Cyber Savvy

Understanding CMMC Requirements with DefCert CEO Ryan Bonner | Part 2

DTC, Inc.


We’re back with Ryan Bonner for part two of his sit-down with Mike Shelah on DTC’s Cyber Savvy podcast. 

In this episode, we break down the Cybersecurity Maturity Model Certification (CMMC) and its implications for government contractors. Mike and Ryan explore why CMMC matters, how the certification process works, and the role (and limits) of plans of action and milestones (POA&Ms) in achieving compliance. You'll also hear why gap assessments so often go wrong, how scoping to the systems that actually handle controlled unclassified information (CUI) keeps the work manageable, and why strategic planning is essential. Plus, they discuss how CMMC could reshape the industry, potentially leading to major consolidation.

Whether you're a contractor navigating compliance or just curious about the future of cybersecurity standards, this episode is packed with valuable takeaways.

Key Takeaways: 

  • CMMC is a mandate that organizations must comply with. 
  • Plans of action (POA&Ms) can be a trap: some NIST SP 800-171 requirements cannot be deferred, so they should be approached cautiously. 
  • Understanding the CMMC certification process is crucial for contractors. 
  • Organizations need to justify CMMC certification as part of a strategic plan. 
  • Gap assessments should be conducted iteratively to maintain context. 
  • Managing bandwidth and resource constraints is essential for compliance. 
  • Organizations should focus on the areas that handle controlled unclassified information (CUI). 
  • Consolidation in the industry will require a strategic approach to compliance. 
  • Documentation and process management are key to maintaining compliance. 
  • CMMC is about more than just compliance; it should align with business strategy. 

Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!


Mike Shelah (00:00)
Hello everybody and welcome to the Cyber Savvy Podcast. I am your host, Mike Shelah, technology consultant with DTC. To learn more about us, go to www.dtctoday.com. And remember, at DTC, we make IT work. Our guest, Ryan Bonner, wrapped up the last episode with something that I love so much. I'm going to get it printed on a t-shirt and wear it everywhere I go.

Ryan, welcome back to the Cyber Savvy Podcast.

Ryan Bonner (00:33)
Thanks.

Mike Shelah (00:35)
I just love, are you getting on the train or are you lying on the tracks? Because CMMC, you know, one of the arguments I've heard from many of the government contractors I've spoken to over the last five years is, I'll believe it when I see it. Like the government's threatened to do things like this before. And NIST was sort of a volley to that, you know, when it originally was created during the Obama administration,

that they wanted a better structure for government contractors in particular. Now, good for all business. Let's be clear. No business will do a bad thing by following the NIST 800-171 guidelines. But it was really intended from a national security perspective to better harden government contractors, to better protect national security. That was the mindset. And then...

The government very candidly said, we can't have nice things. We asked you to do it. You said you'd do it. You didn't do it. So now, CMMC is a mandate. And correct me if I've got this wrong. December 16th of 2024 was the go live. So we're going to start seeing this now appearing in a limited number of contracts in 2025 and going forward, right?

Ryan Bonner (01:53)
Yeah, as is common in these types of regulatory changes or rollouts or whatever you'd like to call it, sometimes there are multiple moving parts that you have to track. And I think that for most organizations, understanding down to the individual date and things like that doesn't always translate into action. So probably the biggest thing that you could

take away from this or understand is that the CMMC program itself went live in December of 2024. And that's what makes it possible for organizations to become CMMC certified. We also have this other element, which is a new section of regulation that just drives contract clauses. Those are also federal rules. If you're not familiar with federal rulemaking, that's what's pushing all of this. So it's not a person in an office

just making an arbitrary decision, these are federal operating rules, policy effectively, that are being written into the Code of Federal Regulations. It's in the CFR, it's not going anywhere. So from that perspective, it's a lot more durable, and it's not subject to the whims of individual policymakers or things of that nature.

This other component that is headed our way is the rule that will actually set up the contract clause that requires the contractors to have a certification as well. So think of like supply and demand, right? The CMMC program is the supply side. You can now go get the certification and sort of have it in your inventory, if you will, as a contractor. And then on the demand side,

contracting officers are going to start incorporating that clause and writing in what level of certification they want. In this initial rollout phase, a contracting opportunity might come out that says, I'm going to allow people to self-certify for this first batch of awards. And then in a later year when they do a contract option on that award, basically renewing the contract.

They're going to say, I've upgraded. I'm going to require a paper certification in order for you to get this award. As this phased rollout continues, then you'll start to see certifications becoming the default, where no one is entertaining self-certification.

