Brett Cox, who leads Boeing’s DFARS/CMMC program office and serves as its CUI authority, breaks down how flowdown will actually work and why awareness is still the biggest gap. The throughline: primes will decide what flows to whom, so know your CUI — and don’t panic about fake deadlines.
Key takeaways:
- The prime owns the flowdown call. Under the coming 48 CFR rule, primes decide what each tier gets — C3PAO-level CUI, self-assessed CUI, or just FCI. The SCG and DD Form 254 won’t spell it all out, so you have to know your data.
- Defense CUI = mandatory certification. Anything in the Defense organizational index grouping (most controlled technical info — drawings, schematics, ITAR/EAR-governed data) requires a C3PAO, no self-assessment. That’s the bulk of what primes push down.
- Capacity math doesn’t add up. ~300K contractors need some CMMC, ~88K need Level 2, against only ~77 C3PAOs and ~400 assessors (3 per assessment) — get in line early.
- Awareness is still the gap. People are still asking “what does CMMC stand for?” Level 1’s 15 controls have been a FAR 52.204-21 obligation all along — you already signed up for it.
- MFA is non-negotiable. Requirement 3.5.3; missing it = automatic fail, no POA&M, no “10-day fix.” That 10-day window is for clarifying existing evidence, not building new — and Cyber AB still needs to make that official.
- Don’t panic on dates. “No requirements until Oct 1, 2025” language is stale — assessors aren’t showing up with contracts. Keep calm and CMMC on.
Sit down with Daniel Akridge, CMMC CCP, Summit 7, while he talks with Brett Cox, DFARS/CMMC Cybersecurity Program Management Office Principal at Boeing. In episode 10 of That CMMC Show Daniel & Brett discuss what type of CMMC requirements to expect as a subcontractor, certification or self-assessment, and so much more!
Transcript
Daniel: Hello everybody, and welcome back to That CMMC Show. Today I’m joined by the DFARS/CMMC guru himself, CUI expert Brett Cox. He’s joining us from his lovely home office, and he supports the Boeing CMMC/DFARS PMO. He’s had years and years of experience on the DFARS, on the FAR, on CMMC, on CUI — you name the acronym, Brett’s going to be able to talk to us about it today. Brett, I didn’t want to steal all your thunder, so I’ll let you do a little intro yourself. Who is the great and magical Brett Cox?
Brett: Very kind words, Daniel, I really appreciate it. I cannot claim to be any of those things, but my title is that I’m the principal and team lead for what we call our DFARS/CMMC program management office. We handle all of the cybersecurity regulatory requirements for the US government contracts that the Boeing company has — the FAR 52.204-21, the -25 clause, or Section 889 is in our office as well, plus everything that is DFARS cybersecurity-related, and NASA and other government agencies that have requirements. We also operate as what we’d call the information authority for CUI at the Boeing company. So in our policies, we list all of the subject matter experts; our program office is the go-to place for controlled unclassified information at the company. I kind of joke that some people call me the DFARS guy, some people call me the CUI guy — but it’s not just me. We’ve got a team of 13 people who are real rock stars and make Boeing look good.
Daniel: That is amazing, because here’s the thing a lot of people new to this space don’t understand. You and I, we’ve taken our lashes over the few years we’ve been in this.
Brett: That’s right.
Daniel: A lot of people don’t understand there’s a significant need for what I’ll call CUI program managers. I’m seeing more organizations start deploying that as a resource, because of data flow — either I’m overmarking something, or I’m getting something overmarked and I need to challenge that, or I might get something undermarked and I also need to challenge that, or, hey, I might want to descope CUI appropriately or decontrol it down to my supply chain. People don’t understand the importance of an office like that. No matter the size of the company — you could be a small business — someone needs to be the CUI czar, if you will, to make sure you’re following and implementing all the correct controls and that you’re pushing back appropriately on when something is or isn’t CUI, because that’s what can help this process along. So the fact that you have a team of 13 people all working hard on this — that’s very encouraging, because you’ve got a lot of bases to cover. Boeing’s a big company; a lot of contracts to cover. And FAR CUI hasn’t even happened yet. So just wait — I bet it’s going to get even crazier.
