How to achieve the Defense Department’s CMMC compliance with Frank Smith

By Test Guild
  • Share:
Join the Guild for FREE
Frank Smith TestGuild Security Feature Image

About this Episode:

Did you know that the Department of Defense (DOD) is mandating that suppliers have Cybersecurity Maturity Model Certification (CMMC) to a prescribed level? In this episode, Frank Smith, Manager of Security and Consulting Practice at Ntiva, shares all you need to know about CMMC. Discover what CMMC is, why you should care, the requirements needed for certification, who needs to be certified, and more. Listen up!

About Frank Smith

Frank Smith TestGuild

Frank brings over 25 years of expertise and experience to Ntiva. He is a Certified Information Systems Security Professional (CISSP) and a Registered Practitioner (RP) with the CMMC Accreditation Body.

As the Manager of our Security and Consulting Practice, Frank currently supports Ntiva clients with CIO, CISO and security consulting services, incident response and forensics, and management of Ntiva’s security suite.

He and his team have helped dozens of government contractors identify and address their requirements under DFARS Clause 252.204-7012 and -7019, developed their System Security Plans and set them on the path towards implementing their POA&Ms and eventually CMMC Level 3 compliance.

As CIO, he managed the IT and Security infrastructure to support an 8(a) business growth from under 100 to over 500 employees. Frank also led numerous federal programs to develop the security and IT controls for infrastructure and modernization projects, and directed a business unit focused on custom, enterprise-level software development activities.

An expert in the FAR and DFARS, he successfully managed the technical and business requirements of RFPs and RFIs and developed solutions that resulted in over $400M of funded contract value.

Frank’s Federal experience spans all DoD departments and many civilian agencies including DHS (TSA, USCG, FEMA, CBP) , FAA, FDIC, GSA, GAO, DoE, DoEd, DoS, DoJ (ATF and FBI), among others.

Connect with Frank Smith

Full Transcript Frank Smith

Intro: [00:00:01] Welcome to the Test Guild security podcast, where we all get together to learn more about security testing, with your host, Joe Colantonio.

Joe Colantonio: [00:00:11] Hey, it's Joe, and welcome to another episode of the Test Guild security podcast. Today, we'll be talking with Frank Smith all about how to achieve Defense Department's CMMC Compliance. Frank has over 25 years of expertise and experience. He currently works as a manager at Ntiva in the security and consultant practice. He's a certified information systems security professional and registered practitioner with the CMMC accreditation body. He and his team have helped dozens of government contractors identify and address their requirements, develop the systems security plans, and set them on the path towards eventually obtaining CMMC level 3 compliance. As you can tell, Frank has a lot of experience in this area and he has experience in all levels of security. So I'm really excited to have him on the show today. You don't want to miss this episode. Check it out.

Joe Colantonio: [00:01:00] It's no secret that the number and complexity of applications are growing, but what is alarming is that 90 percent of security incidents result from exploits against defects in software. The need for better application security has never been higher and MicroFocus Fortify is here to help. Fortify is the recognized market leader in application security, and it is the most comprehensive and scalable application security solution that works with your current development tools and processes. With Fortify, you could start security applications in a single day, including custom code, opensource or commercial components, and scale as your needs grow with an on-premise as a service or hybrid implementation. Check them out, head on over to

Joe Colantonio: [00:01:48] Hey, Frank, welcome to the Guild.

Frank Smith: [00:01:51] Joe, thanks for having me.

Joe Colantonio: [00:01:53] Awesome to have you. As I mentioned in the pre-show, I'm kind of a beginner to security, especially with CMMC. So I thought we take it at a high level and drill down into it because at a high level, what is CMMC?

Frank Smith: [00:02:04] So DoD basically got tired of having unclassified information leaking out of defense company systems because quite frankly, they just were doing the bare minimum and sometimes not even that. So they established a framework that says these are the 334 Level 3 requirements in order to meet and get a CMMC Level 3 certification. So you meet all the requirements. A third-party assessor comes in and verifies that it's good to go and you get a certification for three years. That's an entry point for being able to bid and work on defense contracts that have a CMMC Level 3 requirement. It's actually not very new. December 2017, DOD put in a mandatory NIST 800-171 compliance, and it was a self-attestation. It was a trust model. Basically, say roughly 80 percent of the defense industrial base didn't do it. They either didn't even know the requirement was there or they ignored it. And so three and a half years go by and you say, well, now we have a third party assessed. Somebody is going to come in and prove that you're meeting the requirements model so nobody has, can complain about it. Really. You can't say that the opportunity wasn't there under the self-attestation model. So now we have CMMC.

