The CMMC 2.0 Sh*t Show (EP 840)

CMMC 2.0 is shaking up the world of MSPs and government contractors, with new rules, higher costs, and tighter deadlines.
Join Uncle Marv and special guest Ryan Miller, CISO and vCISO at RootPoint, for a no-nonsense look at the new CMMC 2.0 rules shaking up the IT and MSP world. Ryan reveals why the Department of Defense’s phased rollout is set to cause chaos, why most MSPs are in for a rude awakening, and what it really takes to get compliant. Learn the differences between FCI and CUI, the truth about audit timelines, and why prime contractors might force you to Level 2—even if you think you’re safe at Level 1. Ryan also shares his personal strategies for mastering CMMC’s complexities and points listeners to top resources like GRC Academy and Summit 7 for further guidance.
Why Listen?
- Get the unfiltered truth about CMMC 2.0’s impact on your business and clients.
- Learn how to avoid the most common and costly compliance mistakes.
- Hear firsthand advice from a CISO who’s helped dozens of MSPs navigate the CMMC maze.
- Access must-know resources and real-world strategies to prepare for the coming compliance storm.
Companies, Products, and Books Mentioned
- RootPoint: https://www.rootpoint.com
- Summit 7: https://www.summit7.us
- GRC Academy: https://grcacademy.io
- Kaseya: https://www.kaseya.com
- Honeywell: https://www.honeywell.com
- Lockheed Martin: https://www.lockheedmartin.com
- Adobe: https://www.adobe.com
- Koffee Kult: https://www.koffeekult.com
=== SPONSORS
- Premier Partner, NetAlly: https://www.itbusinesspodcast.com/netally/
- Internet Provider, Rythmz: https://www.itbusinesspodcast.com/rythmz
- Production Gear Partner, Liongard: https://www.itbusinesspodcast.com/liongard
- Travel Partner: Bvoip: https://www.itbusinesspodcast.com/bvoip
- Travel Partner: TruGrid: https://www.itbusinesspodcast.com/trugrid
- Digital Partner, Designer Ready: http://itbusinesspodcast.com/designerready
=== MUSIC LICENSE CERTIFICATE
- Licensee: Marvin Bee
- Registered Project Name: IT Business Podcast
- Item Title: Upbeat & Fun Sports Rock Logo
- Item URL: https://elements.envato.com/upbeat-fun-sports-rock-logo-CSR3UET
- Author Username: AlexanderRufire
- License Date: January 1st, 2024
- Item License Code: 7X9F52DNML
=== Show Information
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
- Uncle Marv’s Amazon Store: https://amzn.to/3EiyKoZ
- Become a monthly supporter: https://ko-fi.com/itbusinesspodcast
Hello friends, Uncle Marv here with a special edition of the IT Business Podcast. And today I am going to chat about CMMC. Well, let me rephrase that.
I'm going to chat with somebody who is going to help me understand CMMC. And hopefully he will do that for you as well. And the reason we're doing that is the Department of Defense has finalized and enacted the CMMC 2.0 rule in December of 2024, with requirements starting to appear in contracts throughout 2025.
Full implementation is expected by October 2025. And all defense contracts will require CMMC compliance by 2028. Now, there's been a lot of confusion around CMMC.
I know that some of us have talked about running our businesses as if we are doing CMMC, but yet we don't have any government contracts. We don't have any of that. But hey, why not do that and make our clients do that? But that may or may not be the way to go.
So helping me to chat about that and explain all of that, I'm bringing in Ryan Miller of RootPoint. He has been on the show before. He is the chief information security officer and virtual CISO at RootPoint, based here in Miami, although Ryan is actually based himself out of Pennsylvania.
Ryan, welcome to the show. Thank you. I'm very happy to be on again.
All right. So I always bring you on to talk about these concepts that most MSPs don't understand. And of course, CMMC kind of falls right in the middle of that.