Brett: It is. And it’s such a difficult spot, because, as you know, in the upcoming 48 CFR Part 204 that we’re expecting, the prime is going to have responsibility for determining what type of information gets passed down to the tier one, and then to tier two, tier three, etc. So the prime is going to have that responsibility — as far as we know from what we saw in the interim rule published last August — to say, “Tier one, you’re going to get CUI that will require a C3PAO certification. This other tier one will only require a self-certification, because they’re not going to be handling anything in the Defense organizational index grouping. And we may have a tier one that’s only getting FCI — federal contract information.” And we’ll have to make that call. So we’ve got to be spun up. The companies that hold the CUI have to completely understand it and know what they’re passing to their supply chain, because they’re anticipated to be responsible for those requirements. The security classification guide — or, if you happen to have one, the DD Form 254 — is not going to specify what is what in every case. You’re going to have to make some of those judgment calls. You’re going to have to be knowledgeable on CUI and have that relationship with your programs to understand what level of information you’re dealing with and what protection requirements there are.
CMMC Level 3, based off NIST Special Publication 800-172, is going to be even more complex, because now we have something that’s still marked exactly the same as the other CUI but has different handling requirements — different requirements out of 800-172 that must be followed. So they’ve created this critical CUI category for Level 3, and people are like, “Okay, I know I need to handle it differently, but what exactly is it — like critical technologies? How’s it going to be marked?” That’s a whole other fun rabbit trail to go down.
Daniel: Because you have two different types of CUI at that point.
Brett: Absolutely. But you still only have one type of CUI, because you’d have to convince NARA and ISOO — as the executive agent for the entire federal government — to change the rules to add that. So DoD has gone above and beyond what the ISOO rules are for protecting CUI, saying, “Well, we’re going to have some things that are a little more sensitive. They’re not going to quite reach confidential as far as a classification scheme — they’re still going to be unclassified — but we need to make sure the protections around them are even more robust than what 800-171 has to offer.”
Daniel: I love that. The DoD is — we call it the canary in the coal mine. In lieu of FAR CUI being a real thing for such a long time, DoD is basically saying, “We can’t not protect this data. We’re going to come out with DFARS 7012.” And then they realized people weren’t really following it, so now they’re going to make it more mandatory with third-party certification requirements at certain levels. And, to your point, they’re also going to raise the bar a little — maybe it’s controlled technical information, but it’s extra-sensitive controlled technical information, so we might throw that into a higher-level certification requirement with CMMC Level 3.
Some of this gets to my first major question — which actually caused me to reach out to you, Brett. Boeing sent a supply chain newsletter out with your name all over it. I was like, “Who is this Brett Cox guy? I’ve got to talk to him.” You were quoted on two things. One was a quiz — basically the top 10 things to know about CMMC, a great primer for people who don’t know anything about it. And the other was you saying, “Hey guys, the line’s getting kind of long out here to get certified. If you’re going to require that for CMMC Level 2, you probably want to go ahead and get in line.” Can you tell us more about what you’re seeing in the industry — potential blockers, or things people downstream in the supply chain should be concerned about, from a capacity or cost standpoint?
Brett: Well, it’s really about the conversations happening in the industry — you see a lot of them on LinkedIn. The CMMC quiz was kind of fun: do you have the basic understanding? The only problem is there was no banana option for each one.
Daniel: I love the banana option. Jacob, shout-out to you, my friend.
Brett: There was no banana option, so you couldn’t say “I don’t know what CMMC is” or “I don’t know the answer.” And that’s one of the big problems right now — we’re still seeing it in the Cyber AB town halls and at events, where people are putting in the chat, “What is CMMC? What does C stand for? Why am I going to be required to do it if I have contracts with the Department of Defense?” So it’s still very much a challenge: how do we ensure we reach everyone and make sure they understand what these requirements are going to be?
