Bo, a retired Air Force cyber vet now running supply-chain CMMC at Elbit, breaks down how CMMC flows down to subs and what suppliers should do now. The throughline: own the risk yourself — don’t wait for your prime.
Key Takeaways:
- It flows down by contract. The customer (not the prime) decides what’s CUI and what level applies, and it’s verified by third-party assessment.
- Silence ≠ safety. Primes are quietly triaging critical suppliers first; if you haven’t heard anything, find out where you stand. “No one cares more about your business than you do.”
- Budget 12–18 months, not the 3–6 vendors promise — you’re doing it while keeping operations running.
- Enclaves are a stop-gap. The real trap is the ERP — most cloud ERPs aren’t FedRAMP Moderate.
- Get smart cheaply: send your lead through the CCP class (~$2K).
- Certification is a competitive edge — Level 2 companies are well ahead of most competitors.
Sit down with Daniel Akridge, CMMC CCP, Summit 7, as he talks with Bo Birdwell, Supply Chain Director, Elbit America. In this episode, Daniel and Bo talk in depth about what CMMC level you should be at or expect as a subcontractor, small businesses meeting CMMC requirements, subs hearing from primes, and much more!
Transcript
Daniel: …making the rounds talking about CMMC and supply chains. Bo, it’s great to have you. We’ve got a rolodex of questions — they’re going to be a surprise, I’m pretty excited about that. Bo, tell us a little bit about yourself. Who are you? Who’s Elbit? What do you guys do?
Bo: First, thank you for inviting me to talk today. I know a lot of people say, “I’m talking as an individual.” I am very blessed that my company is very aware of what I’m doing and is very interested in our supply base — and very supportive of the concepts behind CMMC. I had the privilege to actually get both us and a subsidiary CMMC compliant over the last couple of years, and now I’ve transitioned to helping our supply base for the next, hopefully, six to 18 months. And by then we should have everything figured out and be ready for the next challenge. My background: I’m retired military. I had the privilege of doing some really neat stuff on the cyber side for the U.S. Air Force for 20 years, and then got out — and I’ve been here for a little over seven.
Daniel: Wow. So you’ve seen both sides. You’ve seen the implementation, you’ve seen the remediation with bad cyber practices, I’m sure. And now you’re on the front lines trying to protect the supply chain downstream — which, thank you for your service, by the way. You’re almost enrolled in yet another form of service, trying to make sure the war fighter’s protected from, you know, China stealing IP, North Korea, all the fun foreign adversaries, right?
Bo: I think one of the best things about being part of the defense industrial base is that you’re building stuff that saves lives — whether it’s American or our allies — or you’re conversely holding our adversaries accountable for their actions, often in a violent manner. The truth of the matter is there’s a lot of job satisfaction. I’m really proud of the company I work at; Elbit Systems of America has a very strong veteran presence and is very supportive of the veteran community.
Daniel: That’s awesome. Well, we are too. We were actually on a veterans award list. Scott, our CEO, is a retired veteran. We employ a lot of veterans as well. And I think it’s important — I’ve served so much, and there are so many skills on the table. So everyone listening, support your veterans. It’s worth doing. I can attest — my dad’s a veteran.
All right, here we go. First question out of the gate — I’m going to start with some softballs. I’m supplier ABC, Bo, and I’ve heard about this CMMC thing. I don’t think it’s going to impact me, because it’s just for primes, maybe. So in plain-lane terminology: how does CMMC apply to supply chains?
Bo: The short answer is contractual obligations. I’ve had several conversations with our supply chain and with vendor suppliers, and everybody understands contractual obligations. Everybody understands terms and conditions. Well, the DFARS — the Defense Federal Acquisition Regulation Supplement — or the FAR, the Federal Acquisition Regulation, those are basically the terms and conditions to doing business with the U.S. government. And they have the right to refuse service if you don’t meet their terms and conditions.
This is not the first time the government has given a “thou shalt do something.” Where CMMC is a little different from some of the other “thou shalts” is they’re actually testing your math. That’s the whole — everybody keeps talking about how CMMC gets blurred between CMMC and the 7012 requirements, which are the “thou shalts.” But CMMC is the unique part, because there are plenty of other DFARS regulations that say “thou shalt do this, thou shalt do that” — but very few of them say, “Now send us an Excel spreadsheet with the CMMC unique identifiers saying that Billy is certified.” Most other “thou shalts,” or the terms and conditions, are more implicitly expected to be followed, whereas CMMC is one where — if there’s controlled unclassified information — they’re going to no longer trust, but verify, through a third-party assessment. That’s the 30- or 45-second answer, and we can go as deep as you want.
