Perhaps you have heard of CMMC, the Cybersecurity Maturity Model Certification program. Now in its 2.0 version, it is supposed to lay minimum cybersecurity standards on contractors doing business with the Defense Department. But it is like a storm on the horizon that never really arrives. Some company executives are skeptical. Federal Drive with Tom Temin spoke with one such skeptic: Matt Hodson, the Chief Information Officer of Valeo Networks.
Tom Temin And Matt, I guess you’re kind of Mr. Everyman in the world of federal contracting that is looking at CMMC and wondering what it’s going to mean to your company.
Matt Hodson Yeah, as you know, CMMC version one, I mean, the whole point of it is to protect the data, right? And as we’ve seen with CMMC version two, you know, the government’s trying to be a little more lenient with the contractors and give them some flexibility. But they’re kind of missing the mark on the whole point of it, right? So we see under CMMC 2.0 right on the CMMC website that it’s supposed to simplify compliance. But by doing that, they’re getting away from the actual goal of securing that data. That’s what we’ve seen.
Tom Temin Right. So you think they’ve gone too lenient with 2.0?
Matt Hodson Correct. Yeah, they’re just kicking the can down the curb. We’ve got to secure the data. I mean, we’re hearing now with everything with critical infrastructure, we see things with Russia attacking Ukraine and, of course, different countries attacking our critical infrastructure. If we don’t take the time and get this done, it’s just going to be a bigger problem down the line.
Tom Temin Now, you’re a technology company, a technology vendor, and there’s a lot of those in the government, and presumably they have the expertise to follow all of the NIST (National Institute of Standards and Technology) controls that are part of this, that those are in place. But what about all of these small vendors, the mom and pop vendors, the people that might be in manufacturing, services, supplies, that kind of thing, that simply don’t have the expertise? It’s costly and expensive for them. What should they do? What should be the approach for them?
Matt Hodson That’s a great question, Tom. To your point, they’re small, so they don’t have a large budget. Even if they understand and see the value of securing their network or their infrastructure, they just don’t have the budget. So it’s good to partner with an MSSP and a third-party compliance company that works hand in hand, because as an I.T. company, we can only put in place the technical controls of a certification. Right. So we have a third party that audits our work and certifies the company trying to get certified. And to that point, if you look back at what the definition of certification is, it’s a third, independent body or a company that’s doing this testing, this inspection, the certification. So that’s the other big challenge with CMMC 2.0 self-assessment. I mean. Right. Ok, I’m certified. Well, that doesn’t really make me feel warm and fuzzy.
Tom Temin Right. But wasn’t there supposed to be a cadre developed nationwide of people that could fan out and do these certifications? The companies would pay them and everyone would be set to go. We haven’t really seen that materialize yet then, have we?
Matt Hodson Correct. We have not. And with 2.0, if you’re going for level one or two, you can self-assess, which again, no one’s checking your work.
Tom Temin Right. So you would suggest then changing the program, how?
Matt Hodson First of all, I would recommend not having self-assessments. If the whole point of the certification is to protect the data, whatever levels you put in place, the government decides on three levels, five levels. There should be a third-party auditing entity to verify what you say is so before you get certification. And I understand why they’re doing it, but to allow them to bid on contracts and win contracts and not even have the certification yet. How is that different from today?
Tom Temin We’re speaking with Matt Hodson. He’s the CEO of Valeo Networks. And just for a company to, say, get the basic NIST controls in for level two, I mean, there’s a lot to do there, and then to get certification by a third party that those are in place. What could that cost? Are we talking thousands? Tens of thousands? What’s the order of magnitude of dollars for a company?
Matt Hodson As you know, there’s a lot of variables in that question, right. The size of the company and the complexity and whatnot. But you can easily spend, for a small or medium sized business, anywhere from ten, 20, $50,000. It just depends, you know, one, the current operational maturity level of that company. What controls do they already have in place? Right. So there’s always that first initial assessment, that gap assessment, to see where they’re at and where they need to be. And usually that second project is making sure they meet those requirements. And that’s, like you said, just the best requirements. But then you have to pay that third-party auditing company to go in and double check the work that a technical company like ourselves has completed on your behalf.
Tom Temin Right. Sure. And then there is the ongoing maintenance of that, because software changes, controls change, operating systems change. And so what was secure one day, you know, that’s why they have Patch Tuesday. Could be great on Monday. By Tuesday, you’re out of date and there are vulnerabilities. So it’s an ongoing cost, right?
Matt Hodson Yes, it is. And that’s the value of prop-up companies like ours, is you pay us that fee where we help you maintain that ongoing compliancy versus trying to bring it in-house.
Tom Temin The Defense Department would need that assurance that we certified you six months ago. Now the contract comes and, are you still safe? Is our data still safe with you?
Matt Hodson Sure, yeah. Usually with a compliancy, once you achieve it, you know, it stands until it needs to be reviewed again, which is usually annually. So in that scenario, they would most likely win that contract. And then in six months, when it’s time to be reviewed again, they would check everything.
Tom Temin And there is plenty of hacking, there’s plenty of phishing that takes place, there’s plenty of ransomware attacks. But when you look at the really, really big, horrible breaches like what’s been going on with the Defense Department over the last couple of weeks, it’s not cybersecurity measures or technical controls at all. It’s bad actors that should know better. So, what they call in the automotive field the nut behind the wheel, the employee, that seems like something that CMMC could never get at, either the deliberate or inadvertent misconfiguration or misuse of data. There’s no control for that.
Matt Hodson No, that’s true. And like we said, if we didn’t have employees, we wouldn’t ever be attacked, right? Because that’s the low hanging fruit. So, you know, you’ve got these nation-states that are trying to infiltrate our infrastructure. And to your point, that’s the easiest thing is going after and phishing the employees. It just happened to us yesterday. Supposedly, our CEO sent several of our employees text messages and it was customized to each employee with their first name. And it had a sense of urgency. I need to join this meeting. And so they are always trying different approaches to see where they can get somebody to click something to give them access, or they could, you know, get into the system, get the lay of the land, and they use the same toolsets that we use to manage the infrastructure. So it’s hard to identify when they’re in the network sometimes.
Matt Hodson No, thank goodness. Everyone was sharp enough to ask, this doesn’t look correct. So we all kind of talked about it and, you know, nobody clicked on anything. But, well, we’re an I.T. company, so, you know, we do our best to educate our employees, but even more so for companies that are in this industry, it’s something that, as you bring out, should probably be part of this: that training, not just the technical controls, but training of the employees.
Tom Temin All right. And as someone who follows CMMC closely and I presume you are also a federal contractor yourself, what signals are you getting that this program is going to become widespread 1.0 or 2.0, regardless?
Matt Hodson I mean, it has to we got to do something right? I mean, every link in the supply chain has to be secure.
Tom Temin Do you get the sense from the Pentagon that this is moving along towards implementation?
Matt Hodson Yes, but not fast enough. As you know, hackers work at an insanely fast pace, and now they’ve got AI working for them. And so the longer we kick this can down the curb, it’s going to be a bigger problem. So it’s just not happening fast enough. I mean, what is this, the third year since this certification has been made available, but there’s still no actual certification. Contractors come to us, hey, we want to get CMMC certified. It’s like, great, we can help you up to a point, but it’s still not solidified as a certification yet, so there’s really nothing to achieve yet. It’s been three years.