Because, to your point — we had the 252.204-7012 clause come out in 2016, had to be implemented by December 31st of 2017, and then it was self-assessment, and everybody said, “DoD, we’re good, we got this, you don’t have to worry about it, we’re 100% good. We’ve got some POA&Ms out there, but we can fix those.” Well — we didn’t tell you the POA&Ms are 10 years out, but we’ll get there, we’ve got it covered. And that was the birth of CMMC: well, is everybody ready? Is everybody ready to face a nation-state attacker? And the answer is, that’s very difficult, because they’re called an advanced persistent threat for a reason — the advanced part: advanced tactics, methodologies, etc. By the time 2019 rolled around, DCMA DIBCAC — the Defense Industrial Base Cybersecurity Assessment Center; anybody who went through that assessment knows exactly who they are — started with the primes. Boeing was one of the first couple of companies to go through that in-depth assessment against the 110 requirements of 800-171. And that was on a three-year cycle. Then, when they started seeing that not all these companies were ready, even though they said they were — “We’re not going to be able to touch everybody, we don’t have enough people in government, so we need to stand up a mechanism for doing this” — hence what was at the time the CMMC-AB, the Accreditation Body, was stood up to start creating C3PAOs to go out and perform these assessments on behalf of the Department of Defense.
As we all know, CMMC was 1.0, then became 2.0 — and now they’ve said, “No, we don’t use numbers anymore, it’s just CMMC.” They put in extra requirements that weren’t in NIST 800-171, so they didn’t exactly follow the standard the Department of Commerce, through NIST, had stood up as “this is how you protect CUI.” We were going a little far afield from the intentions of NARA and ISOO. So NASA isn’t going to come out with exactly the same requirements, because their needs are different. By consolidating and focusing just on NIST 800-171 in CMMC 2.0, in my mind, that was one thing that really made this go forward — and that’s why we are where we are today.
And the interim final rule that came out — the 7021 clause at the end of 2020, which went into effect at the end of November — even still says in it today, they haven’t changed it yet, even though we know it’s not real, that there are no CMMC requirements starting October 1st of 2025. That was from several years ago. You don’t have to panic. As they would say: keep calm and CMMC on. Keep working on it. You’re not going to have a bunch of assessors showing up at your door with contracts on October 1st of this year. But that evolution has really brought us to where we are today. And it’s a really hard thing, because not everybody has heard of it — even though we’ve been talking about it for five-plus years since CMMC 1.0, it’s still a bit of a shock and surprise to people. Even at CMMC Level 1: “I’m supposed to have a firewall? Well, that’s news to me.” Well, when you signed that contract, you were attesting that you were compliant with the FAR 52.204-21 clause, which included those 15 requirements that became CMMC Level 1.
So DoD is out in front. They were the first to adopt the CUI model, back on March 6th of 2020 — I remember that because it was my sister’s birthday.
Daniel: Oh.
Brett: They were the first to require some sort of self-attestation, beyond what you do in SAM.gov, to say “I am compliant with the FAR 52.204-21 clause.” So I’m really looking forward to DoD leading the way in getting a hold of what CUI is. And as you mentioned, sometimes we’re overmarking, sometimes we’re undermarking — and that’s part of the customer still learning to understand CUI themselves. I’ll be giving a briefing to a group of special government employees in September. I myself, in addition to what I do for Boeing, am a special government employee — I’m what’s called an Army Reserve ambassador. “Special” means free, so to the government, “special government employee” means free — but as a volunteer to the Chief of the Army Reserve. I represent the Chief of the Army Reserve to the state of Missouri. It’s kind of fun — I love it. I’ve been doing it for seven years. I get to give kids full-ride scholarships for joining the Army Reserve and serving as an officer for eight years. And it’s also kind of fun, because I have the same protocol as a two-star. It doesn’t get me anything, but I did get a mint on my pillow.
Daniel: A mint on your pillow, though — that’s something, isn’t it?
Brett: Yeah, I did get a mint on my pillow at one of the on-post hotels. So there you go. I mean — it was a Holiday Inn Express, and what’s funny is it actually is an IHG hotel. But there’s a lot of work that still needs to be done, no doubt about it. So anything people can do to help spread the word — such as your podcast — is huge. It’s absolutely huge. What we did with the cyber academy, what I’m going to be doing at a thing called SecureWorld here in St. Louis — I’m going to be speaking about CMMC in the middle of September. Anything we can do to get this out in front of people and get them used to the acronym and understanding what it is and what’s going to be required of them to be part of the defense industrial base is huge.