Joe Colantonio: [00:03:30] Great. So it's CMMC a requirement as of now, I thought I read somewhere. It's not going to be like official requirements at 2026 or something like that.

Frank Smith: [00:03:38] It's phasing in. There have been no contracts released yet that have the requirement. There's up to fifteen for this fiscal year may come out. It'll probably be significantly less than that, given that it's already coming up on Memorial Day. But there will be some of them starting to come out. It will not be retroactive. It will only be on as new contracts come out. So that's why there's this basically five, six-year phase-in period.

Joe Colantonio: [00:04:08] I guess what I'm also confused by, as I just assume, if you work for the government, you need to have security clearance. So why did the government create CMMC? Like, what is the security concern that they have with contractors?

Frank Smith: [00:04:19] Got it. CMMC is designed specifically to address unclassified work. Not every company that does business in the federal government, in DoD in particular, works with classified information. But there's a ton of stuff out there. It's all generically now called controlled unclassified information or CUI. It's sensitive, but it doesn't meet the requirements for being classified. The flip side to that, though, is, is that if you take enough CUI, you can paint a pretty good picture of what's going on. You come up with a lot of details that may be otherwise aren't there. But some categories of CUI are just basic things, Social Security numbers, dates of birth, you know, lots of privacy information. There are actually like one hundred and twenty-five categories that were identified. They came out during the Biden administration in 2010. There was an executive order that defined it. National Archives is the executive agency. You can go to their website and get the entire list of one hundred and twenty-five categories in every one of those are considered CUI.

Joe Colantonio: [00:05:22] I guess how is this different from other cybersecurity standards?

Frank Smith: [00:05:25] It's related, say 90 percent of it derives from the NIST 800-171. NIST 800-171 is a, I'll call it a subset, it's not the best way to describe it, but a subset of the NIST 800-53, which covers Fed ramp and data processing on federal systems. And ultimately they all kind of share a basis back in the ISO 27000 series of kind of cyber standards. So while they are cyber-centric, there are a lot of things about CMMC that are not really cybersecurity. You're not going to go out and buy a tool and deploy it and it's going to magically fix a problem. It's a lot of processes. It's policy. It's how your H.R. department interacts with I.T. and how people get their background checks done and who determines who has access to what systems and how do you maintain, you know, crosschecks so that when employees leave that their accounts are terminated and they can no longer access data. So it's fairly broad. There are plenty of things, though, that can be done with IT, obviously, to address the CMMC requirements.

Joe Colantonio: [00:06:37] All right. So Frank, I guess my next question then is, if I'm a contractor, do I need to be certified or does the company I work for need to be certified, like it does a whole organization need to be certified, or is it just groups within the company, is it just the contractor themselves?

Frank Smith: [00:06:52] Yeah. So the CMC structure allows what's known as data enclaves. So if you have a very large company, you can say only this portion of the company. These are the guys that touched the defense contracts or even within the defense contracting group. These are the company or these are the business units that maybe will touch CUI, and you can isolate it and say this portion of the company will be CMMC certified. Smaller and midsize businesses are going to have a tougher time making a determination on how to set up a data enclave, though. And the folks that will be touching the data, you know, obviously anybody who's performing work on the contract. But does the data go into the contracts folders and do the contracts managers have access to it? And how can they effectively operate the business without touching the data or at least potentially having access to it? If an RFP comes from the government in the statement of work would have typically been classified with a for official use only designation or something like that, it probably in the future will come out with a CUI Node on it. So now your business development people have to have access to CUI and so smaller and midsize companies like I said, are probably going to basically do the entire company. Larger organizations may segment them and come up with these enclaves and structure it in such a way that the CUI and the certification only apply to a certain portion. It's kind of like most certifications, really. You get to define the scope. If you want to do an ISO 27001, you work with the auditor and say, here's the scope. It covers these facilities. It doesn't cover those, you know, those kinds of things.

