August 15, 2023

Podcast - Third-Party Assessments and NIST SP 800-171

Regulatory Phishing Podcast Series

In this episode of "Regulatory Phishing," government contracts attorney Eric Crusius is joined by Tom Tollerton, a partner with FORVIS, a Certified Third-Party Assessment Organization (C3PAO). In this episode, Eric and Tom discuss the role of the C3PAO in the Cybersecurity Maturity Model Certification (CMMC) process and what to expect with the new version of Special Publication 800-171 from the National Institute of Standards and Technology (NIST). NIST 800-171 is used as the baseline for a number of existing and forthcoming regulations in addition to Level 2 of CMMC.



Eric Crusius: Well, welcome, and today we're with Tom Tollerton, who's a principal at FORVIS. FORVIS is one of the biggest accounting and consulting firms in the country, and Tom has a large role there in helping clients with cybersecurity policy and compliance, specifically the Cybersecurity Maturity Model Certification, CMMC. Tom, welcome, and thanks for being here. 

Tom Tollerton: Thanks, Eric, appreciate you having me. 

Eric Crusius: Sure. Tom, I wonder if you could start with kind of going into what you do at FORVIS just for a minute or so, and then talk to your role as what they call a C3PAO and maybe explain what a C3PAO is. 

Tom Tollerton: Yeah, absolutely. As you mentioned, Eric, I'm a principal with FORVIS. I'm based in Charlotte, North Carolina, and lead our cybersecurity and data privacy compliance services, of which CMMC and NIST 800-171, which we'll talk about, are a big part. As you mentioned, we are what's called a C3PAO, or CMMC third-party assessor organization. It's part of the CMMC ecosystem that the accreditation body, now called the CyberAB, instituted a number of years ago, and effectively, we are to be the assessors, the external assessors, for CMMC certification once the certification program by DFARS rule is finalized. We were the sixth — we were very early on — we invested early in CMMC and NIST 800-171 consulting with our government contracting services practice. And, to this point, we've done a good bit of consulting work and readiness work, which a lot of C3PAOs are doing as well, as are CMMC registered provider organizations, another class of organization in the ecosystem. And we've worked with Fortune 500 prime contractors in various industries — energy, weapons, manufacturing, logistics, technology services — all the way down to small and medium-sized startups in the government contracting space, way down the supply chain for DOD.

And most recently, we've been working on what they're calling the Joint Surveillance Voluntary Program, and it's effectively a voluntary assessment program, not for immediate CMMC certification because, as I mentioned, that's not finalized, but there is expected to be, when the rule is finalized, a mechanism by which these early joint surveillance assessments with DOD and DIBCAC will become a CMMC certification. That's the expectation. We look forward to seeing that in the rule. But right now, it's a voluntary assessment alongside of DOD's DIBCAC assessment arm.

Eric Crusius: And it's funny you mentioned the rule because fairly recently, DOD announced, and we saw that the rule had been sent from DOD to the Office of Management and Budget for their final review, specifically the Office of Information and Regulatory Affairs, OIRA, and that is the last stop before release. You know, they have 90 days to review and release it. I wouldn't be surprised if that 90 days slipped a little bit just because of the complexity, but I expect we'll see it by the end of the year. And I guess you'll be looking for that part of the rule to see whether those folks who have gotten the early assessment will benefit from that.

Tom Tollerton: Right. Yeah, that's hot off the presses here with doing this podcast — just got done last week. But, yeah, we are looking forward to that. There are, you know, upwards of, I think, 30 or 40 contractors who have gone through a joint surveillance assessment with DIBCAC. The DCMA arm does an assessment alongside of a C3PAO. So, either way, those organizations that have gone through joint surveillance, the voluntary program, will at least get a DIBCAC confidence assessment, which they can do at their discretion anyway. But yeah, we'll be looking forward to that for sure once we see it. 

Eric Crusius: That's great, and do you see the activity kind of continuing to be pretty strong in these voluntary assessments? 