That’s one of the advantages I have as an instructor at Saint Louis University — which is the oldest university west of the Mississippi, and only one of two Division I universities that teach CMMC. The CCP classes and the CCA classes aren’t usually people who want to take the exam and become assessors — they’re people who want to learn more about CMMC. So that’s how I advertise my class: this is the official curriculum, you can but you don’t have to, but come spend some time with us, learn what the requirements are going to be. As a provisional instructor for the Cyber AB, I’ve had an absolute blast — I’ve been teaching about four and a half years now, the CCP and CCA classes, having a great time.
Daniel: So, Brett — in that newsletter, you mentioned CCAs and CCPs. Obviously you need a collection of these for a C3PAO, and you have to get certified as one. You mentioned a growing backlog in C3PAO assessments, and it’s got a lot of people concerned: “Oh no, if I get a contract that requires CMMC, how fast can I get certified?” It’s kind of a chicken-and-egg problem — they don’t want to get certified until they have the requirements, but if they wait too long, they won’t be able to get certified in time. So one of the questions we talked about: if I’m a subcontractor working with a prime, what questions should I be asking as a sub to make sure I’m well informed of what my prime is going to require of me? Because the DoD requiring something of a prime can actually be different from what the prime can require of a sub — those are private contracts. So a prime could come in and say, “We want you certified,” but the contract might allow them to self-attest. If I’m a sub new to CMMC, what questions should I be asking upstream — to my contracting officer, to my prime — like, “How do I get ready for this thing, and when do you need me by?”
Brett: Well, let’s clarify one thing: I don’t think there’s a backlog yet.
Daniel: Okay.
Brett: But the danger is there. With only 77 C3PAOs and 400 Certified CMMC Assessors — and each assessment now requires three CCAs to complete, two as part of the assessment and one as the QA person — you can see the math doesn’t add up. DoD’s original estimate is there are 300,000 contractors out there that will need CMMC of some sort. Be that a Level 1 — the person who mows the grass at Fort Bragg will have to be CMMC Level 1, because they have to protect federal contract information. But DoD estimated approximately 88,000 they anticipate will need CMMC Level 2. They’ve also come out with some statistics on what they think will be self-assessment versus C3PAO-certified. But in reality, the real challenge is that every contract is going to need both.
The big determining factor — the one thing DoD has said in the memo they published — is that CMMC Level 2 self-assessment will not be allowed for the Defense organizational index grouping. Well, that includes controlled technical information, which for a lot of your big primes is the majority of our contracts, because the information is technical — it’s governed by ITAR, or an EAR license is required, and therefore it’s technical. So that’s going to be the lion’s share of what a lot of the large primes are going to be pushing down their supply chain. Now, there’s going to be a ton of things outside of that controlled technical information — such as TRICARE, such as building a hospital on a post, such as things that require access to infrastructure information or critical infrastructure — that’s not automatically exempt from being self-assessed. We’ll have to see what those contract requirements are. So far, DoD has only said the Defense organizational index grouping is going to be a no-go — that’s absolutely going to require a C3PAO assessment.
Daniel: And that’s going to be really interesting when we look downstream, because so much of the defense industrial base — manufacturing — is a lot of controlled technical information: drawings, schematics, blueprints, basically anything with a military or defense application. If you boil down that category, it could easily fall in scope. That’s one thing we keep looking at consistently — with the Defense organizational index being in scope for certification, that’s maybe 60% of what a lot of our clients see. DoD distribution statements B through F are another good example. So yeah, I’m with you, Brett — it gets a little dicey out there, which, as a sub, can be confusing. People are like, “What do you mean I have to be certified? I barely know what CUI is, and I’m seeing this requirement come down.” It’s like, “Well, you’ve actually maybe had it the whole time, and you probably just weren’t paying attention.”