Joe Colantonio: [00:08:39] So I guess how does someone know they need to be certified? I guess like if you're a contractor and you work for the DOD, I guess it's obvious. But other companies are there situations where people aren't even aware that maybe even though they may not work with the DOD yet or directly, that they would need to be certified?

Speaker 3: [00:08:54] Yeah. So DoD's official position so far is that, you know, roughly 20 percent of the defense industrial base will need a CMMC Level 3 and 80 percent would need a CMMC Level 1. And Level 1 just covers federal contract information. Level 2 exists, but it's not ever going to really be used for anything. It's considered a transitional level. My personal opinion is that DoD has that exactly backward, that in fact, it's going to be 80 percent of the companies are going to go after a Level 3 and only 20 percent that does the most basic types of things are going to go after a Level 1. There are a couple of reasons for that. One is the natural tendency to air on the side of caution. And if in doubt, if something is considered CUI, the program offices are going to air on the side of caution and say it's CUI. The other part of that is, is a tendency, I think, on the defense industrial base itself that says I'm going to potentially want to bid on CUI work, and that's going to require I have that Level 3. Therefore I'm just going to go ahead and do it right now. It's not a huge lift from being compliant with the NIST 800 standard that was put out three and a half years ago to CMMC. If you're going to try to meet the one, you might as well meet them both. And it's not going to stay just in DoD, especially with all these supply chain attacks that have been happening. The Colonial Pipeline won last week, I mean, drove it home to everybody. The supply chains are vulnerable. Everybody has to up their game. And you're going to see the large you know, the big defense contractors, the Lockheed, the Raytheon's, the General Dynamics. They're going to force some of these requirements deeper into their supply chains that maybe they have to and they're going to do it over an abundance of caution, too, because they're ultimately responsible for problems that happen in their supply chains, too. So I think you're just going to see all of this go. But I'll put in this plug for compliance and just good cyber practice. If I were to go through the one hundred and thirty requirements that are part of CMMC Level 3, most companies should be doing most of those things anyway. There are some things in there that I call or form over function, and that happens, by and large, if you're doing any kind of business, don't you want to protect your systems? I mean, your proprietary data? You don't want that getting out do you, right? So up your cyber game, put some of those minimums out there and I'm shocked day in and day out when I see companies and go, you don't have MFA, you're sending account information, clear text, emails. It's shocking sometimes what companies do and it's like put compliance aside, you need to up your game.

Joe Colantonio: [00:11:49] Absolutely not. You've spoken on different levels, 1 and 3, I believe there are 5 levels to CMMC compliance and I don't mean we go through each one. You've touched on a few just to get people what it means to go from 1 to 5. So I think one is performed is the process. And there's like a practice like basic cyber hygiene? Could you talk a little bit about step one?

Frank Smith: [00:12:09] Yeah. So Level 1 is literally the most basic. It actually is just pulling requirements out of the federal acquisition reg that has been there forever. And it says if you want to do business with the federal government, you have to meet the 17 most basic requirements. If you're not meeting the 17. Shame on you. You know, turn your computer off and go home. That will be a fairly easy bar for companies to meet. As you move up the chain for CMMC, the number of requirements increases but you also have to demonstrate more maturity. And that's the, one of the Ms, it is the maturity model. Right? You're basically saying I'm doing the minimum, I'm getting by, I'm putting some more structure around it. I'm making it a more repeatable process. I'm putting a level of formality into it. And at the same time, I am upping my technology. Level 2, as I said, is really just a transitional level. DoD doesn't really intend to issue any requirements at Level 2. Level 3 is the minimum level for controlling CUI. And as I said, I think that's where most companies are going to target. 4 and 5 are considered additional controls and requirements to protect high-value programs. Now, when the model was announced, they were estimating that that's going to be somewhere like if my memory is right like 80 contracts might come out with a Level 4 or 5 and 4 is considered, I think, more transitional. Also, if you're going to go towards 4, you're going to basically go to 5. But the number of companies that will meet that level is pretty small and they are probably already in pretty good shape because they may even already be processing classified information. So for them, it will be a structural kind of change, but not a huge lift for them, I don't think. 

