A (4:55)

Well, Jacob, thank you so much for joining me today. Regulations and compliance is the bread and butter of a lot of cybersecurity folks. The reason we're talking about this on the space podcast that I am hosting and not my cybersecurity other gig is, is because there is some very important information that the space industry needs to know that relates to all this. And I don't want to give it away because I'd rather you explain it because I will not do a good job.

B (5:20)

Sure.

A (5:21)

What is it that the space industry needs to know that's coming?

B (5:24)

Yeah. Well, just to get everybody caught up, defense contractors, especially folks in the space industry who are doing work with the Department of Defense, doing lots of awesome things, have requirements in their contracts right now to implement cybersecurity requirements to various degrees. Those requirements have been in contracts for a very long time. Unfortunately, there has never been a mechanism in those contracts to make contractors prove that they're doing those things. And over the years, there have been multiple instances, sadly, where the DoD has paid the price as a result of their contractors being compromised. These are specifically non federal systems. These are systems that contractors owned. And under the deity's analysis, they found out that if they had been implementing these requirements that they were obligated, then those intrusions would have been a lot harder to execute if they would have been possible at all. And so they created this program known as cmmc, the Cybersecurity Maturity Model Certification Program that goes into effect on November 10th of 2025. And that program is designed to make you prove, often through third party verification, that you have in fact implemented those requirements that are in those defense contracts. That starts November 10th. And that's the big news. A lot of people have heard that this is coming over the years. There's been various iterations of it which we can probably get into later on. But November 10th is the big day. That is the day that the regulation officially goes into effect and can start showing up in defense contracts. So if you are planning on bidding on work that will go out as a solicitation in, you know, FY 2026, well, once everything opens back up in FY 26 and later on, then you are going to see these requirements in your contracts and the requirement to prove that you have implemented them, that's in order to take award of the contract. And this is not a thing that you can do after you have taken award of the contract, which means you need to be strategizing what you're going to do before you bid on those things. So realize that it's going to happen now and, and that this is, this is the red light going off to tell everybody to start thinking about it now, not when it shows up in the solicitation.

A (7:43)

Okay, so just to address the. That what you also mentioned about the currently ongoing government shutdown. This is not being delayed by the currently ongoing government shutdown. November 10th is for realsies.

B (7:54)

Yeah. Yeah. So the November 10th date is the day that the regulation goes into effect. And so that's after 60 days of essentially a waiting period. The regulation was published in its final form. 60 days later it goes into effect. That is not stopped or slowed down or delayed by a government shutdown in any way. The only way that this thing in particular would be delayed is just like any other contract clause would be delayed in that a new solicitation wouldn't go out in, you know, on the street because people aren't at work. But it doesn't have anything to do with this regulation. Specifically, the government shut down does not delay the effective date of the requirement. You can even go on sam.gov right now and see some of these things Trickling out in, in new solicitations or even just notices of upcoming solicitations that they're letting people know, hey, this will have a CMMC requirement in it, just so you're aware. Yeah, government shutdown doesn't affect it.

A (8:51)

Okay. That just, we're, we're clearing that one out. So in case someone thinks they got some extra time or something. Nope. Okay, so the CMMC requirement, what is it? What do we need to know?

B (9:02)

