Manufacturing Mavericks

What does it mean to be CMMC 2.0 Compliant? Why does it matter, and how do manufacturers tackle it without getting lost in the weeds? Greg interviews Darren Gallop, CEO and founder of Carbide Secure, to cut through the noise on CMMC 2.0 and why starting with a self-assessment is step one. He digs into the certification process, budgeting, and tools available to support you on your journey to compliance. Plus, they clear up the confusion between NIST, ITAR, FedRAMP, and other compliance standards. 
Whether deep in the compliance process or just getting started, this episode gives you the insights—and the game plan—to keep your shop secure and ahead of the curve.


Show Notes
00:58 The Importance of Compliance to Secure DOD Contracts
02:17 Current State of CMMC 2.0
04:36 Understanding the Requirements
15:30 The Risk Your Vendors and Software Pose to Compliance
30:09 Real-World Examples
34:32 The Hard Way Vs. The Easy Way to Compliance
40:11 Preparing for Third-Party Certification
50:33 Maximizing Your Odds of Success
53:49 Tools and Resources for Compliance

The Datanomix Difference: What Makes It Work?
It’s not just what you see. It’s how fast you see it, how clearly it shows up, and how easily your team acts on it.
Learn more at www.datanomix.io

Creators and Guests

Host
Greg McHale
Greg founded Datanomix, a company delivering game-changing production insights and intelligence to manufacturers of discrete components. Datanomix was founded on the premise that the 4th industrial revolution would require turnkey products that integrate seamlessly with how manufacturers work today—not clunky workflows that depend on human input or complex data extraction. He brings enterprise data skills to a market ripe for innovation. Greg has held engineering leadership positions at several venture-backed companies and is a graduate of Worcester Polytechnic Institute.
Guest
Darren Gallop
CEO of Carbide Secure and CMMC Registered Practitioner

What is Manufacturing Mavericks?

Manufacturing Mavericks aren’t afraid to shake things up and stand out from the crowd. They are embracing the best tools and technology to showcase world-class American manufacturing and grow their business.

Join Greg McHale, founder of Datanomix, as he sits down with these exceptional people to hear their stories and explore the important lessons they learned along the way. Listeners can gain valuable insights they can use in their own facilities to improve their bottom line.

Greg: Welcome to Manufacturing Mavericks, a podcast where we showcase and celebrate exceptional people from across precision manufacturing who are boldly embracing new ways to improve their processes, grow their bottom lines, and ensure American manufacturing will thrive for generations to come.

Greg: Welcome to this episode of Manufacturing Mavericks. I’m your host, Greg McHale, and boy, do we have a great topic for today’s show: CMMC 2.0 compliance, the whats, the whys, the whens, the hows. And this is not a topic I could cover on my own, for sure. That’s why we have brought in a very special guest today, a cybersecurity and CMMC expert, Darren Gallop, with Carbide Secure. Welcome to the show, Darren. How are you today?

Darren: Hey everybody, great to meet you all. Greg, thanks for the introduction. Super happy to be here talking about CMMC. I’ve been hearing about and thinking about CMMC for about five and a bit years now. It’s not a new thing, I think to any of us.

I’ve recently become a CMMC registered practitioner. Before that, I’m also a CISSP, which is a pretty renowned cybersecurity certification. I also have several data privacy cybersecurity certifications and around data. So, been in the business for a long time, cybersecurity, data privacy, regulations, compliance, all these things have been a big part of my life and career over the last about 14 or 15 years. So, happy to share and help everyone wrap their heads around what this is going to likely look like and how we can move through it in a progressive and positive manner.

Greg: Awesome. Really appreciate that, Darren. We were at IMTS, and coming out of IMTS, boy, was ‘what do I do about CMMC as a manufacturer?’ one of the biggest topics. And we definitely have heard within our customer base and folks that are not necessarily Datanomix customers, just at the show, lots of conversations, “Hey, how can we get some better information about CMMC?”

And Datanomix, us as a vendor, we have similar obligations, certainly different than manufacturers making the physical goods, and with some of the assets that you guys all have under control, but we as a vendor to manufacturers do have to follow the same standards, just on a different part of the problem. And we’ve been doing that, as a business, in conjunction with Carbide, so we thought it’d be a great opportunity to give some perspective on what are the common questions that we’re hearing? What can you do today? What can’t you do today? How do you go through this process? The when, the why, the how.

So, really, the approach that we’re going to take here is, we have a cybersecurity expert here in Darren. I’m basically going to go through and ask him questions from the perspective of a manufacturer for, certainly, a lot of the questions and topics that we have heard that are on people’s minds. So, let’s start with where is CMMC 2.0 really at today? And when I started digging into this several months ago, Darren had some great statistics that I thought were worth sharing with the group here. So, let’s start with this one, Darren. So, where are we at today with CMMC 2.0?

Darren: This is an estimate that I got from the Department of Defense, estimating that there’s roughly 80,000 companies in the US that are going to require that level 2 or greater certification as this program rolls up. That doesn’t count the companies that also are outside of the US, and there’s a lot of companies outside the US, in Canada, Australia, in Europe, that are also subcontractors of the US Department of Defense. That’s going to be—it’s going to be an interesting journey, right? I think we’re a number—the number is probably well over 100,000 of companies that are going to have to go through this process. The interesting fact is that there’s only 57, as of when I looked last, certified registered auditors.

