Interview with NQA's Tim Woodcome
Tim Woodcome is responsible for the fast-growing portfolio of Cybersecurity Assurance Services. His responsibilities range from strategic to tactical in supporting all associated departments with growth and auditing techniques of standards such as ISO 27001, ISO 27701 and CMMC.
Q – We are hearing a lot about CMMC in 2020. What is it and who does it affect?
Tim – CMMC stands for Cybersecurity Maturity Model Certification. It is focused on a series of cybersecurity controls, largely based on NIST 800-171. It is a DoD Program that will eventually be mandated for all prime and subcontractors on all DoD contracts, as it is being rolled out between late 2020 and 2025. As such, it is estimated that it will affect between 300,000 and 350,000 organizations at all levels of the Defense Industrial Base (DIB). There is also early talk that other government agencies may adopt CMMC in the future.
Q – What effect will CMMC have on companies that are interested in bidding on contracts for the U.S. Government/D.O.D.?
Tim – First off, it is important to note that CMMC will not affect any existing contracts; it will be written into new and renewing contracts. CMMC will begin to be called out in new RFPs beginning in 2020. The given RFPs will specifically call out the CMMC level at which contracting organizations will need to have achieved third-party CMMC certification prior to being awarded such contracts. CMMC requirements will also apply to subcontractors on the given contracts. As such, many primes are already getting word out to their subs, as the prime's success on contracts will be closely tied to their entire team's CMMC readiness.
Q – How does a company prepare for a CMMC audit?
Tim – There are several ways organizations can begin to prepare. The most hands-on approach would be to simply obtain the CMMC Model and review the practices (requirements) called out for the given CMMC maturity level that the organization intends to achieve. Of particular benefit to this approach would also be to use the CMMC Appendices. Much focus has been put on the Model, but in actuality the Appendices provide much more clarity and guidance on how organizations should be preparing.
The CMMC Model is available at:
The CMMC Appendices are available at: https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf
Another way to prepare would be to engage a knowledgeable third party to help implement practices or provide an independent gap analysis against the CMMC requirements. Of note, organizations should look for alignment to the CMMC-AB, in particular via a Registered Practitioner (RP), a Registered Provider Organization (RPO), or a Certified 3rd Party Assessor Organization (C3PAO). NQA is one such organization (C3PAO status pending) and is currently offering gap assessments to CMMC (along with attestations to the underlying NIST 800-171 controls).
Q – ISO 27001 has been a long-standing information security solution for many organizations. What are the advantages, if any, to implementing ISO 27001 prior to CMMC rolling out?
Tim – ISO 27001 brings two key components to the table: the international recognition of ISO certification that may be more desirable for organizations with global customers or those in the private sector; and the ability to add any additional controls to its own Annex A and wrap them into the management system.
Furthermore, many of the CMMC practices overlap with ISO 27001 Annex A controls. As such, organizations can easily incorporate any unique CMMC requirements on top of the Annex A controls and be ready for both ISO 27001 and CMMC certification.
Many organizations have proven this model, by using ISO 27001 as the base cybersecurity infrastructure for incorporating any number of additional controls such as NIST 800-171. Doing so helps organizations get a jump-start on future CMMC compliance along with the benefits of the on-going management, review and improvement of an ISO management system; and of course, the actual ISO 27001 certification recognized by public and private sector organizations globally.
Q – Cyber threats are top of mind with most organizations. For organizations that may not be equipped to handle all the CMMC requirements internally, what should a company look for in a consultant firm?
Tim – Within CMMC, consultants will be known as Registered Practitioners (RPs) working on behalf of Registered Provider Organizations (RPOs). Such organizations will have some level of training and vetting by the CMMC-AB. This qualification could be important to ensure that the consultant has at least a baseline knowledge of CMMC direct from the source, but of course the organization should do its own due diligence before hiring a consultant to ensure a good fit. If an organization does choose to use a consultant to implement CMMC controls, it should plan to take ownership of the responsibilities in due course.
Many of the practices are fairly straightforward and likely already employed by many organizations as simple, good cyber hygiene. Having help to understand and set up some of the more complex controls is acceptable, but does not abdicate the organization's responsibility to take ownership of its own cybersecurity posture.
Q – ISO 27001, ISO 27701, CMMC, NIST, ISO 20000-1 are some of the many standards related to Cyber Security and IT. How does a company pick the correct standard to meet its needs?
Tim – There are many options to consider, and I think the best options for any given organization should align with its own internal goals and its customers' expectations. NIST compliance, and eventually CMMC certification, will be a must-have for DoD and other future government contracts.
ISO 27001 is the most established and widely recognized infosec standard in the private sector, and is also used in many public sector instances including DoD and beyond; so it may be the most multi-purpose certification available, and it can serve as a solid platform for additional certifications like CMMC.
Newer to the fold is ISO 27701, which helps address the growing Privacy concerns and requirements that organizations may be grappling with; in fact it aligns well with regulations such as GDPR and CCPA.
ISO 20000-1 is unique insofar as it focuses on the whole host of IT Services provided by an organization, and is a nice complement to the above information security standards.
Many organizations implement multiple standards in an Integrated Management System approach, as well. Often this is done by starting with one standard and adding on others over time; although some will integrate right from the start. Either way, this can eliminate much of the duplication and supports a more well-rounded approach; so it needn’t be just a singular choice.
Q – How does a company maximize the benefits of having a management system in place? Do the benefits go beyond the certification on the wall?
Tim – Continual Improvement is a key requirement of any ISO management system, and I think that’s one of the main drivers to going beyond the excitement of initial certification. A rigorous audit will identify opportunities for continual improvement and help organizations continue to evolve and mature any management system. With a cyber certification, that becomes all the more important to keep the controls up to date and in tune with the shifting threat environment.
A cybersecurity program cannot be stagnant, because the threats are ever-changing. Many of the controls themselves look for that continual situational awareness, but management system aspects like internal audits, management reviews and continual improvement drive that even further. Embracing those opportunities, and even the occasional audit non-conformance, can really help organizations improve and maintain a strong cybersecurity posture.
This interview only scratches the surface of CMMC and the related Information Security certifications available from NQA. NQA's mission is to transfer knowledge to our readers as we receive it. Please join us for our upcoming CMMC webinar on August 5, 2020.