
EP 138: What’s With NIST Special Publication 800-171, Revision 3 and CMMC
About this episode
August 15, 2023
How is Revision 3 of NIST Special Publication 800-171 and the Cybersecurity Maturity Model Certification (CMMC) related to each other? Let’s find out with our guest Jacob Horne. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Episode Transcript
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities and Jake Bernstein, partner at the law firm of K and L Gates. Visit them at cr-map.com and klgates.com.
Jake Bernstein: Hi everyone, this is episode two out of three that I'm flying without Kip. Today, on episode 138 of the Cyber Risk Management Podcast, we're going to be discussing CMMC, the release of NIST SP 800-171R3, what that means and what it all means with a guest, Jacob Horne. Jacob, welcome to the podcast. It's taken us quite a while, but we finally made it happen.
Jacob Horne: Yeah, yeah, absolutely. Thanks for having me. Big fan. Been a fan for a long time and-
Jake Bernstein: Ditto. Likewise.
Jacob Horne: Yeah, thank you. So I always love hearing the intros whenever I show up to speak somewhere and people immediately get slapped with acronyms, so I apologize.
Jake Bernstein: They do, for sure. That's okay though. It's pretty common on this podcast and I think people are used to it. But before we dive into whatever I just said at the beginning, why don't you go ahead and introduce yourself to the listeners?
Jacob Horne: Sure. So I'm Jacob Horne. I am the Chief Cybersecurity Evangelist for Summit 7. Summit 7 is a managed service provider that specifically focuses on facilitating cybersecurity and compliance for defense contractors, specifically with the bouquet of acronyms that they have to deal with, DFARS contract clauses and the cybersecurity obligations that come with it, NIST standards and all of the controls that fall underneath of those, as well as programs that assess those requirements like CMMC, which we can get into later on. I've been in cybersecurity now for a little over 15 years, started my career in the Navy doing some high-speed cool guy stuff at NSA as a CTN, if any of the listeners know what that job code is, got out of the Navy.
Jake Bernstein: I see we're sticking with the acronyms.
Jacob Horne: Oh yeah. Oh yeah. So as a cryptologic technician doing secret squirrel cleared kind of stuff back in the day with the Navy. Yeah, basically which just exposed me to a very large array of different disciplines within cybersecurity. I always tell people it's crazy to see how the cybersecurity world has evolved because things like cyber threat intelligence that you can do as like an entry level job or subscribe to for money, used to be the domain of, maybe, a few dozen people inside of the NSA 15 or 20 years ago.
Jake Bernstein: So it's evolved-
Jacob Horne: It's evolved pretty crazy over the years.
Jake Bernstein: It certainly has.
Jacob Horne: Yeah. But I got out of the Navy, did some time as a SOC analyst living the dream, shift work and cut my teeth doing that, and I'd always had a peculiar and bizarre interest in security controls, and I know that sounds crazy, but I'm just fascinated by the idea of something as amorphous as cybersecurity. How do you describe it in a standardized way? We're all doing very similar things, but we can't all seem to agree on how to describe what those things would be in a security control.
So long story short, we ended up coming back to Southern California where we were from, and there was a very large market at large defense contractors for people who were interested in and familiar with security controls. This had a lot to do with the 800-53 ecosystem and the NIST risk management framework, if anybody's familiar with it.
Jake Bernstein: I was going to ask about the RMF, but you just brought it up.
Jacob Horne: Oh yeah. So that was what I did, and I was just minding my own business and doing my job and having a great time. And then one day somebody came into my office and slid a document across my desk called NIST SP 800-171, and they said, "What is this? Our suppliers are freaking out." And I opened it up and I said, "I don't know. What is this? It seems like a weird mutated miniature version of 800-53, who wrote this, and why is it?" Fast-forward a couple of years and now all of a sudden I'm the CMMC guy because it is the program that is very focused on that one NIST standard.
Jake Bernstein: So let's back up a second and start with some basic questions. CMMC, nobody said CMMC 1 because it was just CMMC, but then I started hearing about CMMC 2.0, and frankly, a lot of this was from your posts on LinkedIn, but you're, by far, not the only one talking about this. I get the impression that it's a big deal. Why don't you explain to the extent that it is possible to explain CMMC and just give a brief history of it, why it matters, et cetera.