That being said, there are others, there’s about 200 candidate auditors that are going through the process of becoming certified auditors, and I expect we will see a lot of auditing firms go after this opportunity because as that first line, 80,000 companies needing to do this, if only 257 auditors had to handle, it’s going to take a while. And to that point, yeah. I think this is an interesting point to figure out or to understand here is that the expectation from the Department of Defense is that this is going to take about three years from the moment that they launch it, which we estimate to be at some point in—it could be Q1 2025. I’ll be honest to say that not all the estimates of timeline for this implementation and the launch have been super accurate, so it could be a little later.

But it’s reasonable to expect that 36 months, three years is going to require—and I don’t think that we’re going to see everyone get certified. I think we’ll still—it’s going to be a bit of a struggle to get all these companies through this process in that period of time, with the amount of auditors that are going to be out there. It’s a big lift.

Greg: And so, I think that puts us in this situation is, so wait a minute. You said there’s all these companies that have to do it. The timeline is unclear. There are no CMMC-certified entities in existence today, so what does that actually mean that we need to do? And I think this is one of the very important topics that we want to dig into here is, what are the acronyms? What are the standards? What do we know about what the obligations are really going to be? And then, how do we all best position ourselves for what we inevitably know is coming, based on as much information and, sort of, official things there are that we can do today?

Darren: And I’d love to be able to say that everybody can just chill out and relax and just wait this out, but unfortunately, that would not be a prudent approach.

Greg: Right [laugh]. Right. So, one of the first questions that, certainly, we’ve been hearing is, what are the data sets in manufacturing that require safeguarding per CMMC 2.0? And I think the slide here is a pretty good takeaway on the categories of information that are going to need to be protected. Darren, why don’t you take us through those?

Darren: Yeah, this is great. You’ve got FCI, which is effectively your Federal Contract Information. One of the things I just mentioned about that particular information is that it’s not always going to be labeled, so it’s going to be prudent to basically—if it’s labeled as such, then obviously treat it as such, but probably best practice to treat any information in terms of your negotiations, contracting conversations with the DoD supply chain is to treat them as default of being FCI. So, that’s the level 1 foundational level, which, pretty straightforward.

And then CUI and CDI. CDI is really a subset of CUI. In that case, effectively, what we’re looking at is the NIST Special Publication 800-171 controls. That is what this program is built off of, and that’s been around for a while, and that’s accessible and free, and everybody should be able to—should access that and look at that. That gives you a good idea what the lift is.

Now, CUI generally is going to be more diligently labeled, and in fact, I believe we’ll be sharing some information with folks afterwards, with some helpful links and whatnot, but there’s actually a database that the Department of Defense maintains that has all the different classifications and label identifiers of CUI. So, that’s probably a really good place for businesses to look at to get a good idea of what effectively you were touching. I will say, so we talked about level 2 and level 3. Level 2 is really the 110 of 800-171, and there’s still a little bit of figuring out what the level 3 looks like. They’re still working on some of those pieces, but it’ll be that, plus some more. But yeah, the FCI, if you’re doing any work at all with the Department of Defense or in that supply chain, you’re going to be touching some degree of FCI at a very minimal.

Greg: Awesome. So, this is where I’ve definitely seen the most, really confusion, I would say, from folks I’ve been speaking to is, do I need to be FedRAMP? Do I need to be CMMC? Do I need to be NIST? I think ITAR is the one everyone’s already got their head around because that’s been out there for a while, and folks that are serving the DoD or in the supply chain have certainly been doing the right things there for several years.

Even for us, sometimes customers say, “Are you FedRAMP?” Or, “Do I need to be FedRAMP?” Or, “What do you need to be, and what do I need to be?” So, I think going through each of these and really demystifying what exactly is that thing—what is NIST versus what is CMMC versus what is FedRAMP—and then what do we, as businesses, manufacturers, and vendors who serve manufacturers, need to be doing to be prepared and be compliant, here? Let’s jump into the first one. Do I need to be NIST compliant as a manufacturer?

Darren: The real answer there comes down back to CUI. So, if you’re thinking of NIST, like, NIST, it’s a standards organization, and they produce standards that include guides for cybersecurity, guides for risk management, controls, they cover data privacy, they have a standard around artificial intelligence governance. They’re out there, that information is all available to anybody to use to help in their business. When you’re talking about the Special Publication 800-171, that is specifically designed for handling CUI. If you’re doing contracts now and you see a clause that says, you know, ‘must comply with or follow the DFARS clause 252.204-7012,’ that is basically a Safeguarding Covered Defense Information and Cyber Incident Reporting, which applies to all contractors and subcontractors doing business with the US Department of Defense.

And what that ultimately means, they leverage that NIST 800-171 standard. So, if you’re seeing that in your contracts now that’s a good, strong indicator that the expectation when this goes live is that you will be required to do the CMMC, likely the level 2 certification. So, by building an information security program and having your business be in compliance entirely with the Special Publication 800-171 is the best road for you to effectively be ready to then go about the certification process when that process becomes available to follow. When we look at 172, it’s really just an extension to 171 that covers a little bit more in-depth around things like different types of attack vectors that may be more modern, like persistent threats and things like that. And the expectation—that’s why, in theory, that CMMC 2.0 is going to be the Special Publication 800-171 with the additional elements of 172—that is not finalized. There may be some additional requirements. That’s information that we’re all patiently waiting for.

But again, if you were, if you’re falling into level 3 compliance, if you’re having a lot of CUI, doing that 171 is a really good start, and then maybe familiarizing yourself with 172 just to get a sense of what that would look like if level 3 becomes a requirement for your business.

Greg: Got it. So really, the strong connection is that the NIST standards are the foundation for the CMMC levels of compliance that all of us need to be paying attention to here. When I say, “Do I need to be CMMC 2.0 compliant,” what that really means is achieving the appropriate level of NIST requirements for whatever level of CMMC that I need to have.