Daniel: So the contractual mechanism — let’s say Elbit’s a prime, you guys are a large prime. Does that contractual mechanism flow down? And if so, as a subcontractor, what CMMC levels do I have to meet? What does that look like one, two, three, four levels down the supply chain?
Bo: Absolutely. I do not speak on behalf of every prime, but I’ve talked to most of the big ones, and I’ll tell you: no one wants to push controlled unclassified information to someone who doesn’t need it. The message smaller and midsize suppliers should receive is that the larger companies are looking at ways to shield their supply chains so they don’t have to. However, if you’re manufacturing something that’s tailor-made for a specific product, there aren’t a lot of cards you can pull out of your hat to protect you.
Most larger primes have an in-house VDI solution they can share with a supplier. Many are looking at the potential of onboarding a person from that company and giving them a laptop. There are all these mechanisms always available to share the information if the company is not CMMC compliant — but, not to get too legalistic, those are more mitigations than remediations, Daniel. Those are things that might buy you time, but they will not work in the long term. I have it on pretty good authority that most of us are reaching out at some level to our supply chains, trying to figure out who the tier-one suppliers are — not tier one in the sense of who we’re doing business with, but the critical suppliers, the sole-source suppliers, the ones tied to large product lines — and working with those as soon as possible.
You’d be surprised — there’s probably some immaturity across the defense industrial base on this. Even large companies that have talked to over a hundred companies, maybe a thousand… I have programs in our company with over 300 suppliers on one program. The numbers can be misleading — “we talked to 500 suppliers” might be two programs. So you have to work through some kind of algorithm: maybe it’s the largest dollar amounts, your biggest contracts, your sole source. Every company is looking at it in different ways. But if you’re a sub to multiple primes, you will be hearing from people. If you’re not hearing from them, at least go to their website, because almost everybody has something that says, “This is real today.” We are maybe more vocal than others — I’ve been authorized to speak on behalf of our company and say: we like CMMC-compliant companies. We look forward to working with those that have already gone through the C3PAO process. This is not me looking for a job — this is just trying to get the word out.
Daniel: So, a bit of a pivot. I’m a subcontractor. Let’s say you have to be CMMC certified — which, in one of the first letters on your website, you guys addressed; you saw a solicitation within 30-something days, right? Pretty quick for certification requirements. Me as a sub: if you’re certified Level 2 and that’s what the contract requires, do I also have to be certified Level 2? Can I self-attest? What kind of evidence do you need to collect from me as a sub?
Bo: Great example, and I’m going to take it in two directions. Let me start by answering it, then come back to that specific one, because there’s a great lesson there.
In general: when we’re the prime, or we’ve gotten this from a larger prime — we’re under two billion annually, and our parent company is around 10 or so; we’re publicly traded, it’s no secret. We’re around the top 20 globally as far as defense contractors. The way it works is the customer makes the determination, at the end of the day, of what is controlled unclassified information, what type of CUI, and what level of CMMC certification. Some people make it sound mystical, but it’s not. Most defense contracts can expect to see controlled technical information, which is a specified type of CUI, and it’s specified in 7012. It’s not rocket science. It’s specified that you have to report in 72 hours; it’s specified that you can’t use anything below FedRAMP Moderate. That’s what’s specified about controlled technical information — it’s in 7012.
So let’s say it’s the U.S. Air Force — I’m an Air Force veteran. They want to buy some bombs. They tell us, “We want to buy these bombs,” and they say the fusing information is CTI, or the specifications on the canards — the fins, sorry, probably the fins — that the fins are CTI, or that the type of metal you use is CTI. They make those decisions, we don’t. Or, conversely, they could say everything regarding this contract is CTI. They have the legal authority to do that, and sometimes people are like, “They can’t do that.” Well, yes, actually they can — because you don’t have to take their money. But if you take it, you’re kind of in the boat of, “I know more about the law than you do,” even though it’s their money.
