November 7, 2023

Podcast - The When, Where, Why and How of CMMC with Fernando Machado

Regulatory Phishing Podcast Series
In this episode of “Regulatory Phishing,” Fernando Machado joins Government Contracts and Cybersecurity attorney Eric Crusius for an episode focused on the Cybersecurity Maturity Model Certification (CMMC) program. Mr. Machado is the Managing Principal and Chief Information Security Officer for Cybersec Investments as well as the author of CMMC Simplified. Mr. Crusius and Mr. Machado discuss the current state of the CMMC, how companies can come to terms with this new certification program and strategies for compliance. They also walk through Mr. Machado's book and highlight some key insights into the CMMC program.

Eric Crusius: Welcome. With me today is Fernando Machado. He is the managing principal and chief information security officer at Cybersec Investments. Hey, Fernando.

Fernando Machado: How are you today?

Eric Crusius: I'm doing really well, thanks, and really appreciate you joining us today on Regulatory Phishing. I really appreciate you coming here. First of all, because you've written probably, I think, the only book that has been written on CMMC. So I wanted to talk to you about that and what made you do that and how much effort that was. Especially it's really time-consuming, writing a book on a subject really that has changed a lot and is continuing to change. So I think you've found the right balance on being timely and having something that it's going to kind of time out and be old and a relic in 30 days or so. So we'll go through that. But I first wanted to kind of just get your background a little bit and where you're from and what you're doing. So tell me a little bit about what Cybersec Investments does.

Fernando Machado: So Cybersec Investments is an authorized CMMC third party assessment organization. We're preparing for the DOD's upcoming CMMC rules, so we went ahead and began that process. We also provide CMMC advisory services to very few select clients. We're trying to stay within the CMMC assessment ecosystem.

Eric Crusius: Great. And I see you're Managing Principal and Chief Information Security Officer. They're also known as CISO, so I'll just go with that. It's easier to say, but what does a CISO do?

Fernando Machado: A CISO basically combines the cybersecurity portion of the company and meets with the business stakeholders to make sure that everybody is meeting compliance and that the company's information security resources are protected.

Eric Crusius: And is that something you've done for a while?

Fernando Machado: I have. So I have over 15 years of experience working primarily within the DOD. I've worked for the DOD my entire adult life. When I was 19, I joined the Army as an infantryman, and then in 2003, we ended up leading the invasion into Iraq. When I got back, my team was getting ready to exit the military. Then a year later, after I got out, I was a Border Patrol agent and I did that for a little bit. And then I decided to go back to school for my GI Bill and get my cybersecurity degree, and the rest is history. I've worked for large prime defense contractors. I was a department of the Army defense contractor, and like I said, my entire adult life has revolved around government.

Eric Crusius: Awesome. And I guess that naturally leads to the latest innovation in cybersecurity in the DOD space, which is CMMC, which we've talked a lot about in previous episodes. But nobody I've talked to or talked about has written a book on CMMC. So before we get to the book itself, what made you become interested in the CMMC ecosystem?

Fernando Machado: So the entire time working for the DOD contractors, a lot of the work that we had to do was in classified environments, which surrounds this 853. And when CMMC started to come around, I started to notice that there was a lot of similarities between 853 and CMMC. And then lo and behold, I found out that it's list 8171, which is a subset of the 853 controls, and I'm like, oh, I can do this. And it was an easy way to help contractors get into compliance. I can certainly sympathize with some of the small businesses that are out there. We're a small business ourselves. So I told myself, if I can implement these controls myself as a small business owner, then anyone else can do it with the right help.

Eric Crusius: Right. And that's probably what led you to write this book. So I know of nobody else who's written a book on CMMC. What caused you to decide to write it?

