QT9 Q-Cast

Episode 3: Navigating CMMC: Self-Assessment to Certification

Rhia and Christian

Is your prime saying they can’t award the PO until your CMMC status shows in SPRS? In this QT9 Q‑Cast episode, host Christian Reyes interviews Rhia Dancel (Senior Manager of Information Security at NSF, a C3PAO) to demystify CMMC compliance—who needs it, how Levels 1–3 map to NIST SP 800‑171/172, and exactly what assessors expect.

What you’ll learn:

  • CMMC Levels 1, 2, and 3 explained: Level 1 is 15 basic safeguarding requirements for FCI and remains a self‑assessment; Level 2 covers CUI and requires all 320 NIST SP 800‑171A assessment objectives to be verified by a C3PAO rather than self‑attested; Level 3 adds NIST SP 800‑172 protection against advanced persistent threats and is assessed by DoD after a passed Level 2.
  • Who needs CMMC (primes and all tiers of subcontractors handling FCI/CUI) and how requirements flow down—plus where COTS fits.
  • Where CMMC appears in contracts (32 CFR program rule; 48 CFR clauses) and the rollout toward November 2028.
  • The “minimum viable evidence” package for Level 2: SSP, network diagram, and asset inventory—and why consistency matters in Phase 1 scoping.
  • How assessors decide met vs not met for each objective: evidence comes from testing, examination, or documentation, and technical evidence produced by testing is more definitive than documentation alone (NIST SP 800‑171A’s formal assessment methods are examine, interview, and test).
  • Cloud quick test for CUI: check the FedRAMP Marketplace. The provider must be FedRAMP Moderate authorized (listed there) or FedRAMP Moderate equivalent (equivalent providers do not appear in the Marketplace).
  • Realistic Level 2 timeline (plan ~12 months from zero) and how a CUI enclave + control inheritance from FedRAMP solutions can accelerate readiness.
  • Ongoing obligations: annual affirmation and 3‑year recertification (it’s not one‑and‑done).

Guest: Rhia Dancel, NSF (C3PAO & certification body).
Host: Christian Reyes, QT9.

Resources mentioned

Disclaimer
This episode shares general information—not legal advice. Always verify requirements in your specific solicitations and contracts.

If this helped, please like 👍, subscribe 🔔, and share with a teammate who owns security, contracts, or compliance.

Hashtags
#CMMC #NIST800171 #NIST800172 #CUI #SPRS #FedRAMP #DefenseIndustrialBase #DIB #C3PAO #QT9QCast #NSF

Episode Transcript

Christian Reyes (00:00)
Your prime emails, we can't award the PO until your CMMC status shows up in SPRS. If that sentence spiked your blood pressure, you're not alone. Today on the QCAST, we'll demystify CMMC, what it is, who it applies to, and how the levels and assessments work. And whether companies like QT9 should pursue certification now or wait. Our guest is Rhia Dancel from NSF, an information security leader and CMMC veteran. Let's jump in.

Welcome to the QCAST, the show for leaders navigating quality, compliance, and security in regulated markets. I'm your host, Christian Reyes. Quick reminder, this podcast shares general information, not legal advice. Always verify requirements in your specific solicitations and contracts. Today's guest is the Senior Manager of Information Security and is also Lead CCA at NSF, where she has been for over 11 years. NSF is proudly the first C3PAO in Michigan and one of the few C3PAOs that also operate as a certification body, working with standards such as ISO 27001, 9001, AS9100, and NIST frameworks. Rhia, it's great to have you. Thank you for joining us today.

Rhia (01:06)
Thank you. Thanks for having me, Christian.

Christian Reyes (01:07)
Our pleasure, our pleasure. NSF is actually our own certification body here at QT9. You've been to our facility, right?

Rhia (01:15)
It's beautiful, yes. I can see how you guys all stay there and not work from home.

Christian Reyes (01:17)
Awesome.

It definitely makes it easier when you have a golf simulator, a gym, a basketball court. It definitely takes the sting off of going in. But unfortunately, I did not have a chance to meet you the last time you were here in person, but perhaps next time when re-cert comes up. But to get started here, very top level, what problem is CMMC trying to solve?