The best thing that could happen — believe it or not — is to have a classified program, because those are the ones most likely to have a security classification guide; then you might not get “everything is CUI.” Most unclassified contracts I’ve seen are more likely to say everything is CUI than to say “the fin length is CUI” or “the sensor is CUI.” It’s just simpler for them. I call it CYA with CUI — everyone’s playing the CYA-with-CUI game right now.
To continue the thought: if we can figure out, working with the customer, that the information I need from Acme Tool isn’t CUI, that’d be great. Generally, though, bombs are not commercial off-the-shelf — I’m not trying to make a joke. If it’s not COTS, you’re going to have to figure out with the customer what’s FCI, because everybody’s excited about the term “federal contract information,” but if the customer says everything is CUI, there really isn’t a lot of wiggle room. That’s where you go through your contracting officer. As a supplier, somebody does your contracts — maybe the same person does your supply chain. Generally the contracts person talks up channel and the supply chain person talks down channel.
If you can get the information that something is not CUI, you’ll be ecstatic, and you’ll work with those vendors accordingly. But if the government says everything on this contract is CUI, and it’s CTI, then all of your suppliers — before you can issue them a dollar from a purchase order — must demonstrate their certification. And that becomes an issue, because generally people won’t supply you a part until they’re at least guaranteed they’re going to get paid. So it’s a friction point for both the supplier and the prime: we want to build the parts to meet our contractual obligations, but the suppliers justifiably don’t want to build anything unless they’re guaranteed payment. So we have to work through that, and I’m hoping the whole defense industrial base is having these conversations today, because you don’t have enough runway once you get a proposal.
Now I’ll circle back to the 31-day one, with a caveat. In the first 90 days or so — I think we’re around 90 days since it went live — the ones I’ve seen requiring CMMC Level 2 C3PAO have been white papers for us. A white paper is basically saying you’re a year out from a proposal. It’s starting the conversation, doing due diligence: “When you get ready to write a proposal, don’t be surprised when we come back and say everything has to be Level 2 C3PAO.” That’s what I’ve seen in that 31-day one and a couple of others. If you went through the free Defense Acquisition University training, it’s very clear: the Chief Information Officer’s office — the PMO — is asking the contracting officer, “Please don’t put in the requirements early,” because if you do, you’re probably not going to get a result you want, since everybody is working through their tier ones, and the more advanced ones might be considering their tier twos. Most companies, unfortunately, are doing this in a very serial manner: “Let me get my house in order before I even think about my supply chain.” And most people are still getting their house in order.
Daniel: I’m seeing that a ton right now. The major industries we work within are manufacturing, of course; regulated research — a lot of higher ed doing crazy stuff for DARPA; and construction is a huge industry in the defense industrial base, larger than I ever assumed, which makes sense — we’re building crazy things in Guam right now, bases, all sorts of stuff. One interesting thing: somebody in the AEC world said, “Daniel, we’re not hearing anything from our primes. We don’t work with Lockheed or Boeing, we work with the large construction primes, and they’re not communicating anything.” I’m seeing this a lot — a lot of the large construction primes, outside of a few, aren’t certified at the prime level, because they’re getting their house in order. One I can mention, because John’s joined us on the podcast before — Tutor Perini. Outside of a handful, there aren’t many certified primes, so they’re not going to start the supply chain conversation, because they feel like that’s backwards. In reality, it should be a multi-pronged approach: the CIO’s office should be tackling internal, and the COO — or whoever the supply chain reports to — has to be able to have this conversation, because it’s a huge corporate risk.
Bo: I’ll offer that part of that is just because the Department of War has telegraphed this over such a long period of time. Many people were willing to do it internally, but not willing to go through the challenges of engaging their supply chain until they really knew it was going to happen. And unfortunately, some people still are flat-earthing this. I don’t encourage people to flat-earth it, but a lot of people are of the mentality that there’s no way they’re going to break the DIB. And we’re like, “Dude, they’ve been telegraphing this for 10 years.” At some point you’re playing Russian roulette with a derringer and not a revolver. That’s something everybody’s got to deal with. The companies that have gotten themselves in order are now starting to look externally. And I really believe the companies that are Level 2 compliant today are probably six to 18 months ahead of — I don’t want to throw out a huge number — maybe 75% of their competitors. That clock is very conservative.