Fernando Machado: So one of the biggest things that every time I would go to conferences or go to different events, I would always get asked the same questions. Well, we're waiting for the CMMC requirements and we're waiting for this, we're waiting for that. And to have to explain to contractors that CMMC is nothing more than a third party validation program of their existing requirements. And so I would get a lot of the same questions. You know, "what is CMMC, where is it headed, who's spearheading it?" So I'm like, you know, I'm going to write a book and basically break it up into who, what, when, where, why and how format and just talk about, at a very high level, the foundation of the CMMC program, all in 30 pages to be able to get somebody who doesn't know anything about it up to speed on the program.

Eric Crusius: That's great. In fact, that very point that you make is the very last substantive page of your book, which I think is really interesting and something I've tried to tell people. And as we've mentioned on this podcast before, is you say CMMC is not a new set of controls, rather it is a third party verification program of your existing requirements. When I try to tell people that they need to get ready for CMMC, I try to explain, look, this is not new. This is something you already have to do. It's just a third party verification of what you're doing already or should be doing. So I think it's a great point. Well, let's talk about that book. CMMC Simplified. Find it on Amazon. I think I saw it at Target also through their website too, but I like how you start it in the beginning where you start off with the five stages of grief. When thinking about CMMC, I always think it's important to kind of do something kitschy or funny to start to get people's attention. So I — and I think a lot of it's true. So the first step, of course, phase of grief is denial, not just a river in Egypt. And a couple of the quotes here in the denial, which I think, you know, we've all heard in one shape or form, I'll just call my congressperson, senator, a lobbyist to make this go away. And another quote, CMMC is going away, as a denial. What do you think? Do you think CMMC is going away?

Fernando Machado: Absolutely not. I think one of the things that I always tell people, is I tell them if you look at the CMMC program, when it first started, the ecosystem with the CMMC accreditation body all the way to where it is now, the growth of the assessors, the growth of KPIs, the growth of registered provider organizations and authorized CMMC third party assessment organizations. The question that I asked for, that I asked them is, what about all of that growth makes you believe that this is going away? Being in the military, we call this, the troop buildup prior to a large event. We saw this in World War II. We saw this, you know, during the Iraq invasion, where there was a big troop buildup in the Middle East. And the same, CMMC is no different. What we're seeing now in the CMMC ecosystem is a "troop buildup" in anticipation for the CMMC rule.

Eric Crusius: I think it's a great point, and I think a lot of the folks who think this is going away are just not familiar with how rulemaking is and how slow it is sometimes. And what we've seen here is not unusual from a rulemaking perspective. I mean, we've had the Chinese tech ban, which came out as final interim. We're still waiting for a final rule, and that was in the 2019 National Defense Authorization Act, which was written in the late 2018. And we still have a final rule there. So the length of time it's taken CMMC to get implemented through rulemaking is not unusual. So people should not take comfort in that, I think. But that's a great point about the troop buildup. I think that's really true because the CMMC came out two years ago. There would have not been the resources to, to meet the challenge to get these certifications. And then we have anger. I think we could skip anger. So we don't know. This is a, this is a PG podcast. Then we have bargaining, and a few of these are pretty good. Our IT guys will take care of it. We'll just put our data in the cloud. Our managed service provider handles that. We'll handle that. Can't we just accept the risk? That's a good one. I think that's a misnomer a lot of people have where it's just IT that can handle it or the cloud service provider can just handle it when, because the controls are not just cloud-based controls, there are controls to do with physical space and things like that.

Fernando Machado: We tell them on the bargaining stage, you know, our IT team will lead it, and we always tell them CMMC is not an IT problem, it is a business problem that you have to have administrative, physical and technical controls that you're going to have to consider.

Eric Crusius: I think you're speaking the language right there, Fernando. And then we have depression. The last quote there, I can't take this to my management. And two points with that I think. One is, some people feel burned by CMMC 1.0. I try to point out that the core is still there. 800-171 for Level Two for CUI. And two, if you don't take it to management now, you don't want them to find out a year later that they can't bid on a contract because they weren't certified.