You guys are big into CMMC, correct? Yeah, yeah. We tread carefully. I'll put it that way.
Okay. All right. Let's do a quick primer what CMMC is.
I know that it's easy just to say, oh, it applies to government stuff. But what is CMMC and what is the actual real-life application? Okay. So CMMC is the Cybersecurity Maturity Certification that was originally developed for the defense industrial base.
So little caveat here, there's actually 19 other government agencies that are going to fall under CMMC once everything is done. However, CMMC for them will not go into effect until they finish their program. So all those other agencies are in a different timeline than what the DoD is.
So as you said, 48 CFR is expected to be published around October of this year, which will begin the phased rollout. The phased rollout will begin likely, right? Likely with the highest priority projects that are out there, which is going to be like your weapons systems and other sensitive war-based projects. Okay.
Now, does this really only apply to those types of government agencies that they have to be in defense? Or if you are tied to any peripheral sector, you mentioned 19 others, but is it just the defense side of government? No, no. On the list, I had it up in front of me, I think the Department of Transportation is on there. Okay.
Department of Homeland Security. I think DHS, Department of Homeland Security, yeah, there's 19 total. Okay.
Now, how would that affect, like, if you're an MSP and you're working with local governments, that may not specifically be those 19, but they have ties to those 19, would that apply? So, if the local government is fulfilling a federal contract, you would have flow down requirements, just like if it was from a prime contractor. But what is starting to shape up is what's called StateRAMP. And so, individual states are adopting a FedRAMP, CMMC-like program for people that are awarded contracts.
Okay. It's going to get complicated. Yeah.
Yep, very. All right. So, this rollout that was approved in December and, you know, coming out in phases, I guess the first thing we need to understand is that CMMC 2.0 is three levels or five levels? It was five levels, it's now three, right? Yes, yes.
Your level one is going to cover your federal contract information. Which is basically anything not labeled CUI and not labeled public. There's no label for it, which is what really muddies the waters here.
Right? Yeah. And then CUI, which is your level two at a minimum, is supposed to have a header and footer with CUI in it and a distribution statement A through F or B through F. And then level three is still CUI, but level three is reserved for companies that have a large aggregate of CUI, like your mega-primes, Lockheed Martin, Honeywell, and any companies that would be handling sensitive CUI. So, if it was intellectual property that was created on the behalf of a government contract for laser targeting systems, it would likely be level three.
And level one, of course, is kind of, I guess, the entry level point. So, most people are going to be at level one. That's the way the program's designed.
Okay. That's the way it's designed. Is that not the way it actually works? Probably not.
Because in CMMC, which is 32 CFR part 104, which has been live since December, I think it was published sometime November, late October. And then you have a period to where it's published before it actually goes live per se. So, the publishing isn't it being live.
So, you can get certifications now. But then 48 CFR is going to be rolled out starting probably sometime in October. And in CMMC, essentially, the DOD says, hey, look, we don't have full visibility into our supply chain.
We don't know if we're going to be able to. So, what we're going to do is we're going to make the prime contractors responsible for the flow down requirements. Keep in mind, the estimate for the total number of contractors in the DIB is right around 300,000 based on the prime contractor numbers that have come out.
The DOD came out with numbers in the low 200,000, right? But they also admitted that we don't have full visibility. There's a handful of these prime contractors that are going to be level three because of the aggregate CUI. They work with hundreds, if not thousands of companies through their entire supply chain.
They have to manage that. Or you have CUI then. So, what they're going to do is they say, hey, you know what? This is too much risk for us.
It's too complicated to say you're level one, you're level two. Make sure we have body of evidence and certifications. They're likely just going to be like, you know what? I want everyone level two because it makes it easier on me and it mitigates my risk.
I can say, hey, everyone I work with is level two. I have their body of evidence, certification. I did my part.
So, there are a lot of companies that right now are handling FCI that to continue getting contracts are going to have to go level two. And there's a significant cost and operational difference between level one and level two. Okay.