Rhia (01:42)
Great question. Well, you know, back in the day, the contractors in the Defense Industrial Base were expected to self-assess their NIST 800-171 compliance, you know, because, you know, nothing says secure like good intentions, right? And so, to the surprise of no one, that didn't work, you know, which underscored the need for a formal certification framework. So that's where CMMC entered, with accountability, and there are 320 assessment objectives.

Christian Reyes (02:10)
That's quite a lot. That is more than a handful. What does your day to day look like at NSF supporting clients on CMMC?

Rhia (02:17)
Okay, that's a good one. Supporting clients on CMMC, we really just give them the information that they need in order to go through a successful assessment. That's really just providing them the resources that are available either through the Cyber AB website or through DOD. And after that, it's really just a matter of going through phase one and phase two with them, because we are the certification body, so we don't do any consulting. But we will be able to provide mock assessments to OSCs, which is organizations seeking certification. So we do provide that. But other than that, we are really just going through that certification with them and hopefully issuing that cert to them at the end of it.

Christian Reyes (03:01)
Fantastic, fantastic.

Rhia (03:02)
that.

Christian Reyes (03:03)
And you were saying that the DOD moved from self assessments or self attestations to verified status. And that's mainly because the self assessments weren't working, correct?

Rhia (03:15)
Absolutely,

yes.

Christian Reyes (03:16)
Well, so there are different levels, correct, within CMMC? Level one, two, and three, correct? How do those differ at a high level?

Rhia (03:21)
the world.

Yes.

Well, so level one is really, it's if you handle federal contract information. And that requires implementation of 15 basic cybersecurity requirements. If you handle controlled unclassified information, that's level two, and that addresses the protection of CUI and implementation of all 320 assessment objectives. And then level three, that also addresses the protection of CUI in addition to the protection against advanced persistent threats, APTs, and that's outlined in NIST 800-172, which is the supplement to NIST 800-171 for enhanced security requirements.

Christian Reyes (04:08)
Okay, okay. Is CMMC more of a security framework or a contract gate? Or both?

Rhia (04:14)
Both, yeah, that's a great question. It's definitely both. You want to make sure that you're in compliance with all 320 assessment objectives, but also in order to even be eligible for contracts, you will need to have some sort of level of CMMC depending on what type of information you handle, whether it's FCI or CUI.

Christian Reyes (04:36)
Okay, so if I'm understanding correctly, level one maps to basic safeguarding for FCI. Whereas level two aligns to NIST 800171 for CUI. And level three adds the NIST 800172 controls for the most critical programs.

Rhia (04:49)
Yes.

Absolutely. Yes.

Christian Reyes (04:59)
Got it, got it. We're making progress. I'm learning. So now that I understand that, let's try and unpack scope and evidence a little bit. But before we get into that, who actually needs CMMC status?

Rhia (05:01)
you

Yeah, well, that is actually a really great question. So applicability of CMMC, really the primes are the first one to feel the impact of CMMC. So we're talking, Lockheed, Boeing, General Dynamics, Raytheon, they've already flowed down these requirements to their subcontractors. So really, if you handle any type of FCI or CUI or even admire it from afar, you will need to comply with a level of CMMC.

Christian Reyes (05:40)
Okay, it's a pretty wide range. A lot of people fall under that, a lot of companies. So it applies to primes and all tiers of subcontractors that touch FCI and CUI.

Rhia (05:53)
Absolutely, yes.

Christian Reyes (05:54)
What's a quick way to tell if a contract will require CMMC? Is there a specific clause or section that people should keep an eye out for?

Rhia (06:03)
Well, so CMMC is governed by two rules. The first one is the 32 CFR rule, and that really was the implementation of the CMMC program. And then the 48 CFR rule will become effective November 10th. And that is where you will start to see CMMC as part of contract clauses.

So really, by November 10th, we're expecting to see the CMMC requirements in new contracts, and there is a rollout period. So we'll start to see the new contracts and then option periods. So by the end of November 2028, you'll start to see CMMC requirements in every single contract dealing with the defense space.

Christian Reyes (06:47)
Okay, so it'll be a little bit clearer come November of 2028. And just to take it back a second, I know you did mention these earlier, FCI and CUI, but for the sake of our listeners, FCI is federal contract information and CUI is controlled unclassified information.