Darren: You got it. That’s a great way of looking at it.

Greg: And just to break it down, I see—so one of these is 17 basic hygiene, and then another one is 110 requirements, and then there’s the all of the above plus. So, just roughly speaking, in layman’s terms, what does level 1 look like versus what does level 2 look like? What kinds of things should I expect if I haven’t read through that entire government publication, which everyone loves to read?

Darren: Yeah, so if you’re looking at level 1, you’re going to have things like access control, you’re going to have things like password security. There’s going to be physical requirements. You’re going to cover a lot of the domains, but 17 basic hygiene requirements is pretty light compared to the 110. I would expect that in a lot of the businesses, and a lot of you on this call, you will have already implemented a lot of those things in your business to some degree. So, it may be just some improvements, maybe there’s some areas that you’ll have to augment or add, and maybe a little better documentation around that. And then you will go through a self-certification process.

And in fact, one of the things we’ll be able to share when we share around some stuff after this is, there actually is a guide that’s published by the Department of Defense that walks you through what the current process is for self-certification, and there’s a NIST Special Publication that you can reference that is actually for going through and running an assessment of your posture against 800-171. So, there’s 800-171 rev. 2 is what CMMC is built on. I will just say—and I know it was in the last slide—but if you go look at 800 rev. 2, it’s actually been replaced by rev. 3, however DOD is still sticking to the fact that the program has been built on rev. 2.

We expect that there’ll likely be a move or an advancement to rev. 3 through the process, but I’d focus on rev. 2 right now. There’s really just some consolidation and a few different things at it there, but nothing crazy. And then the 800-171A document is really the guide that shows you, like, how do you run a self-assessment process?

So, there’s some tools there that can be helpful in seeing where you sit in relation to these requirements. I honestly treat level 2 and level 3 as the same thing until there is a confirmed declaration from the Department of Defense of exactly what level 3 is going to be. And what we know right now is it’s going to be the same as level 2 plus and/or something other things, but we’re going to play the waiting game on that one.

Greg: Understood. And I know one of the important items on this is the line that says ‘requires third party certification for level 2.’ We are going to get to that in a couple minutes, and exactly what that looks like. One question, Darren. Are the certification requirements different between US-based entities and international entities?

Darren: So, what you’re referring to is if we have a manufacturing company in the US going through certification versus a manufacturing company in, say, Canada or Australia going through the process? As it stands right now, they are not. I would not expect there to be a difference. If I look at all of the other regulations and the way different data privacy and data security certification processes run in the US in particular—and it’s a very segmented [infrastra 00:15:43] landscape in the US—the way the US generally looks at is, if you’re selling to us, you have to meet our standards. So, that will be the expectation of how this is going to move forward.

Greg: One of the questions we also see here is, “Okay, obviously I as a manufacturer need to be CMMC compliant, but what about my vendors? And specifically, what about my ERP system? What about my QMS? What about any software that I have that touches different pieces of information that are part of my operation?” And really, I think this comes down to something you alluded to earlier, which is basically, does it handle CUI?

Darren: Yeah. One thing to keep in mind, though, when we’re talking about software vendors, the expectation under the CMMC program is that software vendors would be following more the FedRAMP approach. So, FedRAMP is effectively built for the purpose of software vendors to meet certain requirements. So, if you’re looking at your software vendors right now, then I would want to see that they have an information security program. So, if they’re already working with the Department of Defense directly, or even other departments within the federal government, because I’ve definitely seen examples where other government departments leverage compliance and require organizations to meet the requirements of NIST Special Publication 800-171, in fact, actually in Canada, I’ve seen it on Canadian federal government contracts that organizations are compliant with NIST Special Publication. So, it’s fairly accepted and adopted in a lot of government departments.

The real questions that you want to understand about your vendors, if you’re sharing, particularly with a software vendor, like, an off-the-shelf—and the concept of COTS, this sort of off-the-shelf product or service, is etched out potentially in the process for CMMC. So, if that company that provides an off-the-shelf software as a service, for example, I would want to—the first question I’d ask is, are they FedRAMP certified? That would be really awesome, but that’s only likely going to be the case if they’re selling to a federal agency directly already. If they’re not, then I’d be looking for some other form of external audit process that demonstrates that they’ve implemented controls. So, do they follow this Special Publication 800-171 or some of the controls from 53? Do they have a SOC2 report? Do they have an ISO 27001 report? You’re going to still be responsible to ensure that all your vendors meet the requirements, the security requirements and the privacy requirements of the work that you are subbing out to them.

And then, of course, when you’re talking about your other vendors—so if you have—I’ll give an example. I sit on the board of a manufacturing company, and sometimes they manufacture components for other vendors that are selling to somebody else like the Lockheed Martin that’s then selling to the Department of Defense. So, they may be a couple of—they might be sub four, sub five in the mix, they still—it comes back to them as a manufacturer in that particular situation. They have to meet the requirements, so they’re going to have to be CMMC Level 2 compliant because that CUI or some subset of that CUI, is making its way down the supply chain into their organization.

Greg: Do we think that companies that are not handling FCI and CUI will ask for CMMC 2.0 just to ensure that their vendors are hygienic? And if I understand—

Darren: Yes.

Greg: This correctly, I think this is saying, really, should our expectation be that all vendors are just demonstrating a commitment to not creating risk around compliance and around the handling of data? And I totally agree with your answer here, Darren. As a software vendor, vendors become hard to do business with if suddenly they’re creating risk for your ability to do business.

Darren: Yes.

Greg: So—

Darren: A hundred percent.

