A Constellations Conversation With... Justin Padilla, Director, Cybersecurity Service, Kratos Defense
October 2021 Edition
The interview was conducted by Kratos’ podcast host, John Gilroy.
 

What you need to know about CMMC... Critical information protection and contracting with DoD


In light of the data breaches that have hit government and commercial organizations, the U.S. Department of Defense is enacting CMMC, the Cybersecurity Maturity Model Certification. This new unified security standard and certification process is designed to significantly enhance cybersecurity and protect critical information across the DoD supply chain. It will also impact contractors in the satellite industry, requiring them to achieve certification in order to do business with the DoD.

John Gilroy
This is a space and satellite podcast; however, the Department of Defense is a key component in this discussion. The DoD does not manufacture anything. Instead, it relies on more than 300,000 suppliers for its goods and services. While the Pentagon is a hardened target, our adversaries understand that DoD’s suppliers are not. To improve the security of the defense industrial base, a relatively new concept called CMMC, or Cybersecurity Maturity Model Certification, is being put into place that will affect companies looking to do business with the DoD, which of course includes the satellite industry.

To break this all down is Justin Padilla, the Director of Cybersecurity Services at Kratos. Kratos was recently named as one of the first two authorized CMMC Third-Party Assessment Organizations, or C3PAOs.


Justin is going to walk us through what CMMC is and how it will impact your organization. Justin, to start this conversation, what’s the crux of CMMC? 


Justin Padilla 
CMMC is an evolutionary step in the DoD’s goal of ensuring that the defense supply chain is protected at a commensurate level with the type of data that a company processes, stores, transmits, and ultimately protects. CMMC is intended to certify that organizations doing business with the DoD meet a standard for cybersecurity processes and practices deemed critical to protecting our country’s economic and national security. 

John Gilroy
What precipitated this whole move to CMMC? 

Justin Padilla  
It seems as though every week we hear about major data breaches, ransomware and other targeted attacks on organizations that have become integral components, not just for DoD, but our daily lives, as well. The troubling thing is those are just a small portion of the cyber threats and attacks that we actually hear about. There are more than 300,000 companies that now comprise the defense industrial base. For years, organizations doing business with the DoD have been self-attesting that they meet the majority of the requirements that are within the CMMC. This evolutionary step is now moving away from that self-attestation model to a third-party assessment model that provides greater assurance that organizations holding this critical DoD data are doing what they say they’re doing and protecting it. 

John Gilroy 
What is the role of the assessment organization, the C3PAO, which Kratos has been authorized to do? 

Justin Padilla 
A C3PAO is a CMMC third-party assessment organization. It’s a trusted, vetted organization that specializes in assessing compliance of companies against a specific framework, in this case, the CMMC security practices and processes. 

John Gilroy 
Instead of relying on a company’s own self-examination, which has been found wanting, they decided to bring in a trusted third party to assess their security, their maturity in cybersecurity, correct? Plus, to be one of these trusted organizations, there must be significant requirements to be authorized as a C3PAO?

Justin Padilla  
Exactly and, yes, there are. There are a number of things that aligned for us. Kratos is a substantial contributor to the defense industrial base, which means that as an organization, the delta or difference between what we were previously attesting to and what we had to obtain from CMMC was rather minimal. For many companies that have been doing business with the DoD, they should really be in that same boat, where they’ve been working towards or have already implemented the NIST SP 800-171 requirements that were part of the DFARS, and now they’re doing that delta to get CMMC compliance. A C3PAO itself has to meet whatever level that they’re going to be assessing against. In this case, it was level three, so we had to validate that our organization, as a whole, was a level three. Another main factor was that Kratos was an early adopter of CMMC, not only from the requirements but also as part of the program itself, working with the accreditation body and helping the community understand CMMC. There are also requirements around the company and staff being vetted from a security standpoint, all playing key factors in becoming a C3PAO. 

John Gilroy 
We’re tackling this topic because companies doing business with the DoD are going to be directly impacted by CMMC.
Can you explain how this process works? 

Justin Padilla  
It is fairly straightforward. If you go to cmmcab.org, there’s a marketplace that identifies different people and resources that help organizations get prepared. It also points you back to the Office of the Under Secretary of Defense’s website, which has documentation that leads people through the process for getting certified or meeting the requirements to get certified. But in order for an organization to get certified, there are a number of steps that they have to take, including making sure that they actually implement the requirements, and then working with the C3PAO to undergo that process.

John Gilroy 
Is the process the same for everyone or are there different levels for certification? 

Justin Padilla  
CMMC has five levels of maturity that have increasing security requirements commensurate with the level of data that’s associated with the contract. Levels 1 and 2 focus on federal contract information, and that is information provided by or generated for the government under contracts that is not intended for public release. Levels 3, 4, and 5 are Controlled Unclassified Information. The National Archives and Records Administration goes into great detail defining those various categories. From a definition standpoint, there’s very specific information that would be better looked up than for me to explain here. However, levels 1 through 3 are the only ones that can be assessed right now. Levels 2 and 4 are eventually going to be steppingstones, from what I’ve heard from the CMMC-AB. That will allow organizations to not necessarily make that big jump from 1 to 3, because there’s a big difference in security requirements between those levels. Level 2 is there as a steppingstone. Levels 4 and 5 are not fully finalized yet as far as the requirements. It’s expected that they’re going to focus on specific types of Controlled Unclassified Information (CUI) that is deemed sensitive to a certain level, CUI that has very specific military or space applications.