Now, I know that CUI is Controlled Unclassified Information. And the other one you said is FCI? Yes. What is FCI? Federal Contract Information.
Federal Contract Information, which is more critical than the CUI. No, no. So, it goes CUI, FCI, and then publicly releasable information.
Okay, got it. Yeah, yeah. So, FCI sits in kind of like a weird zone to where it's not public information, but it's not necessarily classified or private.
Yeah, yeah. It doesn't have a higher sensitivity like CUI. Okay.
Typically, FCI, you're going to see things for like small individual components, like a motor, like an electric motor. It could be a fan, a solenoid. And the idea is that a prime contractor says, hey, I need a case that has fins on it machined and produced for an electronic component, right? So, CUI goes to one subcontractor that makes the electronics.
And then FCI, because they just need to make the case. They don't need to know what's in it. They just need to know how long, the surface area with the number of fins, right? The width, all the dimensions for it, and the type of material because of the operating conditions, right? Heat, humidity, and even elevation.
So, CUI for the electronic components would go to one subcontractor, and then FCI with the housing would go to another. Because that housing producer doesn't need to know what's in it. They just need to know what the thermal performance needs to be in order for whatever that is to run.
But they're going to say, you know what? Both of you are level two because I'm going to hand you the same documents. You're just making one part of what's in this document. You're making the other.
Interesting. So, this all gets a little complicated. And I want to look at some of the misconceptions that MSPs have because of one of the things that you and I had talked about is the fact that MSPs themselves don't need to be certified in CMMC, correct? Correct.
And that is a recent change. However, not being certified will increase your customer's time to get certified because that C3PAO auditor has to go and fully assess you as an external service provider. So, it has to look at your SSP, your inventory, and there's a number of other documents that they have to look at to basically do a full assessment that would result in a certification without actually doing the certification.
So, if you have more than a couple customers, and depending on your own internal operations and operational load of your employees and expertise, say, hey, you know what? We can get away with saving the cost of being level two certified. Let the C3PAO auditor for our customer just fully assess us because we can optimize that process and they can get through it quickly. But if you have 10 customers, right, you might as well just say, you know what? Let's get certified.
And then when the C3PAO auditor comes to us and says, hey, you're an ESP, that's within scope because you provide security protection assets and you have administrative access to CUI systems, you can provide the body of evidence that the auditor would ask for and then your certification. Now, is certification, I know CMMC talked about being more closely aligned with NIST 800-171. Is that going to be, you know, the biggest framework that we would need to worry about or how many more things come with that? So for FCI, it is a subset of NIST 800-171 controls.
It is 15 basic controls with, I believe, 25 total controls. So you have another 10 that are derived. Level two, you're looking at 110 requirements with 115 controls.
So that's the entire document. And you not only have the 171 document. Okay, I'll put it this way.
CMMC does a nice job of giving you answers to the test. So you have 800-171A, which is what the auditors use to assess the controls. So as you're implementing your controls, you can go through 171A and say, okay, this assessment statement is asking for these controls.
If you can answer that with documentation and get that done ahead of time, you're going to speed up your auditing process. Interesting. Now, you mentioned timeline.
So what would be the typical timeline if you were audited versus or if you were certified versus not certified? That depends. I hate that answer, but it rings true. It all depends on what's in scope, right? Right.
And scope, scope, scope. So if a system as an ESP, which an MSP would be an ESP, external service provider. Any system that touches a CUI environment, whether it's an employee logging in to do administrative tasks through an RMM, that employee's in scope.
That RMM's in scope. Your EDR, XDR's in scope. Your firewall's in scope.
Hopefully you're not processing CUI or possessing CUI on behalf of the customer. Because let's say you have a rack and a data center to where you have a server that's virtualized, right? Well, now you've become a cloud service provider and now you have to do FedRAMP moderate. Okay.
Yeah. However, if you have a server in a rack, that's just like server 2025 installed. It's not virtualized.
