Joe Coleman, cybersecurity officer at Bluestreak Compliance, discusses critical aspects of NIST 800-171 and CMMC with host Doug Glenn. Joe touches on how to become compliant, how long compliance takes, compliance pricing, and the limitations companies may face if not compliant. Learn more in this episode of Heat Treat Radio.
Below, you can watch the video, listen to the podcast by clicking on the audio play button, or read an edited transcript.
The following transcript has been edited for your reading enjoyment.
What Is CMMC? (03:34)
Doug Glenn: Let’s jump in. Cybersecurity, while it’s not unique to heat treaters, is across all manufacturing sectors. But there are some unique elements of it that tie into the metal treating industry.
Let’s start with some basic definitions for those who don’t know: What is CMMC and what’s the purpose of it?
Joe Coleman: CMMC stands for Cybersecurity Maturity Model Certification. And we’re currently on version 2.0. It’s a verification program to ensure that defense contractors and subcontractors are able to protect sensitive information from the DoD (Department of Defense). That includes FCI, which is federal contract information, and CUI — or some people call it “coui” — which is Controlled Unclassified Information.
It’s going to affect about 300,000 companies in the U.S. Also, it’s going to start impacting companies later this year or early next year. That’s when it’s said to be fully released, and they’ll start adding it to contracts and RFQs and things like that.
Doug Glenn: So, in CMMC 2.0 version, the DoD is asking companies, “Do you comply with CMMC 2.0?”
Joe Coleman: Rather, it is saying you must comply by 2025 and at a certain level; there are three levels.
Doug Glenn: What are these requirements based on?
Joe Coleman: DFARS 252.204-7012 was implemented in 2016. In it, they were saying that people must be NIST 800-171 compliant by December 2017. If you’re not, you’re way behind the ball. They just haven’t pushed it until recently. Now they’re really pushing it. It’s based on NIST 800-171 recommendations — that’s Rev 2, and a subset of NIST 800-172.
Doug Glenn: You mentioned DFARS. Can you just briefly explain that?
Joe Coleman: DFARS is Defense Federal Acquisition Regulation Supplement.
Doug Glenn: Also, I’m kind of curious about this: Who’s actually pushing it? Is it the Department of Defense, or is it government in general, or is it controlled by (kind of like Nadcap and things of that sort) an independent organization outside of the federal government?
Joe Coleman: No, CMMC does cover other things, but it’s mostly by the DoD. They are the ones pushing itbecause of foreign adversaries stealing our information and ransomware attacks and things like that.
Doug Glenn: Right, okay. So that’s CMMC 2.0. Is NIST 800-171 is a sub part of that, or is NIST 800-171 something different?
Joe Coleman: That’s something different. NIST 800-171 is published by the National Institute of Standards and Technologies. DoD doesn’t have a lot to do with NIST. They are two different standards; the DoD is just borrowing NIST 800-171 for CMMC’s requirements.
Doug Glenn: I see. They’re using NIST’s package that’s already there as part of their requirement.
I think you’ve already kind of hit on it, but let’s just be explicit about it. What started the push by the DoD to require CMMC or require any type of enhanced security?
Joe Coleman: The DoD finally realized just how vulnerable defense contractors are and how vulnerable their computer systems and networks are to cyberattacks and to sensitive information being leaked by the DoD or contractors, that kind of thing. They’re trying to pull everything together to improve national security and to help secure this important data.
Doug Glenn: So, in a sense, it’s really the DoD just trying to cover their rear end, so to speak, and protect sensitive, national defense type information.
What Is DFARS? (08:45)
We talked about DFARs briefly. I’ve heard a DFARS interim rule mentioned. What is that?
Joe Coleman: That came about in November of 2020. It plays along with the DFARS 7012 — 252.204-7012. They came up with three new clauses to improve how cybersecurity is handled and enforced.
The first one is clause 252.204-7019. It mandates that you when you do your assessment: you come up with an assessment score based on 110 controls, and your score can be from a positive 110 (the perfect score) to a negative 203. That score needs to be turned into the SPRS, the Supplier Performance Risk System, so other companies can see what your score is.
So, 7019 mandates that you do turn in your score and that it can be no older than three years old. They are requesting that if they say you’re DFARS-required on a contract, things like that, you need to be NIST 800-171 compliant.
The next one is 252.204-7020. And that one states that you have to give full access to your company — your internet system, your IT, all of your information, and your employees, if they decide to come in and do a medium or high assessment or just an audit. You will have to turn over that control to them.