Sure. So the CMMC program is one program that is implemented by two different regulations. So the first regulation actually went into effect in December of 2024. It actually went into effect almost a year ago. And that regulation outlines all of the policy, all of the roles and responsibilities, all of the different levels of the CMMC model, what the requirements are, how assessments will work, how scoping and environment will work. All that ticky, tacky, detailed stuff is codified at Title 32 of the Code of Federal Regulations. That's primarily the reason why people have heard about this program coming along for a long time, but they haven't seen it, because creating a new regulation at Title 32 of the Code of Federal Regulations is a massive bureaucratic effort. Takes a very long time to do it. But it was always the signal that the DoD was very serious about this program, because that's not the kind of thing that you just do. That's not the kind of thing that a department or an agency just kind of picks up in their free time. That's a massive commitment. So when they announced that they were going to do that, they were going to do this, Title 32 rulemaking is what they call it regulation making. When they announced that they were going to do that at the end of 2021, that was the signal to me that this was just an inevitability. It might be two years, it might be four years, but. But it will happen eventually. And now here we are, less than four years later, and that rule went into effect. Like I said, it's implemented by two different regulations. So we've got this program that's live, but the process of actually requiring it in contracts is another, of course, another process. Contract clauses themselves are regulations. And so if you want to create or revise a contract clause to, let's say, be in line with a new regulation, you have to go through another round of rulemaking in order to make it. And sure enough, the way the Pentagon works, the office in charge of that Title 32 rule is not the office in charge of the contract clause rule. So literally the left hand and the right hand are doing two different things and they, even though they like share a break room and park in the same parking lot, they don't talk to each other. So we had the program go live a year ago, and now in November, literally almost a year later, we will have the contract clause language, the specific contract clause language show up in contracts. So we've had this weird gap where the program went live in December of 2024, so people could, of their own volition, go pay for a third party auditor to certify their environment against the requirements and have a live, real, bona fide CMMC certification right now. But the DoD couldn't require it in contracts until their contract clause language was. So now that it's final, they can put it into contract. So there's somewhere around 400 companies so far that have their CMMC Level 2 certification. The model has three levels, Level 1, Level 2 and Level 3. So there's about 400 companies that have voluntarily gone to get their CMFC Level 2 certification. But starting November 10, the DoD will start to require at least one of those levels in all new DOD solicitations and contracts.

A (12:25)

When I'm thinking through compliance regs, there is the whole stereotype of it's, oh, check the box, not a big deal, done. But then there's the flip side of people sweating bullets because they're going, I don't know what I don't know, I don't know what I need here. Or I have a vague idea, but I'm missing something. So what are you seeing?

B (12:45)

Good news and bad news. Right. The good news is that, remember the CMMC program is just the verification program. Right? So it isn't. The thing I always like to say is it's not making you do the requirements. CMMC is just making sure you did the requirements. So a lot of people conflate the verification process with the requirements themselves. The requirements, like I said, exist whether CMMC got delayed forever or went away entirely and never existed, you would still have these cybersecurity requirements in your contracts. They've been there since 2013.

A (13:16)

But how seriously were you taking those requirements?

B (13:18)

Exactly.

A (13:19)

Yeah.

B (13:19)

Now the, the good news about these requirements is that they are written by nist. And so they are, you know, very clear and standardized. You know exactly what the requirements are. Those requirements are in a document called NIST Special Publication 800 171A. And the even better news is they give you a standardized set of verification procedures. So this isn't like an ISO audit This isn't like a SOC audit where maybe you know what the cybersecurity requirements are, but how they will be verified is just based off whatever the auditor had for breakfast that day. Like I don't know, like who knows what they're going to ask you? It's horrible. It's not consistent at all. NIST has a standardized set of verification procedures so we know what questions are on the test. The problem is there is a standardized set of verification procedures and they're pretty long. So you have 110 requirements in NIST SP 800 171. But in order to verify that they are implemented, in order to prove that they are implemented, you have 320 questions that have to get answered. That's contained in a document called NIST SP 800 171A as in Alpha. The good news is that the CMMC assessment guides for Level 1, Level 2 and Level 3 put both of those documents together. This has been a blood feud between me and NIST over the years. They refuse to put these documents together into a single document. So for the last four years I've been begging people to look at the other one. 171A. If you just look up the CMMC Assessment guide, you'll find everything in a nice tidy package that's only a couple hundred pages long that gives you all the verification procedures. So this is good because we know what questions will be asked. And so if you go through the requirements and their verification, then by the time theoretically you get to a third party audit, they are asking you the same questions that you asked you. They are looking at the same evidence that you used to prove to yourself that you had implemented these requirements. So we wouldn't possibly have been cutting any corners when we were doing our self assessment versus our third party assessment, right?