Jacob Horne: Yeah, actually, it's funny because the concept of CMMC is actually very simple, but DOD is never going to let that fly. So they do their best to make it as complicated as possible. So the best way to understand it is that CMMC is a DOD program that assesses the cybersecurity requirements that contractors have to implement according to their contracts. And so DOD contractors have had contractual obligations to implement cybersecurity requirements going on a decade now, originally back in 2013.
Jake Bernstein: And those stem from DFARS, correct?
Jacob Horne: That's right. Yeah.
Jake Bernstein: So the contractual requirements stem from DFARS, right?
Jacob Horne: Yeah. The universe of contractual obligations specific to DOD contractors is contained in a gigantic dusty tome known as the Defense Federal Acquisition Regulation Supplement or DFARS. So the FAR is the complete set of all contractual obligations for all federal contractors. Each agency has a supplement to that very large tome with their own tome of supplemental information. One of those contract clauses in a universe of thousands is the contract clause that says, "If we give you sensitive information, you need to protect it with cybersecurity requirements." That originally started in 2013, and it was updated in 2016, and as we went along over the years, the DOD noticed that no one was implementing their requirements-
Jake Bernstein: What?
Jacob Horne: And a lot of this sensitive information was flying out the door, and all of a sudden fighter planes in China looked very similar to fighter planes in the United States and the defense industrial base, the set of contractors working with this information are just hemorrhaging all of this information, basically unchecked, whatsoever.
So that gave rise actually in Congress. They said, we got to do something about this, so create a program to assess and verify that contractors are implementing the requirements that we have set out for them, and that eventually became what we now know as the CMMC program.
Jake Bernstein: And what does that stand for, by the way?
Jacob Horne: So CMMC stands for Cybersecurity Maturity Model Certification. It is the assessment program for your contractual cybersecurity requirements. Now, to connect a couple dots here, the contract requirements are contained in a document known as NIST SP 800-171, NIST Special Publication 800-171. So you have a set of contractors with existing obligations to implement that set of cybersecurity controls. CMMC comes along several years later, says, "We know that people haven't been implementing them. We would like to verify that you are implementing them. Hint, hint. So please implement those requirements and we're going to come up and assess, verify, certify that they are implemented." The problem was most people didn't know they had this obligation. The government had never really asked or cared about this obligation, though-
Jake Bernstein: It was in the contracts. I have seen them during due diligence. I know that they're there.
Jacob Horne: Oh yeah. And that's a big problem because, and we've talked about this, I think, a while ago individually, is I don't know of another situation where you had a dormant, essentially contract clause that carried this gigantic obligation with it, and then several years later, the government pulls it out from the stack of thousands and goes, "Haha, we know that you didn't implement it. You signed the contract saying you implemented it, and now we're coming to check your work." Whether you agree that that's the right thing to do or not, that is what they are doing. That is what the CMMC program is.
A lot of the confusion, I think, comes from the fact that nobody knew that these obligations existed. The first time they found out they had the obligations was when they heard about CMMC. So everyone is associating the NIST requirements with the assessment program, if that makes sense.
Jake Bernstein: Even though it's not. And as a lawyer, I have a hard time with this because the defense industrial base, I mean, yes, let's be clear, there are companies that are relatively small that may not have any lawyers on staff and may not even use outside counsel-
Jacob Horne: Oh, yeah.
Jake Bernstein: ... But there's also a lot of bigger companies out there as well and plenty of medium-sized ones that probably should have known.
Jacob Horne: Yeah.
Jake Bernstein: And certainly the law would say you did know whether you-
Jacob Horne: Yeah, it's a tough situation, man. It really is because-
Jake Bernstein: It is.
Jacob Horne: ... You can go back and back and back and it is true. It is objectively true that yes, the clause was in the contracts. Yes, you sign the contracts, the American society lives and dies by contract terms, you signed it. I mean, I was in the military. I know all about people that got signed up for all kinds of stuff that they weren't anticipating when they enlisted in the military. You know what I'm saying?
Jake Bernstein: Probably should read those.
Jacob Horne: Probably should read those. But you already signed it and be like, so now you're chipping paint on a ship and you thought you were going to be flying fighter jets. Right? Now you're evaluating cybersecurity controls and you just wanted to make parts that go on the fighter jets. The problem is that yes, it is true. However, we're now in this situation where we know that the defense industrial base has not implemented the controls. Whether you want to point fingers or not, that's just the way that it is.