Greg: software vendors that don’t see it that way probably aren’t thinking the right way about how to best serve the manufacturing industry, so you should absolutely be putting pressure on your vendors to take the risk out of your ability to do business by saying, “Look, you’re a software company, you’ve got access to all these great tools. You guys are handling data in various capacities.” And maybe it’s not CUI, maybe it’s right on the edge of CUI, but it’s not quite depends on, is it in the ERP? What kind of data is it?

But at the end of the day, your vendors should be seeking to minimize the complexity it takes to do business with them by saying, “Yes, I am NIST 800-171 level 1. I’m CMMC level 1 because I at least have the basic hygiene requirements.” And if they are touching data that is today or ever has the potential of being close enough to CUI or FCI, they a hundred percent should be saying, “Here’s how I’m investing in my certifications, in my audits, in my capabilities, so that you don’t have to think about this.”

Darren: Yeah, a hundred percent. I would expect that you’re getting requests, whether or not those requests are really logical and coming from a source of true, comprehensive understanding of how this is supposed to work, this has happened in every other compliance requirement that I’ve seen. I’ve had people come to me saying, “Hey, we need to have a SOC2 because we sell to somebody who has a SOC2, and they said that we need to have a SOC2 as well.” Actually, that’s not quite how it is designed to work, but that’s the interpretation. And that becomes the easier way to de-risk, to your point.

And, Greg, I think one of the things like that really plays into this, all this stuff is happening so quickly that there’s really a talent gap in terms of people that can actually do all this work. So, the process of assessing your vendors, it’s not necessarily a super easy process. It takes time. It takes skill. And so, yeah, but you’re going to see people asking you, I think, very regularly, to maybe be a little further along than you may, like, verbatim, actually require.

And I think when it comes to the software vendors, if I was a soft—I am a software vendor, but if I was selling a service or product that was going to touch CUI, yeah, I would be putting together an internal audit program to ensure that we meet the requirements of NIST Special Publication, 800-171. I would very likely do that self-assessment to get the level 1, that self-certification. I would consider the audit for the CMMC level 2, but I’d probably wait to see how that plays out a little bit. I would definitely have an ISO 27001 and/or a SOC2, just to show that there is a third party external component to our compliance and risk management program. And I’d put a solid report in to show that, be able to demonstrate to my customers that we’re on this.

I think the challenge, the part that’s unclear coming back to the fact that there’s going to be so many organizations that need compliance, and a lot of the pushback on why we went to CMMC level—or 2.0 before 1.0 was launched, is because the organizations that are at—the stakeholders here have to put something forward that’s actually reasonable, that the industry, and the economy, and their vendors, their supply chain, can actually support. And so, that’s one of the reasons that software has been [carved 00:23:14] out. And FedRAMP was explicitly—not explicit, necessarily, to the Department of Defense, but for government vendors to be able to adopt cloud-based software, FedRAMP is that piece that was built for that. So, my expectation—I know, and a lot of other practitioners in the field share this—is that FedRAMP certification could very well be a big piece of this as well for software vendors.

Greg: Got it. So, if the vendor software is on-prem, not SaaS, does the software vendor need to be certified or self-certified? I think what we’ve said is, look, no matter what, they should at least be doing the level 1 self-certification so that they’re somewhere on the CMMC spectrum that’s not zero.

Darren: Right now, according to the training that’s provided to us as registered practitioners, if it’s a COTS product, so if you’re buying a product from a company that you’re installing on-prem in your premise, it does not require that organization is CMMC certified. So, the way I would treat that as a practitioner is I would look at that piece of technology that you’ve purchased, is it off-the-shelf, or is it custom built, and determine that piece first. Then I would look at, so if the vendor doesn’t have any access to that, and you’re completely running that in your environment, then it would be really going through and testing that software, making sure that it’s in network segmentation zones in a way that the risk of the data leaving the hands of authorized, least-privileged access individuals, there’s a high likelihood that, in that case, there’s not a need for that vendor to be CMMC-certified. Now, if that vendor is offering some degree of support where they’re remoting in or coming into your physical premises and accessing data, that would be a different scenario. But I think we’re going to see, the people that are selling off-the-shelf software solutions, I would be surprised if they are the ones that are going to be part of the first three-year certified CMMC companies, and I think we’re going to be really looking at some of those other cybersecurity certifications and really analyzing every individual software to understand the risks.

Greg: So really, for a piece of software like that, it’s like anything else you’re managing inside your facility at that point from a data standpoint. It’s on your server, so your server must have all the policies and practices around it that would ensure—

Darren: You got it.

Greg: —that you are compliant. Access to the data, same thing, all the policies and procedures that ensure that you’re compliant. So really, if you have off-the-shelf software like that, that you are managing on premises, the burden is on you to ensure compliance with the practices.

Darren: You got it. And think about that, I think the other thing that I see sometimes in manufacturing facilities is open-source software being deployed across and in those places. Those open-source software tools are not going to be CMMC certified. So, it’s the same idea, right? You’re bringing this stuff, you’re going to be buying hardware, that has firmware, that has BIOS, and componentry on it. You’re going to be installing open software, openware, and open community software, in some cases, like Linux versions, things like that, maybe.

Yeah, it’s really analyzing—and I think that if you go back to the Special Publication document and spend some time reading it—it’s not a very thrilling read by all means; we’re talking about cybersecurity controls here—but it gives a lot of guidance on how to segment things. And I know in my experience in working with manufacturing facilities, sometimes we have technology in the manufacturing environment that doesn’t meet the requirements of all of the security requirements, so we have to get creative in compensating controls, we have to segment things, we have to figure out, how do we make our technology and some of our legacy systems and things like that fit into this model.