Joe Colantonio: [00:14:01] As you mentioned, if someone's already doing some sort of security program at the company, Level 1 seems like it's just basic cyber hygiene. So is it most likely a lot of companies already have this in place and it's just a matter of validating it or getting, you know, DoD to recognize that they actually meet Level 1?

Frank Smith: [00:14:17] Yeah, they will need to have a third-party assessor come out and actually do a level one audit. They should be fairly quick and easy. We don't really know what any of this is going to look like yet. There are no certified companies. There are some provisional assessors. Defense Contract Management Agency operates something called the DEV (CAC) out of Fort Lee. And the DEV (CAC) is doing the first assessments of companies that want to be assessors. And so they are just starting down that path. They will be Level 3 assessments. So once the infrastructure comes out a little bit and we see what the training curriculum looks like, I think we'll have a better idea of the complexity of what all those will look like. But I think a Level 1 audit should be fairly quick, maybe a couple of assessors a couple of days tops come in. Yes. Validate what you're doing and move on. A Level 3 assessment, probably, you know, 4 people for a week, maybe two. That would be on the extreme, I think. But, you know, the market price is going to dictate what all that looks like. So but if you look at the other assessment methodologies that are out there now, SOC audited at an ISO27001 audit and ISO 9000. I mean, these things are all thirty, forty, fifty thousand dollars to have the assessments done. So that's where the defense industrial base has been kind of pushing back on DoD, saying this is going to cost me a lot of money to get well and it's going to cost me a lot of money to have my assessment done. In DoD's defense, the amount of money to get well should be pretty low for companies because they've been certifying that they've been doing this since December of 2017 and under that self-attestation model. So you kind of can't say I have to go spend a lot of money to fix things because you should have been doing most of it already. But we are where we are and the assessments are expected to be good for three years. That's the current plan. I haven't heard anything that there will be the, you know, the annual touch with like a mini-assessment or anything. So three years they're considered allowable costs in the government's accounting standard, but they are not direct costs. So companies will be allowed to include them in their overhead. But it won't be something where you can simply turn around and pass the bill on to the government. That said, though, there are a ton of programs out there, the Small Business Administration has money available, DoD has been sending money to various state agencies, you know, to help especially manufacturers. I think they're going to have a tougher time meeting some of the compliance things. So there is money out there to help offset some of the costs.

Joe Colantonio: [00:17:04] So how descriptive is CMMC? See, the reason why I say this, I know there's a lot of companies, as you mentioned, the cost is very expensive to get audited manually. There's a lot of solutions coming on the market that automate some of those to make you compliant. Is this something that could be automated or is it like, is it that hard in stone? Exactly what needs to be to get compliance? Is it more like you actually need an auditor to manually go through all your assets to, to see if you've achieved compliance?

Frank Smith: [00:17:28] So when the assessors come on to actually do your assessment, they're going to be looking at the process, policy, and technology and they're going to be validating that in a bunch of different ways. So they will interview the folks that are responsible for implementing something. They're going to look at your written policy. They'll look at the technology and make sure that that policy is implemented. They may, in fact, look at it and say, OK, you have a process that says on a monthly basis IT sits down with HR and validates that everybody that left the company has had their accounts disabled. And we're clear on all of that. The assessors then are going to turn around and say, OK, show me the meeting minutes, prove that you've, in fact, done what you said you have done. You can go in and say, well, here's their account. You can see the boxes checked, it's been disabled, but you have a policy and a process. You need to also validate that that's being done correctly too. There is not going to be simple automation that's going to make CMMC easy. I'd even go one step further that it's a little disingenuous for some of the companies out there that are guaranteeing some type of a pass because it just isn't going to be possible. Most of the tools out there will help you with assessments, but you're still having to fill in and say, here's my policy, here's my process. And that's sort of part of that concept of maturity, right? It's written down. I have a defined process. I follow it. I can prove that I follow it and I have the technology to enforce it.