Daniel: That’s a very conservative number, and we’re seeing the same thing. One of the leading questions we get — because we work a lot in the SMB space and a lot in the enterprise space, we kind of cover the gamut — subs are like, “I haven’t heard anything from my prime, so maybe I shouldn’t be worried.” They’re really trying to figure out: “Does this mean I’m not critical enough to them, or that I’m not going to have to meet the requirement?” There’s this interesting tension. When they hear about CMMC through a conference, they’re like, “If I ask, I’m afraid they’ll require me to show up tomorrow certified. If I don’t ask, maybe that’s okay and they’ll just keep sending me work.” Kind of flat-earthing it. So what would be your response to somebody in the supply chain who hasn’t heard from their prime about the requirements?
Bo: I’m going to tell them — and I put this in an article we published a couple of weeks ago — no one cares more about your business than you do. If you’re concerned about how this impacts your business, I encourage you to get smart yourself and not trust that your prime is going to take care of you. That’s a dangerous proposition. As someone who’s been a small business owner: no one cares about your business more than you do. I encourage every defense-industrial-base company, if you think you have to go the CMMC route, to invest a couple thousand dollars and get whoever is going to be your internal lead through the CMMC Certified Professional (CCP) class. It’s a four-day class.
I did mine about four years ago. I’m a lead Certified CMMC Assessor (CCA) — not because I’m looking for a job or want to do assessments, but because I went through the process to understand how we were going to get assessed. There were literally billions of dollars of revenue at stake, so the company had no problem getting me that. I got my lead just because I’d been through so many DoD and ISO audits; it took me 30 minutes to put in my paperwork. But I’d encourage everyone: do not rely on any external organization to have your best interest at heart.
Daniel: That’s the thing — people just aren’t really thinking about it. Out of sight, out of mind, I guess. They think that since it hasn’t shown up on their doorstep, they don’t have to worry about it. But in reality, you need to understand the risk to your business either way — if I stay in the DIB or if I leave the DIB, what does that look like? What are the CMMC impacts, the cost, all of that? A lot of companies work with small businesses, some even micro-businesses. So one of the questions we get all the time — go ahead, Bo.
Bo: I was going to say — some people have gone melodramatic, because it’s an emotional conversation. But generally, when they go back to their CFO, they come back. There’s a whole “we’re going to divorce the defense industrial base” conversation about tight margins. I’ve had some people get pretty emotional on calls, and then after talking to their CFO they come back and say, “Could you explain a little more about why we need to care?” — as opposed to “this doesn’t apply to us.”
It’s always going to be emotional, because we started working this many years ago. We could have done something that would have made everybody’s life easier had they tried to tackle it over years. But when you push it off, you’re now tackling it over months, and the cost is going to be greater — and unfortunately, so is the impact on operations. We were able to schedule out some stuff for FIPS over the Fourth of July, because we could wait six months. But if you have to get it done before the Fourth of July and you’re a 24/7 shop, you’re going to have to figure out downtime that impacts your ability to make revenue — because you don’t have time to do it during Christmas, since it turns out Christmas happens once a year. So does the Fourth of July. You can’t move those dates. People are losing flexibility.
I’m not saying you can’t do it in six to nine months — I’ve had so many people swear you can. I’m saying, from what I’ve seen, 12 to 18 is much more reasonable, because it’s not like you’re getting a whole new IT department to do this — you’re doing it while keeping the ship afloat. Plenty of vendors have told me, “We can get someone ready in three months, or six months, or, God forbid, 30 days.” Whatever those numbers are, it’s the rule of fast, good, and cheap — you only get to choose two. And you can’t avoid “good,” because you have to pass an external audit. Go ahead.
Daniel: I’ll share this story before I move on. A couple of years ago I get a phone call from a very prominent CIO who runs a very large defense contracting organization — tens of thousands of employees. I pick up the phone: “Hey, this is Daniel.” And they’re like, “We need to migrate tens of thousands of people in six months and be CMMC ready.” I said, “I don’t think you understand — the impact and scope of that is so large.” Moving M365, because they were in commercial — and commercial is not compliant, for those who aren’t aware. It’s not FedRAMP Moderate anymore. They were like, “Oh my gosh, we’ve got to move immediately. We’re not going to do an enclave, because all we do is defense work, pretty much.” And believe it or not, in six months they didn’t hit the goal — they’re still ongoing in that process, because it just takes so long.