Greg: For sure. If I’m using an outside process vendor, since I’ve machined a component and I need to pass it along to an outside vendor for processing, do they need to be CMMC compliant, or is it sufficient that if I redact enough information, i.e., I don’t have any FCI, I don’t have any CUI on what I provide to that outside vendor, that it’s okay if they are not CMMC compliant?

Darren: It is possible. I think there’s a couple of things to keep in mind. So, the concept of aggregation is really what the Department of Defense is trying to eliminate here. And what that means, effectively, is you may only have little snippets of data, but if you start putting a lot of snippets of data together, you can use advanced algorithms to try to determine what’s being built, or what’s going on, or what this is referring to. So, one of the great things about the whole reason this whole registered practitioner concept has been built out as a part of this program is the registered practitioners have a community where they share things that are happening.

They get first sight at a lot of the different information coming out. There’s a way for registered practitioners to get affirmations directly from Department of Defense. “Hey, what do I do with this thing?” This—I was laughing about this this morning because I was like, I’m coming out here to be, like, the CMMC expert, but keep in mind, there’s never been a company go through a CMMC audit. So, there’s going to be a lot of a learning curve on the side of the Department of Defense, from the auditors, from the registered practitioners of how do we take all of these one-off cases of all of these situations, and really bring this into the program?

And so, that’s going to be a part of this. Hey, we can’t implement this control because of this. Here’s the compensating control. Okay, your registered practitioner can go get some data from that, that can be put together, sent to the auditor. The auditor can get some validation, and we’ll work together to solve any of the outlier things that are not going to be straightforward. Like the simple, straightforward things like awareness training for your employees, or security policies, or encrypting your data at rest, or some of those things that are more sort of ones or zeros.

Greg: Sure. Next topic, and I think this is the one that folks are probably most familiar with, of course, because many companies have been doing this for a while. Do I need to be ITAR compliant? Who needs to be ITAR compliant?

Darren: If you need to be ITAR compliant, it’s very likely, I’d be very surprised if that wasn’t articulated specifically to you in your contracts that you’re doing already. There is a lot of overlap. At the end of the day, the controls in Special Publication 800-171, those are based on the common body knowledge of best practices for protecting data. The difference here is that when we’re talking about ITAR, the biggest purpose around ITAR is effectively to reduce the likelihood that we’re exporting technologies or plans or information outside of the United States into other countries, and particularly certain countries that we may not want to have that data. But the same general practices—so for example, I’m working with a company right now, they’re a manufacturing company.

They earned a Special Publication, 800-171 compliant, and they will have to do Level 2 for CMMC. They implemented ITAR before I started working with them. So, when I walked in there, I was able to see, oh, sweet. You already have locks and you have cameras and you have proper lighting, and you have little badges. I get a visitor badge when I go there. People don’t just let me go on my own, and wander around in the server room. I’m being escorted around the building because I am effectively a guest. And they’re already following those same overlapping controls.

So, if you’ve implemented ITAR successfully in your business and you’re following those requirements, when you do a gap analysis against 800-171, that’s going to show that you’ve already done some of the work—you’ve done probably 70-ish percent. Depending on your environment and how well it was deployed in the business, you’re probably 60, 70% compliant.

Greg: Awesome. I think the one that probably causes the most confusion in the conversations I have is, do I need to be FedRAMP compliant? Or, who needs to be FedRAMP compliant?

Darren: FedRAMP is focused on cloud service providers. If you are a manufacturing company and you don’t have a cloud service that’s part of that, then you’re not going to have to worry about FedRAMP. But like I say, it’s something that’ll be highly valuable for your software vendors. Now, I do know some manufacturing companies that do have software. For example, there’s an organization I sit on the board of; they’re manufacturing, and they have a piece of software that allows people to go use, like, a web-based, sort of, cloud-based CAD program to design things. Yeah, they’re likely going to have to do FedRAMP and CMMC as this rolls out.

Greg: And to be clear, for software vendors, not every software vendor can get an official FedRAMP certification. However, there’s this concept of equivalence that I hear going around. What does all that mean?

Darren: FedRAMP is a big program. It’s an expensive investment, but you can get this Moderate equivalence, which is, you’ve implemented controls that align with the FedRAMP Moderate level. So again, a lot of overlap for them when you look at the NIST Special Publication 800-171. There’s actually quite a bit of overlap. Again, we’re all coming back to the common body of knowledge of best practices that apply here.

If you already have an ISO 27001 audit in your organization, you’ll notice that’ll also come out in the gap analysis: you’ve probably implemented 50, 60, 65% of NIST 800-171. So, there’s a great deal of overlap around all of these programs.

Greg: Got it. So really, the root takeaway is, the most important thing, no matter which one of these we’re talking about, is to figure out how to get yourself NIST 800-171 compliant. There’s the basic hygiene level, and then, really, Level 2 certification seems to be the smartest, safest thing that any business should be aiming for at this point because that’s the foundation for a lot of what’s going to come down and how audits will be done, right?

Darren: Yeah, and I think I mentioned the DFARS clause 252.204-7012. If you’re seeing that in your contract, that’s a real strong indicator you’re going to be at least a Level 2. If you’re seeing the term ‘CUI,’ if you’re seeing the reference to NIST 800-171, those are all pretty strong indicators. And if you’re in the supply chain, effectively, whoever you’re selling to, if they’re doing their due diligence on the process, they’re articulating those necessities to you in the process. In other words, they won’t work with you unless you, at this point, have a plan.

