
In this episode of "Regulatory Phishing," Government Contracts and Cybersecurity attorney Eric Crusius is joined by Stuart Itkin, a senior vice president and the chief marketing officer at NeoSystems. Their conversation covers the overall cybersecurity landscape, especially the Cybersecurity Maturity Model Certification (CMMC) program, and discusses the important role managed service providers (MSPs) play in the ecosystem.

Podcast Transcript

Eric Crusius: Welcome back to the latest episode of "Regulatory Phishing." This week, it's my pleasure to welcome Stuart Itkin to the program. He's the senior vice president and chief marketing officer for NeoSystems. He is focused on bringing managed services, software and consulting to address the compliance, cybersecurity and back office needs of small and medium businesses. Prior to his time at NeoSystems, he was the CMMC and FedRAMP Assurance lead at Coalfire Federal and helped lead them through their DIBCAC assessment to become one of the first authorized C3PAOs. Before that, he was vice president of product management and marketing at Exostar, a joint venture company formed by Boeing, Lockheed Martin, Raytheon Technologies, BAE Systems and Rolls Royce, where he had responsibility over the company's compliance management, supply chain, risk management and secure collaboration platforms and for establishing its CMMC practice area. He served in leadership roles with the cybersecurity companies PivotPoint Risk Analytics, Safe and ThreatTrack Security, as a lead mentor at the Virginia State government-funded MACH37 Cybersecurity Product Accelerator, and as an advisor and board member to several early and growth stage cybersecurity companies. He earned his B.A., M.A. and an ABD from the University of Illinois at Urbana-Champaign. He spent a lot of time at that university with those degrees.

Stuart Itkin: I did.

Eric Crusius: And personally I've known Stuart for a number of years now. It's always a pleasure interacting with him in the CMMC ecosystem, for lack of a better term. He's one of the folks in the ecosystem who really knows what they're doing. He knows what they're talking about. So always appreciate his opinion on things and that's why he's here today. Thanks, Stuart.

Stuart Itkin: Well, great, Eric, thank you. And thank you for the time today.

Eric Crusius: Of course. So the first thing I want to start off with is that NeoSystems is a managed service provider. Of course, NeoSystems is not the only one who does that, but they're one of the prominent ones out there. What is a managed service provider?

What Is a Managed Service Provider (MSP)?

Stuart Itkin: A managed service provider is a third party company that remotely manages a client's or a customer's information technology infrastructure and their end users' systems. And again, these are primarily smaller and midsize organizations that look to a managed service provider to be able to support them and provide services that they may lack the expertise internally to be able to provide for themselves.

Eric Crusius: Managed services are something that a lot of small and, like you said, medium-sized businesses can really utilize in different kinds of compliance areas with respect to data retention and just running their IT systems in general. We had CMMC come out or, you know, version 1.0 come out a number of years ago, and we had 2.0 come out in late 2021. As people are listening to this, we're either about to see or have just seen the proposed rule from DOD for CMMC. What kind of role do you see MSPs playing with CMMC?

The Role MSPs Play with CMMC

Stuart Itkin: I think they play a very important role, and they play a very important role for the small and medium enterprises that make up the defense industrial base. Again, if we looked at the DOD statistics, you know, they've said before that Level Two of CMMC, that's those that handle CUI, is about 80,000 companies, and about 73 percent of them are small and medium businesses, meaning that the majority of these businesses don't have either the technical depth or the compliance depth or understanding that they need to really understand the requirements, to satisfy the requirements and to be able to maintain their environment in a way that stays compliant, so to speak. The role of the managed service provider can start with bringing in or creating an infrastructure that is secure and satisfies the technical requirements. It can involve bringing in best practices, policies and procedures that satisfy the non-technical requirements for CMMC, and it can provide the ongoing management of that IT infrastructure for an organization to ensure that the policies that they've created are being followed, that the processes that they've elaborated to support those policies are being strictly followed to the letter of the law, and really providing the depth that is needed. I've seen some small organizations that have an IT guy. Well, you know, it's important that you have coverage, in some cases 24/7. You don't know when an incident may occur. You don't know when something may come up where it truly needs IT to be able to respond to something, whether it's simply help for a user or whether it's a potential incident that needs immediate investigation and response. And if the IT guy is sick, if the IT guy goes on vacation, how is that organization able to function? And what the MSP provides is, again, a shared service. So there is a large pool of people with varying degrees of capabilities that are on call and shared by a number of clients that the MSP has.
The benefit to the small organization is that there is always somebody available to help. And more important, there is always the appropriate person who is available to help. If it's a security person to help with a potential incident, if it's merely a help desk technician to help with a password reset, the MSP is ensuring that an organization has the coverage and the support to ensure business continuity and resilience.

