The State Department recently fined Honeywell $13M for cybersecurity shortcomings. In this episode, FD’s Sabrina Serafin interviews Scott Edwards, CEO and Founder of Summit 7, to discuss CMMC and what companies working with the US Department of Defense need to do to achieve compliance.
Culture of Compliance | Defense Providers: The Cybersecurity Maturity Model Certification (CMMC)
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin Welcome to Frazier & Deeter’s Culture of Compliance podcast series where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance practice.
Today, we’re excited to talk to Scott Edwards, Chief Executive Officer and one of the founders of Summit 7, a leader in security and compliance with Microsoft Cloud Services. Scott has a fascinating background; after graduating from West Point, he started his career in the United States Army, followed by a stint as the NASA Data Center’s Chief Engineer. Through his leadership, Summit 7 Systems has been recognized by Microsoft with the 2020 US Partner Award for Security and Compliance, received the CMMC RPO accreditation in 2021, more on that in a moment, and gained the trust of hundreds of Department of Defense suppliers as contracts.
Today, we’re talking about those federal contracts and how organizations become qualified to serve the federal government. Scott, welcome to the podcast.
Scott Edwards Thank you so much, Sabrina, it’s really great to be here. I’m looking forward to talking through this very interesting and sometimes complex topic that has been out there for a couple of years now. But there are lots of questions out there, and I am very happy to be here speaking with you about it.
Sabrina You mentioned a couple of years, and it’s only been a couple of years. I breezed through it in your introduction, but today’s topic is the Cybersecurity Maturity Model Certification, or CMMC. For the benefit of our listeners who are not familiar with CMMC, can you explain what it is?
Scott Sure, so CMMC is the Cybersecurity Maturity Model Certification, and this is a process that is being put in place by the Department of Defense Under Secretary for Acquisition and Sustainment that really focuses on the cybersecurity posture of the DOD supply chain. What happened in 2016 is that the DOD released a clause, if you’re familiar with the DFARS, the Defense Federal Acquisition Regulation Supplement, called DFARS 252.204-7012, that specifically put in place cybersecurity requirements for DOD suppliers that handled what is called Controlled Unclassified Information. This started rolling out in 2017 and there was a deadline of December of 2017 for all of the suppliers to be “compliant” with this DFARS 7012 requirement.
Well, what happened was the inspector general for the Department of Defense went out and started auditing or assessing DOD supply chain members and found out that essentially nobody was following it correctly. They thought they were compliant, but they were nowhere close. And because of this, they wanted to move away from this self-assessment standard, which is what it was under DFARS, to a third-party assessment, which is what CMMC is. That’s where CMMC got its start. It was essentially the failure of the DFARS 7012 clause that led to the implementation of this CMMC requirement.
Sabrina I understand CMMC details different levels of certification. Specifically, we’ve had many discussions of level one versus level three. Can you explain the significance of the levels?
Scott There are five levels of CMMC, level one to level five, level one being the lowest, level five being the highest. The majority of companies in the defense supply chain are going to be either level one or level three. That’s where the majority of companies are going to land. There are different kinds of data that the DOD suppliers work with: you have what’s called Federal Contract Information or FCI, and then you have Controlled Unclassified Information or CUI. And then there are subcategories of CUI, things like Export Controlled information like ITAR and EAR and other types of data that fit inside CUI.
So, if you are a company that deals only with this FCI content or this Federal Contract Information, which is not public information but does not meet the threshold for Controlled Unclassified Information, then those kinds of companies are going to typically be what’s called CMMC Level one, and CMMC Level one is a baseline basic cybersecurity level. There are 17 practices that you have to have in place, and all of these 17 practices are based on what was initially called the FAR 15 Practices or the Federal Acquisition Regulation 15 practices that were put in place back in 2015.
So, they’re really basic cybersecurity requirements, they’re not super difficult to meet. They’re not going to be super expensive for you to meet. But it puts some basic things in, like change your password, make sure that you don’t have group accounts, that kind of stuff. When we step up to level three, though, that’s where things get really dicey for a lot of companies. The reason is because it’s a level of cybersecurity that many DOD suppliers have not been meeting up to this point. Level three is based on the requirement that was in DFARS 7012 to meet a standard called NIST 800-171. So, NIST 800-171 was a list of one hundred and ten cybersecurity controls that had to be in place to meet DFARS, and then CMMC added to that an additional twenty controls. So, we have a total of one hundred and thirty practices plus maturity level processes and policies that have to be put in place for you to be able to meet CMMC Level three. That is a significant lift from either CMMC Level one or from not having a CMMC certification at all.