Mike Shelah (04:27)
Now, I'm curious, because one of the things that I have speculated upon, I don't know if you know, if you have any concrete thoughts around this, but one of the pieces of moving towards certification in CMMC is the POA&M, having a plan of actions and milestones. And depending on the company, that could be six months, it could be 12 months, it could be 90 days. Six to 12 seems to be much more common. But it could be 90 days.

And I'm curious, do you think that some of the bids will use the POA&M, saying, if you have a POA&M that says you're going to be ready for certification in six months, we'll accept that. I'm curious to what you've read, seen, heard out in the landscape.

Ryan Bonner (05:09)
Yeah, things like plans of action are a logical trap you're going to fall into. It sounds like I don't have to do the thing. I can just defer it and delay it. And because you don't understand the function of the DOD assessment methodology and how these requirements are scored, you could be led to believe that you can just have

a large number of unsatisfied requirements and still roll into a contract with sort of an option period to fix your stuff under a plan of action. But you have to remember that there are some requirements within NIST 800-171, which is the set of requirements that acts as the basis of your CMMC certification. Some of those requirements are non-negotiable. You can't have a

plan of action for those. They have to be finished. And so what I would encourage all organizations to do is look at the, they're called the five-pointers. All these requirements are worth five, three or one point in the scoring methodology. The five-pointers and also the three-pointers, you know, look at those and identify if any of those are not completed.

If those requirements that plans of action are not allowed for under a certification aren't done, you're kidding yourself to say that you can have a plan of action. So first address those. But secondarily, if you're just points-chasing at this point and you're like, I can just ignore this requirement or that requirement because a plan of action is allowed for it,

you might want to make sure that requirement is or is not load-bearing for another requirement. You're probably going to knock out some of these requirements in small batches. It's silly to not do something that's going to drive a lot of rework later when you could just knock it out, even though it's not worth as many points. Like that's just a silly metric to chase. So from that perspective, I think that

Organizations who are going to roll into a contract award where they do have an open plan of action that they'll need to close out within the first 180 days of award, we're probably talking about one or two unmet requirements. We're not talking about a flotilla of unmet requirements that are,

Mike Shelah (07:36)
30 of the 110 still aren't done yet.

Ryan Bonner (07:42)
Yeah, yeah, when we see organizations who have plans of action, like their SPRS score is like 98% of the available points already achieved, you know, and then they just had some major thing that's going to cost them money. And so they're just looking to build up the funds to do that last piece to close out that remaining item. And the nonconformity is isolated to like just their firewall or just that server or something like that.

So even then, the fact that they don't have the points for that yet probably doesn't indicate that they've never started on that topic. It means that they're also partially implemented as well.

Mike Shelah (08:22)
Yeah, that's fantastic commentary because this is something you and I talked a little bit about before we even got on the show together. But from my experience, there's four phases to CMMC. So you have the assessment, how bad off are you? You have the remediation, get to where you need to be. You have the certification.

You have gotten to where you need to be. You've dotted your I's, you've crossed your T's, you've implemented, you've executed. And then phase four is the maintenance. You know, the Bob example I gave you in the last episode, you've hired Bob. Okay, well, what device is Bob being given? What access rights does Bob have? And documenting that. Mary leaves the company. Okay, what's being done with Mary's devices? What's being done with Mary's credentials? How long before they expire? Who's managing that?

who's responsible for that, because all of that keeps you in the guidelines. And I know that you have worked with several organizations that are like, yeah, we're ready for certification. And you walk in and you look and you go, I hate to break this to you folks, but you just paid me a bunch of money to tell you you're nowhere near ready.

Ryan Bonner (09:38)
Yeah, and there's an element of understanding gaps on the front end that I see a lot of problems with. You know, most defense contractors are addressing this type of challenge, CMMC, the same way they would their ISO 9001 or their AS9100D certifications for their quality management system. So I go get a gap assessment.

I remediate the gaps, I get a certification, and then I maintain it, right? Just like you said. The problem is that something like your quality management system benefits from the fact that the person being assessed, right, the company, is the preeminent expert in their own system. They understand quality at a subject matter level, and they have a program, and they live it.

So when you walk into an organization and you go to do a gap assessment, and they don't know cybersecurity, they are not subject matter experts in that area.