Rhia (07:04)
Yes, yes. So here I could give you an example, Christian. So FCI, that is really, you know, like it says, it's federal contract information. So that's really contract details, communication about, you know, contract execution. So all things contract related. And CUI, it's sensitive, but it's unclassified information. So it's, you know, it's basically the government's version of, you know, don't post this on Instagram, really.

Christian Reyes (07:29)
You

Rhia (07:31)
So it's, you know, it's sensitive, but unclassified. So we're thinking, you know, engineering drawings or technical data, anything really that's labeled or marked CUI, you know, it's CUI.

Christian Reyes (07:44)
And generally speaking, is that stated on those types of documents themselves?

Rhia (07:50)
No, that'd be too easy, Christian. No, not at all. You pretty much, you know, there's no fun in that. You have to really make your own CUI conclusion. You know, going with your gut instinct is really what contractors need to do. But not a lot of information is marked or labeled CUI. But if you think that you have CUI, then you should really be safeguarding it as if it is CUI.

Christian Reyes (07:52)
Hehehehehe

Gotcha. In my research for this podcast, the acronym COTS kept coming up, commercial off the shelf. I've never heard that before in this context. Could you define that for me?

Rhia (08:30)
Yes, so COTS, you know, it's exactly right, commercial off the shelf. If it's really anything that is not modified, so you can just go to Best Buy and buy that software, or just go anywhere and buy the software, if you're just getting it directly from the shelf, then that does not have to comply with any type of CMMC requirements.

Christian Reyes (08:54)
Okay, so COTS are truly excluded from CMMC.

Rhia (08:57)
It is, yes, because

it's commercially available.

Christian Reyes (09:00)
So do individual software companies within a company's digital ecosystem need to be CMMC compliant? Or is it more of a function of like the ecosystem as a whole?

Rhia (09:10)
So really, you need to be compliant if you think that you're going to handle CUI. Or if your tier above you is flowing down that requirement to you. But really, if you don't handle CUI, there is no requirement to comply with CMMC.

Christian Reyes (09:30)
Okay. So if your work processes or stores or transmits FCI or CUI for DOD, you can expect CMMC in this solicitation.

Rhia (09:41)
Absolutely.

Or if anyone above you, like a prime or a contractor, will flow down that requirement to you and provide you CUI, then you do need to comply with level two.

Christian Reyes (09:55)
Okay, so the flow down reaches subs.

Rhia (09:58)
Yes.

Christian Reyes (09:58)
Gotcha, gotcha. So I'm still rounding out my knowledge here. We're definitely making progress. But let's go from theory to practice as talking, namely scoping and assessments. At level two, how do you scope the environment? What's in and what can logically be out of scope?

Rhia (10:18)
Yeah, so scoping really, that is extremely critical. It's primarily based on details that are provided in your system security plan, your network diagram and your asset inventory. So really, whatever information that you put as part of those documents, that is part of the scope of your level two assessment. And that's really something that will be determined during phase one of your CMMC assessment.

Christian Reyes (10:44)
Okay, and you did not mention, you did allude to this earlier, but what does a C3PAO actually do and how is it different from a consultant?

Rhia (10:54)
A C3PAO, we are the assessors. So we're the ones that evaluate your environment. We look at implementation of the 320 assessment objectives. Whereas a consultant, they will help you with remediation. They provide help prior to your CMMC assessment.

Christian Reyes (11:13)
Okay, so how are requirements tested against NIST 800-171A objectives? What counts as met versus not met?

Rhia (11:21)
Okay, that's a great question. Well, really it is when we go through your, your CMMC environment, we're looking at all 320 assessment objectives. And in order for those control, those assessment objectives to be considered met, you're going to have to provide evidence through either through testing, examination, or documentation that these controls are met.

Christian Reyes (11:23)
Yeah.

Rhia (11:47)
And if a control requires a technical piece of evidence, you can provide documentation, but as far as scoring it met or not met, it'll be more definitive if you provide a technical piece of evidence through testing rather than through documentation.

Christian Reyes (12:07)
Okay, it has a little bit more weight to it as opposed. That makes sense, that makes sense. What's unique about Level 3 and who performs those assessments?

Rhia (12:09)
Absolutely, yes.

