EPISODE 58: DHG's Tom Tollerton rejoins Growthcast to talk about the Cybersecurity Maturity Model Certification (CMMC), why it is important for government contractors and what DHG is doing to become a CMMC Third-Party Assessor Organization (C3PAO).
[00:00:09] JL: Welcome to today's edition of DHG’s GrowthCast. I'm your host, John Locke. At DHG, our strength lies in our technical knowledge, our industry intelligence, and our future focus. We understand business needs and are laser-focused on company goals. In this ever-changing world, DHG's GrowthCast provides insights and thought-provoking conversations on topics and trends that address growth opportunities and challenges in the current and future marketplace. Thanks for joining us as we discuss tomorrow's needs today.
[00:00:42] ANNOUNCER: The views and concepts expressed by today's panelists are their own and not those of Dixon Hughes Goodman LLP. Always consult the advice of your legal and financial professional before taking any action.
[0:00:58] JL: Today's topic is cybersecurity and specifically the value of having the Cybersecurity Maturity Model Certification. Our guest today is Tom Tollerton, Managing Director of DHG's cybersecurity practice unit. Welcome, Tom.
[00:01:12] TT: Hey, John. Thanks for having me.
[00:01:14] JL: It's my understanding, Tom, that the CMMC framework released in early 2020 was adopted by the US Department of Defense to enforce protection of federal contract information and controlled unclassified information throughout its supply chain. CMMC certification will be included as a requirement in new DOD contracts starting this year. So in the last few days of 2020, DHG has achieved CMMC accreditation from the CMMC accreditation body. Tom, what is the CMMC and why is it needed?
[00:01:50] TT: Yeah, absolutely. As you mentioned, CMMC is the Cybersecurity Maturity Model Certification, and it is DOD’s emerging standard for protecting federal contract information and controlled unclassified information, which is information associated with the performance of DOD contracts that does not rise to the level of classified information. It's secret or top secret. It's really important for DOD to protect this type of information because there have been a number of supply chain breaches over the years that have revealed pretty sensitive information about mission-critical operations that could potentially damage national security. So DOD has tried to come up with ways to better protect their information that they provide to contractors throughout the supply chain.
As you mentioned a second ago, DHG is now a registered provider organization. That means we are registered with the CMMC accreditation body that oversees the framework, and we are registered to provide consulting and advisory services to our clients, which we've been providing for a number of years now with regard to cybersecurity and data protection.
[00:03:02] JL: Well, that's a great accomplishment. Congratulations to you and your team for getting to that level. I think that it brings up another question when it comes to this certification process. What is that actually like? What could our clients and some of the folks listening today expect?
[00:03:23] TT: Absolutely. Well, a lot of clients, a lot of contractor clients that we have are sort of struggling with understanding, “All right, what does this mean for us from a data protection standpoint? We’re going to see this in our contracts? What do we need to be doing right now to prepare for it?” CMMC will require a third-party assessment and certification sometime in the next five years. The rollout of CMMC is expected to take five years, and what we're doing with our clients is helping them to understand, okay, where are you right now from a data protection standpoint. What do you need to do to achieve the appropriate CMMC certification when you start to see that in a contract or in contracts?
We're helping sort of fill that gap. We're providing advisory services, consulting services, system security, plan enhancement and development, and making recommendations for cybersecurity control to make sure that, as I say, when the contract requires certification that they're prepared to undergo that assessment.
[00:04:28] JL: Let's talk about the timeline for the rollout. We just are now experiencing a new administration. With all of the changes taking place in government regulations, etc., do you feel like the administration might change this timeline?
[00:04:45] TT: Well, DOD, the Office of Acquisition and Sustainment within DOD has explicitly stated that CMMC is full steam ahead right now and that the change in administration will not have any impact on the timing or expected rollout plans and phases of CMMC. They're taking right now what they call a crawl-walk-run approach, which there are a number of pilot contracts right now with CMMC in it, in them. Over the course, as I say, of the next five years, we'll start to see more and more contracts containing the CMMC clause. So contractors need to continue to expect that this will roll out as scheduled.
[00:05:26] JL: We talked a little bit earlier about DHG attaining accreditation. Explain to us what that really means for our clients.