What quality or fidelity are you expecting to get out of that gap assessment? You're asking them a question about something that they are not experts in. And so in a lot of cases, you almost need someone to come in and read their mail for them, like tell them how bad off they are, to supplement that gap assessment process. The other major problem that we see in the gap assessment process is that

If you assess too much of the environment at once, you don't have a lot of time to allocate to some of those areas of inquiry. So you end up doing most of it as an interview rather than actually poking around and looking at the tangible elements of their environment. And so as a result, you know, it's all hearsay. And the other problem is that it goes stale very quickly. You know, the gap assessment that

covers all of 800-171, that was done in two days or three weeks or whatever, a few months from now, you won't remember the context under which those gaps were assessed. And so from that perspective, we're big advocates of going into organizations and saying, can we all just agree that we probably have gaps in a lot of places? I mean, I can probably point to a few requirements

that if you've got gaps there, you're gonna have gaps elsewhere, right? Do you have a baseline configuration for any piece of technology that you have in the company now? No? Okay. Hey, thank you for telling me that, but I'm gonna go ahead and assume that your configuration management family of practices is not strong. Can we agree on that? Great. So instead of going through and turning this into a browbeating where I'm just telling you how bad you are, let's...

Mike Shelah (12:14)
Yes.

Ryan Bonner (12:36)
start to pull out smaller sections of the requirements and assess that so that we can maintain context together and that we can maintain situational awareness and this won't go stale as quickly. And let's move through this in smaller batches iteratively. So that's one way that sometimes you can really help organizations. I think another thing that we see as a common problem is assessing gaps org-wide.

You're probably not handling controlled unclassified information everywhere at all times in all your business processes. In the same way that your quality management system doesn't address, you know, how you refill the water cooler, there's going to be areas of the business that don't need to meet these requirements. So scoping can be a really powerful tool to help reduce how big of a gap assessment you need to do.

You really only want to apply your energy and your thought to the systems that deserve it. So understanding scope can be a really good input for gap assessments. And then just choosing to do batches of gap assessments over time, even though that's not as easy or convenient, will absolutely pick up progress and help build momentum. A lot of the defense contractors we work with are manufacturers.

One of like the Bibles of how to run a manufacturer is a book called The Goal by Dr. Eli Goldratt. It was written back in the 80s and it introduced something called the theory of constraints, which is if you get really productive in one part of the shop floor and the part after that can't process all the things you just did, it's fake productivity because you've got a bottleneck.

Mike Shelah (14:08)
Okay.

Ryan Bonner (14:28)
And in reality, implementing your 800-171 requirements is definitely something where you need to manage bandwidth and resource constraints. So if you're going to go write a bunch of policies that no one can act on for six months, because they're busy, that's fake productivity. If you're going to gap assess a bunch of things that you can't possibly fix this quarter or next, that's fake productivity. So release work into the system

for implementing your 800-171 requirements at a rate you can actually digest it and do the work.

Mike Shelah (14:59)
Yeah, I think you hit on a real bingo there, particularly for government contractors that are not exclusively government contractors, ones that have commercial business as well, because you've got a strategy to harden. These are the people that are dealing with CUI. That's 27% of your staff. So we're going to build our strategy around that because it doesn't make dollars and cents

to implement it for everyone. Now, maybe it's a little more than those 27% of people because you probably want the CEO and the CFO and the COO. You probably want those people also hardened, but Mary at the front desk, probably not. You know, we probably don't need that. You know, Bill in intake, you know, maybe Bill in intake doesn't need it. But these people do, but we're clearly defining that, which gets back to the value

of the documentation because it's not just tools, it's not just technologies, it's very clearly not just the individual but the job title and what comes with the job title. And if that changes then we need to quickly document that to maintain our compliance.

Ryan Bonner (16:16)
Yeah, one of the biggest things that we do early, like when we'll work with a defense contractor, for example, is to say, like, what do you call this? NIST in their infinite wisdom is trying to use vendor agnostic terms for everything and not take a position on anything, which is not helpful in some cases. So when someone's talking about authorizing people's physical access to the building,

Mike Shelah (16:34)
Sure.

Ryan Bonner (16:46)
What do we call that facility? Is it, you know, whatever, the West Campus warehouse, like whatever, what do you call it, so that we can start to snap into your context and start to inject the right, you know, pronouns and adverbs and reference points so that this makes sense all of a sudden for these organizations. And a lot of times what we will learn is,

Mike Shelah (17:05)
War!

Ryan Bonner (17:14)
Yeah, you don't have to solve this for every part of the business. But when you think about controlled unclassified information, think of it as toxic waste. If it moves into an area, the whole area has to adjust to its presence. It's now kind of an EPA brownfield that you have to do cleanup on. And so I might find that only 27% of my employees handle CUI, but I've got a

Mike Shelah (17:29)
Hmm.