Greg: If this is really the most important thing that we should be focused on, how do we go about getting compliant with 800-171 and with CMMC Level 2? So, there’s a hard way to do things, and there’s an easier way to do things. Let’s start with, I’m starting to look at this, Darren, and what’s the hard way?

Darren: Well, the hard way would just be, go about it, read the requirements, put in the time to learn all about it, run your own gap analysis, document your own policies, build your own controls, align to that, run the program, and internally audit the program yourself. Now, I like the term ‘the hard way.’ Now, if you have an in-house cybersecurity professional that really understands this stuff, then that might not be that hard for that person.

Greg: Sure.

Darren: But if you don’t have that, it’s a lot of learning to get there. It’s a lot of time. I say this all the time to business owners and founders and department heads: what’s the most important thing in your business? Is it worthwhile for you to take time away from that to focus on this, or does it make more sense to go more for what you’re calling the easy way, which is, go find yourself a registered practitioner who has years of experience in cybersecurity and data privacy, who has worked in the Department of Defense supply chain, and understands how to interpret and implement these controls, and who’s following it. Even people who have an interest in this and are good at it—and I think, look, it makes sense for people to learn this in your business; the idea, like, you can’t just outsource every bit of this and just be ignorant to it; that’s not how cybersecurity, in general, works—but there’s such a value proposition of somebody who’s working on all kinds of projects.

When you’re talking to somebody who’s a registered practitioner, they may speak to ten different organizations in the run of a week, and hear different challenges, and interact with auditors, and they’re part of the registered practitioner community, so they’re getting the updates, they’re interacting in the message boards internally, and really part of that process, so they don’t have to take the time to figure things out. They can go through and really implement an action, and you can move quicker, and effectively at the end of the day, save your own time, and save money, and de-risk the likelihood that you get into an audit, once the audit opportunity comes about, and run into issues there that cost time, and slow the process down, and everything like that. So, that would be—that’s the assessment. Do you have somebody in-house that has the expertise, the interest, that it makes sense to dedicate the time? If you do, then the hard way might not be that hard.

If you don’t, then yeah, I think having somebody who has the expertise be at least a core component in the implementation. Though, I think what you’ll find over time is that cybersecurity and data privacy are not going away, and a lot of organizations have to manage several different programs. So, I know manufacturing companies that are worried about CMMC, they’re looking at FedRAMP for their software components, they have to comply with the Canadian privacy regulation because they have access to PII, there’s also the Canadian defense program, and then they have their ITAR program. And then it can get to be a lot, right. So, at some point, there may be a practice for a full-time person in a business, but you can get a lot of value out of fractional experts at this stage in the game.

Greg: Sure, and I can certainly speak from the perspective of a software vendor who’s trying to do this, right? We’re familiar with data, we’re very familiar with data security, but really the project management side of this, and the documentation, and the audits, and the gap analysis, that’s certainly where leaning on outside help has been a massive lift for us. I know several customers who also have cybersecurity experts within their third-party IT companies that they contract with, and I’m definitely hearing folks having some pretty good success with that methodology as well. But definitely the DIY is probably too big of a row to hoe here.

Darren: You just said a couple of things there. Having somebody coming in as a registered practitioner, generally, the type of practice that I run, I focus on controls, processes, policies, the governance of a security program. You may determine that you have other—you define other things that you want to outsource, right? So, you maybe have an MSP or an MSSP who’s going to take on some of the IT burdens that come from this and IT practices that have to be deployed through this. I don’t think bringing in a practitioner is necessarily replacing some of the other third parties that you use for other components.

Yeah, depending on what you use from a tooling perspective, the level of sophistication of your infrastructure—I worked with a company not long ago where we determined that, hey, they need a lot of network segmentation. There’s a lot of work that needs to be done. And they went out and found a network expert that came in, and we worked with them to build out a spec. And then these guys came in on-prem for a couple of weeks and built a really strong infrastructure that they’re now managing in-house. But you may need some other technical expertise, depending on what you have in place and that skill gap analysis of your team.

Greg: Sure. So basically, I get my initial assessment done, whether that’s DIY, whether that’s help from my e-vendor, whether I have IT expertise in house, or whether I engage an outside security firm. So, now I know I have my gaps, I’m going to go through this process, but ultimately, one of the things that we are all going to need to move towards is this third-party certification. So, what is that ultimately going to look like?

Darren: Yeah, the third-party certification is going to… it’s going to be an auditor. And like, when I look at some of the companies that are already registered for this program, they’re auditors already. They’re auditing for ISO, they’re auditing for PCI DSS, they’re auditing for SOC 2. So, conceptually, I don’t think the audit is going to be much different than any of those audits, in terms of an audit process. The difference is going to be predominantly just that it’s going to be against the specific control set of the NIST 800-171 framework.

And I can actually roll in—I saw somebody asked a question about control map—and I’m not familiar with control map. I believe it’s a GRC software, but yeah, this is where GRC software can be really helpful. So, with GRC software, you can run your security program, which can include your CMMC program and your ITAR program, quite effectively, and then when it comes to audit, generally what you’re going to be doing is your auditor is going to come in, you’re going to have to walk them through and share with them what your business is, some network diagrams, things like that. They’re going to want to see what you’re doing to implement each control.

They’re going to want to see evidence samples. They may be required to come on-prem to view a lot of that stuff. There may be a way to do it over a camera. Some of those things, we have to see where that’s going to go. The pandemic has made things a little more flexible in a lot of ways because traditionally, before the pandemic, just about any type of cybersecurity audit required an on-prem component.