Then, we get into level four and level five, those are more advanced cybersecurity postures. Those kinds of postures are typically meant to deal with things like advanced persistent threats and other kinds of more advanced attacks that happen against DOD supply chain members. But you’re not going to find that the majority of companies are going to have to do either Level four or Level five, unless they are working in a highly technical, borderline classified weapons system program, say, maybe hypersonics or missile defense or maybe the F-35, some of these really high end programs that have unclassified content. Yes, it’s unclassified, but it still would be very damaging if that information got out, if China was able to get access to that information.
For example, you look at all of China’s new weapon systems, they basically are carbon copies of the United States weapons systems, because all they’ve done is stolen all the plans and then built it themselves. So, what we’re trying to do is protect that from happening from Russia, China, Iran, all the bad actors out there who are our adversaries. We’re trying to protect the DOD supply chain by ensuring that they have some basic cybersecurity measures in place to stop this from happening.
Sabrina Thank you, Scott. What type of organizations need to comply with CMMC Level three? And are there trends that you find in areas that present the biggest challenges for these organizations?
Scott Sure, that’s a great question. What we see is, well, first of all, any company that is going to be dealing with Controlled Unclassified Information is going to have to be at least CMMC Level three or higher because CMMC Level three is the lowest level at which you can deal with Controlled Unclassified Information. If you have that kind of content, then you know that CMMC Level three is going to be your baseline. So, what types of companies are these that deal with Controlled Unclassified Information? That’s kind of the follow-on question, right? Well, these are going to be companies with many manufacturers, because any time you’re talking about building a bolt or an airframe or the electronics for the inside of a weapon system or anything like that, you’re going to have designs and specifications that are going to be a target for adversaries to get access to.
So, that content, if it’s not classified, it’s going to be Controlled Unclassified Information, potentially even Export Controlled Information. Companies that are dealing with that kind of information are going to have to meet CMMC Level three or higher. When you think about Controlled Unclassified Information, we’re not just talking about the actual drawing or specification, it could simply be a part number. Literally a part number can be considered Controlled Unclassified Information. If you think about everywhere that part numbers may exist of these types of materials, then that’s in a lot of different systems and a lot of different companies have access to that kind of information. It gets very broad very quickly.
The DOD has estimated that there are about three hundred thousand DOD supply chain members out there. Of those three hundred thousand, the DOD has estimated that about sixty thousand of them are going to be CMMC Level three. My expectation is that the number of CMMC level three companies is actually going to be higher than that, and the reason is because CUI content finds its way to places where it should not necessarily be. Content gets flowed down to providers or DOD supply chain members that don’t necessarily have a reason to have that content or don’t have to have the content.
There are a couple of things that you have to do here as a DOD supply chain member. You have to be very careful about who you flow content to. Don’t flow CUI content, don’t flow export controlled content as part of a contract to a subcontractor that doesn’t have a need to have that information. That will save them from having to be CMMC Level three; they might be able to be CMMC Level one instead, which is going to allow them to be more efficient with the dollars, and their pricing to you is going to likely be lower because they don’t have to meet these high level security requirements.
Now, if the content has to be flowed down, then you have to flow down the CMMC requirement to those suppliers; it has to go all the way down the chain. The requirement follows the information; it is a data centric requirement. So, whoever has CUI anywhere in that chain is going to have to be CMMC Level three or higher if they have CUI content.
Sabrina I understand there are some implications for Microsoft Office 365 or any cloud offering for the organization seeking CMMC and what they need to understand. Can you give us some insight into the issues there?
Scott Absolutely. So, Microsoft has been very forward thinking on the whole CMMC requirement. Microsoft built out back in the mid-teens a US government sovereign cloud offering that was meant specifically to handle things like Export Controlled Information or ITAR information. And then as DFARS came out and as CMMC has come out, they have continued to improve that platform to be able to handle Controlled Unclassified Information, Export Controlled Information, the DFARS 7012 requirements and those capabilities as the platform has grown, which is great because there are not a lot of cloud platforms out there today that can really handle all of this content correctly.