Eric Crusius: So a couple of things I just want to break down because I think there are some really important points in there. First, the 80,000 companies, and I've heard the same stat that you did, will be seeking a Level Two certification because they handle some kind of CUI. My theory of the case is that in order for CMMC to work, in order for the third party certifiers to come in and look at each contractor, we need to have MSPs as part of the ecosystem, or else there's not going to be time for these folks to review 80,000 bespoke systems. Whereas if you have, the largest may have their own, or maybe even some of them use MSPs, but those small, medium-sized businesses uniformly use a dozen or two different MSPs to provide their back office support, so to speak. But the whole idea of what you were talking about, I feel like that would make CMMC assessment easier.

Stuart Itkin: Absolutely. I think that's an important point, that if you look at cloud services, for example, if somebody is using a cloud service for file collaboration, for secure sharing of information, that cloud service will have gone through a certification to demonstrate that it satisfies the requirements of the FedRAMP Moderate Baseline, and as a consequence you, as the organization using that, inherit the security that is built into that. You don't need to worry about, is there a lock on the door of the data center? You don't need to worry about whether backups are being done. You inherit all of those things from the cloud service provider as a consequence of their achieving FedRAMP Moderate equivalency. Similarly, with a managed service provider, there is a set of responsibilities that the managed service provider is taking on, which you directly inherit as an organization engaging or hiring a managed service provider. What it means is that it makes the burden that you have to satisfy those compliance requirements smaller. But to the extent that a managed service provider, like a cloud service provider, has a standard shared responsibility matrix, it makes it easier for the assessor to simply say this managed service provider has been vetted. We understand what the services are that they provide and already know what is inherited by the individual company without needing to go through and assess every single one of those controls.

Eric Crusius: Right. I think that's a great point. There will be some controls that still have to be assessed because there are some that are physical-based, company-based, locality-based, but there are a lot of them that would be based off of the managed service provider's already-received certification, whether it be FedRAMP or a CMMC certification. We had a discussion on the podcast, it was really a monologue for me, on August 25, talking about the leaked documents, CMMC documents, they call them 2.1, and they talk about those cloud service or managed service providers, what kind of certification they need to have, and they seem to indicate, at least in their draft forms, that a FedRAMP Moderate would be enough. So if you have a cloud service provider or managed service provider that has FedRAMP Moderate, then they'll be permitted to, I guess, absorb those controls that are in the assessment.

Stuart Itkin: You really hit on an important point. The leaked documents, I mean, they were out there for like 24 hours. I happened to scrape a copy of them. And they talk about, for a cloud service, the minimum requirement being satisfying the FedRAMP Moderate baseline. For a managed service provider, the requirement was that they simply satisfy the CMMC Level Two requirements or meet all of the requirements of 800-171 plus the additional DFARS requirements that exist. And we kind of look at that and say, well, that's a good start, but in some respects it's really not sufficient. We look at that 800-171, and the CMMC requirements are about ensuring confidentiality of information, but there's so much more that an MSP is responsible for. It's for data integrity, it's for availability of that information. And you really feel that the standards that an MSP should be held to really need to reflect their ability to ensure data integrity, to ensure data availability. And to that end, you know, NeoSystems, along with a number of other managed service providers who focus on the defense industrial base and satisfying CMMC requirements, have formed a 501(c)(6) called MSPs for the Protection of Critical Infrastructure. And one of the tenets of our platform is specifically to see that an appropriate set of requirements is developed for managed service providers that recognizes the important role that they play within the ecosystem. And think about it, that an individual company, a small manufacturer, certainly the information that they have is valuable, but it's one piece of a puzzle. But if you look at a managed service provider, and if a managed service provider is able to be breached by an adversary, the responsibility that that managed service provider has is over a number of different companies.
And so whether it's the security of their information or the ability to continue to do business and so forth, MSPs, in some respects, represent a higher-value target to our adversaries, hold a higher level of risk in a sense, and really do need to be held to a higher standard with respect to the assurance that they can satisfy these requirements. So again, there are a lot of MSPs that are out there, a lot that are really very good, but it's important that an organization, in evaluating an MSP, truly understands whether that MSP understands the requirements under 800-171, can satisfy those on behalf of their client, those that are shared. But more important, I mean, have they achieved a level of cyber maturity themselves that is going to provide assurance for that company?