Doug Glenn: Who is “them” in this case?
Joe Coleman: It would be a DoD official.
Doug Glenn: All right.
Levels of Assessment (10:59)
Joe Coleman: There are three different levels of assessments that can be done under NIST 800-171. There is a basic level which you attest yourself. It’s all self-attestation for NIST 800-171. There’s a medium level which means you have to have a DoD official come in and do your final assessment. And then there’s a high, which you also need a DoD official to come in and do that. The majority of them are basics, which you can self-attest to.
Doug Glenn: How does a company know if they need to even have the CMMC?
Joe Coleman: If your company is a defense contractor, subcontractor, vendor/supplier, or if you’re in the DIB (the defense industrial base), you will need to be compliant if you process, store, transmit, or handle FCI or CUI in any way. If you handle CUI or FCI, you must become CMMC certified at one level or another.
Doug Glenn: Let’s just take an example. Say I’m almost third tier down in a supply chain, and the guy I’m doing business for is obviously doing defense work. Do I need to be CMMC certified at that point, even on the basic level?
Joe Coleman: Well, it depends on what type of data you’re handling. There is a flow down process. It starts with the prime contractor. Then it goes to the contractor and then on down the line. And if you are dealing with CUI or FCI, you need to have that same certification level as your client or as your contractor.
Doug Glenn: Would my client in that case, the person I’m doing business with, would it be incumbent upon them to tell me that I am dealing with FCI or CUI?
Joe Coleman: Yes. It would be in your contract.
Doug Glenn: If someone listening has a specific question about whether they’re required, I’m sure they could contact you and you could probably help them on that just to make sure.
Joe Coleman: Anytime. I also have an ebook that I made that is ready to be sent out, so I can always send them a free copy of that.
Doug Glenn: Now, I think you’ve already answered this question, but how many maturity levels are in CMMC and what are they?
Joe Coleman: A little, there are three levels. There is level one, which is the foundational level, and that is for contractors or vendors or suppliers that deal with only FCI. They do not deal with CUI. So, there’s a much smaller set of requirements for level one. And about 60% of the 300,000 companies will be going for level one.
Then there’s level two, which is advanced, and that is for contractors and vendors and suppliers that deal with CUI in any way. It can come in an email and leave. But as long as they have access to CUI, they need to be at least a level two certification. And there are about 80,000 companies that are going to be impacted by that of the 300,000.
Level three is expert, and level three is based on the 110 controls in NIST 800-171 plus a subset of controls that are in 800-172. Level two mirrors NIST 800-171. It’s borrowing all the requirements from NIST 800-171, enhancing them a little bit, and putting them into CMMC. So, there are a few more hoops you have to jump through to be CMMC certified.
Doug Glenn: We’ve talked about two different sets of levels. We talked about a basic, medium, and high. And then we talked about level one, two, and three. Are these things the same or are they different? Can you help me understand the difference between those?
Joe Coleman: The basic, medium, and high is an assessment level that assesses your whole system and facility, and that’s based on NIST 800-171. CMMC, you have three different maturity levels, and that’s level one, level two, and level three.
Doug Glenn: When you say maturity levels, that shows the degree to which your company has gone to implement these things.
Joe Coleman: Yes. It is a certification.
On CMMC level one, you can self-attest your own certification. Level two and level three, you will have to have it’s called C3PAO (or a CMMC third-party assessment organization). They will have to come in and do your final assessment. Bluestreak Compliance can take you all the way to that assessment audit ready. But then you’ll have to have a C3PAO come in and do the final audit and the certification level.
Doug Glenn: That was going to be one of my questions because you guys mentioned that you’re a registered practitioner organization. You don’t actually do the assessments, but you can get everybody up to the door, right? You prepare them for it?
Joe Coleman: Yes. You would need a CMMC certified assessor to do that.
Doug Glenn: All right. And when is all this going to be required? Right now, it’s not required but it will be required?
Joe Coleman: CMMC is not required currently. It’s in the last phase of being released for approval. Either late this year or early next year, it’s going to be a phased rollout. Later this year or early next year, you’re going to have phase one, which is that if you need to be level one certified, you will need to become certified right away. That’s the one you can self-attest.
Six months after that, they’re going to start requiring that CMMC level two is implemented. This means you’ll have to go through the process of getting a C3PAO. And that’s when it comes time to hire an RPO (registered practitioner organization), because they’ve got the training and the certification to get you there.