Jake Bernstein: Yep.
Jacob Horne: So now what do we do?
Jake Bernstein: It doesn't matter, is what we're saying.
Jacob Horne: Yeah, it effectively doesn't matter except for the fact that the defense industrial base, for the most part, I mean, I've been working in this space now for many years. Pretty much everybody you talk to says, "Okay, we get it. You got us. We have no problem implementing these controls, but we work on a contractual basis, so pay us and we'll do it." And the DOD says, "Well, you already submitted your rates according to what was in those contracts, so we have already paid you, and since you didn't implement them, now you're underwater in terms of the implementation." And this is really where the irritation with CMMC comes around because people go, CMMC is so expensive to implement, but remember, you're not implementing CMMC. You are implementing 171. CMMC is just assessing you.
Jake Bernstein: Yeah. And we should just make sure that that's... To me, that is probably the single most, the most important and best takeaway from this episode so far is CMMC is a certification. It is unfortunately similar in acronym to the Carnegie Mellon Maturity Model, but we'll ignore that.
Jacob Horne: Based very heavily on the CERT-RMM, based extremely closely.
Jake Bernstein: It is. Yep, it is. But it's a test, right? I don't want to use the word audit because that has connotations, but it is a certification, a verification of implementation of certain controls. And those controls are 171. And I know we're going to talk about this in a second, but these are all related to 800-53, RMF, FedRAMP, et cetera.
Jacob Horne: That's right.
Jake Bernstein: A lot of this stuff ties together.
Jake Bernstein: But I think what's, and as I always do on every episode, go off script briefly. We, Kip and I did an episode or maybe even two, I forget, on the Aerojet Rocketdyne case under the False Claims Act, and that is an interesting case study. It doesn't directly deal with CMMC because CMMC wasn't in place at that point.
Jacob Horne: But it's very close though.
Jake Bernstein: But it's very, very, very close. It essentially was a lawsuit, really a whistleblower enabled lawsuit against a massive defense contractor basically saying, "You're not doing any... Your cybersecurity representations, what you're telling the government are just not true." And we don't know it was settled, but at one point it was like $2 billion lawsuit or some ridiculously large number. And I think this is real, right? This is not hypothetical.
Jake Bernstein: And in the situation with Aerojet Rocketdyne, it had specifically to do with 800-171.
Jacob Horne: It did. So it predates CMMC, but effectively the defense contractor pressured their cybersecurity guy to say, "We have implemented all these controls." He said, "No." Allegedly, they terminated him. He pursued wrongful termination during the course of figuring out what happened. A False Claims Act issue came up in which he was able to blow the whistle, and then it went through the process. And then as the cybersecurity world isn't getting increasingly crazy, the DOJ announces their cyber civil fraud initiative. And sure enough, they file their sudden interest in this case and it goes to trial. And within 24 hours of them explaining the situation, they settled, right? Because-
Jake Bernstein: It was suspiciously quick.
Jacob Horne: It was incredibly fast. And so it's very interesting, although the False Claims Act is like a whole other conversation. I think maybe as we're talking about its relation to 800-53, all of these things that are happening in the regulatory legal enforcement sector, risk management, national cybersecurity policy space, they're more closely related than I think people understand. And the thing that I always tell folks is, even if you are not a defense contractor or interested in CMMC, it is very important to pay attention to what's going on in that space because it is the canary in the coal mine for what is going to happen across sectors and across industries. Because as we move forward, regulators are going to want, and large companies in their supply chains are going to want increasing amounts of assurance that your requirements are implemented eventually.
Jake Bernstein: I completely agree, and I think what's going to happen much faster than even the private sector getting together and doing this is right now we talk about the DIB, Defense Industrial Base, CMMC is for defense contractors, but it is not much of a leap for the federal government to just say, eh, everyone who gets money, everyone who takes money.
Jacob Horne: And in fact-
Jake Bernstein: ... From the Feds.
Jacob Horne: And in fact, so we talked about the DFARS as the DOD supplement to the FAR.
Jake Bernstein: There is a FAR rule that is coming that will require all federal contractors to implement 800-171. See where we're going here.