We’re seeing a lot of audits, like ISO 27001 audits, that are happening remotely. But yeah, the auditor is going to have to go in there, and they’re going to have to look at each one of those controls, and they’re going to have to see some validating component of evidence, whether that’s interviewing employees, seeing logs, getting a tour of systems, virtually or physically, and they have to make sure that, without a reasonable doubt, they can say that these controls have been effectively implemented in the organization. And then you will get your audit, you will get your certification, and that will be what you’ll be able to share with your customers.

Greg: Got it. So, no one’s done this yet.

Darren: Correct.

Greg: We started with that, but that’s what the process is, ultimately.

Darren: If you’ve done an audit in any other cybersecurity framework or standard before, it’s going to seem quite similar to that process.

Greg: Got it. Okay, potentially the scary part of this, I do my gap analysis, I get my assessment, I’m trying to prepare for my audit, and what remediations am I likely to need? What kind of things are going to show up after that gap analysis takes place?

Darren: Yeah, these are some great examples up on the screen right now, for sure. Some of the things—

Greg: The first one’s my favorite, by the way. We can’t have ERPRP as the login anymore on the computer on the shop floor. That one’s got to change, guys.

Darren: And I laughed when I saw that. It’s funny, I can actually recall going, several years ago, into a manufacturing company, and one of the practices I noticed they were doing is they had, like, generic logins for certain machines so that anybody could walk up and log into the machine, or fairly large sets of people could walk up to the machine and do that. Something like that’s going to be really problematic because you need to be able to track who has access to what, who accessed what. If I think of some of the challenges we’ve had working with manufacturing, we’ve seen where there’s some legacy technology where we actually can’t do what they want to do. So, there’s a login and there’s a password for this tool; we can’t have 50 of them, so what are we going to do?

We started to get creative with coming up with some creative solutions. And that’s again, if you pick a good consultant who has experience—in cybersecurity in general, not just the CMMC side—that knows how to come up with solutions that aren’t just the straight textbook, what the control says. The control says your password needs to be this long. What if it can’t be? How do you get by that? That’s where the experience of a really good cybersecurity consultant is going to be a huge asset in this process.

But yeah, if you’re going for Level 2, you’re going to have a whole set of policies, procedures, you’re going to have an internal audit program on your security controls, you’re going to have network segmentation, you’re going to have firewalls, you’re probably going to need IDS/IPS technology in the network. Like, you may have to get rid of things you have. Like, I’ve seen cases where it’s like, “Guys, you can’t use this email tool anymore. Like, you either have to upgrade this, and that’s going to be expensive, or you’re going to have to outsource this component to another vendor, like a cloud provider or something like that.” This is why, you know, I say to everybody, do the self-assessment sooner than later because you don’t really know what the lift is for your business until you’ve done a qualified self-assessment. When I say a qualified self-assessment, the person conducting the assessment has the experience to be able to interpret this stuff very clearly and very well.

Greg: Got it. I summarized this one as, “We’re going to need to be able to definitively show who has access to what, and that nothing inappropriate can happen there.” And then, from a devices standpoint, networking side, what has access to what? So, who logged into the ERP, what can they see? People with access to G-code, prints, billing information, purchase orders, part numbers, et cetera, we need traceability and auditability around all of those, and that’s where those vendors that we use should be ahead of the game on that, and taking risk out of that process.

Darren: 100%.

Greg: And then on the networking side, really the terms that everyone should be able to turn to their internal IT team or their third-party IT team, and say, “What do we have for VLANs? What do we do for vulnerability scans? And what do we have for whitelists?” If those are terms that are out there that your team is talking about that there’s policies around, you’re going to be on the right track because those are the mechanisms that are used within the networking world to control how devices have the ability to interact with other devices, and ultimately gain access or not gain access to the data on those devices. So, that’s a super important takeaway here.

And you mentioned cost right? Might have to upgrade software. Might have to upgrade systems. A good segue to what really should I budget for this activity, and when should I plan to be doing which elements of this process?

Darren: Yeah, these are obviously estimates because who you work with, how you go about it, is going to be a big piece. I think the hard way is going to take more time, have more error, save on the front-end costs, and cost more on the other side of things. Really, do that gap—if you’re thinking about doing it internally, do a true and honest gap analysis on the, like, skill gap analysis to make sure that you have somebody who has the skill set and has the time to dedicate to it. All of the tools, any tool—you’re going to see a slew of tools. The cybersecurity industry loves nothing more than one of these, like, externally-forced needs for tooling and help, so you’re going to see a slew of tools. I would estimate that they’re going to be designed around helping you run these self-assessments.

There is still—I’ve never seen a tool—and I’m saying that as a software vendor—we build—everybody builds GRC software; we build solutions to help solve all kinds of cybersecurity and data privacy challenges, including this challenge. A tool without skilled practitioners is not going to solve the world’s problems. It’s like saying that you just go buy Salesforce and then all of a sudden the leads are going to come flying in the door. It’s a tool. It helps professionals execute, but you need the professional guidance to do this in a safe and an optimized way.

But I think, yeah, you’re looking at—you should be budgeting pretty high. I don’t know for the audit. I’d say 10 to 100,000. Nobody’s ever done these audits. I wonder if there’s going to be a supply-demand issue at the front where the big guys are going to spend a lot of money, and that’s where the focus is. I wouldn’t be surprised.

I don’t know if the DoD is going to try to regulate this, but there’s going to be an imbalance of supply and demand. And then, I would say by year three and onward, you’re going to see the price of audits go down substantially.