A (15:28)

No, definitely not.

B (15:30)

When the DoD sent out their team, which is very small, of actual, you know, DoD employees who are cybersecurity auditors, they found a massive disparity between self reported scores and the scores that they, you know, had as a result of their assessment using the exact same questions. That led to an IG audit. That led to a big report. The Senate Armed Services Committee got wind of this. That led to an actual provision in the FY20 NDAA that said you will DOD create a framework that will hold contractors accountable to prove that they have implemented these requirements. You toss in a couple of compromises for, I don't know, submarine based hypersonic anti ship missiles and that's enough fuel on the Fire for them to say, we're going to come audit these contractors. Because not only is this super important, but they also told us when they accepted the terms of the contract that they were implementing these things, which means they got paid to implement them. They clearly didn't. And that's fraud. So whichever way you slice it, whichever way you look at it, the deity is very serious about it. Now, if you wait until you see this thing show up in a solicitation and your customer is going to award that contract 45 days later, even four months later, that's not a lot of time for you to get familiar with the requirements, overhaul your environment, new architectures, map out your data flows, do all this stuff. It's a lot of work. It's a lot of work. This isn't just an IT problem where you flip a button. Trust me, if you could flip a button, we would sell you the button to flip. And we wouldn't. I wouldn't even have to make all these podcasts.

A (17:09)

I don't even hear if it's just the button.

B (17:11)

No, if it's just a button, we wouldn't need to be explaining it. Right. Yeah. This is a. A serious thing. It's a framework that goes around how the business operates, right?

A (17:21)

Yes. Processes. Lots of processes.

B (17:23)

Absolutely. Yeah. Just like a quality management system in a manufacturing environment is more than just one department doing their thing over there. It's exact same idea with this. It really hinges around how the data flows around. So the good news is it's standardized. The bad news is it's standardized. So if you wait until the last minute, that's a huge bummer. If you study it ahead of time, you know what's going to be on the test. And it's really just kind of a formality at that point.

A (17:57)

We'll be right back.

B (18:03)

What happens when cybercrime becomes as easy as shopping online? Spy Cloud's Trevor Hilligoss joined Dave Buettner.

A (18:11)

On the Cyberwire Daily to explain how.

B (18:13)

A wave of cybercrime enablement services are lowering the barrier to entry and making sophisticated attacks available to anyone. I think it's a pretty good general term that describes kind of an umbrella of tools and services that I would kind of tag as criminal or criminal adjacent. Instead of having, you know, sort of the smaller pool of high sophistication actors that are able to kind of carry out these really vast and costly cyber attacks, you know, we see that being given to much lower sophistication, lower tech folks that are, you know, a much lower barrier to entry. To get into this field, the person that's buying access to this, they basically need a phone and a bitcoin wallet. Make sure you hear this full conversation.

A (19:05)

And learn how the underground economy is reshaping Cyber risk.

B (19:09)

Visit explore.thecyberwire.com spycloud that's explore.thecyberwire.Com spycloud hablas espanol spritz du deutsch Come dul nosk.

A (19:32)

If you used Babbel, you would Babbel's conversation based techniques teaches you useful words and phrases to get you speaking quickly about the things you actually talk about in the real world. With lessons handcrafted by over 200 language experts and voiced by real native speakers, Babel is like having a private tutor in your pocket. Start speaking with Babel today. Get up to 55% off your Babel subscription right now at babel.com Spotify spelled B A B B E L.com Spotify rules and restrictions may apply. I'm wondering, is there anything specific I now this CMMC applies to defense contractors. Anything specifically for folks in the space industry, I imagine it's pretty standard, but.