Now, one thing on the C3PAO: there are currently only 54 C3PAOs in the entire country. So, there’s going to be a huge backlog. You could be talking a year backlog, so plan accordingly.
Finally, at level three, an enhanced version of level two because it has more requirements, you’re also requiring a C3PAO for certification.
What’s Involved in Becoming NIST Compliant? (21:14)
Doug Glenn: Joe, let’s talk for a second about the process, if you will. What’s involved in becoming CMMC certified?
Joe Coleman: That all depends on if you are NIST 800-171 compliant already. If you are not NIST compliant already, you need to get NIST compliant as soon as possible. That has a big impact on your CMMC implementation.
Doug Glenn: Can you address that then: What do you have to do to become NIST compliant?
Joe Coleman: To become compliant, you have to do an assessment on your network and your facilities to come up with an assessment score. So, it’s the same as CMMC.
Then, you will have to do a gap analysis. You will come up with a POAM list (a plan of action and milestones); that is your to-do list based on your assessment, your shortcomings, or what you’re not compliant to. And you’ll need to come up with a system security plan (an SSP). That’s mandatory; you cannot be compliant without an SSP.
Once you get your SSP and your POAM list, then you need to take your score, your beginning score/baseline score, and submit that to the SPRS. And that is the library that holds all of the scores and shows your level.
From there, you start remediating and implementing your POAM list. But that also includes coming up with policies and procedures, plans, and a lot of documentation — everything gets documented based on where you stand and where you’re going, until the end when you do your final score.
Now, the SSP is a living document. It’s going to constantly change. If you have a change in your network, a major change, you’ll need to go in and update that right away.
How To Become CMMC Compliant? (23:46)
Doug Glenn: So that’s how you get to be NIST compliant. For CMMC, is there more to it?
Joe Coleman: There’s a few more requirements in CMMC, but the major difference is that with NIST 800-171 it’s all self-attestation. CMMC you will need to have a C3PAO.
Doug Glenn: That is, somebody’s going to need an outside validator, so to speak.
Joe Coleman: And they’re very expensive.
Now, another reason they came up with CMMC is because people were saying that they were compliant to NIST 800-171, and they really weren’t. That gets into the False Claims Act and things like that. They really go after people that do that.
Doug Glenn: Yeah. Any sense of the time frame for either becoming NIST compliant and/or CMMC compliant?
Joe Coleman: If you are not NIST compliant yet, that can take up to 6 to 12 months. I’ve seen it take more. You can do CMMC and NIST together if you need to because you’re using the same documents. If you’re not NIST compliant, that can take up to 18 months or more. If you are NIST compliant already, you’re talking 6 to 12 months to be CMMC certified.
Doug Glenn: Okay. You just alluded to it, but I just want to make it clear. Can you do them both at the same time in parallel tracks?
Joe Coleman: Yeah, I’m working with clients that are not currently NIST compliant. So, we’re just rolling it into one using the same documents. It’s just that we’ll have to have a different assessor at the end.
Doug Glenn: Let’s say a company just decides they’re not going to be either NIST or CMMC compliant. You can still be a company, right?
Joe Coleman: Oh yeah, you can still do business; you just can’t do business with the DoD. A lot of companies base it on how much of their workload or how much of their business percentage is based on DoD work or from a contractor or subcontractor. If it’s 1%, 2%, 3%, 5%, you need to take a good hard look and say, is it worth putting a lot of money into?
Cost of Certification (26:52)
Doug Glenn: So, they can still be in business and doing well, but they just can’t do any DoD work. So, any ballpark figures? And I realize this probably varies widely depending on the size of the company and everything, but any ballpark sense of how much change we’re talking about here?
Joe Coleman: There’s no official word from the DoD on this, but there are some guesses out there. For NIST 800-171 compliance, depending on your current cybersecurity program that you currently have and how involved it is, I’ve seen it from $15,000 to $60,000.
Doug Glenn: Okay. That’s just for NIST?
Joe Coleman: Just for NIST. For CMMC, and again depending on if you’re NIST compliant, if you are not NIST compliant you’re going to do them together, it could be over $200K (probably easily) to become CMMC certified because you’re also becoming NIST compliant.
Doug Glenn: I’m curious. How come it’s going to cost you maybe 3x as much?