It's just a single host server. You're still an ESP. So it makes a difference where the physical server is.
So if it's on-prem, not so much to worry about. But if it's in your data center, yeah, you got to worry about it. Well, it can still be in your data center.
It's just that the way NIST describes a CSP is if you can provision resources quickly inside of a data center. So, so let's say you have VMware as a type one hypervisor, right? You, and on, and you have multiple servers virtualized. That makes you a CSP because you can create and destroy virtual machines that are resources on demand.
Hmm. Okay. You, right.
You can't do that with a single host. A single physical host with no virtualization. Gotcha.
So, so if you're virtualizing and you possess CUI in that virtualized environment, you're a CSP or a cloud service provider. Hello, FedRAMP moderate. Goodbye, your margin for like 25 years.
Okay. So going back to 800-171. So, so I know from working with that, there's a lot of things in there that is on the onus of the client and some of it's on us. So, I mean, technically we're not responsible for all of 800-171 ourselves.
And that some of that stuff has to be done by the client. So in terms of, you know, documenting, you know, our work and compliance and stuff, how do we balance that? That's, I'm sorry for these questions. No, it's, it's, it's one of those questions that's a forever battle, right? There's, there's, there's really no answer to that.
You have to know your employees. You have to know your process. You have to know your tooling.
You've got to know your limits of your expertise. One thing I do want to point out is that the, the, there's an OSA or organization seeking assessment, and then there's an OSC or an organization seeking certification. So your OSCs are level two and for certification, and I mean, holds true mostly for level one.
For certification, it's the customer that is responsible for their compliance. Us as an ESP, we're just helping and advising. They really have to do it themselves.
We can say, hey, we can give you the tools, right? We can help you build the processes. We can help you with the documentation, but it's on you to make sure that your day-to-day compliance is met. And also, fun fact, right, is if there's a major change to your CUI environment, you might have to get certified again before the three years.
So before the three years. So on a regular schedule, it's every three years, but if you change something significant, that just restarts the clock. Yep.
Wow. Hello, $90,000 certification process a year and a half after getting certified the first time. Yeah, yeah.
Your, for small, medium business, I've seen the average with control implementation, right? So ESP labor, and this is for initial certification, right? Tooling during the certification period and preparation phase, labor by the ESP to assist the OSC in getting ready for the audit, and then the certification process itself is around $150,000 in the SMB space. Level one with FCI, just self-assessment, you're probably looking around $60,000 average. $50,000 to $60,000.
Okay. So these numbers don't sound enticing for most MSPs. I mean, there's got to be a huge return on the backside if I'm going to put out that much money to go through certification.
Right. Yeah, yeah, yeah. And so it's, well, the numbers I quoted are more for the customer that the ESP is serving.
Okay. That's what those numbers were for. Of course, when you do your own internal calculations, you're just looking like total cost of employment without margin, right? Because it's labor bill to yourself.
So it's, the calculus can be difficult because prime contractors, once again, likely, I want to emphasize likely, are going to require a lot more level one companies to be level two than what's expected now, or what are operating now at level one. So as a customer, what I advise is I say that the environment is changing to where September, October, November of last year, right? You could dip your toe at level one, do two, three, maybe four contracts a year, subcontracts a year, and you'll be okay, right? Your ROI, depending on the size of the contracts, exactly what you do as a business, your ROI could be a year to 18 months, right? Some companies can break even in one contract, more power to them. In fact, the DOD even says, hey, we know this is going to be really costly.
Put it, roll the cost of compliance into the contract, right? So subcontract all the way up to directly contracting with the government. So now that primes are saying, hey, we need our subcontractors that are level one to be level two certified now to mitigate our risk, even though it may not be material risk in the sense of properly practicing the program, it's self-created risk because primes want to be lazy, which really irritates me, because now you essentially have data leakage, right? Least privilege. If you don't need the data, you shouldn't get it, but primes are going to push it down.