Level three, so level three does include everything from level two, but it also includes the protection against the advanced persistent threats, which is in 172. And so you have to go through a level two assessment with a C3PAO. And then once you pass that, then you can actually go to the DOD and ask them for that level three assessment.

Christian Reyes (12:38)
OK, OK. And kind of the last question in this piece, if we use a cloud that touches CUI, what's the quick test for acceptability?

Rhia (12:49)
That's a great question. The quick test is really just to go on that FedRAMP marketplace and make sure that they are either FedRAMP moderate or FedRAMP equivalent. If they're FedRAMP equivalent, they won't be in the marketplace, but if they are FedRAMP moderate, then you can see them in the FedRAMP marketplace.

Christian Reyes (13:07)
Okay, okay. So let's get tactical. Companies ask, where do we start and what proof do assessors expect? If a team starts this week, what are their first five tasks?

Rhia (13:19)
Really, you want to make sure that your system security plan is well documented. I'd say, okay, the very first step is really you want to go through a self-assessment. You want to go through those 800-171 controls and see what your gaps and your deficiencies are. And then at that point, you want to make sure that you remediate those gaps and deficiencies, and then you document everything. So you want to make sure that your system security plan is well documented, your implementation is part of that system security plan. You want to make sure that that is all well-defined. And then the network diagram is also another really critical piece of documentation that you need to have in place. And then also your asset inventory, which categorizes your hardware and your software that is part of your CMMC assessment scope. You want to make sure that that is all well-defined and documented and it all aligns with each other and it's consistent.

Christian Reyes (14:18)
If it's not documented, it didn't happen, right?

Rhia (14:18)
Absolutely.

Yes. So even those practices that are assumed or implicit, you want to make sure that those practices are also documented.

Christian Reyes (14:30)
Absolutely, absolutely. What's the minimum viable evidence package that an assessor expects?

Rhia (14:36)
Well, for phase one, we're taking a look at the system security plan, network diagram and asset inventory. So those three pieces of evidence are really what is going to determine the scope of your assessment. So if that's inconsistent or we're not able to fully align what's in your asset inventory versus what is in your network diagram, then the scope of the assessment can't be determined. And so it's really back to phase one if you can't show that, you know, that scope is well defined.

Christian Reyes (15:09)
Gotcha, gotcha. Time for a decision lens. For a software vendor like QT9, where we serve regulated industries with QMS and ERP, when, if ever, does it make sense to pursue CMMC?

Rhia (15:21)
Well, you know, we talked about this earlier, that 48 CFR rule becomes effective November 10th. And that's when CMMC requirements will start to appear in contracts. So if a software vendor feels that they are going to be part, that they are going to receive CUI or they will have that flow down to them, then this is the time to really start to get a C3PAO engaged and get scheduled, because right now, with that 48 CFR rule becoming effective November 10th, that's going to increase that demand for assessors and for assessments. So that's going to push back the timeline for everyone. If you're not ready to, or if you want to start to engage a C3PAO, that's really going to make the expectations a little longer than what you may have anticipated.

Christian Reyes (16:18)
Okay,

there's, I mean, it makes sense. This is a very timely episode that we're doing and really couldn't be more timely. And so ultimately, when should a software vendor get its own CMMC versus just relying on a customer scope?

Rhia (16:35)
Really, you know, now is the time. Nothing better like the present, Christian. So, you know, if you're ready, if QT9 is ready to go through a CMMC assessment, I say go through it now, because really, at the end of it, you don't know when something's going to pop up, you know, a contract you'll want to bid on or customers that are asking you for this. So this is the best time to do it, now, really, you know, before that 48 CFR becomes effective. This is the time. C3PAOs have time right now, or not, but, you know, there could be a crunch at some point later on after the 48 CFR becomes effective.

Christian Reyes (17:07)
Yeah.

So it sounds

like you're at least potentially expecting the demand to exceed the supply of C3PAOs.

Rhia (17:22)
Absolutely, yes.

Christian Reyes (17:24)
You guys will be busy. That's for sure. So if a company doesn't host or touch CUI, is there still a business case for level one as a trust signal?

Rhia (17:26)
Yeah.

