Christian Schleipfer, Director of Information Security at Gilbane Building Company (a $7.7B general contractor with a federal division), brings a deep DoD-certification background to a problem most of construction is late to. The throughline: CMMC is just NIST 800-171 with proof attached, and treating it as a deliberate business strategy — not an IT side-project — is what separates the companies that stay competitive from the ones that get locked out.
Key takeaways:
- CMMC is not new work; it is proof of old work. All CMMC does is add an attestation/certification layer on top of NIST SP 800-171, which DFARS 252.204-7012 has required of contractors handling CUI since roughly 2015–2016. If you are already compliant, certification is just proving it. The shock is that most companies never actually implemented the controls, so they are now catching up under time and budget pressure (the DoD's own estimate puts a certification near six figures).
- Certification is the ticket to compete, not a post-award step. By 2026–2027 more construction solicitations will carry CMMC as a pre-qualification: either you hold the required level (Level 1 for FCI, Level 2 for CUI) and are eligible to bid, or you are out. And because the government tends to over-mark CUI, you cannot expect to argue a contract out of CUI scope.
- Enclave over all-in. Gilbane scoped a separate enclave because "where information goes, requirements follow": imposing CUI-grade controls on the whole corporate network would be needless cost, and their Microsoft E5/Azure commercial environment cannot support Level 2 anyway (Microsoft's own position, as Christian relays it). They stood up a GCC High tenant to handle CUI Specified, NOFORN-marked, and export-controlled data.
- The cloud gotcha is real. Companies implement all 110 controls (320 assessment objectives in 800-171A) in earnest on Microsoft commercial, then learn it cannot pass a CMMC assessment because, per Daniel, it lost its FedRAMP authorization about a year before this episode, forcing a costly rebuild in a compliant tenant. The check to run before building anything: any cloud that stores, processes, or transmits CUI must meet FedRAMP Moderate (or the DoD's moderate-equivalent baseline) and the DFARS 7012 paragraph (c) through (g) obligations (cyber incident reporting, malicious-software submission, media preservation, and access for forensic analysis), and where export-controlled data is involved it must also satisfy the U.S.-person requirement.
- Subs and tools are the construction-specific pain. Shared building plans can themselves be CUI, which pushes subcontractors to Level 2, so flowdown becomes a real supply-chain burden and primes end up coaching subs on how to interpret the controls and which clouds not to put CUI in. Tool choice narrows sharply once you are in GCC High (ERP and project-management systems either move into the tenant or force users to hop between tenant and corporate network), and G5 licenses run roughly double the price of E5.
- Staffing is a mix, with hard rules. A 24/7 SOC needs roughly 11–12 people once shifts and holidays are covered, so outsourcing the SOC/MSSP and help desk makes sense, but you must keep an accountable in-house owner (no dual-hatting), retain incident-response decision authority even when the MDR/MSSP triages, and meet U.S.-person requirements wherever export-controlled data is involved. On-prem or all-in demands STIG expertise (STIGs break applications and cryptography when applied carelessly); a cloud tenant is far more forgiving because much of that hardening is already answered for you.
- The legal stakes are serious. 110 controls is the floor, not the goal: certification recurs every three years with an annual self-attestation uploaded to SPRS, and any gap requires a POA&M (what is wrong, when it will be fixed, what it will cost) that lives with the system. With DOJ's Civil Cyber-Fraud Initiative pursuing false SPRS attestations under the False Claims Act, a half-hearted senior-official sign-off can mean major penalties, and export-control violations carry criminal exposure on top. Christian's Northrop-bred rule: don't make stuff up, don't lie to the government.
Daniel Akridge, CMMC CCP at Summit 7, sits down with Christian Schleipfer, Director of Information Security at Gilbane, for episode 14 of That CMMC Show. Daniel and Christian discuss AEC and CMMC, the challenges people in the industry face on their compliance journey, and much more. Be sure to tune into the full episode to hear everything they have to say.
Transcript
Daniel: Hello everybody, and welcome back to That CMMC Show. Today we have a special guest. I got to meet him a couple weeks ago in Chicago at an Advancing Construction Cybersecurity conference, where he was one of the lead speakers on CMMC and how it impacts the construction industry. What’s great about this is — you guys hear me talk about CMMC all the time, but I’m not necessarily in your industry. Christian is. He’s done this. He’s made the organization move in this direction — getting things compliant using the resources he has, and developing an overall strategy so they can continue to pursue defense contracts. So, Christian, it was a pleasure meeting you a few weeks ago. I’m so happy you had time to join the podcast today. Tell me a little about yourself — who you are, who you work for, what the organization does.