Ryan Bonner (17:43)
business process that handles CUI. I might choose to implement 800-171 for that process. Not everything that flows through it is CUI, but there's some. What I've learned, one of the biggest lessons I've learned from manufacturers in particular, is they hate dual process. That's how inefficiencies exist and that's how mistakes happen. So have one process

Mike Shelah (17:56)
Just enough!

Ryan Bonner (18:12)
that's built to meet the higher watermark of rigor and then just apply it to everything, with the ability to accept, you know, certain exceptions for when you don't have to follow it. So yeah, my visitor sign-in process might be a little more robust than it needs to be, but from time to time, I need to admit people into areas with CUI. So there's my process.

Making process-level decisions can be really important. And then system-level decisions. Yeah, my SharePoint Online environment isn't pure CUI through and through, but there's some in there. I might allocate some of my 800-171 requirements to specific SharePoint sites and specific groups of users in Entra, but SharePoint itself is gonna receive a skim coat of hardening,

Mike Shelah (18:49)
Yep. Great example.

Ryan Bonner (19:06)
regardless of whether there's some SharePoint sites that are just a collection of our favorite carryout menus.

Mike Shelah (19:15)
Yeah, I love that analogy because SharePoint is one of those things that has really become universally adopted in the business world over the last six, seven years. And it does so much. And because it does so much, well, it can cause some procedural problems for something like CMMC. But when you address it upfront and you say, this is the strategy that we're going to use to implement it,

and this is how we're going to document it, well then that mountain now becomes a molehill. So I love that analogy. Ryan, this has been a fantastic conversation, these two parts. So first, thank you very much. Second, I would like you to give sort of a parting thought, and then what's the best way for our viewing and listening audience to contact you?

if they're interested in learning more about DefCert and you and your services and how you can help. I mean, I know we at DTC love you, you know, and we're working strategically to get things done because we see the value in what DefCert does, but you know, for our audience, how do they engage?

Ryan Bonner (20:32)
Yeah, if we think about like encouragement that I think everyone needs to hear in this space, it's that you need to justify the decision to go get a CMMC certification as part of a strategic plan. You can't continue to just set your transmitter to receive and say, guess I have a new thing to do and then do it with no plan to achieve ROI.

You know, organizations should identify whether or not their competitors are as dialed in to CMMC requirements as they are, to identify if they started now, whether they would be six months or 12 months or 24 months ahead of their competitors at achieving their certification. And if, for example,

earning sole supplier status for 6 or 12 or 24 months in their industry segment would represent the ROI they're looking for. Or simply winning a certain percentage more contracts. And is the EBITDA achieved from those contracts going to pay for this effort and then some?

Mike Shelah (21:37)
Yes.

Ryan Bonner (21:51)
Or is the additional margin you think you might be able to achieve when there are fewer competitors going to help you claw back some of those indirect costs? Whatever the strategy is, you have to have one so that you can create buy-in. We're not doing this to achieve moral high ground. We're not doing this because we just like IT and security. There has to be a unilateral agreement that this is part of our strategic plan for the business

Mike Shelah (22:12)
This is business.

Ryan Bonner (22:21)
where you shouldn't spend the money and you should exit the defense industrial base. Mike, you probably saw this when HIPAA came along and the security rule and electronic medical records. Every small doctor's office had to decide if they were going to spend that money. And a lot of them didn't. A lot of them closed their doors or sold to a PHO group, and they aren't themselves anymore. They're gone.

Consolidation will be coming for this industry. So you have to have a strategy to ride that wave of consolidation and wake up one day and be 2x, 5x, 10x more than you were to begin with because the consolidation benefited you. And that's the play. As far as how to find my team and what we're doing, you can easily track me down on LinkedIn. That's probably.

Mike Shelah (22:50)
Yep, I wholeheartedly agree.

Ryan Bonner (23:17)
the best way to do that. You can also find us at defcert.com. We'll often be speaking at events, so you can track us down there as well. We'll usually post upcoming speaking opportunities on LinkedIn or on.

Mike Shelah (23:33)
So connect with you on LinkedIn, follow your company's LinkedIn business page for speaking events, and go to the website to learn more.

Ryan Bonner (23:40)
That should do it, yeah.

Mike Shelah (23:42)
Awesome. Awesome. Ryan Bonner, CEO of DefCert. Thank you so much for joining the Cyber Savvy Podcast and to our viewing and listening audience. I hope you enjoyed these two episodes as much as I did and come back next month because I promise you we have more exciting subject matter experts like Ryan on the docket for the rest of 2025. Thank you. Have a great day.