Eric Crusius: All great points. It's not often you hear somebody in an industry that says, please regulate us more.

Stuart Itkin: Absolutely. I mean, I think, you know, that we're in this, I mean, obviously, you know, for all of us, this is a business. But we're in this business because of a belief in the mission of CMMC and the security of critical infrastructure and the defense industrial base. And we feel it's important, for that mission to be satisfied, for it to succeed, that those that are providing services really are capable of delivering services that meet the objective.

Eric Crusius: Right. And I think that's smart because you want, if managed service providers are not held to a higher standard and there's a significant breach, it could really put the whole industry in a bad light. And maybe deservedly so, because there were lax or not sufficient security safeguards in place, and not just one company's information was leaked or breached, but dozens and dozens.

Stuart Itkin: Or even, it may not be a breach. It's simply a ransomware attack that may affect that MSP's ability to support its customers. And now those customers are no longer able to function. So, again, it is a very important role that the MSPs play. But again, they have a higher level of responsibility at the same time and need to be prepared to handle that responsibility.

Eric Crusius: Right. And for folks listening, the website for that is mspcollective.org for more info on that. So you've made a lot of interesting points. And one of the things I wanted to kind of touch on was we know about Level One, Two and Three in the Cybersecurity Maturity Model Certification program. And I think Level One is kind of being ignored right now because there's a lot of ink being spilled on the Level Two third party certification that's going to be required once Level Two gets up and running. But, you know, Level One is a self-certification. In CMMC 1.0, it was a third party certification, and I think once CMMC 2.0 came out, a lot of folks viewed it as a step back and that CMMC is not being taken seriously anymore because Level One was no longer a third party certification. I disagree with that. I think self-certification is in some respects riskier because you're putting your neck on the line to the government when you're self-certifying, whereas if you have a third party coming in and kind of blessing what you're doing, really the assessor, if the information given to the assessor is accurate, it's really the assessor that's blessing the company.

Stuart Itkin: And, absolutely, and I think, you know, with respect to the Level One self-assessments, one of the changes that we anticipate in the new CMMC rule is that the self-assessment is going to need to be signed and attested to by a corporate officer, making that corporate officer individually liable at the same time. And if you kind of dial the clock back and remember when Sarbanes-Oxley came into effect and all of a sudden CEOs and CFOs needed to sign their financial statements, it created a whole industry for Ernst & Young and other accounting firms. And in the same way, it's not just the liability. And while there is a reduced number of controls under Level One, that doesn't mean that they're easy, and ensuring that, again, you have the proper support and help to see that those requirements are satisfied is really important. Access control seems like it's simple, access control, but if you understand the requirements, there are some very specific responsibilities that need to be satisfied. And an organization that doesn't have somebody with either compliance expertise or technical expertise may not understand those and say, yeah, I think we're good enough, we've satisfied that, when in fact they haven't, putting themselves at risk. The same thing with multifactor authentication, it seems pretty simple. Again, more organizations fail to satisfy multifactor authentication completely than almost any other control. So having that support of a managed service provider that comes in with the expertise and with technical solutions that are known to satisfy those requirements, again, does two things. I mean, they assure the organization that it has satisfied the requirements and has really made itself secure, that it's protecting its own information, not just the odds.
And on the other side, it's certainly providing a cushion for whoever is signing their name on the bottom line, saying, you know, yes, I attest that we have satisfied these requirements. Having somebody else who is an expert who can attest and say, yes, you know, we've supported this activity and believe that they, in fact, are in compliance, certainly provides a lot of value.

Eric Crusius: Yeah, absolutely. I've told people for a long time now that just because you don't have controlled unclassified information doesn't mean you can't get a third party to come in and do an assessment to those Level One standards just for your own edification and to give comfort in certifying when that annual certification comes around that you were talking about, Stuart. And there's nothing that says that those folks can't use a managed service provider. Also, I'm sure some of your clients are folks that would be in a Level One arena instead of Level Two or a Level Three.

