A CMMC Christmas Carol: A Small Business Story
Allison Giddens
President, Operations (SMB Manufacturing) | Community Volunteer | Humorist
In the past few weeks, I have run into several small business manufacturers who do work for the Department of Defense (DoD). When we learn what each other does, I feel as though we're sharing a secret handshake. If you've been around for a bit, we have been through the ups and the downs of the industry - from recessions, to the pandemic challenges on the shop floor, to the ever-present search for a qualified workforce, to managing the flow-down and risk management mandated by our Prime customers.
The latest in risk management? The Cybersecurity Maturity Model Certification, or CMMC. CMMC's intent is to protect national security and Controlled Unclassified Information (CUI).
So, Small Business reader - what are you doing to protect CUI and take your role in national security seriously?
I have gathered some of the most common questions I'm seeing shared among small business manufacturers and answered them from (hopefully) an entertaining perspective.
This is all from my point of view, and the suggestions made are a result of my own trials and obstacles. These are not "approved" by any individual or company mentioned in this article.
However, I hope this overview is helpful for those needing to wrap their brains around something that is complex and is poised to cause business and supply chain challenges if implemented in its current context.
We're approaching the holiday season, so let's talk about this in "Ghost of Christmas Past," "Ghost of Christmas Present," and "Ghost of Christmas Future," shall we?
We begin the story as you, a Small Business Owner, open your email inbox on a Monday morning to find that one out of five emails mentions this "CMMC" thing.
You've delayed it long enough. You sigh deeply and decide to stop putting this off.
PAST
Let's go ahead and be honest. While CMMC might be 200 pages of "new" practices, they're technically not that new. You should have been adhering to NIST 800-171 all along - in fact, by accepting contracts with this flow down, you were confirming that you were following its requirements.
On one of the 4,923 CMMC webinars I've attended in the past two months, it was mentioned that 80% of small business manufacturers admitted to not even reading NIST 800-171. Suffice it to say, I'm guessing, that means they also were not following NIST 800-171.
Look, I'm not pointing any fingers, but I can tell that you're avoiding eye contact with me right now.
So, you ask the Ghost of Christmas Past:
How do I fix this?
First, you must recognize "the fix" doesn't happen overnight, and it never actually ends, either. You know, kind of like the Walking Dead series.
So, you'll start with doing the next best thing: Establish a System Security Plan (SSP).
Unless, of course, you already have one.
If the answer is "no" on an SSP, I suggest you call your family and tell them you won't be home for dinner tonight. Or tomorrow. Get that done. Yesterday.
There are lots of versions out there, but here is one from NIST.gov that will get you started. At a minimum, you should have a network map and hardware and software inventory (no, "it's all in my head already" is not an acceptable answer). This particular template asks where you are in the 110 controls and their implementation.
Be honest when you answer these questions. Your business depends on it.
PRESENT
You're done with the SSP now, right?
Now what? Now you feel like you woke up from a nap only to realize you have the lines from the pillow on your face, you don't know what day it is, you're not wearing pants, and someone is ringing the doorbell.
So, you ask the Ghost of Christmas Present:
I have this SSP filled out, but how do I know if I have CUI?
First, put some pants on.
If you're working on contracts that have DoD flow-down, just assume you have CUI. No, it's not always clearly marked (I can see that like me, you are stunned that the government has not clearly identified something that is the subject of this monster initiative).
Now, for the tough part: I challenge you not to get too far into the weeds. Don't zoom in yet.
Take a step back and ask yourself some basic questions to get the lay of the land:
- Who accesses CUI (blueprints, specifications, engineering files, etc.) at your company for the purposes of doing their job? Is it everyone? Is it just a select group of people?
- What does your computer network infrastructure look like right now and where does that CUI "live" (rest) and how is the CUI shared ("in transit") to get the work done? Is this an efficient way of doing things, or is it just the way you've always done it?
- Do you have a physical server sitting in a room with limited access? Or are you in the cloud? Do you have an "IT guy" (or gal) or do you outsource this?
BONUS: If you have a giant dry-erase board in a dimly-lit basement where you can sketch out a network map or some indecipherable systems maps, while some cinematic theme plays in the background and you end the scene collapsing into a ratty old office chair, reaching for a cup of coffee - that'd be great.
Ugh. This is a lot. How do I know where to begin?
Let's play pretend for a moment. All of this screen time has stifled your creativity. Pick up a book, for Pete's sake.
Pretend a Prime customer has just sent you data to manufacture a part for them, along with a contract. BAM. It's in your hands now. How did it get there? Did they send it to you via a secure file share? Or was it just done through a .pdf in a regular ol' Office 365 email? (you can't see me, but I'm cringing)
Now that you, Mr./Ms. Person-Who-Has-Been-Tasked-To-Get-Past-The-Final-CMMC-Boss have this data, what do you do with it?
Does it go on a shared server? Does it get put on some sort of external device and physically handed to someone? Now, how does that person access the data?
Don't overthink this. Your answer may simply be: "Everyone logs into Windows using a unique account and accesses the info on a shared file server."
Oh, I get it! It's all about allowing access on a Need-To-Know-Basis. This is very James Bond. So, how are YOU handling multi-factor authentication (MFA)? FIPS? Encryption?
Whoa, there, partner. You're getting into the weeds. Is there bigger-picture stuff that you can tackle before jumping into something that even the medium and big guys are struggling with?
You wouldn't vacuum before you dust, would you? ...WOULD YOU? You weren't raised in a barn.
It is very easy to fall down the rabbit hole with many of the more challenging requirements that are debated in Reddit and Discord channels all over.
For your sanity, don't go down that yet.
Yet.
All right. So I need to put together an SSP. That's it?
No, that's essentially the backbone of what's next.
Let's assume you're using the SSP I linked to, above. That will help guide you on where your weak spots are. Here's where you may notice that your weak spots are in Access Control, or Audit Logs, or Training.
There's good news, and there's bad news.
First, the bad news: As of right now, CMMC Certification, if you choose to go down that path, is an all-or-nothing thing. You can't get Certified on something "with the exception of that pesky Audit Logging list o' requirements."
The good news: As you tackle some things, others may, in effect, be checked off, too.
For example: If you migrate to a cloud-based server that checks the box on some of the encryption requirements, chances are, that same service may also offer some automation as it pertains to audit logs. So, there's work on the front end, but it's likely overdue, and once you implement a big step like this, you can begin to prove growth in your cybersecurity "journey" towards maturity.
I keep reading about that November 30th due date. Does all of this have to be done before then?
Omigosh, for the love of all that is holy and good: It's not a due date.
You will need to upload your score into the Supplier Performance Risk System (SPRS) if you intend to accept any DoD-related contracts after December 1, 2020 that include the flow-down of DFARS 252.204-7012.
Basically, this flow-down requires a score to exist for the supplier. Get it now?
Kind of. So, I just need to log-in to some website? Seems pretty simple.
Ha ha ha - you are hysterical! How long have you been in the DoD space? Not long?
If this website is new to you, I suggest getting an account set up in tandem while you work to analyze your score. Don't wait until you have a contract in your hand, pending acceptance, before you knock out this step.
In order to set up an account in the Procurement Integrated Enterprise Environment (PIEE) with an SPRS role tied to your business's CAGE code, the Business Point of Contact in SAM.gov must authorize you.
Clear as mud, right?
I personally had to call to get some tech support, and they were very helpful. Don't be afraid to call them, but remember that you are one of many people who have waited until the last minute. Be patient.
All this talk of a score and you haven't told me how I score myself. Honestly, if we include personality, I'm a solid 8.
Um, okay. I'll take your word for it.
There are a few helpful tools out there to conduct a DoD Self-Assessment. Personally, I used the one found on Peerless.
And guess what? That particular SSP template I linked to during our time in CMMC-Past, and the link to the Scoring Tool with Peerless, above, match! Working with them in tandem will help you stay organized and focused.
Do this in manageable chunks. There are essentially 14 categories or topics. Break it down into what you are comfortable doing at a time. Consider sitting down with the person or team responsible for the section you're working on. Remember: What you complete you are self-attesting to. In the event you're audited, you will want to be prepared to prove why you answered the way you did.
Wait. I thought I was already going to be audited for CMMC?
You will. Eventually. Think of this as a stop-gap while the government gets assessors ready to roll.
So, how long do I have?
Honestly, it's up to you. Want to accept a new contract from the DoD on December 1, 2020? Does that contract reference DFARS 252.204-7012? Then, you need to have a score submitted to SPRS by November 30, 2020.
And yes, in case you're wondering, DFARS 252.204-7021 adds CMMC, phased in over a rollout spanning the next 5 years.
There are lots of DFARS call-outs with some riveting reading, terrific plot twists, and great character development. I suggest printing out the .pdfs, grabbing a comfy blanket, and curling up by the fire to read them.
Ohhhhh, so I still have time?
We're three-quarters of the way through this movie, and you don't get it yet, do you?
What if my score stinks?
Then, there's nowhere to go but up, now is there?
I'm half-kidding.
Once you have that SSP and Scoring Tool in front of you, completed, you will likely see which of those 14 categories need drastic improvement. Grab some low-hanging fruit. Take baby steps. Just move forward - that's what's important. Get your team motivated to keep at it.
Update your score in SPRS when you improve. It's not out of the question that you will be audited, so be prepared.
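To make the "which of the 14 categories need improvement" step concrete, here is a small self-assessment tally I added for this article (it is not the Peerless tool, the NIST template, or anything official). It follows the DoD Assessment Methodology arithmetic used for the SPRS score: start at 110, subtract each unimplemented requirement's weight (5, 3 or 1), with partial credit for MFA (3.5.3) and FIPS-validated cryptography (3.13.11). The requirement IDs and family names are real NIST 800-171 ones; the weights and statuses are a constructed sample, not a transcription of the methodology's tables.

```python
"""SPRS-style self-assessment tally (added example, not from the article or any vendor tool)."""
from collections import defaultdict

MAX_SCORE = 110  # a perfect NIST 800-171 self-assessment
# Partial credit the methodology grants: deduct 3 instead of 5 when MFA or FIPS crypto is partly done.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# CONSTRUCTED sample assessment: (requirement id, family, weight, status)
# status is "implemented", "partial" or "not"; weights here are illustrative only.
SAMPLE_ASSESSMENT = [
    ("3.1.1", "Access Control", 5, "implemented"),
    ("3.1.2", "Access Control", 5, "not"),
    ("3.2.1", "Awareness and Training", 5, "not"),
    ("3.3.1", "Audit and Accountability", 5, "not"),
    ("3.3.2", "Audit and Accountability", 3, "not"),
    ("3.5.3", "Identification and Authentication", 5, "partial"),   # MFA for remote/privileged only
    ("3.13.11", "System and Communications Protection", 5, "partial"),  # encrypted, not FIPS-validated
    ("3.12.4", "Security Assessment", 5, "implemented"),  # the SSP itself
]


def deduction(req_id, weight, status):
    """Points lost for one requirement; 'partial' only counts for the two partial-credit items."""
    if status == "implemented":
        return 0
    if status == "partial" and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    return weight


def score(assessment):
    """The number you would upload to SPRS for this assessment."""
    return MAX_SCORE - sum(deduction(r, w, s) for r, _, w, s in assessment)


def gaps_by_family(assessment):
    """Points lost per family, largest first: the 'where are my weak spots' list."""
    lost = defaultdict(int)
    for req_id, family, weight, status in assessment:
        lost[family] += deduction(req_id, weight, status)
    return sorted(((f, p) for f, p in lost.items() if p), key=lambda fp: -fp[1])


if __name__ == "__main__":
    print("SPRS score:", score(SAMPLE_ASSESSMENT))
    for family, points in gaps_by_family(SAMPLE_ASSESSMENT):
        print(f"  {family}: {points} points to recover")
```

Re-run it after each improvement and the family list tells you which chunk to sit down with next.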
Remember: This is about risk. What risk do your Primes carry by providing you with CUI?
Document, document, document. What's your game plan? How are you improving your grasp on securing CUI?
This is a maturity model, after all.
I'm not sure this is worth it. Maybe I'll get out of DoD work and stick with commercial work.
Hey, fine by me. Less competition for my business. Perhaps you could send me the name of your buyers so I could introduce myself? Don't let the door hit you on the way out.
I kid, I kid.
Come on: You've managed far tougher challenges. You're a small business manufacturer. YOU put the planes in the air. YOU make the satellites that go to space. Heck, you make the things that send the satellites up.
Remember the time you scrapped all of those parts your customer was paying expedite on because your lead machinist read the print tolerance as +/- .005 instead of +/- .0005?
Yeah, you can do this.
FUTURE
Let's look into my crystal ball and observe you in the future.
Your CMMC Level 3 certification is official and the DoD just gave you an order that will quadruple last year's revenue, and you just bought a flying car.
Okay, wait. Not that far ahead. Back up a little. Let's look at, oh, 6 months from now.
You have an SSP and a score uploaded to SPRS (in fact, you've changed it twice as you've improved), and you are looking at all of your notes, pleased with the amount of work you've invested but getting discouraged because this never seems to end.
I have no clue what split-tunneling, FIPS or GCC-High is, or if it's even applicable to me.
Find someone you trust in the CMMC space - and do your homework to find them! Do not, I repeat, do not, go with the first company that spams you on LinkedIn. Get on message boards. Search keywords on LinkedIn. Watch archived podcasts like DIB Tech Talk. Read. See who the "usual suspects" are and ask for references.
I'm more than happy to private message some great contacts I've met over the past few months, many of whom I'm working with on our own next steps in the CMMC process.
Ah, a happy ending! So, we're all in this together?
No. We're not. Not even a little.
There are a lot of companies out there who are taking advantage of people like you. You aren't stupid, but this isn't your expertise, and they know it.
Watch for companies that promise to get you compliant in just weeks (or days). The CMMC-AB is not a business - it is run by volunteers. Where you see "CMMC" in a logo or business name, dig. And when you're done digging, dig some more. Ask questions within the CMMC community.
There are plenty of well-meaning businesses that may not be a good fit for you. There are others that may duplicate services that your current third-party IT department is already doing - and that's okay. You may have to make decisions on a company you hire based on its certifications.
Talk to people. Get quotes from consultants and MSPs. Yes, it's tough to compare apples to oranges with all of this stuff, but if you can find someone who comes recommended among your peers, they will help you filter through the noise. Get ready, though - that will cost you. Just like you can't walk into a doctor's office for free advice on that rash, you shouldn't expect IT and security professionals to get you in the catbird's seat for free, either.
That said - there are some truly wonderful people in the IT/Security/CMMC community who have offered templates, resources, and analyses to the world - just because.
Just like in the original "A Christmas Carol," I feel awakened! Alive! Ready to change my ways! Ready to take on CMMC!
Wonderful!
Now, for real. Get started on that SSP.
Allison Giddens is President of Win-Tech, an aerospace small business machine shop outside of Atlanta, Georgia. She welcomes constructive criticism of her interpretation and understanding of the CMMC, but encourages the critic to recognize that this article is not meant to be "official" IT advice. She's not an IT Cybersecurity professional, nor does she play one on TV.
Founder and President, Ekaru. | Engineering Ph.D. | Technology and Cybersecurity Advisor | Author | Board Member | Member, InfraGard. CMMC Registered Practitioner.
2 years
Great write-up on CMMC and the challenges for small business!
I Help Machine Shops Excel - Former Machine Shop Owner - ERP QMS MES Solutions & 3x Podcast Host
2 years
Just ran across this article and it's more applicable than ever! Thank you for writing this with such a clear (and hilarious) perspective of a shop owner who's trying to navigate the intricacies of CMMC. I believe it'll make or break many DIB companies, and there are many shady companies that are "offering to help" SMBs and charging exorbitant fees. They are preying on the fears and lack of knowledge of many shop owners and it's a real shame. Thanks again Allison!!
USAF Veteran | IT Professional w/18+ Years Experience | CompTIA A+ | High School Football Coach
3 years
I read this right after passing the CMMC-AB Registered Practitioner (RP) training. This is a great article and reminds me of my time in the USAF as a qualified USAF Cyber Quality Assurance Evaluator. I am greatly looking forward to guiding our local businesses towards being certified through CMMC. Allison, please provide us with an update!
CEO at Sentinel Blue | Paramedic | Host of The Watchers Podcast
4 years
Allison Giddens I love the traction this got! You struck a nerve!