Joe Coleman: One of the main reasons is that with CMMC, you’ll want to hire a registered practitioner organization to guide you through the process and to do the documentation for you. The other is the C3PAO. There are only 54, and they can name their own price.
I can imagine it’s going to be over $100K just for the final assessment.
Doug Glenn: Right, that’s helpful. I think that gives everybody a pretty good sense of what we’re talking about here with CMMC 2.0 and NIST 800-171.
What Can a Registered Practitioner Do for You? (29:02)
Your division of your company, which is Bluestreak Compliance (you’ve already mentioned you’re a registered practitioner), can you give a brief summary of what it is? What do you guys bring to the table?
Joe Coleman: A registered practitioner organization has been certified by the Cyber Accreditation Board (Cyber AB), or CMMC accreditation body. A registered practitioner organization (RPO) works with and hires RPs (registered practitioners) or RPAs (registered practitioner advanced). I happen to be an RPA. And we’ve gone through all the training that we need to have so that the Cyber AB says, okay, you are qualified to do this.
So, when I quote a job, I usually quote it two different ways. One way is just guiding you through the process, so you’re going to do all the heavy lifting. I can supply you with templates and things like that for your documentation and guide you through each step. Or I can quote it where we manage the whole process. We will do all your documentation for you.
Your team will have to be involved in the implementation process. And that’s true both ways. But we normally quote it two different ways, and they choose which one they want based on their budget and things like that.
Doug Glenn: It sounds like what you’re bringing to the table is the ability to get that company from where they are now, wherever they self-assess to start with, up to the point where they can bring in one of the third-party auditors and actually have a reasonable shot at passing the CMMC 2.0 assessment.
Joe Coleman: Correct. And it’s going to take a lot of input from the client or from the companies, too, because you’re going to have at least 1 or 2 full-time employees doing nothing but this. You’ve got to build that cost into it.
That’s what I tell people when we say we can quote it either guiding you or leading the project. It’s not as much work if I am leading the project. But if I’m not leading the project, you’re going to need a team of people to do this. It’s a lot of work.
Cybersecurity Areas To Be Aware Of (31:48)
Doug Glenn: I’m not sure there is an easy answer to this question, but can you give a list of top 3 to 4, or 4 to 5, areas that a company needs to look at when they start doing the NIST and CMMC checklists? Where do you see most companies falling down, or what are the areas they need to be aware of?
Joe Coleman: A lot of the smaller companies do not have a robust cybersecurity program. That is going to be a big pitfall. That’s going to be a big jump for them, not just the work that they have to put into it, but the expense; a lot of small companies just can’t afford that.
Doug Glenn: So, for example, what does that program involve? I mean, is it best practices for handling emails?
Joe Coleman: Everything.
Doug Glenn: What are some of those things?
Joe Coleman: Some of the things are making sure that your network is totally secure and locked down, firewalls. Along with that, you’re going to need endpoint protection on all your devices, mobile device manager. You’re going to have to track every device that has access or could have access to CUI. You have to have a full inventory of that. Your IT system has to be locked down.
Now, this also includes your facility; it includes physical security. That’s talking about your door locks, your alarm systems, things that are going to protect CUI. Camera systems, your server rooms have to be locked down. It’s a lot of physical security, too.
Doug Glenn: Interesting. As well as the protocols for how you handle emails, how data is transferred, where it’s stored, and backups, stuff like that?
Joe Coleman: Yes. And you need to have a policy and a procedure for each one of those. They have to be fully documented every step of the way.
Doug Glenn: Wow. Okay. Sounds like fun, Joe.
Joe Coleman: It is. I enjoy it, but it’s a lot of work.
Doug Glenn: I’m glad somebody enjoys it. I think I’d be swinging from a rope somewhere; you know?
Joe Coleman: I eat, sleep, and drink it.
Doug Glenn: Well, that’s good, I appreciate it. The columns and things that you’ve written for our publication have been helpful to people, I know. And I think this podcast will also be helpful to them. But do you know, for those who are listening and might be attending Furnaces North America, do you know when your talk is?
Joe Coleman: It’s going to be on the 16th at 8:50 a.m., and it’s in room 222.
Doug Glenn: All right.
All right, Joe. Thank you very much. I appreciate your time. We’ll look forward to more of your input.
Thanks everyone for listening.
About The Guest
Joe Coleman is the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2024) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0.
Contact Joe at joe.coleman@go-throughput.com.