Christian: Absolutely. Pleased to be here — thanks for having me. I’m Christian M. Schleipfer, the Director of Information Security for Gilbane, a construction company. We are a $7.7 billion annual revenue general contractor. We work all over the world — I think we have some 45-plus offices worldwide. General contracting is our main focus; we also do some real estate development. And, as it happens, we have a division dedicated to supporting our federal government and Department of Defense work, through Gilbane Federal — that’s their sole task and purpose.
My background is in cybersecurity. I actually worked, prior to coming to Gilbane some nine years ago now, in and around the Department of Defense. I started as a configuration manager — did that for six months, and then my boss said, “Hey, you seem like a security guy,” because I had prior law enforcement while I was in the military. I said sure, and that started a long career in cybersecurity, which was called “information assurance” way back in the day — so that tells you how old I am. I did security technical engineering through multiple frameworks. We went from Orange Book to DITSCAP, DITSCAP to DIACAP, and DIACAP to RMF — and for those who are now the Department of War, that’s a whole lot of transitions. So when CMMC came up for the defense industrial base, that was pretty much right up my alley. I’ve been in and around certifying systems and frameworks for a long time, so it’s kind of old hat.
Daniel: Did you think that legacy knowledge you’ve collected over the years would show up at your doorstep at a construction company years later?
Christian: Not like this. In fairness, there’s also a national security infrastructure component that goes along with defense — that’s where you handle and process classified information. I did expect some of that, obviously nowhere near the depth and level of my prior work, but at some point you’re going to get what’s called a DD Form 254 along with a classified construction contract — key personnel cleared up to whatever the security rating is. That was pretty simple — a very small picture. When CMMC came out, I looked at it and said, “Boy, that looks like classified-light. It’s the CUI format.”
Daniel: Yeah.
Christian: Light — same certification format and structure. You have to go get something akin to an approval to operate before you’re authorized to process that level of information. And CMMC is right up there when we’re talking about the frameworking. What people sometimes mix up is that CMMC is just the Cybersecurity Maturity Model Certification. All that program is really doing is taking the existing standard — NIST Special Publication 800-171 — and adding an attestation and/or certification component to it. That’s it.
Daniel: Yep.
Christian: So if you’re already compliant with 800-171, you’re golden. You just have to take the certification to prove it. No more “scout’s honor,” “Hey, yeah, we’re compliant.” That’s really the major difference. The rest — I think there’s more shock that people are actually having to dig into what some of those controls mean, versus actually getting certified. But it’s not an easy stretch. You have to want to do this as part of your business strategy.
Daniel: So let’s talk about that a little, because the CMMC journey — a lot of people, and I see this all the time, I’m talking to people right now who are like, “Hey, I’m just now starting my journey.” And I’m like, “Well, November 10th is pretty close for this to start coming into solicitations, so you’re cutting it close to the wire.” Actually, you’re probably very late to this, because we all know the burden of time it takes to do this — and the budget, ironically. It’s like, “Hey, we’ve got to have the money to be able to spend the time.” So when people look at it — and to your point, CMMC is just a verification mechanism of DFARS 7012, which has been around since 2015–2016 — you’re like, “Okay, why is CMMC such a burden now?”
And this is through the DoD’s eyes, I can tell you firsthand. They’re like, “Why is CMMC such a big deal? All you have to do is pay for a certification.” The DoD estimates those somewhat high, at about six figures — close to $100,000 — and they’re like, “You should be able to do this.” The problem is — and I think you’ve probably seen this talking to people in different industries — no one actually did the thing. So now everyone’s playing the fun catch-up game. Because of that, they’re having to meet the DFARS 7012 requirement of implementation and validation, and then potentially pay for a certification to validate that implementation. So this is kind of eight years in the making for a lot of people — we’re finally coming to a head.
But I always like to ask organizations, especially in the construction space — because construction has some of the more unique challenges of any industry, because of the amount of supply chain, subcontractors, and dependencies, and even the platforms and tools you guys use, a lot of which don’t meet FedRAMP. So you have all these fun tensions and dances to find solutions. Before we get into the actual solutioning of all-in and enclave: when did you guys start this journey? How long has it taken you? Was executive buy-in fairly easy to justify — “Hey, we’ve got to do this thing”? Tell me a little about that journey.