Greg: My takeaway from this is, number one, the self-assessment, whether done DIY, through a third-party professional, or through a tool, that’s something that we should plan to do by the end of the year. That’s at least going to give us a baseline. Going through the 110 controls, yeah, the more we know about where we stand versus those 110 controls, how much we’ve done towards that already is really going to be the biggest thing that determines how much cost we likely have to plan for next year because we’re going to do an assessment, figure out what the gaps are, and then if you’re behind the curve on firewalls, port scanning, your routers, your access control, your software vendors, yeah, that’s where you’re probably going to have to spend your initial money. And then ultimately, after you work towards implementation and compliance, then there’s going to be the check for the auditor, at the tail end of this—

Darren: You got it.

Greg: When you actually have to get to the point of having that audit there. So, it’s probably two years of five-digit money to get yourself to full compliance, is what it’s feeling like.

Darren: Yeah, I think that’s a good average. Like, it’s going to be unique for each organization. Like, I would do the self-assessment on Level 1, and then if you’re not standing strong against that, then obviously start closing those gaps. If you are, then I would move along to start doing the assessment against Level 2. And until you do a gap analysis, really look at the business, understand the requirements, that’s when you’re going to know what your timeline, what your spend, and what overall resources you’re going to need to apply to this to get through it.

Greg: I think you had a stat at the beginning: the DoD is potentially estimating it’s going to take three years to get 80%-plus of the companies to the point of compliance and proof of audit. So, just what are the things I should be doing sooner rather than later to maximize my odds of success?

Darren: Don’t wait. Go forward to understand where you need to be, where you are going to fall in this. Is it Level 1, Level 2, Level 3? And get a sense of where you’re at. And back to that point, we’re probably already seeing people ask about your plan. I think it’s a very reasonable question to be like, “Hey, what’s your plan for CMMC?”

And a, you know, really good answer would be, “We hired a registered practitioner, and we’ve confirmed that we meet the compliance requirements of Level 1, and we’ve recently done a gap ana”—like, that type of language is where you want to be right now, or very soon. Yeah, the sooner the better because, like I said before, until you do the gap analysis and you know where you sit and where you need to be, you don’t know what this looks like and what it’s going to take for you, right? So like, I’ve seen a company where they realized they had to replace a bunch of computers because they don’t have supported software. Like, the OS is not supported on a particular piece of hardware, and that’s a problem. And as an example, you don’t want to get blindsided. And then, like I say, when you do get—make sure, if you don’t have the people in house that understand this stuff and can really do this effectively, and assess things in a qualified way, that you get the help sooner so you know what the lift is.

Greg: Yeah, I think one of my observations in certainly talking to customers of ours is every manufacturer is very proud of their capability statement. And I think articulating your position relative to what you’re doing on CMMC should absolutely be in your capability statement, right? So, when I go look—

Darren: One hundred percent.

Greg: I see you’re already ITAR, you’ve done this, you’ve done that, and oh, wow, okay, you’re already self-certified on the 17, you have an assessment available on the 110 controls, and you are prepared for an audit when the time comes and when we have clarification on what an audit actually means and when we’ll really be doing them, that seems to be the strongest possible position that you could get yourself into sooner rather than later.

Darren: Yeah. Look, I’ve had calls from my manufacturing customers as far back as, like, 18 months ago, being, like, oh my God, we’ve got to figure out the CMMC thing. And that all came from their subcontractor of a subcontractor; that was part of the buying process already.

Greg: Right.

Darren: Yeah, you want to be able to answer this preemptively. You want to have a good answer now, really. You know it exists, you know what it is, you know where you are and you’re on a road, you have a plan. And that’s trust. That’s confidence. You want to be able to tell your customers right out of the gate, “Don’t worry. We’re on this,” right? You want to tell them that, you want it to be true, and you want them to be able to believe you and trust you on that. Or they’re going to opt to a vendor—this is back to sales basics, right—they want to work with you. They want you to be easy. They don’t want their security department to shut down the deal, and they might ask that right at the top.

Greg: Exactly. So, in closing here, some tools that can help. So, there’s going to be the free assessment. That’s a tool that Carbide is building: the free assessment on Level 1. Some other options are out there, if folks have not historically been familiar with either GRC software or the registered practitioner concept. I’ll do the plug here for you, Darren, so it doesn’t sound so shameless, but we as a vendor have used Carbide to work towards our security preparedness assessments, SOC 2, ISO 27001, and then ultimately the preparation for CMMC 2.0 Level 2, which is what we are going to be required to have as a vendor.

And I can just tell you, even as a software company, as a technology company, not having to think about these things, having a project plan, having a project manager who is an expert, who helps create the policies, procedures, and does those assessments is fantastic. Definitely, GRC tools are out there. GRC is Governance, Risk, Compliance. There are lots of vendors, lots of opportunity to leverage that expertise, and not try to do this yourself. This is worse than trying to do your own taxes. I can absolutely testify to that. When I first started looking at this stuff over a year ago, that was my initial analogy.

It’s been fantastic to have some good help. And now here’s the part where I have to be shameless: if you’re looking for help with managing your G-code, specifically traceability, auditability, control, revision control on your G-code, Datanomix does have a platform that we launched at IMTS that is available to help folks with that, so definitely feel free to reach out to us. And Darren, really appreciate having you on, and your expertise and depth of knowledge on this topic. I know it’s been a massive help for us, and certainly for other customers of ours that you’ve been working with. And glad we could do this for a larger audience.

Darren: Awesome. It’s been great chatting with you all.

Greg: Thank you for listening to Manufacturing Mavericks. If you’d like to learn more, listen to past episodes, or nominate a future Maverick to be on our show, visit mfgmavericks.com, and don’t forget to subscribe to and rate this podcast on iTunes, Spotify, Google Play, or your favorite podcast app.