Which gets to my next question — which you already answered: certification or self-assessment, how should I plan? Number one, ask your prime, based on the data you have. And to your point, Brett, the DoD came out with a memo in January, February, March of this year giving guidance: anything in the Defense organizational index, certify; anything outside of that, we’re going to allow self-assessment, unless the DoD deems it high-risk and wants to elect for a certification as part of that. So just because you might have self-assessment in that category in that memo doesn’t necessarily mean it’ll be self-assessed every time. The DoD loves the word “discretion” and adds it in a lot, because of the nature of the work — they want to make sure they’re protecting the data appropriately. And you as a contractor should also want to protect that data. It is your customer’s data. That data is not your data — it’s your customer’s, which in this case is the actual DoD.
Now, Brett — the one thing I love talking about, because you mentioned it earlier: DIBCAC runs a report on this all the time, the commonly most overlooked or under-implemented CMMC requirements. I’m a small business, I’m a subcontractor — I’ve seen enterprises of tens of thousands of people down to 10-person machine shops. And you know the irony of all this, Brett? They’re all typically missing the same requirements. There’s not one that’s glaring for small business, not one that’s glaring for enterprise or midmarket. It’s like, how in the world are we all collectively missing some of the most basic controls? So from your perspective, what are some of those controls where it’s like, “For the love of God, people, let’s focus, let’s get these off the ground,” because they’re critical and often either under-implemented or overlooked altogether?
Brett: I would say number one is multifactor authentication — that’s requirement 3.5.3 in 800-171. Now, there’s one loophole: if you are physically touching a keyboard, you don’t have to multifactor authenticate. But that’s actually going to change in 800-171 Revision 3, where multifactor authentication is going to be required for everything. There was a study — I can’t recall it off the top of my head — conducted probably about six months ago, that came up with a number north of 90%, I think it was 92%, of all the breaches in the last 10 years would have been thwarted by having multifactor authentication.
Daniel: Wow.
Brett: It was an amazing statistic — I was completely blown away.
Daniel: We’ll have to see if we can find the reference for that. I can’t speak to 92%, but let’s just say most — most attacks can probably be thwarted with multifactor authentication.
Brett: And I think that’s number one with a bullet — because if you don’t have that, it isn’t, you know, the verb I use is “POA&M-able.” I haven’t found it in the dictionary yet, but we’re using it.
Daniel: POA&M-able. Look out, Webster — it’s coming for you.
Brett: It’s coming. It’ll be the word of the year here soon — forget what you see on CNN at New Year’s. But it’s not an option. If you don’t have multifactor authentication, you fail your assessment right then and there. There is no go-back. And as we’ve heard Matt Travis say, that 10-day period after you complete your assessment is about existing evidence, not creating new evidence. So you don’t even get 10 days at the end of your assessment to fix your multifactor authentication. You either met it or didn’t, right then and there. There is no “not applicable.”
Daniel: People think they have that 10-day window. I didn’t realize he’d said that until he came to our CS2 conference this year and said it from the stage, and I’m like, “Oh.” I think a lot of assessors have been giving almost a 10-day grace period — “Hey, go quickly implement this and then show us your evidence.” It’s like, “No, no, no — that’s for re-evaluation of existing evidence and implementation, not a go-back, not a 10-day get-out-of-jail card.” You have to have implemented it by the time of your assessment.
Brett: No. And if you want to associate it with something, it’s almost the same as the 10-day reclaim period you had during the DCMA DIBCAC High Confidence on-site assessments, where you could have a policy signature replaced, or, if you needed to do another interview, you were able to submit even a rebuttal to a control that was being judged as OTS — “other than satisfied” — so you could explain yourself and submit more information. That’s where I think Matt’s trying to go with this. But up to Matt saying that, it was very much interpreted as “this is your 10-day period to fix whatever you need to fix.” Now, I personally think that’s a good idea, because I don’t care — as long as you’re getting it fixed, that means it’s fixed; you’re protecting CUI now. If you can do it in 10 days, hallelujah, get it done. And maybe that 10-day period is your motivation to get something done that you’ve been on the cusp of — but now you have it, and I’m going to have to do a whole lot less paperwork and I’m not going to have to hire a C3PAO to come back and do a POA&M closeout. So I liked that — call it kicking it in the sides and spurring it along.