Stuart Itkin: Yeah. And again, it's not just about protecting the information that the government entrusts you with, whether it's FCI or CUI. It's also, you know, the intellectual property that the organization has developed and created itself that has current value, that has future value. I mean, really what you're protecting is your business. And in securing your ability to, you know, to continue as a business.

Eric Crusius: Right. I've said that Level One, my typical line in a presentation when I talk about Level One is that it's not a weekend project. It's very specific as far as you need to not just master the control, but also document that you've mastered it, whether it be through training policies or something like that. It's not just a check the box scenario where you say, oh yeah, we're fine, we have multifactor authentication, without kind of having something to back it up.

Stuart Itkin: Exactly. You need to have satisfied it. You need to be able to demonstrate how you've satisfied it. Demonstrate that you're following what it is you said. And finally, you have to demonstrate that it's having the intended result, that it's actually working. And if you can't do all of those things, you haven't satisfied the requirement.

Eric Crusius: Yeah, absolutely. Well, now that we've scared folks who don't have CUI enough in this podcast, let's just talk about kind of timelines as far as how long it takes for folks to get up to speed. I've talked to a lot of companies out there, at presentations or who were just curious, and I think one of the things that are misnomers or one of the things that they don't understand is, are we starting from zero or starting from the 20 yard line? How long does it take to get all the way to the end zone until we can be confident that we are meeting the goals of Level One or the controls of Level Two? And we don't know for sure what the controls at Level Three are, so we could put that aside for now. But what's that timeline that you've seen, at least in your career?

Timelines

Stuart Itkin: I think the, you know, the simple answer is it depends on the complexity of the environment, the number of users, the number of locations. You know, there are a number of things that will factor into it. You know, there's an average that's talked about: an organization that is starting kind of at the beginning line, at the start line, should anticipate that it could take as long as 16 to 18 months to be at the point where not only have you satisfied all of those requirements, but you've developed the documentation, you've institutionalized them such that you're ready to go through the assessment that you need to complete. And there's a difference between satisfying the requirements and being ready to go through a certification assessment demonstrating that in fact you have satisfied those requirements. For Level One, certainly less than that; it's a smaller hurdle to overcome. But at the same time, you know, the time is generally measured in months, not in weeks and days, to be able to put in place the technical controls, put in place the procedures that are required and to truly kind of operationalize those procedures and make them part of the company culture.

Eric Crusius: Absolutely. I think those are all great points, and I think those timelines are consistent with what I've heard. So if we have a final CMMC rule at the end of 2024, which seems to be the most likely timeline, that means that if folks haven't started now, it's almost too late.

Stuart Itkin: My recommendation is go find a time machine, go back about six months and get started. But you know, really, if you've not started to this point, you really are late and need to get going. I think the good news is that there are different approaches to being able to do this. Some organizations will start, they'll go through and do a gap assessment. They'll look at their current state. They'll evaluate the current state against the requirements. They'll remediate those gaps that exist. But that can take time and can sometimes be risky. There are others that take the approach of starting with an MSP that may come in with a technical configuration or an infrastructure that is known to satisfy the technical requirements, come in with policies and procedures that are known to satisfy the non-technical requirements. And rather than making the existing environment the client has compliant, it's teaching the client how to move into a known compliant environment and to use a known compliant set of policies and procedures. That's not going to work for every organization, but when it does, it certainly attenuates the timeline.

Eric Crusius: Absolutely. And I just think your time machine quip is very well taken because that happens oftentimes. But I think it brings home the point that we just need to make sure everyone is aware that this is coming. And DOD hasn't given any hints that they're laying back at this point. They're going through this very rigorous and time-consuming rulemaking process. And they've made public statements saying that they are dedicated to CMMC. What's interesting is that other agencies have taken a different approach from CMMC, but I think I could kind of start seeing how this is all going to tie together. Talking with a bunch of folks in the ecosystem itself, I could see we have Homeland Security now released something on the system for acquisition management, which says essentially that they are going to review folks who are submitting offers as to their cybersecurity readiness, and a cybersecurity readiness factor when they're doing a best value analysis, when that contract is going to include CUI, and they're going to grade folks as having a high likelihood of readiness, a likelihood of readiness or a low likelihood of readiness. And that will factor into the award. And I could see theoretically that DHS will be giving out, you know, they are going to give out questionnaires, and I could see theoretically that those questionnaires may include a question: Do you have a CMMC certification? And if the answer is yes, you automatically get the high likelihood of cybersecurity readiness award, so to speak.