So, Microsoft built this US government sovereign cloud, and you may hear it referred to as Office 365 GCC High and Azure Government; that’s the platform that Microsoft built to handle Controlled Unclassified Information and Export Controlled Information. Now, they have a separate environment that is really built on the commercial cloud that’s called the Government Community Cloud. It was built initially for state and local governments, but Microsoft has recently opened it up to be able to be used for Controlled Unclassified Information, but not Export Controlled Information. So, if you have Controlled Unclassified Information, but not Export Controlled Information, it may be possible for you to use the GCC platform instead of the GCC High platform. However, if you have Export Controlled Information, the GCC High platform is the only place for you to really be with that content.
So, you have to understand your data really well to be able to pick the right platform. Both of these platforms are undergirded by an infrastructure that has been FedRAMP certified at the FedRAMP High level, and this is another certification that is important when we start talking about cloud services. The government started this FedRAMP program back in the 2010–2011 time frame to essentially certify cloud services that can be used for government data. The DFARS clause that came out in 2016 basically specified that any cloud service that was going to be used for government data, for Controlled Unclassified Information, had to be at least FedRAMP Moderate equivalent or higher. So, Microsoft built these infrastructures not just to FedRAMP Moderate, but to FedRAMP High, going above and beyond the requirement so they could ensure that they met the necessary needs. Microsoft has been very forward thinking with these platforms to ensure that they’re able to handle and support both the DOD supply chain as well as the federal government directly; that’s why they built these environments.
Now, there are other providers out there that have cloud services that meet these requirements; one that comes to mind that most people think of or know of would be Amazon Web Services, their GovCloud platform. It has a great following out there, great services. The challenge with the AWS platform is they simply don’t have a SaaS based offering that does things like Exchange and SharePoint, OneDrive, Teams and those kinds of capabilities, the kind of back office core capabilities that people are looking for in email; they don’t really offer that. But if you’re looking for an IaaS solution, an Infrastructure as a Service solution, or a Platform as a Service solution, then Amazon GovCloud can provide that as well. Microsoft has built this all encompassing solution with the US Sovereign cloud that gives you the O365 capabilities and gives you the Azure Infrastructure as a Service and Platform as a Service capabilities, which is really great.
Sabrina I imagine we have a number of CISOs listening whose companies may be looking to grow by entering into an area that will cause them to handle Controlled Unclassified Information or CUI. What advice do you have about the actions that these CISOs need to take to prepare to be certified?
Scott Sure. It’s actually a pretty long journey, to be honest. Most companies are not able to do this in a very short period of time. It takes anywhere from, I would say, an absolute minimum with all the necessary resources of a year to do it, and then most companies are taking 18 months to two years and sometimes even longer than that to get through everything that needs to be done. The first thing that you really need to think about, if you’ve been under DFARS before and you’ve had those requirements levied on you and you just haven’t finished that, then I would say the first thing you need to do is meet your DFARS obligations, the DFARS 7012 obligations.
If you’re brand new to the DOD supply chain and you haven’t had any of these requirements in the past, then you’re going to need to take an overarching look at your IT infrastructure. You’re going to need to determine how you want to meet these services, these requirements. Are you going to try and build this in-house or are you going to leverage external third-party service providers to do this? You’re not going to be able to, say, give this as an additional duty to somebody you already have on staff and say, “Okay, go make this happen.” It’s not going to work. You just can’t do it. You’re going to have to have a dedicated staff to focus on this or you’re going to have to bring in third party providers to come in and assist you with it. You may end up having to do both, because it is a lot. You have a lot of documentation that has to be built about your infrastructure, you have to build out what are called system security plans, you have to build out an entire policy set, you have to build out procedures on how you do everything from a security standpoint within your IT infrastructure.
But you need to be careful and not think that this is an IT problem; this is not an IT problem. Don’t hand this to your CIO and say, “Okay, CIO, go make this happen.” This is a business problem because business processes are impacted; your business’s ability to pursue contracts is impacted. If you don’t have this in place and you’re not putting the appropriate leverage on this at the C level, then you’re going to have challenges getting it adopted through the organization. It’s going to have to be something that is championed and pushed in the C suite. Otherwise, you’re going to struggle for a long time trying to make it happen. The IT team cannot push this up the chain. It’s very, very difficult for the IT team to do that.