But that’s what Matt says — it should not be interpreted that way; that was not its intention. He’s asked DoD to clarify it in 32 CFR, and that they’ll be clarifying it in the CMMC Assessment Process, the Cyber AB’s CAP.
Daniel: Which is definitely going to need an all-hands meeting, right? “Hey, we’ve updated the CAP — FYI, that 10-day period, this is how you actually treat it.” Because that’s the problem: it’s not canon yet. It’s been said from multiple conferences — “Hey, this is the intent” — but until it’s canonized, we’ve got a bit of a problem on our hands. It’s left up to interpretation, which we do not want to continue to happen. So, Brett, with all this being said: if you’re a C3PAO and you haven’t been going to the Cyber AB town halls, you may have never heard of this.
Brett: Yeah, this might be breaking news to you.
Daniel: So go back and watch the episode — we’re not lying, Matt said this from the Cyber AB. This is the actual intent of how it was written.
Brett: Mhm.
Daniel: Well, Brett, this has been an incredible episode. Thank you so much for joining. I always love to leave my guests with closing remarks. You’re talking to the worldwide web of thousands of viewers of this podcast. What do you want to say to the industry — whether it’s a prime, a sub, or the IT guy sitting in a corner scared to death about this thing?
Brett: Well, first of all, thousands of viewers is a lot better than my usual tens of viewers, so I’m glad to reach a broader audience about CMMC, because this is important. The reason I do what I do is because I love the warfighter. That’s why I volunteer — in nonprofit associations, why I volunteer as an Army Reserve ambassador. The warfighter is my passion. As you can see in my toy shop behind me, I keep models of all the programs I’ve worked with. I just got two models I started rearranging — the T-7A, the new fifth-gen Air Force trainer, and I finally decided to buy one of the CH-47Gs, the special operations Chinook. That’s where the Chinook is going, because he’s a big boy. That is a big guy.
Now, I’ll admit — I’ve worked on all these programs, I’m not quite old enough to have worked on Apollo. So that one — that’s my Lego Saturn V. He gets a spot.
Daniel: So it’s funny, Brett — I live in Huntsville, Alabama, and I’m in line of sight of a Saturn V rocket right here.
Brett: I love that. My Saturn V story: I have two bucket lists. One was to see all three of the real Saturn Vs that remain, and all of the remaining space shuttles. I’ve finally seen all three Saturn Vs, and I have one more space shuttle — at the science center in LA — that I have to see, which I think is Endeavour, out in LA. I love Huntsville. I’ve been down there several times; I try to get down at least once a year, if not twice. You’re probably used to the AUSA conference — the Association of the United States Army. I’m actually the president of AUSA for the Midwest, so I have nine states in the Midwest — I’m one of the AUSA region presidents. I love the warfighter. I’m more involved in the Army now than when I was in the Army. And I don’t have to go to the desert — I don’t have to get deployed.
Daniel: Well, that’s what I was talking to a friend about not too long ago. People have a little bit of the wrong mindset about CMMC. This is kind of our modern-day space race. Sputnik was launched, which was a catalyst moment for the United States to say, “Hey, we’re now in a rush to get to the moon — we have to beat Russia right now.” CMMC and cybersecurity isn’t as sexy as building a rocket and going to the moon, but it’s definitely critical in protecting the warfighter and our own critical infrastructure. Cybersecurity is one of those things where it’s our new modern space race, but because it happens in ones and zeros, people don’t think about it that way as often. So that’s why I really like what you’re saying, Brett — we get to protect the warfighter in a way that’s basically just doing business as normal. Let’s standardize and adopt the cyber policies. Let’s do them for the protection of the United States, of the people on the front lines. I really appreciate all your service, Brett. Thank you so much for jumping on, participating, and being a voice in the industry. I’m hoping to have you on again, my friend. And with that, we’ll go ahead and wrap. Thank you, everybody, for watching, and stay tuned for the next one. Don’t forget to like and subscribe. Have a good one, guys.