Industry and government alike have been pondering the new proposed rule on vendor cybersecurity that was published just a couple of weeks ago. The Defense Department wants to finally get its Cybersecurity Maturity Model Certification program off the ground. It would impose new requirements on contractors. For one industry view, the Federal Drive with Tom Temin spoke with the Chief Technology Officer at Fortinet Federal, Felipe Fernandez.

Interview Transcript:

Tom Temin Well, exactly what does this impose on industry? Because I think depending on how large the company is and whether it’s a prime or a sub or a sub of a sub, the requirements vary.

Felipe Fernandez Certainly. And I think what the DoD would tell you is it doesn’t impose very much in regards to differences from the already existing obligations in DFARS 7012. What the DoD would say is industry has already incurred these costs to implement any security controls that are required to be awarded DoD contracts. However, there are some obligations for certification assessments for organizations seeking level two or level three certification. So I think that’s really important to understand. Also, what’s going on is organizations need to understand that these assessments, depending on the size of the organization, are going to vary in cost. So anywhere between $100,000 to $20 million, according to DoD estimates.

Tom Temin Yes. The assessment and the third party, that whole apparatus is just getting stood up. And so you’re going to have to hire somebody to come in and say yes, what they say they have, they actually have. And that entity would report that back to DoD.

Felipe Fernandez That’s right. And the good news on that front is the DoD has made some changes to the assessment process, essentially injecting more assessors into the pool available for industry participants to select for their various assessments. So you’re not waiting as a single company for assessors to become available to make you ready to be awarded DoD contracts, you can essentially get an assessor earlier than what was presumed with the earliest ruling.

Tom Temin And do the objectives of this whole program apply only to whatever government DoD data the company might possess? Or is it also the company’s own data, which I guess, from which a bad guy could infer what’s going on in the government?

Felipe Fernandez Well, it’s really important to understand that it’s about federal contract information and CUI. So it is important for entities to understand exactly how that data traverses their systems to design and really illustrate a workflow for that, so that can be audited. And it’s really that data that the DoD is concerned about.

Tom Temin Because contracting information could also be CUI, in some cases sensitive but unclassified. For example, just to make something up, if an order for a million howitzer shells should come in and the shipment of where they’re headed is in that contracting information, that could be valuable to an enemy.

Felipe Fernandez That’s right. With enough pieces of SEI cobbled together, adversaries can really put together a plan of action and really execute advanced persistent threats against the United States and its interests.

Tom Temin And fundamentally, there are certain technical controls you have to have in place that’s presumed under CMMC. What are the chief ones, and in your experience, how many companies actually have it in place?

Felipe Fernandez For the most part, most organizations are applying these security controls, or these practices as they’re called, particularly as they’re framed in level one. In level two, it calls out 110 NIST 800-171 revision 2 controls or practices. And I think that’s also important. This has also been raised as a comment from a lot of the field: that the CMMC interim, not interim ruling, but proposed ruling refers to 800-171 revision 2, which is the current standard. But revision three is on the precipice and about to be released. And that is actually what the DFARS refers to in 7012. So we’re looking forward to seeing if the DoD clarifies that once the proposed rule becomes an interim rule, or sticks with that, and it may be to make it easier on industry to implement these controls and not have to implement the newer controls from revision three.

Tom Temin Because NIST solicits comments and issues revisions kind of on its own schedule, not on DoD’s schedule necessarily.

Felipe Fernandez Certainly. And we know it could be challenging for industry to adopt the new revision and implement all those controls. Obviously, with more controls the assessments become more costly. And I think DoD is trying to help industry out. My assessment of it is DoD is trying to help industry out by saying NIST 800-171 revision 2 is good enough, and we’ll see where revision 3 comes into the works. Maybe that comes into future revisions of the ruling.

Tom Temin We are speaking with Felipe Fernandez. He’s chief technology officer for Fortinet Federal, and Fortinet itself is a cybersecurity vendor. And so are there special, I don’t know, requirements or impositions for cybersecurity, for people selling cybersecurity?

Felipe Fernandez Absolutely. And I think one of the things that entities are looking at us to provide them is help with access control, application control, things that allow them to provide or get greater granularity into controlling who or what has access to which information on their systems and when. And definitely contextual awareness around this access so they can apply strategies like zero trust, for instance.

Tom Temin Yeah, I was going to say these are in service of the zero trust idea. And I mean, at what point will they say, well, you have to have micro-segmentation, you know, and therefore that every call from every application to every possible database is a micro segment, a micro-divided segment, and that has to have controls in place and so forth. It gets to be a big deal to do.

Felipe Fernandez Certainly. And it may be that DoD and NIST start rolling this 800-207 zero trust guidance into these regulations and actually enforcing the assessment and verifying that these controls are in place in such a manner. But zero trust and this micro-segmentation, as it’s referred to in industry today, I think is going to be rolled in in short order as these controls are in place and a standard, or at least a baseline, is founded.

Tom Temin So CMMC is in some sense a compliance exercise. But that is only the case if you have the technology in place. So I guess my question is, who should be involved in a company in making sure that that contractor is good with CMMC?

Felipe Fernandez Well, from a company perspective, certainly at the highest levels, you need adoption. You need the CISO to be involved. Particularly, I would say CEOs need to be involved as well to ensure they have executive sponsorship on anything that needs to be funded or efforts that need to be resourced in order to become compliant with CMMC. As we know, this will impact the company’s ability to be awarded DoD contracts, and that could be very much their livelihood depending on the organization’s go-to-market strategy.

Tom Temin And serving both the commercial side, you know, other companies, and federal agencies, who’s generally in better shape, CMMC aside, industry or government, do you think? Loaded question, I guess.

Felipe Fernandez Well, what I can say is both sides have been focusing on it for quite some time now. Speaking from the Fortinet Federal perspective, small businesses to large businesses have come to us over the past couple of years to help them implement practices that have been called for in the various CMMC levels. Once CMMC level one through five, now one through three. And so these controls are taken very seriously by the organizations who feel like the federal government business is important to them. But I would say the DoD obviously, although small, the CMMC PMO office has taken it seriously. One of the things you can note from the proposed rule was that they’re reemphasizing why this is important, and they have not budged as to why the requirements are what they are. However, they have tried to ease the burdens, if you will, and make the implementation a lot easier for these organizations.

Tom Temin And just a final question on small businesses, because if you start a business and you want to get some of that OTA money or whatever the case might be, or FAR, you know, contracts, the last thing you want to do is build a complicated IT system. You’re going to go with cloud applications and cloud hosting if you’re a small business startup. But that doesn’t absolve you from worrying about CMMC compliance, does it?

Felipe Fernandez No, it does not. And you’re right, they do have less complex systems. And perhaps, maybe, only subject to level one. But DoD does estimate that 60,000 small businesses will be subject to level two certified assessments. So that’s going to come at a cost, which DoD estimates to be around $105,000 every three years, just for the assessment itself. But from a technology perspective, they have the benefit of modern technology, helping them really collapse the infrastructure that’s required to implement security controls around CUI and FCI.