Sabrina This podcast specifically addresses compliance expense and really tries to communicate how compliance expenses can be truly an investment in a business. So, from a budgeting perspective, what should companies be expecting or preparing for as they determine whether this is an area that they want to either continue or enter into?
Scott What I always tell everybody is that CMMC and DFARS is a six figure problem. It doesn’t matter if you’re a five person company or if you’re a five hundred person company, it’s at least a six figure problem. You get larger than that, it becomes a seven figure problem. The challenge is you’re not just putting together some documentation and making some changes to some IT infrastructure. In many cases, you’re ripping and replacing the majority of your IT infrastructure as part of this effort. Because many companies are sitting on commercial infrastructure or infrastructure that is not FedRAMPed, or they have on premises infrastructure that they don’t want to deal with trying to bring up to spec, you’ve got all of those requirements.
Then, you have the cost of the on staff people that are going to have to help you through the process and then the cost of the third party people that are going to be helping you. And then you’ve got the ongoing costs, the ongoing costs of supporting this environment long term. And so once you put it in place, you have to support it, and it’s not going to be the type of IT support that you’ve done in the past because there are a lot of ongoing requirements from a security standpoint that you have to do on a regular basis. You now have to have change control processes in place, you have to have risk management processes in place. All of these are part of the CMMC requirement; it is a significant investment.
Now, I say investment and the reason I say investment is because it can also benefit you on the back side of this. If you get through this process, let’s say you weren’t a CMMC Level three company before and you had not been doing these things but you get in front of it and you get your CMMC Level three certification done quickly, then you’re going to be in a position where your competitors may not be there and they’re not going to be eligible for contracts that are going to be awarded in 2022 and 2023 because they have not put the investment in to be able to be awarded contracts.
These contracts go anywhere from a $500,000 contract that may have one or two people on it to a $10 billion contract, and everything in between. If you’re wanting to pursue those contracts and you see the federal government as a growth area for you, then you need to be on the front end of this, make that investment so that you are eligible to capture this business as it is released. That is something that the C Suite is very interested in hearing, because what your business capture teams really hate hearing is, “Oh, sorry, we can’t pursue that contract. We’re not CMMC Level three yet.” You start telling BD teams that they can’t pursue contracts because you don’t have a specific certification level, you’re going to have some very unhappy BD teams and that CEO’s going to be hearing about it really quickly. That is how I typically present the problem to businesses.
Sabrina Scott, what have you seen or what do you expect to see in the marketplace as a result of CMMC being introduced?
Scott What we’re going to see, and we’re already starting to see some of this, is you’re going to start seeing a lot of merger and acquisition going on in the industry. The reason is because the super smalls are going to have challenges getting certified in many cases because of the cost, because of the focus required. You’re going to see a lot of the super small companies start banding together to essentially spread the cost and the compliance challenges across multiple companies by merging together to form larger companies. Then, you’re going to see other companies just being acquired by large companies that have already been able to meet the requirements. So, I think we’re going to start seeing a lot of merger and acquisition activity in the DOD supply chain over the next couple of years due specifically to CMMC.
This poses a real big challenge for the federal government as a whole, though, because the federal government as a whole is very focused on small business development. They’re very big into making sure that you have 8(a) companies, women owned small companies, veteran owned companies, service-disabled veteran owned companies and all of these different types of companies that typically start as very small companies. One person, two people, three people. Well, how do these one person and three person companies get to a level where they can afford a CMMC Level three certification to be able to handle Controlled Unclassified Information? Many of them are going to have a significant challenge with that. They’re going to only be able to do CMMC Level one type activities for a period of time until they grow.
That’s why I think you’re going to see a lot of merger and acquisition going on, and that’s going to open up opportunities for those companies that are able to get CMMC Level three. If you make that investment, you may have the opportunity to grow through acquisition as well, acquiring some of the smaller companies that have specific capabilities that you’re wanting to bring into your team.
Sabrina Scott, thank you so much for being with us today and helping us understand more about CMMC. And to our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.