Joe Colantonio: [00:19:04] Absolutely. So I come from a health care background, I worked for a large health care company. Almost sounds like an FDA audit where it's actually you define the process, but you need to be able to explain the process so that the auditor is just going through and just seeing what you said you do and asking to validate it. So I guess the company themselves are what define what they're going to be audited for. It's not no got yous really, I'm guessing.

Frank Smith: [00:19:24] I go back and forth on this in some ways. I wish DOD would be more prescriptive and say here's the requirement, but for some of the requirements and I'll use vulnerability scanning as an example. This is a little pet peeve of mine. So I admit that upfront the requirement is that you define a policy for doing periodic vulnerability scans and basically then you need to demonstrate that you do those periodic vulnerability scans. Well, if I have an internal policy that says my periodic vulnerability scans are once a year and I do a scan once a year, and I prove to you that I've done a scan once a year, I've basically met that requirement, but I haven't really met the intent of that. Right. But when you really look at it, if DoD wanted monthly or quarterly or whatever periodic scans, I would have rather have just seen it come out and say do monthly vulnerability scanning and be done with it instead of leaving it up to interpretation. So there's a lot of things in the standard that is kind of I liken them to baseball. I had season tickets and that's park for many, many years. I also am a volunteer baseball umpire and baseball rules from the outside don't make sense, but internally they are consistent. And so within CMMC, there's a similar problem in some ways. You can go through several of the controls and make them internally consistent and I suppose say compliant. But you're still at the mercy of a judgment call of an auditor to say, well, that wasn't really the intent. And for some things, it might be just better to say we want 15 character passwords that change every six months and meet all four of the complexity requirements. You know, just put it down and make the judgment parts of it go away.

Joe Colantonio: [00:21:17] Absolutely. It was like it once again reminds you of an FDA audit. It all depends on the whim of the auditor. You don't know what they're going to call out or what one auditor sees maybe not what another person sees, what is right in the end. So it is kind of.

Frank Smith: [00:21:30] Yeah, and there is fear isn't the right word, but it might be.

Joe Colantonio: [00:21:34] That's fair.

Frank Smith: [00:21:36] Yeah. That because this is expected to be a market-driven environment for assessments that cheap. Assessments which will appeal to everybody might be less rigorous and that some companies that have a longer history of doing these type of assessments will be more in line with what the entire ecosystem expects, but that, you know, smaller companies that are trying to break in are going to come in and do it at a lower cost and in fact, might not have that same, that same level of thoroughness, maybe simply because they are trying to do it for a lower cost.

Joe Colantonio: [00:22:15] Interesting. So I know how you work around that then, because it's third-party vendors that are doing this, right?

Frank Smith: [00:22:21] Yeah. And the thing I haven't mentioned, so DoD established the framework. It has been turned over to a third-party body, which is the CMMC accreditation body. They have a no-cost contract with DoD and the accreditation body in and of itself as a nonprofit will manage this whole process for DoD. So between those two organizations, they're basically saying we're not going to set a price. When DoD published this in the Federal Register, initially they had, you know, it's DoD in the Federal Register, right. And we think the Paperwork Reduction Act costs and all those other kinds of things and they put all their estimates in there were absurdly low, though I don't even they were so low that I think I just discounted them initially. It never really looked again. The cost to do this for companies is much higher than what I think they expect. But the bottom line for a typical DOD contractor that, you know, has a small office, has a back office, staff, contracts, H.R., the president of the company, all those kind of things, has a fair number of people work on government sites because it's a lot of defense contractors do that. The impact on the bottom line is negligible. It's just not going to be that big of a deal. Yes. When you say, oh, I'm going to spend, you know, thirty thousand for an audit and it's going to cost me fifty thousand to produce some new documentation, and I've got to spend 50 grand to do some new technologies and my monthly recurring costs are going up by several thousand dollars. Divide that over the hundreds and thousands of hours of billable time that you have to the government. And it's pennies, right? So it's going to have an impact, but it's not going to be you know, I have to go out of business. Now, that small 10 person company may be just starting out veteran-owned small business kind of working out of the garage. Right. That only has maybe, you know, ten or fifteen employees. Yeah. They're going to feel it much more than, you know, a company, seventy-five to one hundred. And then, you know, and up from there.