Jacob Horne: It's actually ironic. People say CMMC is taking forever. The DOD is actually years ahead of the rest of the government-
Jake Bernstein: It is.
Jacob Horne: ... In this experiment of if you try to make your suppliers prove that they've implemented these requirements, everything breaks and there's no real easy way to put the pieces back together. So that's why I say pay attention to the conversation, even if you're not in the industry, because there's a good chance you're going to end up in a similar situation in a few years.
Jake Bernstein: I would say it's 90% plus chance.
Jacob Horne: Yeah.
Jake Bernstein: Okay. So let's, man, we have used a lot of acronyms and a lot of specific phrases. So let's briefly talk about the relationship between Special Publication 800-171 and how it relates to 800-53, the RMF, FedRAMP. We already know that the relationship between CMMC and 800-171 is that 800-171 is the... How do I say it? The course syllabus, like the required knowledge and the required implementations and the controls, and then CMMC is the final exam, right? That's some kind of mixing metaphors and just slaughtering them.
Jacob Horne: Yeah.
Jake Bernstein: But that's the basic idea. But what about these other standards?
Jacob Horne: Sure. Yeah. So just like CMMC is a program that assesses 171, the way that I describe this to everybody is, the way to think about it is that the underlying reference layer is 800-53. NIST SP 800-53 is a catalog of security controls. It is a very large catalog of security controls, and it has a cult following, and it has, probably, many more people who can't stand it. It is effectively a dictionary of standardized security controls. It is inert. It is a catalog today as of this conversation of over a thousand, just over a thousand individual security controls.
Now, it's designed to be chopped up for specific situations. So for instance, the FedRAMP program is a subset of controls from 800-53 for a specific purpose. There's FedRAMP low, moderate, and high. It is a small amount, a medium amount, a large amount of controls from 800-53. CMMC is a program that assesses 171. And sure enough, 171 is a derivative of 800-53, just like FedRAMP is a derivative of 800-53.
Jake Bernstein: And this is super, super helpful. One of the things that drives me nuts is when people say, "Oh, I'm 800-53 compliant."
Jacob Horne: Immediate red flag.
Jake Bernstein: That immediate red flag, that doesn't mean anything.
Jacob Horne: Yeah.
Jake Bernstein: Well, actually, no, it's not true. It means that they don't know what they're talking about.
Jacob Horne: That's right.
Jacob Horne: Yeah. You are never going to implement all of 800-53. That's not what it's designed for. That's where the RMF, the Risk Management Framework comes in. The RMF is the name that NIST provides to the process of picking up the dictionary, pulling out the words that you need, putting them into sentences for your essay, getting it graded, and then starting over again if you have to change anything. You take 800-53, you pick out your controls, you tailor them for your environment, you implement them, you verify they're implemented. Somebody authorizes that, that's good to go. And then Bob's your uncle, that's the RMF. It all goes back to-
Jake Bernstein: And RMF for those who want to read along at home is SP 800-37, currently in Revision 2.
Jacob Horne: That's right.
Jacob Horne: Yeah. It's the process through which you use 800-53, and this is where people start to get into trouble because 800-53 is designed to fit into that context. It is not an end in itself. It is a toolbox that you select from during this RMF cycle. So when we end up with this large change in the regulatory environment where we're using derivative standards from the federal environment of RMF and leaking them into the muggle world, where now we have to apply it to non-RMF life cycles, things break because you're taking just parts of the toolbox without context and then putting them into a standard and saying, "Hey, you're good, right?" The assumption was that private industry does things like RMF. You have a risk assessment program, you have a fully risk informed and resourced cybersecurity program, and you've got cyber professionals.
Jake Bernstein: Haha. Haha.
Jacob Horne: Who know what's going on. And this shouldn't be a big deal because these are the same standard controls that have existed for 20 years about access control and multifactor and things like that. So it is actually the case where 171 is smaller than 800-53 because the government wanted to not be bureaucratic. They said, "No, no, we use 800-53 in the RMF. You do whatever you do, so we're just going to tell you what outcomes we would like you to meet." And when the DOD threw it over the wall, everything burst into flames. And then they said, "Well, we're going to come assess you because you're not doing it." And now the flames are getting bigger.