B (20:18)

You know, anything that they should know, it's generally standard. So the set of requirements are standardized across the levels. However, for folks in the space industry, specifically in manufacturing environments, there are things to be aware of in what they call scoping. So which assets are in scope for which requirements, which requirements apply to what kind of assets is a little different in a manufacturing environment because often on the shop floor, there are ways that you can carve out certain instances. There are ways that you can't carve out certain assets. So it's a little bit more detailed. Manufacturers have a big advantage though, over, you know, like engineering, construction firm or software firm and things like that, in the sense that they have structured quality management systems. And if you empower your quality managers to take time to learn and study the cybersecurity requirements, they're going to see a lot of those processes that they're already very good at rhyme very closely. So the other advantage that smaller environments have is that they're small, right? They're knowable, they have a finite number of assets and people, which makes, you know, getting your head wrapped around what's going on pretty easy. Large environments, you know, they don't know where the bodies are buried. And that becomes a huge issue. Trying to track everything down. In terms of the space industry, a lot of people, you know, will say, hey, we're very special, right? And unfortunately, the more special you are, the more that CMMC is interested in what you're doing. So if you have export control or export regulated ITAR ear regulated items, then you are absolutely going to be included in the set of requirements. So typically what we see is a lot of the scrappy startup space companies are putting ITAR and export regulated information in commercial cloud instances. Big no, no. Read your contracts. That is not allowed. That is not a CMMC thing. That is a thing that's already in the contracts. A lot of times we'll see them use managed service providers, sort of external service provider to manage their IT and security and that managed service provider outsources to foreign nationals to do that work. Big no, no, again, not a CMMC thing. That's just a thing part of the export control. So CMC has done a lot to expose gaps that people have in complying with their export control and export regulated data and things like that. So if you're in the space industry, definitely be aware of that. There are rumors that the Golden Dome program, so if anybody's doing stuff under Golden Dome, the Golden Dome supply chains will be elevated to CMMC level three requirements. That is a big jump over CMMC level two requirements. So ostensibly I kept saying, oh, the requirements are already in the contracts. The only actual new set of requirements are at CMMC level three. And the DoD originally estimated that a very small percentage of the industrial base would be required to comply with these new Level 3 requirements. But that was before Golden Dome.

A (23:21)

Yeah, I was going to say there are a lot of companies trying to get on that good Golden Dome dual use, understandably and I think a of.

B (23:28)

Lot, lot of big opportunities. Now the advantage, the advantage here is, if I was putting on my management consulting hat, the advantage is that because they are new requirements, the government is expecting new costs to come with your bids. If you are below CMMC level 3 and you've been working with the DoD, then those are not new costs. The DoD would be very curious as to why your costs have suddenly gone up for you to just prove that you have been implementing the things that you've said you've been implementing. So let's just say among friends here that you haven't exactly been complying with the things that are in your contracts and you want to go after CMMC level level three. You might be able to do like the disappearing thumb trick and hide those costs under the new costs of cmc.

A (24:16)

We are not your lawyer. Do not take this as legal.

B (24:18)

This is not legal advice. I don't recommend that you do this. But it's a big advantage in the sense that it's new. They're expecting it to be new. Hey, look, it's new. Jingle your keys in front of your contract officer and be like, look how new everything is. If you aren't doing that, then you've got some. You need to be a little more creative. Again, not a lawyer. You got to be a little more creative about what's going on. So looming in the background of all of this, when we're talking about maybe we cut some corners, maybe we didn't comply. The Department of Justice is very interested in what's going on here. There is a thing known as the False Claims Act. And the False Claims act is literally a piece of legislation that goes all the way back to the Civil War that was designed to catch contractors ripping off the governments and skimming off the top of things that they were getting paid for and then supplying things to.

A (25:10)

But that never happens. And none of. None of T minus listeners would ever do anything like that.