So now these subcontractors that were level one, primes are saying, hey, you got to be level two. They're going, oh man, at my current contract rate, my ROI, I'll be breaking even every time I go to recertify. What's the point? Right.
That's why I asked the question, because I think a lot of people are going to look at it that way. And for people that have not yet started their CMMC journey, I mean, how would you even advise them to look at this? Because part of the problem is we don't know what those numbers actually are. Yeah.
I mean, you would have to do a cost assessment. And the thing about cost assessment is companies will go through and they'll do a gap assessment for CMMC. I don't really like doing that because you have to go through the control anyway.
And depending on your operating environment, you may have to add, take away, make changes. So even though doing a gap assessment at a high level, it may seem like you're satisfying the assessment question that's in 800-171A. But once you get into discovery, really get into the system and onboard the customer and start doing scope, it could turn out completely different.
So I don't even waste time on a gap assessment. I say, hey, we're doing CMMC. Let's set up our scope.
We've done this before. We can give you a rough cost estimate, plus, minus 5%, 10% based on the information we get from the customer. And we say, hey, this seems like it's missing some stuff.
So we're going to cost estimate a little higher here because of a number of unknowns. And then you start going through the controls and answering the assessment questions with documentation. Wow.
Yeah, yeah. And it's all because of the certification process that is so stringent with CMMC, right? C3PAOs, if you use passive language in your SSP, they'll tell you to rewrite it. So when you're filling out your SSP and you're answering those assessment questions, you say X does Y, right? Not we have a firewall, so we meet this compliance, right? We have a firewall that performs TLS inspection, IPS, web filtering, right? Do you have to name the firewalls? I mean, I know that there are some FedRAMPs where they actually list which devices are compliant.
Is that correct? Yeah, so from a contextual standpoint, I would, right? But you want to make sure your level of detail doesn't include things that are not in scope. Like if you have a physically separate network, you don't need to list the switches that are coming off the firewall. You just need to list the one switch that's the CUI network, right? Or the one VLAN that is the logical segmentation of your network, not all VLANs in your firewall and switches.
Gotcha. All right. Ryan, we've gone through a lot of stuff here, a lot of changes.
What do you think is going to be the biggest takeaway that we should learn from this? So I went to the compliance summit in DC that Kaseya put on. And Fred stood on stage and said, hey, with our suite of products and the automation we have, you can just do compliance. No hyperbole.
You can just do compliance. No, you can't. So do not approach CMMC with cursory knowledge whatsoever.
This is a large complex program that has multiple DFAR authorities or defense federal acquisition regulations. I think there's like five or six of them that apply to CMMC, including CMMC itself, which is a large document. Eat a slice of humble pie and go, there's a lot I don't know here.
And ask a lot of questions of people that are in the industry and have done it before. Ego has got to go out the door. Nice, nice.
CMMC will humble you quickly. All right. Go ahead.
Yeah, I was just going to say, because errors can result in loss of business and fines, like millions of dollars of fines, depending on what goes wrong. Um, like there have been issues with getting certification because of the shared responsibility matrix between an ESP, that is an MSP, and the customer seeking certification or organization seeking certification. So there have been SRMs that have said, hey, us as an MSP or an ESP, we do all of this stuff.
Where you don't, right? There have been MSPs that say, hey, you're inheriting all of these controls from us. There's, as of now, within the structure of CMMC, there's no control inheritance from an MSP. You may get some control inheritance from a security protection asset, right? Like an XDR.
But from an MSP, we are there to advise and engineer. We're there to architect, help them document, advise them on creating their internal documents and processes. So it's not as big of a role as people make it out to be for the MSP.
I was going to end off there, but I wanted to go back. You made a comment about we are there to advise and assist. We didn't talk about this here, but I know that there are vendors in our space that will assist with as-a-service programs for these types of certifications, where they will create the plans for us to give to our clients.