Christian: Wow. Yeah, so our journey actually started in 2019, when the rules came out. Leadership was very aware — certainly in the upper reaches — that something was coming, like, “Well, what does this look like?” Through the iterations — because at first it started out with five levels, and we were trying to figure out where we were going to be. Remember, it was a whole bunch of levels, a much more granular gradient of what your maturity was. But yeah, 2019, when the rules started coming out, our legal team’s spidey senses were tingling — “Well, this might be something a little different.” That’s where we really started evaluating.
But once the rulemaking process came to a close, that’s when the bells went off — not necessarily this year or last year, but the year prior. When we actually made the decision to say, “You know what, this is something we have to do if we want to stay in business doing work that’s been our bread and butter for the federal division for a long time” — I put together all the information and marched it up to my federal leadership and said, “Look, here’s what it’s laying out to be. They’re not just saying you have to comply with 800-171 while handling CUI — controlled unclassified information — they want you to prove it. And how we’re going to prove it, typically, if you’re handling CUI, is through a third-party assessment.” That caused some consternation, admittedly, because it’s like, “Well, how much is this going to cost? What do we have to do extra that’s different?” And really, it was not too terribly different from what we were already doing, because you’re supposed to be handling information in accordance with 800-171 anyway.
But the real kicker was looking at how the rule is going to be implemented. Basically, you have to be certified before you get on a contract at some point in the future. I literally spelled it out to them: this is going to be our ticket for competition. Either you do the thing and you remain competitive for the future, or you don’t, and you won’t be able to bid on these contracts. It’s not a question of whether you bid on it and then do the certification — certification is part of the qualification. By 2026–2027 there are going to be a lot more contracts coming down in the construction industry especially that have those pre-quals: the requirement that you go out and have that certification and/or successful attestation — whether you’re talking about Level 2, or Level 1 for FCI, basic cyber hygiene.
But to get here also required that hard look: our business strategy is to stay within the DoD and the defense industrial base and handle CUI. And the government is notorious for overclassification — whether you agree with it or not doesn’t matter; the government is going to hand these contracts down and say you have to be CMMC compliant. So either you’re in and you have your certification, or you’re out and you go find work elsewhere. Even folks know that CMMC is a DoD — I say DoD, now it’s Department of War —
Daniel: Yeah.
Christian: Do I— I worked in it for 30-plus years, I just can’t quite— I like it, though. But yeah, if you want to be in this space, that was really required. So that journey started two — actually three — years ago when we set it up. This was the final egg. Then we had to start allocating resources, and the decision for us was an enclave. It was an easy decision to make, and the only reason why is, looking at much of the information and seeing what was in scope versus out of scope for a CMMC certification — remember, where information goes, requirements follow. So where CUI is going, those CUI requirements follow. And within our standard corporate network, there’s no way we should or would have all of those hard-nosed CUI-environment controls for our corporate network, because that’s not what’s required for the rest of the company — they’re not in a federal division. So an enclave was made easy, and the reason is there’s no way I’m going to impose that level of cost on the entire corporate network. And we’d never certify anyway, because we’re a Microsoft E5 Azure shop — and Microsoft itself has said, in their commercial world, the E5 world, they just do not support Level 2 CUI / CMMC certification plans. So that’s what made the enclave decision really easy.
Daniel: And a lot of people don’t realize that. I was actually on a call this week, and they were like, “Hey, we hope we’re good to go, we’re very excited.” They wanted a gap assessment, and I was like, “Fantastic, happy to help.” I just started general discovery on the call: “Okay, so you’ve implemented all 110 controls?” “Absolutely.” “Okay, what cloud providers are you using?” “Oh, we’re using Microsoft commercial.” And they were unaware — to your point — that Microsoft had stripped away their FedRAMP authorization from their commercial cloud almost a year ago to the date, ironically, of the recording of this episode. So they were like, “Wait, so we have to redo everything in a completely different environment?” And it’s like, “Yeah, I’m so sorry — you built all the controls on a cloud provider that will fail your CMMC certification.”
