party consulting firm like H2L that is neutral and knows how to implement these things.
PreVeil: Do you see the language of DFARS changing once CMMC becomes law of the land? That could be a point of friction, particularly if companies are managing their cybersecurity to meet the expectations of the current 7012 language.
H2L: I think DFARS 7012 will be updated to reflect the new CMMC program. However, I think NIST 800-171 Rev 2 will still be the core of the CMMC assessment, with the additional 20 practices required for CMMC Level 3.
The flow-down requirement in DFARS is one a lot of folks have wondered about. It will still be a requirement. However, the subcontractors will only be required to achieve Level 3 or above if they receive Controlled Unclassified Information (CUI) through the process. For example, a prime may be required to be CMMC Level 4, but their sub might only need to be CMMC Level 3, based on the government requirement for the type and amount of CUI they are handling.
DFARS 252.204-7012 Flow Down Clause
DFARS Clause 252.204-7012 requires contractors to implement NIST SP 800-171 as a means to safeguard the [DoD’s CUI] that is processed, stored or transmitted on the contractor’s internal unclassified information system or network. Federal contractors, in turn, are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI.
Source: Under Secretary of Defense, Jan 31, 2019
PreVeil: A lot has been said about prepping for CMMC by small and medium businesses. One big issue is cost. How are you seeing this play out in the companies you are working with?
H2L: Most companies I work with have invested money in their security infrastructure based on DFARS 7012 and implemented most of the NIST 800-171 controls within their IT. So, they have put the upfront cost into becoming CMMC Level 3 compliant.
However, they aren’t done yet. There are still 20 extra controls that they need to implement.
Additionally, they will need to put more money into being certified and put money into audits.
Where we see an issue is with some companies (smaller ones with 20 employees or less) balking at the price of assessments and, eventually, certifications. They are postponing any kind of movement on security implementation until some things are solidified from a requirements perspective.
PreVeil: For companies that are finding cost an issue, what do you tell them to do?
H2L: It depends on what level they want to achieve.
CMMC and the regulation are focused on protecting CUI. This is the root of the executive order that came out under President Obama, which was focused on stopping the bleeding of CUI.
If I were starting a new company and needed to become CMMC compliant, I’d start by understanding the goal of protecting CUI. Then, I’d look at technical advisors that are cost-effective and care about the Defense Industrial Base; not ones focused on simply lining their pockets. Then I’d focus on creating a one-on-one relationship with trusted folks. I’d go to the Procurement Technical Assistance Center (PTAC) and get their suggestions.
I’d get baseline policies. There’s a lot out there that’s available for free. And I’d set up my system in the most economically advantageous way.
If I wanted to outsource it, I’d call a local MSP or MSSP. I’d call PreVeil. I’d ask them how I could do it in the most economically advantageous way. Or I’d shop around for reputable companies that care about protecting the country and do business with those people.
It doesn’t cost that much for a small company to secure a few employees’ infrastructure. Get a trusted security company to set up the internet and manage your firewall. Call up PreVeil to protect email and file sharing and protect CUI – that’s half the battle, since so much data is shared through email and files.
Yes, there are policies that will need to be done along with other items. But one of the biggest CUI leakages is through email. I have seen cases where a company emails a whole specification for a DoD System to all their suppliers without even checking for CUI. This must stop.
PreVeil: Do you do pro bono work?
H2L: Yes, we do a lot of pro bono. We do DFARS 7012 inspections for some of the smaller Defense Industrial Base (DIB) companies, and we lose money on them, but that’s fine. We get another assessment under our belt and we get another happy customer. The client company is better postured to protect their information, and as the client grows and needs something new, they will think of us. Money isn’t everything.
PreVeil: Do you have a sense of how many SMBs will need to achieve the various levels 1-5?
H2L: Of the 200 or so companies we inspect, just about all of them are shooting for level 3.
Originally, the DoD said that only 9-10% would need Level 3. But I think the standard will become L3. Why wouldn’t you?
Overall, I would say over 50% of the DIB will shoot for L3 or above, and maybe even higher. Some in Huntsville are even shooting for L4 because that will set them above the standard and set them apart. So, they are investing even more money in 24/7 monitoring and establishing a security operations center.
