“CMMC & The Race to Remain Competitive with DoD Contracts” Panel Discussion Q&As

On Wednesday, March 17th, 2021, Gigit hosted an extremely informative expert panel discussion about CMMC. For the defense industrial base, CMMC is a must-do in order to receive and retain contracts in the years ahead.

After our initial 35-minute panel discussion, we accepted questions from our live audience. We had so many questions, we couldn’t answer them all despite even going overtime by 10 minutes! We promised the audience that we’d answer their questions, so here are the unanswered questions and answers:

Q: The DOD has a large investment in Automated Test Systems for repair and maintenance on weapon systems in the field and repair depots. ATS connects directly to the weapon. How do we protect from a threat coming in through test equipment, not the network?

A: Without knowing more of the details of the systems involved, we can only give general guidance. We suggest taking as much of a Zero Trust Architecture approach as possible throughout all aspects of the ATS lifecycle. We also suggest overlaying thorough audit and logging mechanisms via your Security Information and Event Management (SIEM) solution wherever possible to look for anomalous behaviors. Please contact us if you would like a more detailed answer.

Q: In your opinion, what lessons learned have you seen with this scenario: a DoD contractor wants to migrate to a cloud-only platform using Microsoft commercial (E5), but also use PreVeil to enclave CUI. Is CMMC Level 3 able to be met this way?

A: We have seen lots of unintended friction. Users are used to the entire Office 365 suite and suddenly find out they just have email and classic file sharing. Things like concurrent editing, commenting, etc. that you find in O365 are gone with PreVeil. We then walk customers through the fact that other FedRAMP Moderate compliant real-time collaboration services that accept the DFARS clauses are now needed whenever CUI is discussed. Once we start to hit these points, we start to see more shadow IT kicking in, or people simply ignoring policies to get things done. The business sees things take longer and operational costs increase. It is for these reasons that we generally recommend Organizations Seeking Compliance (OSC) leverage as much of GCC or GCC High as possible.

Q: When the assessment is done is there not some sort of feedback you give the company other than just, “You Failed”?

A: The C3PAO and Lead Assessor will inform the Organization Seeking Compliance (OSC) of all the non-compliant Assessment Objectives and their parent Security Requirements. The Lead Assessor will inform them why the objectives were determined to be not met. The Lead Assessor and their team will not tell you how to correct the issue; that would be consulting and would invalidate the assessment. (Assessors must be separate and independent from Consultants in order for the Assessment to remain valid.) The Lead Assessor will also let the OSC know whether they are allowing the OSC to attempt to remediate any non-compliant requirements within the allowed 90-day window. Please contact us if you have other questions or would like to go over the formal Conformity Assessment process with your organization.

Q: If you have SOC 2 and ISO-27001 certifications and a mature ISMS, how difficult will it be to become CMMC? What are the main differences?

A: It all depends. ISO helps your firm get a solid ISMS underway, while SOC can be very tightly scoped. That being said, having either of those certifications does not mean your business is immediately ready for a CMMC Conformity Assessment event. On the other hand, neither of those frameworks is as prescriptive as CMMC and the underlying NIST SP 800-171 are. For example, neither has the Multi-Factor Authentication requirements found in CMMC and NIST SP 800-171. Also, neither specifies protection requirements for FCI and CUI. We do recommend working with an organization with CMMC expertise to optimize re-use of other certifications within your CMMC scoped environment.

The below are the questions that were answered during our live panel discussion. To hear the answers to these questions, please watch the panel recording.

  1. How does a company who does not have a government contract yet get access to Microsoft Gov Cloud?
  2. For small DoD contractors, we’re looking at recommending that they implement Microsoft 365 Business Premium and adding a platform like PreVeil or Cocoon to create a compliant environment that’s less expensive to implement and maintain than Microsoft 365 GCC High. Can you provide any comments on utilizing this type of strategy?
  3. How does an organization identify internally generated CUI? Who has that responsibility?
  4. Who at an organization is the driver of CMMC certification — is it someone in the C-suite, and if so, what position?