Tom Tollerton: Yeah, we do. You know, there are a number of contractors who are selected by DIBCAC for DIBCAC high confidence assessment, which I mentioned they can do at their discretion anywhere within the supply chain for DOD. And a number of them are saying, well, why don't we just go through, you know, joint surveillance, let's bring in a C3PAO as well to, you know, presumably, once this rule is finalized, to go ahead and count it as a CMMC certification down the road, hopefully.

Eric Crusius: That's great. Shifting gears a little bit now, so I assume all these are level two assessments. 

Tom Tollerton: Yes. 

Eric Crusius: CMMC, so, I think most people listening will probably know the significance of that. Just in case not, there are going to be three levels, at least we expect at this point, in CMMC. The first level will be a self-certification. The second level will be mostly done by a third-party organization, like FORVIS, in conjunction with the Cyber Accreditation Body. And then the third level will be that, plus a review of additional controls by the government itself. At least, that's what we're expecting right now.

What we're talking about is level two. The underpinning of level two and the standard that contractors and folks being assessed have to live by is NIST Special Publication 800-171 Standard, which contains 110 controls. And this stands for the National Institute of Standards and Technology. And they are a government organization also, and they are the ones who kind of are creating these standards, and they're voluntary standards, but they often kind of make their way into rules and regulations, and they become involuntary if you want to do business with the federal government. So, CMMC level two is being graded against NIST 800-171. And we've had some interesting developments there.

We're in the second version of NIST 800-171. But, NIST has been releasing draft versions of the next version of 800-171, version three that we're expecting — at least the latest scuttlebutt I'm hearing — is towards the end of this year, 2023, or sometime first quarter 2024. And NIST has really been on the ball as far as releasing things in a timely manner. Their deadlines don't seem to really slip, so I would be surprised if we went beyond the first quarter of next year, 2024.

Tom, I was wondering if you could kind of talk to the significance of 800-171 and what it means and why this new revision is important. 

Tom Tollerton: Yeah, absolutely. So NIST 800-171, as you mentioned, 110 controls. It's actually the existing requirement via DFARS rule 7012. The expectation is that the contractors would be compliant via self-assessment with that framework, and that would be the 7020/2021 rule. You know, they would submit that self-assessment score up into the Supplier Performance Risk System first. A number of contractors, you know, have done that; there are a number that haven't. But, I guess for your audience, just to know that needs to get done one way or the other right now, some sort of assessment against that framework. But, you know, it's based on what we might call kind of basic blocking and tackling. There's not a lot of rocket science to it, necessarily. There are some stringent controls that impact, you know, small and medium-sized businesses and might require some technology changes, some process improvement. A lot of documentation or consulting work has been around documentation of process, but it is what they call the baseline of expectations for protection. Do you have a strong perimeter defense? Do you protect data where it sits, access controls, supply chain process, etc.? So there's a lot to it from a process standpoint, but again, pretty basic blocking and tackling.

And then you mentioned revision three, which, yes, the draft was just released. I would expect that, frankly, to become finalized sometime in 2024. How that impacts CMMC certification and these joint surveillance programs, I think, has yet to be determined because, obviously, the joint surveillance assessments being done now are under revision two, but we'll see about that. Revision three has brought some clarity, I think, around a number of requirements. It's created some questions as well, but some clarity around cryptography and how you encrypt data, so more supply chain process-focused monitoring of your supply chain, just taking a look at data security protections down the supply chain. Just a number of things have changed, you know, with this new version.

Eric Crusius: It's really interesting, kind of the play of this document, these standards and existing requirements and CMMC. You kind of need a full-day class just to go through and understand it. We're going to try to do it in like three minutes here. You've already started doing it. But, DFARS 252.204-7012, as you mentioned, is already a requirement for defense contractors that have controlled unclassified information. They are already required to self-certify compliance with the standard, and by taking a contract with that clause, the government will argue that is a self-certification that you agree to comply with it.