John Gilroy 
Are there any tips that you can share with companies going through the assessment process? Like what to prepare for, and how long the process takes?

Justin Padilla 
From a tip perspective, I would say that if you haven’t started getting your organization ready, start now, even if you don’t plan on bidding on contracts or getting assessed next year or three years from now. The longer the runway that you have, the easier it’s going to be. Whenever time is constrained and you need to do something in a shorter period of time, it makes it much more difficult for an organization to implement. 

As for what’s involved, there are essentially four phases involved with the actual assessment. There’s a planning phase, which outlines the scope of the environment and your work with your C3PAO. That includes identifying points of contact, documentation, or demonstrations of what would be needed during an assessment. The C3PAO works with an organization and helps them confirm that they are ready before actually entering into phase two.

Phase two is when we actually conduct the assessment, and that requires an on-site visit to physical locations where CUI might be stored, or whatever is defined in your scope or your boundary. It incorporates in-depth interviews and reviews of documentation and technical testing, things of that nature. The result of that is basically a pass or fail for each security practice and process, which ultimately determines the successful or unsuccessful certification recommendation. For phase three, there’s reporting the assessment results and whether you passed or failed. Note that with CMMC, it is all-or-nothing. An organization has to pass all of the given level’s security practices and processes in order to be recommended for certification. Any one control failure can and will result in a C3PAO not recommending you for certification, which sounds really scary. There is a phase four, which is remediation of outstanding assessment items. That gives organizations up to 90 days to resolve any minor issues that might have been found during the assessment.

John Gilroy 
Regarding costs, will CMMC put an undue burden on small companies that will need certification? 

Justin Padilla  
Organizations should have been meeting or close to meeting the previous DFARS requirements that incorporated the National Institute of Standards and Technology (NIST) SP 800-171 (a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI)). Realistically, there should only be a delta of approximately 20 security controls in order for organizations to get to the CMMC level 3 requirement. Companies are going to have to invest some money to tie up potential loose ends or Plan of Action and Milestones (POA&M) items that they had on their lists. But from an assessment perspective, I don’t see CMMC assessment costs being drastically different from other certifications that organizations would normally go through. The DoD has also said that it may be reimbursable at some point, although I’m not the one to speak on that, but I do think that’s a possibility.

John Gilroy 
I understand that there are CMMC assessment services, but also advisory services. What’s the difference? Does a company do one or both? 

Justin Padilla  
Organizations can do both. An RPO is a Registered Provider Organization, and they provide various consulting or advising services to organizations to get them prepared to undergo a CMMC assessment. That can be anything from helping an organization interpret security controls to integrating security solutions, conducting gap assessments, anything of that nature. The intent is to get them to the point that they can pass a CMMC assessment. When it comes to a C3PAO, that function is solely reserved for assessment, period. And that can be readiness assessments or even the full-on certification assessments. The key element is that a C3PAO, when performing in the role of an assessor, cannot provide guidance or recommendations. They’re only there to assess whether or not you are meeting a given requirement. And so for organizations that are both a C3PAO and an RPO, they cannot serve in both capacities for the same organization. It’s either one or the other.

John Gilroy
What are some of the top challenges here for CMMC compliance? 

Justin Padilla  
CMMC will continue to evolve over the next few years as things get more fleshed out. However, as we’ve been working with companies, CUI handling and the protections, both from a physical and an electronic standpoint, have been areas of challenge. In large part, that’s because organizations should be receiving information from the government that identifies specifically whether it is or is not CUI. In many cases, that hasn’t happened, and so organizations have a really difficult time making sure that they are properly handling and marking information that would be classified as CUI. From a technical standpoint, there are aspects that have proven to be difficult. Multifactor authentication is one. Whitelisting and blacklisting of applications are two others. Surprisingly, being able to gather a complete and comprehensive inventory of an organization’s assets has proven to be challenging for many organizations. Then there’s also the aspect of documentation, which in itself isn’t hard, as you’re really documenting what you do as an organization.

John Gilroy 
Any advice for companies seeking a C3PAO for an assessment? 

Justin Padilla  
As I mentioned, there’s a standard process that all C3PAOs are using, so you shouldn’t see that much variance between one organization and another. I think where it really comes into play is the organization’s experience with the type of business they’re working with. A services organization is very different from one that manufactures equipment. Working with a C3PAO to make sure you get all of your questions answered, that you feel comfortable with that organization, and that they have relevant experience in assessing environments such as your own, is important.

John Gilroy 
Are there any special CMMC considerations that companies in this sector should be aware of? 

Justin Padilla 
Yes, I touched on specialized CUI, specifically the designation Controlled Technical Information. As I mentioned, that is applicable to military and space applications. While I don’t think that everyone is going to have to meet a higher-level CMMC requirement, level four or five, I would imagine that many organizations that support the space industry are working on things that are highly sensitive, that may not be classified but are pretty close. If you’re in that situation, as you’re working toward your level three certification right now, you should also be planning for those higher levels of requirements just to extend that runway, as I mentioned before, so that you have better planning and better options for implementing the solution that’ll get you to where you need to be.

Want to hear from more thought-leaders? Listen to Constellations podcasts as they become available. See the full list of interviews and subscribe at www.constellationspodcast.com 
www.kratosdefense.com