Yes, absolutely, because level one is really basic safeguarding requirements. So if you were to go through a level one, that's actually a self-assessment. So that's something that you would do yourself for those 15 controls. And you wouldn't get an official certificate, but you can say that you self-assessed to level one and you're complying with those basic security requirements. So really, anyone should go through that, because they're basic. You want to make sure that you have certain things in place and there's training done and the personnel is aware of what could be considered a threat. You want to make sure that all of that is really part of your organization and your business model.

Christian Reyes (18:20)
Absolutely, absolutely. I mean, it, like you said, it's not, I don't want to say basic requirements, but it's things that, for all intents and purposes, most companies should be doing. If you're hosting, you know, some type of sensitive data or information, how do primes view vendors without a visible CMMC status in SPRS?

Rhia (18:40)
So primes, when you are eligible, when it's contract award time and there is a sub that isn't CMMC certified, you shouldn't be working with them as a prime, because really that is the whole part of CMMC. Everyone who is part of that contract should have some level of CMMC based off of what it is that you handle. And if you don't handle, and if you aren't certified to that level of CMMC, then you aren't eligible to even have award of that contract.

Christian Reyes (19:15)
Gotcha.

So what timeline would you, what's the timeline for a realistic level two readiness for C3PAO assessment?

Rhia (19:23)
If you're starting from zero?

Christian Reyes (19:25)
Yes.

Rhia (19:25)
So if you're starting from zero, give yourself, I would say give yourself a year to really go through and have implementation. If you want to do it a little quicker, then you can establish an enclave for your CUI. So what that does is it reduces the complexity of your CMMC scope. And so, really, when you're going through that CMMC assessment, you're only looking at the enclave and you're not looking at everything else that's part of the enterprise. And that will make implementation of CMMC a little faster, because you're only dealing with certain departments or certain software and systems that process, store or transmit CUI. And also, leverage those FedRAMP solutions, because that will help you, because you'll be able to inherit some of those controls from those FedRAMP-compliant solutions, and it'll lessen the burden for the team.

Christian Reyes (20:30)
Gotcha, I've actually not heard that term before, enclave. That's good advice. It's basically, if I'm understanding this, like a compartmentalization of what the controls need to control. Got it, got it. So ultimately, it sounds like bottom line, you want to tie the investment to your go-to market. And if your roadmap handles

Rhia (20:42)
Yep, yes.

Christian Reyes (20:53)
If your roadmap includes handling customer CUI or selling into programs that do, then CMMC becomes a strategic enabler, not just a cost. Now, to kind of wrap up here, we're just going to do what I call a lightning round. And basically, it's just quick hits, true or false. So I'm going to throw a couple statements at you and just, yeah, tell me true or false.

Commercial off-the-shelf only suppliers are exempt.

Level 3 assessments are performed by DIBCAC, not C3PAOs.

You complete an assessment once and you're done.

Rhia (21:27)
False

Christian Reyes (21:27)
That kind of goes back to what we mentioned earlier, where you plan for annual affirmations, correct?

Rhia (21:33)
Annual affirmation, and then there is three-year recertification.

Christian Reyes (21:36)
Got it, got it. All right, well that wraps up our lightning round and that wraps up our time for today. But Rhia, thank you, thank you very much for joining us today. We really appreciate you coming on here and really making CMMC practical and taking the time. So thank you.

Rhia (21:41)
Okay. Thank you.

Thank you, Christian. I really appreciate you doing this. It's a really great educational piece for everyone too, who is looking into CMMC. They don't know if they need it, but this has been great. I really enjoyed this a lot. So thank you.

Christian Reyes (22:09)
Awesome, awesome. We've enjoyed having you on. And where can people find you or reach out to NSF if they want to?

Rhia (22:16)
Yes, you can go to nsf.org and you can look up information security and you can see how to get a hold of us. We're also in the Cyber AB Marketplace as a C3PAO, so you can see us there too.

Christian Reyes (22:28)
Awesome, awesome, and we'll put links to those things in the show notes for all of our listeners. Thank you again, Rhia. We really appreciate you coming on. And thank you to all of our listeners that tuned in today. If you enjoyed our show or if you found it helpful, please like, comment, and subscribe. And please share the Q-Cast with a colleague or drop us a rating. Reach out to me. I'd love to hear from you guys.

So until next time, build quality and stay compliant.