It sounds like if you're doing CMMC correctly and 800-171A correctly, we can't do that. Am I interpreting that correctly? Somewhat. So there are some things we can do.
If a control requires a process, we go to the customer and say, tell us what your process is. We document it, and then we put it in the repository. Let's say they don't have a process.
We can advise them on what it should look like, whether they have to take on a new service, hire a new employee, add an additional role to an existing employee, and then we document all that. What employee does what, and then how they do it. But that's the customer making those decisions and then informing us based on our advice.
We can't write the process for them. We can document it for them, but we can't per se create them for it. This is what you need to do.
They know the current services they have, their employee capability, and then they have to make those decisions. Gotcha. Okay.
Yeah. Um, so yeah, yeah. I mean, it all really comes down to the customer is really solely responsible for their CMMC compliance.
There is some risk with the MSP when it comes to incorrect advising or even poor documentation, but not directly with the government. It would be more of a certification false start is what they call it. Because what happens is they do a certification feasibility, like quick assessment and interview to see if you're even close to ready, if it'd be even worth going through the assessment and certification.
And that's to keep you from wasting money, right? Like you pay $60,000, $70,000, $80,000 for a certification depending on how big your scope is. And then you get to the end and it turns out that, uh, your MSP created your SSP for you. And it doesn't have your S at, uh, it doesn't have your security protection assets in it.
It doesn't have all the locations of where CUI is stored and processed. Um, and not all of the assessment statements are answered correctly. It's missing information, right? You just wasted the tough money.
So there's little checks that they do and they can get a good idea. Yeah, they're mostly ready to go through. We, we, we can probably do some POA&Ms on the back end and then they satisfy those points within 180 days.
Right. And then we come in, we do the final assessment on those outstanding items, which were POA&Ms. And then we do, and then we issue the certification.
So I've been covering some recent lawsuits where clients have gone after their service providers, uh, for failures when it comes to security and stuff like that. Does this open us up to that same type of thing where even though the client is the one responsible for their CMMC, we're advising, and if they go through the process and like you say, get to the end and they say, “nope, not right.” And they've spent all that money.
We've spent all that time. Does that give them the opportunity to come after us and say, you know, Hey, we spent all this money based on your advice. Pay us back.
I'm not sure I could see it in circumstances of outright fraud to where the MSP lied. Right. But if it's omissions and errors, I think that's got to be tested in court.
Okay. Yeah. Um, and not only that you, you should have insurance.
Yes, you should. All right. I'll be looking forward to my, uh, first, uh, news article on that and we'll see how it goes.
So, uh, Ryan, thanks a lot. This is great information, somewhat confusing, but, uh, things that we should pay attention to, especially if, because I imagine that there's going to be an MSP or service provider out there that doesn't realize that they have a client that falls under CMMC, they'll have to do that. In fact, the client might not even know themselves.
We've run into that to where we took a client on and, uh, we're doing security services. We're doing IT management for them. And, uh, they come to us with issues and we're doing our IT thing.
And it's like, this is a government contractor. Uh, right? Like your customer, this document I'm looking at that you're trying to manipulate in Adobe and Adobe's not behaving.
This is Lockheed Martin. It's got CUI on it. Uh, oops.
We have a problem. Yeah. Yeah.
And, and honestly that happens all the time because there have been subcontractors that are like fourth, fifth tier that they're so far from the top of the, um, uh, con contractor tip of the pyramid that they just, they, they don't know. They don't have any peers that are in the DIB space. Um, knowingly at least.
So I just, when, when, when 48 CFR starts getting put in contracts, it's going to be can, can I curse on here? Yeah, you can. Sure. It's going to be a shit show, man.
It's going to be, it's going to be, it's going to be an absolute shit show. Um, it's going to be poo hitting the oscillating blades every day for a long time, because there's going to be a mad scramble of these subcontractors that have no idea. And then the prime is going to send, send them an email because the prime isn't even really keeping contract of exactly who their subcontractors are because there's so many of them.