Joe Colantonio: [00:24:31] I'm just looking over my notes. I know we covered the five levels of CMMC. I also have seventeen capability domains.

Frank Smith: [00:24:38] Yeah. So the requirements are grouped into domains, you know physical security is one and then there's a bunch of controls in physical security and identity and access control and it's a category and they're grouped like that actually if you really trace it all the way back, the genesis of that is all in the ISO 27000 stuff. That was the first place that it started being group that way. And it's a very convenient way. It puts like controls together for CMMC compliance, I'm telling everybody, you better have a written policy and procedure for each one of those 17 families of controls. And then within there, you're going to implement something specific, but you need an overarching policy and process for physical security. And, you know, that's everything from who manages the key cards, is the building locked, and is your I.T. equipment in separate storage? And, you know, just everything you can possibly imagine is addressed in there. And there's a lot of overlap, too. So one hundred and thirty controls for Level 3, there's 10 or 12 of them that all basically say the same thing regarding access to logs. So every company out there right now has every log turned on they possibly can and never looks at them unless something breaks and the requirements use a variety of words. But it's review, monitor, analyze, store, protect, audit your logs. You don't have to treat each one of those controls separately. You can look at it and say, I'm going to go use a siSIM solution and it's going to protect and it's going to analyze and it's going to monitor my logs and all those kind of things. And then I just have a process for monitoring my SIM.

Joe Colantonio: [00:26:21] Also Frank, in your intro, I mentioned that you helped set the path towards eventually helping companies obtain CMMC Level 3 compliance. So you work for Ntiva, is that something Ntiva does or how do you help companies get to that or get ready to get that kind of compliance?

Frank Smith: [00:26:38] Sure. So Ntiva is a managed service provider. We do outsource IT. And when I joined the company a few years ago, I looked and said, you know, there are lots of small businesses in the D.C. area that would benefit by outsourcing their IT. And then CMMC came out a few months after I joined and I was like, hey, this is an opportunity. So I took the Level 3 requirements and mapped them against the managed service providers' kind of out-of-the-box solutions and said, look, we do vulnerability patching, right, a lot of companies don't. They don't have the ability to push every time Microsoft sends out changes to Windows. Those are just the core functions of a managed service provider. Well, here are the extra things we need to do to help companies meet CMMC requirements. So we kind of structured a plan around it that said we can help you with a lot of these controls from a technology side. And at the same time, we can guide you down a path that says, here's what we think you need to be doing on the policy and procedure side, how we can help with some of those things. But if you want somebody to come in and write H.R. policies and help you with your contracts, you know, flow and you need to involve other people than IT. And there are companies out there that will help you with all that policy stuff. And, and we've been referring folks to some of our partner companies. I am an engineer by training background. You don't want me writing some of your policies because it's going to sound like an engineer wrote them. Right. But at the same time, you can Google CMMC policies and you're just going to get a bunch of blank templates. You cannot just simply substitute the company name in there. I mean, you need to capture what you're really doing so we can help companies, basically, we look at their current environment, we look at their policies or procedures or technologies, and we help them create the roadmap for what they need to do to get from where they are to where they can be a CMMC Level 3 compliant.

Joe Colantonio: [00:28:35] So can you talk Frank, a little bit about the DOD assessment methodology? What, what they use?

Frank Smith: [00:28:39] Yeah. So the NIST 800-171 requirement that I mentioned that has been mandatory since December of 2017, DoD created an assessment methodology, and basically, it's a scoring algorithm that says, give me your system security plan, which is based on that 800-171 and I'm going to start you with one hundred and ten points. And I'm going to deduct either one, three, or five points for every one of the controls that are not fully implemented. And that came out. And then CMMC got this big energy and everybody focused on CMMC and the DoD assessment methodology kind of took a little bit of a backseat. Well, DoD turned around and said, no, CMMC is going to phase in over five or six years and there's enough push back, we're going to reinvigorate this assessment methodology. So starting in November of last year, every company doing business basically has to score their own system security plan, which was that self-attestation model, and upload that score into the supplier performance risk system that the body maintains. And that's basically required before you can get an award. So while CMMC is phasing in, the DoD assessment methodology score started back on November 30th and everybody panicked because there were a lot of companies that didn't have system security plans and they didn't have any method of scoring them. So you need to create that system security plan in the short term. That is your stepping stone to Level 3 anyway. Your score can be anywhere from one hundred and ten, which is a perfect score all the way down to minus two hundred and three. Only DoD could have come up with that as a scoring algorithm, but that score has to be uploaded and that's required right now today. And this is kind of the precursor to the full implementation of CMMC.