I don’t know if the government understood that when they created a baseline standard, people were going to seek to differentiate themselves. If Level 3 is the gold standard, then you are going to see more companies than you anticipated going after Level 4 and Level 5 to differentiate themselves.
PreVeil: It seems like we don’t need to worry about how compliant H2L’s clients are. It’s these other hundreds of companies that haven’t heard of DFARS or are just getting to know about DFARS that we should worry about.
H2L: That’s right. Unfortunately, there are a lot of manufacturers in Alabama that aren’t plugged into LinkedIn, don’t watch the webinars, don’t go to conferences, or don’t have a person on staff who will teach them how to keep up to date with current regulations. There are many we speak to that don’t even know about DFARS 7012, but that number isn’t as large as it used to be.
One of the big communities that hasn’t done anything about DFARS 7012 yet is the A&E (Architect and Engineering) community. They do a lot of design, predesign, build, and commission work for NAVFAC, USACE, and the Department of Homeland Security. And the reason they haven’t done much around DFARS 7012 is because these government agencies haven’t been putting the DFARS 7012 clause in their contracts until recently.
A lot of the A&E companies will have a local U.S. shop doing the design work, but the company doing the construction is sometimes overseas, where they will have local talent building the facility.
Having DFARS 7012 in the contract would require the local company in say Germany to follow the DFARS 7012 regulation. And not many foreign companies want to implement those standards.
PreVeil: What challenges have you seen come up as companies are trying to get ready for CMMC by following DFARS 7012 and NIST 800-171?
H2L: One problem I see is that companies who are trying to get ready by following DFARS 7012 and NIST 800-171 are coming up against the Defense Contract Management Agency (DCMA). The DCMA is continuing to conduct Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audits. The audit is evaluated against DFARS 7012 standards, and the inspectors are not looking at CMMC at all.
We have assisted larger primes in preparation for a DIBCAC audit. They are dealing with the challenge of creating policies that call out NIST controls and then having policies that call out CMMC controls, because the policy must be control-specific. Companies don’t want a hybrid policy. They worry that inspectors will be confused and not like it.
So, we must write policies for both NIST and CMMC that are each control-specific, which means they are paying for two different inspections. So, this is the opposite of folks complaining about it costing too much. These are medium-sized companies who are investing in two policies.
The challenge in terms of technology is implementing multi-factor authentication (MFA) and introducing the standard throughout their infrastructure, although that is getting less common. Some have resorted to starting MFA with just their C-suite.
We also see challenges around purchasing technology, like a Security Information and Event Management (SIEM) tool. They are having a similar pause around things like log access management, Federal Information Processing Standard (FIPS) 140-2 compliance, and servers.
Many are holding off on these complicated IT security devices and focusing on low hanging fruit because it makes sense for them now. If they can show they are working towards full compliance, they can create Plan of Action and Milestones (POA&M) around the other things in preparation for the CMMC.
Even though DFARS is the law of the land, when they signed the memo in 2017, it said that all you needed to be compliant was, at a minimum, a System Security Plan (SSP) and a POA&M. Many companies stopped at that.
Until now, companies have created POA&Ms, either because they don’t have the budget now and think they’ll introduce the changes next year, or because they want to see how CMMC plays out. With DIBCAC audits, people are trying to get those things off the POA&M.
But, once CMMC comes, POA&Ms are going away. And the DIB will have no choice but to get started.
PreVeil: For many small companies, it seems to me that the “enclave approach” could be an intelligent way to get on the path to CMMC compliance. Enclave means that only a portion of the company needs to become compliant. Why aren’t more companies taking this approach?
H2L: A lot of businesses want to secure their whole infrastructure, or create a designated center where all CUI data is concentrated in one locked-down facility.
Some companies can do an enclave approach. But I think there’s a greater sense of ease if the whole company has it implemented.
A lot of companies have Microsoft Office E3 licenses. They hope something will come out that can be an alternative and will enable them to avoid going to GCC High and paying the expensive migration fees. That’s the real killer in getting to the GCC cloud environment.
I tell customers there is an alternative to that, and that’s to implement all the cyber controls for CMMC Level 3 they need. Then, decide who within the company is touching CUI and implement PreVeil email and file sharing just for that subset or group. And they are good to go.
These customers have all been super happy.
PreVeil: Well, Jonathan, thanks so much for taking the time to speak with us. This has been great.
H2L: Thank you.