Fernando Machado: Yeah, we also we also let them know, right, that they need to start now. I think most of the good practitioners that you see out there that help businesses get ready will tell you it takes companies roughly about 12 to 18 months to get ready because the dirty little secret within the defense industrial base is a lot of contractors haven't been doing this right. Hence why there's going to be a need for a third party validation program in the future. So the longer companies wait, the more they put themselves at risk of losing their contracts.

Eric Crusius: Yeah, that's very true. And I talk about that inconsistent certification because these companies have been taking the 7012 clause in their contracts with NIST 800-171 in it. They're now going into the supplier performance risk system and saying, well, never mind, we're not complying with all those controls, maybe half or a lot of them. And right there, the government has a clear shot at a potential False Claims Act case. But safety and numbers, I think there's so many contractors in that position, thousands and thousands of them, that it's not like DOD is going to go after all of them, but they may try to make an example of a few.

Fernando Machado: We've already seen that with a few false claims cases, most recently, the Penn State case where their whistleblower blew the whistle that Penn State was not meeting D 47012 compliance. And I mean, it's scary. I always say noncompliance will always be a lot more expensive than compliance.

Eric Crusius: That’s right. Front end solutions, cheaper than back end solutions. And I always say if there’s somebody in a company that’s complaining about not complying with some regulation or requirement, really engage with them seriously, like really try to give them the time of day and really run it down the rabbit hole much cheaper. And it may not prevent them from filing a relator case, but more times than not, it probably will. And companies can avoid that, that issue. So I do like the next section, acronyms, because I think a lot of folks, you know, DC is like an acronym, right? DC. But we love acronyms in this space, especially DOD. I don't know the last time I said Department of Defense out loud versus DOD. But another interesting section I think you have is kind of who is pushing CMMC, and you talk to how like the Canadian government, for instance, is really jumping on the bandwagon. And we saw some evidence of that fairly recently where they talked about adopting 800-171 as their standard too.

Fernando Machado: Agreed. Yep. And I believe that they're supposed to be pushing that by December of next year, if my memory serves me right.

Eric Crusius: I think you're right. I think you're right. So they're right behind, maybe even not behind the U.S. government in instituting this. And then the question about who it will apply to. What if you talk to subcontractors, you talk to folks who primarily are subcontractors in their, with their beliefs, mistaken or not, on whether CMMC would apply to them?

Fernando Machado: Yes. So we typically tell folks that if two things kind of have to be present: one, that if the prime contractor has slowed down the DFAR 7012 class to them in accordance with paragraph M, and two, if they're actively handling covered defense information when their subcontract performance is involving cover defense information. And so that's where we start getting those five stages of grief, are like, no, we're just a small mom and pop shop or just a small machine shop, and we're like, the size of your organization doesn't matter. What the government cares about is, are you handling our data, and are you protecting it in accordance with the minimum requirements of NIST 800-171?

Eric Crusius: That's right. And look, if the government had two sets of standards, one for small business and one for others, then the hackers just know where to go. You know, that's not something the government's probably going to entertain seriously now. There is definitely a cost to this, and there are ways to kind of — I do think that the government should step up and help defray the costs to get folks up to speed just because it's important for national security purposes. But I don't think there'll be two standards anyway. And then you talk a little bit about the, you could tell just based on our conversation so far, how comprehensive this book is for being 30 pages. What's been your experience with the cyber accreditation body and the ecosystem there?

Fernando Machado: They've been good. I haven't had any personal issues with the Cyber AD. We meet with them once a week on Fridays for our authorized C3PO, call it to kind of like let us know where, kind of where things are going. And then of course, every single month I always sign up to go do the Cyber AB town halls. There's always good information that's being put out there. So if you're a contractor in the space and want to get caught up on CMMC, every single one of these town halls always has some good takeaways from them.