It’s so hard, because a lot of people, to your point, think, “Oh, I just have to do the 110 controls — the 110, the 320 assessment objectives.” And then they’re like, “Okay, I’ve done that.” I’ve talked to so many companies who tried to do the right thing in earnest — they really wanted to solve the problem — and then realized they either built it on a cloud that doesn’t support incident response, doesn’t support FedRAMP Moderate or moderate-equivalent, and sometimes, depending on their data, doesn’t support export control, which is a completely separate can of worms. I don’t know any construction companies doing all-in — aka the whole company in scope. To your point, it just makes sense to have a separate environment — have job site trailers be part of that scope, a certain virtual desktop, a mix of physical workstations and mobile devices in scope, just a small subset of the federal practice of the organization. And then you have to train all your subs and suppliers on how to operate, because — as we both know — wherever the CUI goes, things are in scope, including subs and suppliers. So flowing that down through contract clauses can be a large burden on the supply chain too, and being able to help and assist by doing it yourself — “Hey, this is how you interpret this control; make sure you don’t put this information in these cloud providers that don’t meet these requirements.”
Anyway, it’s really interesting. I’m curious — outside of enclave and all-in, are there any other unique problems facing the architecture, engineering, and construction (AEC) space? Are there tools that become more complicated because of the requirements, going on site? Any insight there?
Christian: I think the real challenges — there are a couple. First and foremost, obviously, is our subs. There’s a lot of confusion and consternation about having to share building plans with our subs. Well, what if our building plans are CUI? That means they also have to be Level 2 certified. Now, I did hear a couple of creative workarounds for that from some of the others at the conference. I thought that was great — I’ve actually shared some of that stuff with my team. But long and short of it, the subs are absolutely going to have to either pony up or become Level 2 compliant within this scope.
And again, the 800-171 controls are good — they tend to be scalable. Some of them, the smaller you go in enterprises, just don’t apply. The simpler the system, the easier it is to get certified. But people balk at the certification expense, or balk at the standup expense. That’s where, to overcome some of those challenges, leadership buy-in is absolutely critical, and it has to be a strategic assertion. If you want to be in this space, you have to get into the space and buy into the idea, no matter where you’re at in the supply chain.
And the big contractors — the contracting companies that go out, I’m sure many of you have seen — we’ve seen companies like Northrop Grumman (that’s one of my former companies), or General Dynamics, or Lockheed. They get these contracts that have a construction or build component, and they have to sub that work out to contractors, and they’re in the same boat. They’re like, “What construction company do I have to work with?” Because those big companies have been doing 800-171 and CUI protection — and passing audits — for years. That’s within their scope of opportunity. Construction, not so much. We’re obviously latecomers to a very complicated game. But we are here, and we certainly have to learn the ropes.
The other thing is the tools — actually the easiest part of all the CMMC setup. When you’re going for a tenant — we set up a cloud tenant in GCC High, because we anticipated working with our defense partners, who are going to be putting CUI on a bunch of stuff, and because we also work internationally, there are probably going to be limited dissemination markings, such as NOFORN, that get attached — which makes it CUI Specified, and that comes with the export controls you’d expect. That’s where GCC High comes in. For anybody who doesn’t know, that’s a Government Community Cloud High, run by Microsoft on behalf of the government. GCC High is for federal contractors that work with the Department of Defense and also get export-controlled CUI. That’s what it’s for. So putting that in scope — okay, if we’re going to have a bunch of CUI, and some of it is going to be CUI Specified with export-control dissemination requirements, then we might as well go with the highest tenant we can within our budget scope. That’s where that decision came from.
That also limits some of your software opportunities. For example, if you’re doing your ERP for your federal jobs, does that remain on your corporate network, wherever that exists in situ? And if so, your people are going to be jumping between the tenant and the corporate network. Is that within your business capability? Is that what you want? So figuring out what you want your tenant to do at that stage — “You want ERP in here? Well, that puts a much smaller parameter around your qualified candidates for ERP, or project management, or whatever tool you have in your environment.” The upside is that GCC High is a Microsoft product, so if you’re in Azure and you’re an E5, you can buy G5 licenses. You have to be on a program — you can’t just go out and buy GCC High. You have to be, as you well know, assigned to or participating in a contract with the DoD. But if you’re in that space and you’re like, “Hey, you know what, GCC High makes sense for us,” you stand up your tenant just like you would in a regular environment — it works mostly the same way. You buy your licenses; they’re roughly twice as expensive — if you buy a G5, it’s twice the cost of an E5. So whatever you’re paying, double it. Pretty simple. Then plan out for what you actually want to do inside your tenant. That’s a big challenge, because — especially in the last two years — the CMMC model was still changing, so a lot of companies were like, “I don’t know what it’s going to look like.” So now they’re coming in with their compliant posture. That, to me, is some of the bigger challenges: subs, definitely, and tools outside the ones offered by Microsoft.