And you've also astutely mentioned the other DFARS clauses that came out more recently, 252.204-7019 and -7020, which require a contractor to proactively go into the Supplier Performance Risk System and say, hey, we're compliant with 80 of these controls, or 90 or 100 or 110, or 10 of these controls, because there are some people who are receiving negative scores.

The interesting thing I found with the new version of 800-171 is that there is a control — now, we don't know if this will be in the final version, of course — but one of the controls is that third-party certification requirement where you have to get yourself a third-party certification under 800-171, irrespective of whether CMMC exists or not. And that's really interesting because DFARS 252.204-7012 says you have to comply with the version of 800-171 that's out at the time of solicitation. So, it's altogether possible that folks in the spring will have a third-party certification requirement before CMMC rolls out because they have 800-171, the new version out, and the DFARS clause requires the use of that version in the solicitation unless DOD issues a class deviation away from that. And I guess that would make your practice really busy also because people need third-party certifications. 

Tom Tollerton: Yeah, I leave that to the legal scholars like you, Eric, to figure out how all that stuff works. But you're absolutely right. There's an independent assessment requirement in revision three, and we see this in other frameworks that we work with. ISO 27001 has a similar component, SOX 404 as well, and in larger enterprises this is often accomplished by an internal audit department, an IA department, sometimes outsourced, but the larger enterprises typically have a way to address this.

But small and medium-sized businesses will probably need to have some sort of third party come in. It doesn't necessarily have to be a C3PAO, but you want to have a qualified organization that knows what they're doing conduct that assessment and then deliver results up to executive management on what needs to be improved and enhanced. This is, of course, outside of that actual certification expectation as well. So, as I mentioned, revision three has, I think, answered some questions, but it certainly created some others as well.

Eric Crusius: That's right. It's interesting the way the language in that one control is written, where it does seem to require somebody outside the organization to do the assessment, as you were saying, because it can't be somebody who's essentially on the payroll. That's not the language that they use but essentially is on the payroll of the contractor doing the assessment. So, and like you said, it doesn't have to be a licensed C3PAO, but I imagine that's where a lot of contractors will go to because you want whatever you do to kind of not be under dispute. You want to do Jack and Jill, as you know, C3PAO assessment company, you know, with one month in business and no particular credentials. And apologies to all the folks named Jack and Jill out there — I was not specific to them. Before we go, Tom, because I think we're just about out of time here, anything else on the horizon that you're seeing or anything that people listening should be aware of?

Tom Tollerton: Even now, with revision two, having some level of independence — it doesn't necessarily have to be an independent assessment, but some level of third-party help with getting ready. Most organizations have struggled somewhere in getting ready for NIST 800-171 compliance, CMMC certification down the road. It can be the System Security Plan, which is the foundational security policy, if you will, program document. You know, that's that pretty hefty document that needs to be completed. Sometimes organizations struggle with that. Process improvement can be a struggle. I mentioned technology implementation, cloud management. There's typically some level of struggle, and then having a third party help you with it that knows what they're doing, that's gone through this process, that has seen, you know, various environments of diverse complexity, I think, is really helpful. So I would certainly encourage, you know — I don't encourage people to spend money for no reason, but I think having some level of third-party help can bring some confidence to an organization moving forward.

Eric Crusius: Absolutely, and I think it really helps, kind of, when you think about the False Claims Act context that I think we're seeing a lot more activity in. If you have a third-party assessor organization come in, there is much less of a chance that a whistleblower will get any traction or a DOJ investigation will get traction, because you've relied on an expert.

Tom Tollerton: Doing due diligence with a third party is definitely of value. 

Eric Crusius: Absolutely. Well, Tom, appreciate the time, appreciate you joining us and look forward to hearing from you soon.

Tom Tollerton: Thanks, Eric. Good to see you again. 

Eric Crusius: You, too. 