Jake Bernstein: Yep. It's funny. Talk about timing. I had a little meeting the night before this podcast was recorded, and it was with a guy who was former NSA, various other three letter agencies coming out, and he'd spent a bunch of time helping develop RMF projects inside the government. And according to him, a given military command or military base, if they don't get it done, the DOD will pull the plug on their internet, each individual command. You just have to do it. Right?
Jacob Horne: Right. Right.
Jake Bernstein: And in the military, as I was talking about with him and I've talked about with others, there is no, "Well, I don't think I'm going to do that." "No, you follow the orders or there's consequences."
Jacob Horne: Yeah.
Jake Bernstein: And in the private sector... In the private sector, I think what really surprises folks, well, actually here's the full context of this conversation, was, I said to him that, "People coming out of," there's two types of government, and I'm going to paint with a broad brush. Please forgive me. Remember folks, I worked in the government, but there's the stereotype of the state DMV, and I mean, we know it's a stereotype because there's been TV shows about these types of things, where it's like, "Haha, look at the either lazy or incompetent government worker. There's no efficiency. There's no efficiency because... they just take tax money. They don't have any private sector efficiency requirements... or not even requirements, just efficiency needs." And then there's the private sector, which is capitalism and efficiency and all this stuff.
But what people forget is there's another level of government, which is the National Security Firm, State Attorney General's Offices, all of the three letter agencies where it is not like a state DMV. And I think what happens when folks come out of the high level functioning government is they assume that the private sector operates in an efficient manner because that's the stereotype.
Jacob Horne: Yeah.
Jake Bernstein: And to some degree, yes, but the thing is that it's a very specific efficiency. It's a profit maximization efficiency. They don't care about security unless it directly affects the bottom line, and historically it hasn't.
Jacob Horne: Well, speaking of efficiency, to use the language from the National Cyber Strategy directly, I talk about this on LinkedIn all the time, and from an economic perspective, cybersecurity is what is known as a market failure. And this is something that the security community has known forever in that the market does not correct for security problems. And so as a result from the government's perspective, let's say you're the DOD, you're flowing your information that needs to be protected into the supply chain, and the market doesn't care because the market doesn't care about security. So what are you going to do? You're going to have to make the market care, and that leads to a bunch of unsavory trade-offs because in the economic domain, I'm not a formal economist, but having studied market failures within this context, there's really only three things the government can do to correct a market failure. They can tax the behavior, they can subsidize the behavior, or they can regulate, and we ain't taxing bad security anytime soon. We're not subsidizing good security anytime soon in a meaningful way, which leaves regulation like DFARS and CMMC, which is why I say it's a precursor to what's coming.
Jake Bernstein: Yes.
Jacob Horne: It's the only tool that they have. And from a practitioner's perspective, I would say this is why I find 800-53 familiarity to be so important because it is what I would say it's like the Latin of the GRC world where-
Jake Bernstein: Yes, that's amazing. It's totally true.
Jacob Horne: FedRAMP, RMF, CMMC, 171, the CISA CPGs, the NIST CSF, all of these things are variants, either abstractions or derivatives of the same 800-53 catalog because they are all coming from the federal space. And the unifying reference layer of the federal space is 800-53. So if you know 800-53, you can put on whatever hat you want to and you can walk in and know what's going on.
Jake Bernstein: Absolutely, and I'm trying to look it up real fast. The original 800-53 was, the revision one was 2006.
Jacob Horne: The original came out just after FISMA 2004, so I think it would've been 2005.
Jake Bernstein: 2005, yes.
Jacob Horne: So they updated it pretty quick with Revision 1, but we're up to Revision 5. And by the way, what's interesting to me about 800-53 R5, I think in R4, they started it, but in R5, it's very explicit. There's also now so-called privacy controls-
Jake Bernstein: Yes.
Jacob Horne: ... Which is an interesting subtext, probably a different episode. But let's continue.
Jake Bernstein: Yeah.
Jake Bernstein: So I know we're running off time here. 800-171, we haven't even talked about it. What is it?
Jacob Horne: Yeah.
Jacob Horne: So effectively right, like we said, 800-171 is a derivative of 800-53. So like we said, 800-53 is a gigantic catalog, something known as the controlled unclassified information program at the federal.
Jake Bernstein: That's what I was going to ask.