And then an employee one day will find, Oh, we missed this one. And then a CEO or project manager is getting an email from Honeywell. It says, Hey, we need your SPRS score.
And everyone's going, what's that? Well, now you've lost all your contracts. Fun times ahead, fun times. Yeah.
All right, folks. There you, there you have it folks. Uh, start planning now for your shit show.
Yeah. Yeah. And I mean, really it's about expectation management.
That that's really most of my job is expectation management. So, you know, what's funny is like, we've tried to end this three times now and it just keeps going because that's how CMMC, right? It just goes on forever.
I could talk another hour on this. Yeah. And I'm sitting here thinking I've got pages of notes and questions I could ask, but I'm like, I don't, I don't want to ask that because it'll, it'll go down, uh, a larger rabbit hole.
Um, there's so much there. Yeah. So, so, so right before we end here, what I did to help myself understand CMMC better is I created an internal SharePoint site and I went from top to bottom of CMMC, where it started with all the DFAR authorities, provisions, and then a timeline to where it led to CMMC and then a high level breakout in sections of what CMMC does based on the document itself.
And that helped me organize mentally the spiderweb that this whole thing is. So a question I was going to ask, and you just answered it for yourself because I was going to ask, where is the best place for us to go and kind of get, you know, guidance as to, you know, how CMMC would work for us? Is there a place or is it really all geared towards, you know, the top tiers and then flows down? So if you want to start to, and, and I say this literally with a sprinkle of hope, if you want to start to try to get a handle on CMMC in the short term, long term, you can do it. You just have to expose yourself to the information long enough and things will start falling into place.
But a great resource is LinkedIn. You have, you know what? I'm going to bring them up because I'm going to mix up their names here. Yeah, there's Jacob Horn from Summit 7. There is, hold on one second here, Jason Sproesser with Summit 7. Okay, so both with Summit 7. And then Jacob Hill, who just came on to Summit 7 recently, but he has a really great website that is, I believe GRC Academy.
Let me find it here real quick. Bear with me here. As we both previously type away and look at stuff here.
Yep, GRCacademy.io. Okay. All right, I will get those links and put those in the notes for us. And if you, you know, if you're bored after the NHL finals or not watching baseball, go take a peek.
Learn some CMMC. Yeah, and be patient with yourself. You're going to get frustrated.
All right, Ryan, thank you very much, sir. And ladies and gentlemen, thank you for tuning in to the IT Business Podcast. And as you can see, CMMC is going to provide a lot of opportunities for us and a lot of opportunities to help clients upgrade their cybersecurity, navigate compliance.
However, a lot of us are not prepared. So let's get prepared and take this on head first. I'm just looking at the notes here to see if there's anything else to end with here.
If you are going to do it, I would say timeline. If you're under a 25 person shop and you have a handful of employees that are CUI that are in scope for CUI and the applicable systems at level one, you're probably looking six to eight months to do a full self-assessment.
Level two at the same size customer, you're probably looking 18 months. OK, we map out all your processes and documentation and properly answer those assessment questions. All right.
Well, with all of this starting in October, six to eight months, you should definitely start now to avoid missing any opportunities. So. Once again, Ryan, thank you.
Ryan Miller with RootPoint, everyone. And we'll have those links we talked about and some other references to things that you should know when it comes to CMMC. That's going to do it for us today.
And if anything comes up later with CMMC, we'll be back here with another special edition. Be sure to check out anything else you need to know about managed service providing, supporting businesses in our space, cybersecurity. We talk about all that on the IT Business Podcast.
We'll see you soon. And until next time, holla!

Ryan Miller
Chief Information Security Officer
I am an eight-year Army veteran with three deployments and a purple heart. My experiences in the Army taught me everything that a person shouldn't do if they're going to build and maintain a healthy collaborative culture. I have taken the hard learned lessons from my time in the Army and applied them to building effective information security programs.