Eric Crusius: I always try to attend the town halls because I think they always do have good information, and it just is a good understanding of where the ecosystem is. And sometimes they know things from DOD that's happening via the rulemaking or whatever. You have a section of free tools, which I think is really important. So folks can kind of educate themselves in the book with links and what those tools are. So I think that's helpful. And then the "Why" closer to the end of the book and you talk to DFARS 252.204-7012, which is the rule that DOD uses now, and that required requirements for safeguarding to cover defense information and incident reporting. And the interesting thing about that rule is when it first came out, they used 800-53, a subset of 853, like 50 controls or so as a standard. And I couldn't remember if my memory was faulty on that, so I went back to old presentations. I guess I've been talking about this for too long and signed to confirm that it was 853 and it was, but it's come a long way since then, I guess, right?

Fernando Machado: Yeah.

Eric Crusius: And then on the back of the book, you have, you know, you talk about steps to certification. I wonder if you could just kind of talk through, from a high level, if, if somebody wants to get certified, kind of what the steps that they need to take are.

Fernando Machado: So currently CMMC is in quote unquote "a thing" because we're currently going through rulemaking. But DOD has alluded to a program called the Joint Surveillance Voluntary Assessment Program, and it's the DOD's intent that if you go get a joint surveillance assessment, which is an assessment that's conducted jointly with an authorized CMMC third party assessment organization and members of the Defense Industrial Base Cybersecurity Assessment. And so the way that the assessment would work is the authorized C3PAO would conduct the NIST 800-171 portion of your assessment. Once that's completed, the DIBCAC team will pull the contractor aside and then conduct the D 47012 portion of their assessment at the end of the assessment. The DIBCAC team will go into the contractors press record and update it as a high assessment in accordance with D 47020. And it's the DOD's intent that when the CMMC rule becomes finalized that your assessment will convert to a CMMC Level Two certification. And then at that time, your three-year recertification clock would begin. So it's a huge bonus for contractors, that not only do they get to save a lot of time, but they can also save a lot of money because now is where there's not a real high demand for C3PAO, whereas in the future will be it'll end up driving up costs because of availability.

Eric Crusius: Right. And I feel like that would be really a benefit, especially to subcontractors who, you know, a lot of the primes are requiring verification or certification of their cybersecurity standards and that they are meeting those standards. So, you know, that could be a benefit to where they're more marketable to those prime contractors if they want to be.

Fernando Machado: Yep. Agreed. Yep.

Eric Crusius: OK. So we're at this point when this was released, will the proposed or final interim rule may be out. We'll see, because we don't know when it's going to come out exactly. But aside from that, where do you see this whole thing moving? CMMC and the ecosystem?

Fernando Machado: What will end up happening is once the DOD spearheads this and CMMC becomes a rule, I think it's a copycat government agency league. So we'll get to see a lot of other agencies potentially follow suit. We're already starting to see a little bit of that, not necessarily third party validation, but we're seeing, you know, the Department of Education requiring 800-171 compliance for the protection of, I believe it was a student, student loan information. Excuse me. And then you're starting to see a lot of that going on. I believe the Stars three and Polaris contracts have CMMC-type language in them. So I think as the program starts to roll out and all the kinks are worked out of it, I can totally foresee a future where other agencies are going to adopt this type of language.

Eric Crusius: Yeah, and then it would just become ubiquitous, I think, across the government. I mean, I do wish that CMMC launched a little quicker so more agencies could have adopted it sooner before someone out on their own. But it's never too late.

Fernando Machado: The slow churn of government rulemaking.

Eric Crusius: That's right. That's often a good thing, right? Because you want to make sure the rules that are instituted have the input of other agencies and the public and things like that here because of the risk to our national security. Maybe you hope for something a little quicker, but we'll get there eventually, I think.

Fernando Machado: Yep. Agreed.

Eric Crusius: Well, Fernando, thank you for writing this book. First of all, I think it's, it's great for the community. And thanks for appearing with us today.

Fernando Machado: You're welcome. Thank you. And I hope that you guys enjoy this podcast.

Related Insights