Daniel: Now, one of the things I hear about all the time — I’ve heard of these challenges before — one of the major ones is, “Okay, I’m going to do an enclave, a separate compliant environment. Well, I’ve got my team, but my team has to support the enterprise, not just the enclave.” So when you were building this out, how many people did it take? How many to maintain it? Did you move to a dedicated staff model for the enclave — is it that volume of support? Or did you do part-time resourcing, like, “Hey, 80% of your job is enterprise, I’m going to stick 20% on the enclave”? Because resourcing seems to be one of the largest concerns, for primarily two reasons. One, there just aren’t enough people in this space to help. And two, if there’s export-control data, especially for large international organizations, there’s the U.S.-person requirement around administering an environment that has that kind of data. So did you look internally? Did you outsource any elements? And what’s the best recommendation to balance all this out?
Christian: It was a mix. By that I mean, it’s kind of a traditional model — if you don’t have enough people, or can’t afford so many people… For example, if you want to stand up a 24/7 operations center, it’s not just hiring three people; you’ve got to hire like 11 or 12 — you’ve got to account for holidays and all that. It’s a lot of work. That’s why a lot of people just outsource the SOC, but you still have to have somebody running it — being the product manager or the incident response team that can work with them. It’s the same way inside the environment.
I took a couple of guys, threw them at the problem, and made them accountable, said, “Look, your job is this — essentially build the GCC High.” But it wasn’t just those two. You have a whole team of engineers that supports the corporate network, and they’d also been supporting whatever small infrastructure we had prior for the federal government folks — it wasn’t really built out that much. But since we’re an Azure shop and we had some Azure-literate engineers, they were naturally the first tasked — already established, with citizen verification in line — to go help us build the container, the environment, and whatnot. So for the build process, we requested help from some of our engineering staff for setting up domains and all the Azure bits and pieces. My security staff — the people actually dedicated to those folks — had to go out and learn security-technical implementation. One of them knew what it was; the other was good at security but not necessarily within the technical realm, so there was a little bit of introduction to security technical implementation.
Now, you don’t do that so much for a cloud environment, but, man, if you’re going to do an on-prem or all-in environment, you’d better learn those STIGs, because they are in-depth and they can break systems if you don’t do it right. The cloud tenant is much more forgiving, because a lot of those security technical implementations are already answered for you, simply by virtue of the cloud — you just have some configuration settings to do.
Daniel: Yeah. It breaks all sorts of things — for everyone listening, once you flip that switch, applications don’t… what you can do with cryptography…
Christian: Oh yeah. Cryptography by itself — if you’re doing on-prem, you have to worry about your crypto, and then if you’re going overseas, you have to make sure your exemptions for your export licenses are in place. You don’t have to do that so much if you plan it out — like, we’re using Azure Virtual Desktop so they don’t have to carry two devices. Even so, some of those folks working on DoD projects are usually on military or DoD installations, so a lot of the physical security components are already solved for you. So that’s the long answer for what it looks like in terms of “is it all internal or all external?” — it’s a mixture of both. You’re putting people in charge of the entire process, accountable for onboarding, standing up, and then running the thing. You have to have an in-house company person responsible for the oversight — you can’t dual-hat that stuff. Running a compliance environment for the federal government, especially when you have anything in a cloud or tenant, is not a dual-hat. It’s not a secondary duty. Somebody should always be in charge and have a full grasp on it.
Now, where we did hire outside help is MSSP and help desk support, because our current help desk doesn’t meet that requirement. So we said we’re just going to extend that container and keep all the help desk support and incident response within the same container. We hired a company specifically to do that for us. So we do a lot of outsourcing where we need to, but a lot of the stuff inside — for example, incident response — the MDR/MSSP will not pass off an incident, but we retain full decision authority on what to do with it. That just goes with the territory. My third— I’m here, wait, I’ve got something weird on my screen. Long story short: you outsource where you need to, and certainly where you need the expertise. That’s kind of where my guidance is. I’m not going to stand up a standalone SOC for a CMMC attestation environment, especially when there are companies out there more than willing to do that for a good price.
Daniel: Absolutely. All right, Christian — this is the fun part. At the very end, you get the world stage of YouTube and LinkedIn, and all the AEC companies are waiting with bated breath. Closing remarks: any words of wisdom, potholes to look out for, landmines? What would you say to the industry if you could speak to thousands of construction companies about CMMC?