Stuart Itkin: Exactly. Because you've satisfied and demonstrated to an objective third party that you've satisfied that whole set of requirements under 800-171.

Eric Crusius: I wouldn't be surprised if we saw other agencies doing the same thing. And that I think will make a CMMC certification more valuable.

Stuart Itkin: And again, remember the initiative that started way back in the Obama Administration was to harmonize across government how CUI was labeled, how CUI was handled, how assessments were conducted. It's been a long time coming, and I think we're taking baby steps, but ultimately for the good of the government, for the good of those that serve different government agencies, there really is a need to be able to harmonize those procedures.

Eric Crusius: I don't know about you, but my feeling is that if you have procedures that are not harmonized, that leads to worse cybersecurity posture because folks are trying to answer to different sets of controls, and that just doesn't lead to anywhere good.

Stuart Itkin: It doesn't lead to anywhere good, and it creates a lot of redundant expense. You've got people in one agency or department of the government developing requirements and people in another agency developing requirements. Why do we need to pay as taxpayers for two sets of requirements when one set of requirements is essentially addressing the same framework? And for a supplier, if I'm supplying to those two different agencies, I'm going to need to go through two different processes that are going to cost me money, meaning my prices to the government are going to be higher. So it really seems like a lose-lose in both dimensions. And harmonizing these standards across government is going to make it easier for everyone and certainly better and more secure for the government, better and more secure for those that support the government and sell products or services to the government.

Predictions on When the Final Rule Will Roll Out

Eric Crusius: Right. That's a great point. As we wrap up here, one question I have for you is let's assume that the proposed rule for CMMC comes out in November, December, somewhere in that timeframe. When do you see the final rule rolling out? I know this is just a guess, by the way. And any other predictions for 2024?

Stuart Itkin: I think there's a debate of whether it will be an interim rule or whether it'll be an in-process rule. And I think most people believe that it will be in process, so that once it is published, there'll be a 60-day public comment period and then those comments will be adjudicated; kind of the average time the government has taken in adjudicating public comments is then a little bit less than a year. So, you know, 60 days from when it comes out and a year or two, that is when it will become effective. But two things to consider. I mean, one is the point we already talked about, the time that it's going to take an organization to be ready to satisfy and to demonstrate that they've satisfied those requirements. So you really can't wait. You need to start on that path to make sure that you're ready at that point. And the second, you know, is that there is another group of companies that have a real bearing on this timeline, which are the large primes. And so for companies, hypothetically like Lockheed Martin, like RTX, they could potentially come to their supplier base and say, well, we know the government has set this timeline. However, you know, we're expecting you as our suppliers to be able to satisfy these requirements earlier. There's precedent for this. This is what happened when the initial rule for CMMC 1.0 came out, and a series of large primes did inform their suppliers that they expected them to satisfy these requirements earlier than the government required. So, you know, the government may not be the one driving the timeline at the end of the day.

Eric Crusius: Yes, I see that a lot with clients, where they're getting pushed more by their large prime contractors than the government itself, and I think that's a theme that we'll probably continue to see because we see these breaches and a lot of these breaches are happening at the subcontractor level, not the prime contractor level.

Stuart Itkin: Exactly. And I'll just mention a book that I recently read because it was very sobering to me, being aware of what goes on within the defense industrial base. But there's a book called Battlefield Cyber by McLaughlin and Holstein, and if people want to get an understanding of just the extent to which we really are in an ongoing cyber war with Russia and China and the extent to which our defense industrial base and our internal government systems have been affected, again, that book provides a very sobering picture of where we are today and really highlights why the effort that we're all going through to see that CMMC is a success, that those efforts are so important.

Eric Crusius: That's a great point, and I think it's a great way to end. Stuart, really appreciate your time today and your insight and a little window into how managed service providers work and how they fit into the ecosystem. I really appreciate it.

Stuart Itkin: Absolutely. Eric, thank you very much for the time today.