Jacob Horne: Yeah. So 9/11 happens, the post 9/11 commission report says we don't share data very well at the classified or unclassified level. At the unclassified level, they started looking into it and they said, all of these agencies have 2,600 different authorities for protecting unclassified information. There's 150 different markings. Of course, no one can share the information. We're not speaking the same language.
Jake Bernstein: Yeah.
Jacob Horne: The CUI program says, "Okay, standardize the markings, deduplicate the authorities, standardize a minimum set of security controls so that all controlled unclassified information is marked the same, protected the same. It can flow freely across the agencies, we won't have this problem." So that's how we got 800-171. NIST takes the 800-53 catalog. They say, "Okay, we're looking for data protection. We're going to take a subset of 800-53 controls, and then we're going to carve them up and tailor them," is how they would describe it, for this specific use case.
That gave us a set of about 160 of these 800-53 controls. They then tried to take out as much information as possible from those controls to not be too burdensome on industry, remember? And they called the remaining information 800-171. As we talked about, industry actually needs all that information because nobody's ever really done this stuff before. And that put NIST into... Just to wrap up, that put NIST into a bad situation because now the only way to get out of this corner is to make the standard bigger and go back to that set of 150 800-53 controls for which you took all the information out of.
Jake Bernstein: Right. Yeah. So let's talk about, so 171, and what finally triggered us to get this podcast scheduled is, or I should say at this point, was the release of 800-171R3.
Jacob Horne: That's right.
Jake Bernstein: And when was that?
Jacob Horne: That was in April.
Jake Bernstein: That was in May?
Jacob Horne: Yeah, it was in May 2023. So this episode's going to publish.
Jake Bernstein: This is the initial draft of-
Jacob Horne: The initial draft. So it's not final. I don't know how long it will take to get finalized. We'll talk about that at the end, but it probably won't be final by the time this episode publishes.
Jake Bernstein: No, no. But you can assume-
Jacob Horne: You can assume that it will be coming. So what are some of the changes and revisions to 171R3 compared to the previous versions? Yeah, the best way to describe it is, like I said, that corner that NIST got themselves into by heavily abstracting the 800-53 controls down to 800-171. 800-171 Rev 3 represents the unwinding of those abstractions. So if you look at 171R2, the current version, with 171R3, the draft version that's out right now, 171R3 looks very, very similar to 800-53. The formatting, the wording, the structure, they are unwinding the formatting of 171 because as it turns out, the formatting is just too abstract to be able to indicate what is necessary.
So some of the major changes are going from single sentence control descriptions of an outcome to the multi-part word-for-word control from 800-53. And this is causing a lot of people's heads to explode because they probably don't know much about 800-53. So when you crack open the new one, you go, "Oh my God, it's like three times as long as the first one, it's increased dramatically."
Jake Bernstein: Even though if you had known, if you had questions about the controls in 171, you merely needed to go reference them in 800-53.
Jacob Horne: Yeah. There's even a standing internal DOD policy to their contract workforce that says, if you don't know what this 800-171 control looks like, you should go look at the corresponding control from which it's derived in 800-53. So at long last, NIST has said, just cut out the middleman so we don't have to constantly cross-reference what's going on and just slap the relevant parts of 800-53 into a document and call it 800-171. From an assessment perspective, under the hood, the actual questions that need to be asked, 171 Rev 3 today represents about a 35% increase above 171 Rev 2.
So putting on your DOD hat, assuming everyone has done what they said they did when they signed their contracts, you aren't really increasing it by all that much. You're increasing it by about 30%. However, most of the DIB hasn't started yet, which means, they are facing an even larger mountain to start from zero because everyone's waiting on the CMMC program. But that's just the assessment program. That's not the requirements. Right?
Jake Bernstein: Exactly. Right.
Jacob Horne: You can see how the confusion-
Jake Bernstein: You can see the confusion there. It's like, "Oh, we don't have to do it until CMMC is 'live,'" but it's like, "No, CMMC is just the testing, it's just the verification component."
Jacob Horne: Yeah. Yeah.
Jacob Horne: Summit 7 does a bunch of really awesome stuff in the Microsoft Cloud environment, and the last basically three years, I haven't been able to really play with any of that cool stuff because my entire job has been explaining the difference between DFARS clauses and what they require, and the fact that if it takes the average company 12 to 18 months to implement 800-171 Rev 2, and then you add 30% on top of that. If you wait until the CMMC rulemaking is done and it's in your contract, you will probably be a year or two behind at least before you can start to get an assessment, which here's a massive trap. Because if you think that you're not going to get started on the requirements until CMMC shows up, you're going to be underwater quite a bit.