Christian: Oh boy, that’s a no-pressure podcast by itself, man.
Daniel: Yeah, it is.
Christian: For leadership, it’s really: evaluate your commitment to the DoD. There are definitely benefits to working for the government. First and foremost, I’m an old DoD person — I spent the majority of my life around it, so it’s inbred in me to be patriotic, and I support the warfighter; I come from the warfighter class. A lot of companies in construction also support construction — that’s our trade. That’s one good feeling you get out of it. Plus, there’s the ability to make profit — that’s what you do. And if you prove your worth, you get some good long-term benefit, because then the government starts knowing who you are. That’s the other thing — the government is starting to line up the people they can rely on, because so few of the defense industrial base have even demonstrated that they’re capable, or certainly certified or close to certification. I think the stat you quoted was like 1%.
Daniel: Yeah.
Christian: So they’re lining up their A-team, same as we are, because they’ve got stuff to get done. The other thing: if you’re going to commit to it, start early, get it done — don’t mess about. Spend time scoping your system.
Daniel: Yeah.
Christian: You have to do that work, because the more front-loaded your work is, the easier it gets at assessment time. And don’t dual-hat it — don’t treat this like it’s just an extra duty. Put somebody in charge of it, empower them, give them the ability to make those decisions and build the tenant, or move it on-prem if that’s what you’re into. But it’s going to take time and commitment, and then be prepared to run it and maintain those controls. Because every three years you have to go get that certification, and each year you do a self-attestation that you upload into the Supplier Performance Risk System (SPRS). You upload that score and attach to it. And people forget — 110 controls is not the top of the bell curve. It is the standard you meet. If you deviate from that standard, you have to submit a Plan of Action and Milestones to the government — basically establish one to say, “This is what it is, this is when it’s going to be fixed, this is how much it’s going to cost.” And that record lives with the life of the system. Just like in the DoD. So, okay, that’s pretty easy — but that’s why it needs that level of commitment, because you have to be compliant all the time, and when you’re not, you have to document it and then fix it. So running the thing is going to take time and effort. Put some folks who are smart on it — smart in CMMC and 800-171.
And don’t dual-hat it. This is pretty serious business, and it can get you in trouble. You came up with a couple of examples, I think, where some folks got in trouble by attesting that they were compliant with 171 when they’re not. That has penalties, up to and including not being able to compete on contracts. Every major defense contractor I know of has at some point had a corrective-action request — Northrop included — and those were serious; they took them seriously. In fact, my entire time at Northrop, their whole saying was: do not make stuff up. Do not lie to the government. Do not shortchange or cut corners. Be open, upfront, and honest, because the penalties go far worse.
Daniel: Yes. Thanks — that’s spot-on. I absolutely pass that message on to my people. The DOJ is looking for a reason, with the Civil Cyber-Fraud Initiative out here, and such a history of people lying about their SPRS scores. There was a False Claims attorney from the DOJ at one of our Summit 7 live events, and he raised his hand and said, “Hey guys, just FYI, for the room to be aware, I am a lawyer from the DOJ in False Claims.” And he was specifically there to understand what opportunities there are for the Department of Justice to pursue false representation under CMMC. So you look at these things, and to your point, it’s like — whoever is going to be the senior official attesting that yes, your environment is compliant, which is a requirement of CMMC: if you do that half-heartedly, or don’t make sure it’s maintained, someone’s going to have to write a check for the penalties, which could be tens, if not hundreds, if not millions of dollars.
Christian: Right. Absolutely. Or wear orange — especially if there’s export control involved. Somebody said it’s the silver bracelets, right? And that’s not a fear tactic. That’s just what the law says could happen to you if you show negligence of any sort, or misrepresent yourself to the federal government, specifically the DoD.
Daniel: Well, I’ll say this, Christian — those are some incredible closing remarks. Thank you so much for jumping on today. We’ll have to have you back again, because the construction space is really hungry, and they understand regulations more than most industries — which is kind of refreshing. So having those two things mix — although they could be different frameworks and standards, conceptually it’s still the same thing, the same type of resourcing and tasking of how we have to run a project like this. So again, Christian, thank you so much, my friend. And with that, we’ll wrap up the episode. For all those watching, thank you for tuning in. Make sure to like and subscribe, of course, and we’ll see you next time on That CMMC Show.
Christian: Thank you, guys.