B (25:15)

So. Of course not. Of course not. I'm just saying that if you want to. If you want to do some rubbernecking and look at the car crash on the side of the highway, you can go to the DOJ's website. Every year, they announce how many tens of billions of dollars they recover in False Claims act settlements with defense contractors and all kinds of government contractors. So if you have submitted a claim to be paid for the government and you didn't do the thing, they can go after you for a tremendous amount of money. Cybersecurity requirements have been found to be material to government contracts. And so in 2021, the DOJ created what they called the Cyber Civil Fraud Initiative, where an entire section of the Civil division at the Department of Justice is specifically in charge with going after defense contractors for their existing requirements. Nothing to do with the CMMC program. So if you go look at the press releases, there are small companies, there are large companies, there are space companies, there are traditional defense contractors, and everybody in between, they get hit for millions of dollars. The worst news is there's a whistleblower provision in the False Claims act, which means your own employees can go tattle on you for maybe, I don't know, not empowering the IT guy to get these requirements implemented.

A (26:31)

Never kick off your IT guy. That. That's like lesson number one, right?

B (26:35)

Your biggest insider threat is your IT guy picking up the phone and calling the Department of Justice. Because when you settle with the government, they get up to 30% of the recovered Money. And so many of these whistleblowers make out with millions of dollars for a thing that would have cost you like a hundred grand if you had just done it. And they wouldn't have ever thought to rock the boat. Every whistleblower that I know, I know you're going to ask. Every whistleblower that I know that has done this is still gainfully employed. So.

A (27:01)

Okay, yeah, I was just going to say, is it one of those. I won't say anything but there will be signs kind of.

B (27:05)

Yeah, yeah, exactly.

A (27:07)

Nick the IT guy suddenly has a yacht and it's like, don't worry about it.

B (27:10)

So amongst all of this stuff, you still have the boogeyman looming over there in the corner where the DOJ is very interested in your current level of compliance with the things that you said you've been complying with. That's not to scare everybody, just know that the consequences are real if you don't achieve the CMMC status requirement that's outlined in the contract solicitation. You cannot take award of the contract and that's starting on November 10th. So whenever the next solicitation is that you plan to bid on and then whenever the anticipated award date is for that solicitation, if you don't have it by that award date, then how many opportunities can you afford to skip until you do have the status? For most people, they can't afford to skip any of them. So take it seriously.

A (27:57)

Beautifully said. Is there anything else you want to leave the audience with or should we just leave it there?

B (28:01)

Well, there's a ton of content, there's a ton of stuff to know. Just very quickly, rapid fire. There are no waivers. Waivers are a pre solicitation process. So if you see it in the solicitation, there is no mechanism to remove, remove the requirement once in the solicitation. The thing that we like to tell people is that waivers are for entire contracts, not for individual contractors. Read the regulation and you'll see the details or ping me on LinkedIn and I'll tell you all about it. The other thing to know is that if you are under a prime contractor, if you are a subcontractor, when they decide to tell you that you need to do this is completely different from when the dud might tell you. This is when we think everybody is going to be required to comply. That's a separate contract, separate subcontract, separate relationship that's between you and the prime. So if you haven't heard from them in a while, maybe call them up and ask them what their plan is rather than just worrying about what's in the DoD press releases. So do your research. Call your customer. Let us know if you have any questions. We're easy to get a hold of.

A (28:59)

Thank you Jacob. This is super helpful. I learned a lot and I'm sure the audience learned a ton from you as well today. Thank you so much.

B (29:05)

Thanks.

A (29:17)

That's T minus Deep Space brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing space industry. If you like our show, please share a rating and review in your podcast app or you can send an email to space2k.com we're proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K helps space and cybersecurity professionals grow, learn, and stay informed. As the nexus for discovery and connection, we bring you the people, the technology and the ideas shaping the future of secure innovation. Learn how@n2k.com N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I am your T minus host, Maria Varmazis. Thank you for listening. We'll see you next time.