Jake Bernstein: Yeah.
Jake Bernstein: And before we wrap up the episode and talk about what we know or think we know about NIST timeline, I just wanted to summarize this in beginning to end description and tell me if I've got this right. So I'm in the defense industrial base. I sign a contract with the Federal Government to supply widgets that are going to be used in the military of some kind, right? Let's just say that. And within this contract, pursuant to DFARS, there is a clause that's going to say something like, "You will protect the information with some kind of reasonable cybersecurity controls." Or maybe it'll say something more specific than that, but it says something-
Jacob Horne: It points directly to 171. Points to 171.
Jake Bernstein: What, at this point it does, it points directly to 171. So that requirement is in the contract from the beginning. Now you go, "Okay, so what do I actually have to do?" "Well, I have to go to 171." "Okay, now I'm looking at 171. There's a bunch of controls." Prior to R3, Revision 3, if you didn't know what 171 required, you could go to 853 and look at the actual controls. It sounds like with Revision 3, they're allowing you to skip that step just by putting it directly in 171R3.
Jacob Horne: Of course, in R3. Yeah.
Jake Bernstein: And then CMMC will come along. All CMMC is is a verification program that the government's going to do to certify that its contractors have actually implemented 171-
Jacob Horne: According to what they said.
Jake Bernstein: According to what they said. And here's the kicker, in my opinion at least, is that when CMMC is finished and they're actively checking, if you can't comply, that is like the world's easiest False Claims Act.
Jacob Horne: That is exactly what that is.
Jake Bernstein: Because what's going to happen is, so the False Claims Act, and you're right, there's a whole other way of doing it, and we've got an episode on that maybe, but as a very quick refresher: we call it the Lincoln Law because it literally dates back to Abraham Lincoln's time, the 1860s. It is a very, very old law on the federal books that basically says if you make a false claim, and what that means is really a misrepresentation or, if we're going to get even nastier about it, if you lie in order to get money from the Federal Government, the Federal Government can sue you for a lot of money. And not only that, but a whistleblower who finds out about this can also sue and, essentially, simplifying things, share in the reward of whatever judgment there is.
Jacob Horne: Oh, yeah.
Jake Bernstein: So there's a huge economic incentive for whistleblowers to blow the whistle. Remember, this whole thing starts by you signing a contract. That is a claim, that is a representation, that is a legal representation that a defense contractor makes that they are complying. So, you see how this goes, and what I think the government is setting people up for is a whole lot of really simple False Claims Act cases.
Jacob Horne: And we hear this a lot because the majority of the companies that are dealing with this requirement in the defense industrial base are small organizations and they say, "Well, we're small, so we're not going to get the attention."
Jake Bernstein: Oh, that's not true.
Jacob Horne: Even if it were true that they can't arrest all of us, let's do crime. What it certainly affects is the tier of the Aerojets of the world, the Raytheons, the Lockheeds, the Northrop Grummans, from whom the majority of the defense industrial base is downstream, and to whom it represents a liability. So even if you don't think that the DOD and DOJ are coming for you, they are certainly coming for your customers, who will then turn around and their internal counsel will be like, "What do you mean you didn't implement, right?"
Jake Bernstein: Yep.
Jacob Horne: So there's only so many places. There's only so much time left before-
Jake Bernstein: Yeah, you can't escape it, is really the key.
Jacob Horne: Yes. And so I'm doing my part to try to show people the coming 853 singularity, right? It doesn't matter which regulatory space you're in, just look at what's happening in the defense space, and you will be able to see the future.
Jake Bernstein: Agreed. Okay, so speaking of the future, what do we know about the NIST timeline and plans for future revisions, finalization, et cetera?
Jacob Horne: Well, here's one thing that I will tell you: do not be fooled into thinking that agency rulemaking timelines and delays, like DOD's CMMC, are the same as NIST revision timelines. NIST is very good about predicting and sticking to their predictions for when things will come out.