[00:05:37] TT: Yeah, absolutely. Right now, we are providing consulting and advisory services with that RPO accreditation. DHG is also a C3PAO applicant company, so we are planning to become a certified third-party assessor organization. The difference between our RPO accreditation and our expected C3PAO accreditation will be that we will also perform the assessments for the certifications when they roll out, which is expected later this summer. It's expected that C3PAOs will begin to perform those assessments later this summer. DHG, as I say, is currently undergoing our background check to become a C3PAO organization.
[00:06:23] JL: Great. Give us a little insight into what the process is when we are actually coming alongside a contractor to help them with the CMMC certification process. What can they expect? What are we doing? Kind of fill in the blanks for us a little bit there.
[00:06:43] TT: Sure, yeah. The primary help and assistance that we're providing is around gap assessment, so understanding the cybersecurity maturity level that the contractor needs to adhere to or expects to adhere to. We're helping identify the gaps in cybersecurity controls that will help meet the full maturity level they're planning to achieve. We're also doing a number of projects frankly around where contractors have maybe done their own gap assessment.
We're also kind of providing advisory and some project management assistance to actually remediate the gaps that have been identified. That can include anything from policy and procedure development enhancement or changing operational processes. We don't actually implement controls. We're not a managed security services provider but we do help design those controls and make recommendations for specific technologies or specific providers and help advise on the integration of them to meet cybersecurity maturity model requirements.
[00:07:52] JL: I’m sure some of our listeners are up to speed on what it takes to get started in this certification process, but if you could just maybe come up with one or two recommendations. As far as first steps for some of our government contractors that are listening today, what might be the first couple things they should be thinking about or doing as they ramp up to prepare to go through this certification process?
[00:08:18] TT: We always start with the data and understanding what data the organization has, where it is, who has access to it, whether that's internal employees or third parties. Paint the full picture of what the IT environment and operational environment look like. Then from there, communication with contracting officers, with primes if a contractor is a subcontractor to a prime. Understanding what the expectation is going to be, given the nature of data and access to that data that the contractor has. Helping kind of flesh that out opens up clarity around what the maturity level that a contractor will likely have to certify against, whether that's maturity level one, maturity level three, or maturity level five which, of course, are requirements get a little bit more stringent with each increasing maturity level.
Once an organization has understood, A, what information that they have, where it is, and then what the expectation is likely to be, from there it's the gap assessment, understanding, “All right, cybersecurity control. Here's what we do. Here's what we don't do,” and from there remediate the gaps.
[00:09:38] JL: Great. This is all relatively new both for us and for our government contractors. If you could look into the future a little bit, kind of your crystal ball, what is this process going to look like for you and your team and others going forward?
[00:09:56] TT: Yeah. The protection of CUI, I'll just say, has actually been an expectation in the DFARS, DOD’s acquisition rules since 2015 and 2016. The entire reason that we're moving to CMMC from the previous expectation in the DFARS is that contractors need that third party validation. I will call it an attestation but third-party validation and assessment and certification to make sure that they are doing what they are required to do.
Frankly, what we see for our team is we're growing around getting people certified and registered with CMMC to be able to provide these services because we continue to see contractors ask for help, and we certainly want to be helpful. This is an extremely critical initiative for DOD both from a compliance standpoint but just from a data security standpoint, the actual intent of CMMC. We've got to secure for national security purposes the defense supply chain.
[00:11:03] JL: Well, there's not a day that goes by in the news where we aren't listening to commentary about some of the issues surrounding our security on a national level. On behalf of all of us, thank you for the work that you're doing, and I’m sure the contractors that are listening today are going to be very comforted by your words that this process is going to not only help them but help the communication that they have with the government and the security for all involved. So thanks to you and your team and congratulations, again, on your certification.
[00:11:39] TT: Absolutely. Thanks so much, John. Appreciate it.
End of Interview
[00:11:43 JL: Thank you for joining us today to discuss the Cybersecurity Maturity Model Certification with Tom Tollerton, Managing Director in DHG's cybersecurity practice unit. I’m your host, John Locke, and I look forward to connecting with you again soon on an upcoming episode of DHG GrowthCast.
End of Episode