Joe Colantonio: [00:30:35] Okay, Frank, before we go, is there one piece of actionable advice you can give to someone to help them with their CMMC efforts? And what's the best way to find or contact you?

Frank Smith: [00:30:43] Yeah, so the I mean, you got to know where you are. You need a gap assessment. You need a system security plan. Those are absolutely required right now. If companies don't have them, you're putting all your DoD dollars at risk, but you will never get to CMMC, even Level 1 unless you do an assessment and say, where am I today? Here's where I want to be. And you draw a map, phase it in. I mean, it's not like you have to throw a switch and go spend all that money right now today, as you pointed out, it's phasing in. Spend the money over the next 18 months, 24 months, 15 contracts in 2021 was the target. 75 in 2022, that would have CMMC requirements. That's not that many contracts. 450 was the plan for 2023. Now that's a big jump. Right. So let's look at it and say we're partway through FY2021. Realistically you have 18 months to figure out where you are, where do you want to be, close the gaps, have the assessment done and put yourself in a good place. All your competitors are spending the money too. This is a pay-to-play model, right? If you want the business, you will spend the money. That's where the previous model fell apart. Some companies implemented it and basically put themselves at a cost disadvantage because their competitor hadn't spent the money but was saying that they had. And so do the gap assessment, come up with a plan, budget it for the next 18 months, maybe two years even, and go for it from there. We have a ton of stuff on our website at, how to do it, what a Level 3 looks like, where we can help you meet Level 3. We can help you with a lot of things, but I can't help you with physical security because it's your building and you know, you need to maintain a visitor control log and stuff like that. So like I said, not everything is technology, but it's a lot of process and policy stuff as well.

Joe Colantonio: [00:32:41] Okay Frank, the best way to contact you is that through or?

Frank Smith: [00:32:45] would work or you could even send it to And I have that email address available that you can send it to me directly.

Joe Colantonio: [00:32:53] Thanks again for your security testing awesomeness. If you missed everything of value we covered in this episode, head on over to And while you're there, make sure to click on the Try Today link under the Exclusive Sponsor section to learn all about MicroFocus Fortify, which is the recognized market leader in application security. And if the show has helped you in any way, why not rate and review it on iTunes? Reviews really do matter in the rankings of the show and I read each and every one of them. So that's it for this episode of the Test Guild Security Podcast. I'm Joe, my Mission to Help You Succeed with creating end-to-end, full-stack security testing awesomeness. As always, test everything and keep the good. Cheers.

Outro: [00:33:38] Thanks for listening to the Test Guild security podcast. Head on over to for full show notes, amazing blog articles, and online testing conferences. Don't forget to subscribe to the Guild to continue your testing journey.

Rate and Review TestGuild Security Podcast

Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
A person is speaking into a microphone on the "TestGuild News Show" with topics including weekly DevOps, automation, performance, and security testing. "Breaking News" is highlighted at the bottom.

AI for Test Coverage, Why Playwright is Slow, Crowdstrike and more! TGNS129

Posted on 07/22/2024

About This Episode: Do you know how much of real production usage your ...

Mark Creamer TestGuild Automation Feature

AI’s Role in Test Automation and Collaboration with Mark Creamer

Posted on 07/21/2024

About This Episode: In this episode, host Joe Colantonio sits down with Mark ...

Javier Alejandro Re TestGuild DevOps Toolchain

Building a Real World DevOps Pipeline with Javier Alejandro Re

Posted on 07/17/2024

About this DevOps Toolchain Episode: Today, we have a special treat for all ...