Jake Bernstein: This is what they do. That's like their entire function-
Jacob Horne: This is exactly what they do. They're very, very good. They're very, very consistent. In fact, ahead of government shutdowns in the past, they have accelerated the release of new documents so that people can have them early rather than delaying their release. So NIST has said that 800-171 Rev 3, and its associated verification procedures, a secondary complementary document, the whole package that you need, will be final at the latest by Q1 of 2024. And I 100%-
Jake Bernstein: That is not far away, Jacob. That is not far away.
Jacob Horne: Ron Ross, in my conversations with him, said they would love to have it done before the end of the year. The very latest would be Q1 of 2024. If you zoom out according to what else is going on, that is way ahead of when the FAR rule is supposed to be done requiring this for all contractors. So by the time non-defense space contractors will be looped in, you will certainly have to deal with Rev 3. Within the CMMC timeline, the DOD expects that to be up and running and rolling out by the end of 2024, early to mid 2025. So you can see here, the DOD is going to say, "Okay, we asked you to do 30% more stuff. We gave you about a year, a year and a half to do it. Now CMMC is coming online. It's been 10 years. We told you this was coming in 2020, we're going to come assess you. You know that we're going to assess you. Right?" And you can already tell just off the top, in your minds, people are going to go, "We didn't have enough time. We didn't know we didn't-"
Jake Bernstein: Yeah, that's not going to fly.
Jacob Horne: It's not going to work.
Jake Bernstein: It's just not going to fly. And it's particularly not going to fly in the face of False Claims Act.
Jacob Horne: Well, funny enough, I was just speaking with, I was just interviewing a former federal prosecutor yesterday, and I was talking with her. She was a national security federal prosecutor for 22 years up in Boston. And I said, "Hey," she was talking about the recent case, United States v. SuperValu, which has to do with the False Claims Act, which I'm sure you guys will talk about in a future episode. But I was asking her about it and I said, "Well, let me give you a scenario. I'm a contractor and I didn't implement 800-171 because I'm waiting on the CMMC rule. So I experienced a cybersecurity incident and now you're saying I made a false claim. Clearly, I have a legitimate reason, case closed, right?"
And she laughed. Actually, her initial reaction was laughter, and I immediately knew that if you tell a former federal prosecutor that you are waiting on CMMC to implement 800-171, and she laughs in your face, you should probably be paying attention. Right?
Jake Bernstein: I think so. Absolutely. So, okay, Jacob, thank you so much for being on our show. This has been a great discussion about CMMC, its relationship to 800-171, 853, all of the alphabet soup that we talked about and what it all means. And I think the big takeaway here, again for our listeners, is, even if you're not in the defense industrial base, this stuff is going to become relevant to you in the not too distant future. It's coming. Okay. So Jacob, I know you're pretty active online. I think that's how we met. I started following you on LinkedIn, but you do a lot more than just LinkedIn. So why don't you, here's your opportunity: where can our listeners go to find out more about you, about Summit 7? I think you have another podcast. Let us know. Tell us.
Jacob Horne: Yeah, yeah. You can definitely find me. I post on LinkedIn about this topic and this space constantly. So if you find me on there, then the algorithm will reward you with a never-ending stream of acronyms and their explanations.
Jake Bernstein: I can confirm this is true.
Jacob Horne: Yeah, we try our best to put that information out in a digestible way. So yeah, definitely find me on LinkedIn. You can find us at summit7.us. Our YouTube channel is the primary place where we put out all of our free-to-consumer explanations of what's going on, sometimes very, very lengthy and detailed videos explaining all of these things in excruciating detail and what it means in terms of the context of implementations, how Microsoft solutions will match up with what's going on.
We also have our podcast called SummitUp, which is obviously an inside joke because they are quite long, but that comes out monthly and it basically is a rollup of anything that is CMMC, NIST, or DFARS related, or adjacent to that space, going on in the larger regulatory ecosystem. You can find that on basically all podcast platforms. You can find it on our YouTube channel. You'll see me post about it on LinkedIn. You can find it on our website and blog, and that's the best way to get ahold of us and to find out all the information that we put out.
Jake Bernstein: That's great. Thank you very much. Okay. Well, that wraps up this episode of the Cyber Risk Management Podcast. Today, we explored the CMMC and the new Revision 3 of 800-171 from NIST, and we did that with our guest, Jacob Horne, who is the Chief Security Evangelist at Summit 7. See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.