Blog

Helping Contractors Achieve DFARS Compliance

Interview with CMMC-AB Standards Chair
Regan Edens – Part 1

At its core, CMMC is focused on enabling a digital transformation of the Defense Industrial Base (DIB). The model is designed to fundamentally change how defense companies think about cybersecurity as well as how they manage their own security. With this level of ambition, it is no surprise that CMMC’s implementation has proved a challenge for many contractors.
 
For Regan Edens, this level of challenge though is an incentive. Regan, who is founder of DTC as well as a member of the CMMC-AB, believes that the harder the challenge the more interested he is in finding a solution. This attitude goes a long way to explaining his approach to helping DTC’s customers as well as accepting a role on the CMMC-AB.
 
PreVeil spoke with Regan at the end of 2020 about the challenges he sees contractors facing as they get on the path to compliance. We also asked some of the common misconceptions floating around the DIB. Our conversation below has been edited for clarity and brevity.
 

 
PreVeil: Let’s start with learning a bit about DTC. How did it start and get to where it is today?
 
Regan Edens: DTC (Digital Transformation Compliance) is rooted in my interest of applying technology to hard problems. So, when DFARs and CMMC came up in 2019, I thought it was a fit for the type of challenge and digital transformation I thought I could help with. You had the important national security interest, the compliance requirements of DoD and then the cybersecurity aspect. Through conversations, I realized the size of the challenge and need for manpower to establish the DFARS framework.
 
That’s when I started DTC.
 
Today, DTC focuses solely on defense companies and helping them with their ITAR and CMMC compliance issues. We work with small companies (200 employees or fewer) and large Primes but not many in between. We specialize in documentation and providing the templates that can expedite defense companies’ compliance path. We help companies with turnkey solutions as well as audit preparation. So far, we have done around 100 audits since the beginning of 2020.
 
PreVeil: What are you doing to help companies get ready for the DFARS rule? What are you doing to help companies for CMMC?
 
Regan Edens: The biggest challenge of DFARS is understanding what is required. It’s fundamentally an immature ecosystem and model which means that no small or medium business can navigate the challenges of implementation on their own. It’s obscure and ambiguous and unless you know the 7 or 8 languages the model speaks, you are lost

The biggest challenge of DFARS is understanding what is required [of you].

 
From a process standpoint, I tell people to get ready by meeting the most urgent requirements and those are the ITAR and DFARS 7012 requirements. If you’re not ready for ITAR, that vicious animal will eat you in the forest.
 
After that, through 2021, you need to focus on meeting the current DFARS 7012 requirements. Meeting these two standards should be their primary function from now until the end of 2021. Once a contractor can implement and sustain those requirements then the extra 20 requirements of CMMC, which are mainly maturity requirements, will be easy to do.
 
Typically, the next step I take with customers looking to become compliant is orienting them and understanding their business challenges around CUI. Unfortunately, most information is not properly marked so it’s hard to determine what’s CUI.
 
Contractors must understand that the safeguarding of Covered Defense Information includes unmarked CUI and CUI the Contractor develops in performance of the contract. Yes, the DoD has the initial obligation to mark and identify it in the contract, but the reality is contractors will deal with significantly more unmarked CUI that is received and also created by them. It’s the responsibility of the contractor to then determine unmarked and created CUI by definition. Then they are required to mark, handle, and safeguard the data appropriately.
 

Questions to ask if you think you might be handling CUI?

  • Do we have a DFARS clause in our contract?
  • How is sensitive data communicated to us?
  • What percentage of the information we handle is CUI and where is it being handled?
  • What types of CUI do we handle?
  • Do we handle technical drawings/ diagrams?
  • Do we know what’s in COTS and what’s CUI?

 
Those are the fundamentals. And for the most part, you really do need outside help to get this done. You have to be 100% conforming with 300+ assessment objectives. You have to get CUI and ITAR out of regular email or face a $1M fine.
 
PreVeil: Where are you seeing your customers getting into ‘trouble’ in implementing compliance policies?

Regan Edens: Again, most defense companies are really having troubles understanding the NIST and DFARS requirements. Their IT guys write policies during their lunch hour and they are a disaster. The policies they write are not helpful, meaningful nor understandable. Access Control is particularly challenging.

Complexity of Writing Policies Across Domains


We are trying to help the organizations we service transition to policies that are not in the language of compliance but into a language that is understandable by everyone.
 
These types of problems with formulating policies explain why we aren’t surprise to see an average SPRS score of -134.

PreVeil: With NIST assessments, you need to submit scores, no matter what they are, into the SPRS. What are you advising customers with regards to low scores?
 
Regan Edens: Yes, they need to submit their score but should they do their best to improve a low score before submitting?
 
Contractors need to be truthful and accurate- that’s most important. Falsehood and inaccuracy create enormous risks for the organization. The DoD is using SPRS as an incentive to get contractors to be compliant and demonstrate where they are right now.
 

Of the 300,000 contractors out there, only 5500 organizations have their score in the SPRS.

 
Some contractors might worry that their Primes have access to their score. The reality is that Primes cannot access the score of a subcontractor. Subcontractors must self-report.
 
At the same time, contractors should do what they can to improve their score. Contractors should aim to improve their score even after they have submitted their initial score and they should resubmit it as many times as want. They just need to document each time.
 
Contractors shouldn’t delay improving their score either. There’s a business reason for not delaying the improvement of your score which is that you need to plan your company budget. That planning starts off with having an accurate System Security Plan and an accurate POAM. Only then can accurately determine the amount of money you will require for IT, manpower, and technology.
 
PreVeil: I’ve heard a lot about the requirement for institutional maturity. Specifically, companies need to show they have been living the CMMC way for at least 6 months before they can become certified. Is this true?
 
Regan Edens:Access Control is a good example to answer this question as it’s the largest domain in CMMC L3. Access Control says we have to understand who has access to data. We need to know where data is and on what devices. In order to do this, we must control the flow of CUI and determine who needs access. We need to know what devices or apps can access data and which cannot. So, we need to have a plan, budget and resources to do all this.
 
In CMMC, employees will need to demonstrate that not only are the requirements implemented but also that they are sustainable. Do employees understand policy, in addition to being able to implement it and sustain it? Is there enough institutionalization of process to maintain control and protection of CUI? These steps take time and cannot be implemented overnight. So, that’s why some people started creating the notion of a required amount of time.
 
Right now, there’s no defined amount of time to have these processes in place. The issue of ‘time’ came from notion of people needing to fill in the blanks.
 

Check out Part Two of this interview.