I don’t care if you’re 100 people, 50, a thousand, 10,000, 50,000 — there are economies of scale, but there are also large support burdens and cutovers that have to be planned if you’re 24/7. So many manufacturers run their shops 24/7. Could your corporate IT system have any level of downtime? Probably not. So many people have their corporate systems tied into their OT — that’s a conversation for another day — so one going down, or transforming, impacts the other. To your point, 12 to 18 months realistically for a whole organization is not unreasonable. You can do enclaves faster, but is it truly encompassing the scope of where your CUI is? Enclaves are good for most organizations as what I’d call a stop-gap solution. The problem is they’re typically not the best holistic approach to where your CUI actually is. CMMC is more than just a check — you’re actually protecting the data set, and you have to know where the data is to know where to protect it.
Bo: The one that gets a lot of people — and there’s much weeping and gnashing of teeth — is the concept of ERPs, enterprise resource planning systems. Most organizations upload the drawings into their ERP. And most people are very proud that maybe four or five years ago they moved to the cloud. I will bet you serious money that is not a FedRAMP Moderate solution that company chose. I’m not saying it’s a guarantee, but it’s highly probable that most people who got a cloud ERP did not think about FedRAMP. And yes, you can remove the files — “we just won’t put those up there” — but that’s just asking for a spill, because if you do it for every other program but this one that requires Level 2, that’s a very easy human error to occur.
Human behavior is the hardest thing to change, right? That’s where I get concerned about the whole enclave solution. Most people need to put it in their ERP, or their MES — it turns out you can’t really manufacture in the cloud. There are some things you can do, but there’s generally some kind of on-prem solution involved, even if it’s a 3D printer, let alone a full manufacturing plant. Those are the things that concern me about people who go the whole VDI route — the scoping. They haven’t really… they’re scoping based on cost, not based on use case.
Daniel: That’s very true — and a lot of small businesses have that burden of “I just need something.” So for the small businesses out there, any recommendations on what they can do to become compliant in a reasonable amount of time so they don’t start losing work? Because that’s the other side of this equation: if I don’t do this for some duration, people are going to stop calling me for work, because I’m not compliant. So on the SMB side, any first steps you’d recommend?
Bo: What I do is keep a menu of items I share with our suppliers. Our company does not direct anyone to use anything, but I feel like I’ve been in the space enough. For example, for managed service providers on the implementation side, I recommend everybody go to the MSP Collective. I’m a big fan of that, because everyone in there has been through Level 2. I’m not saying every MSP needs to be Level 2, but I have a lot more faith in the ones that are — I’m a big believer that if you’re in for a penny, you’re in for a pound. When you’ve walked a mile in my shoes, I’m much more comfortable that you’re actually going to be able to do this.
So I start there. I give them a menu that includes the MSP Collective and a couple of folks I like. I include a couple of people who teach the CCP class, because for under $2,000 you can generally get a CCP — I’m a big fan of that. I even offer to meet with their CCP to help, maybe an hour a month, on my own time — turns out we have a lot of suppliers, so I can’t do this with everyone, but I try to meet with our critical ones and say, “If you have questions, I’ll be glad to help as you work through this.” I also include a list of C3PAOs I trust, because I know they’re all certified, but there are some I trust more than others — that’s just my opinion, and they can go with whomever they want. A lot of people say, “I don’t know how to start,” so I give them a menu. And the last one: if you don’t have a lawyer that’s smart on this, I recommend Eric Crusius in particular — I saw him last week, I love the guy, big fan. He’s the only one where I just put one name, because I really don’t have a strong opinion on any other lawyer. With the others, it’d be misleading to say there’s only one MSP you should use, or only one C3PAO. I recommend two CCP classes because there are two instructors I really like, but there are plenty of good ones. That’s the menu I created, and our leadership, including our legal office, is comfortable with it.
Daniel: Those are great places to start. The CUI Center of Excellence is another free resource — good website. There’s a CUI Discord that’s really vibrant as well. You have to know a little bit going into it, but there are a lot of free as well as paid resources to help cut through “how do I pick the right partner,” which leads, ideally, to a certification.
So you put this in your last letter, Bo: what if there are suppliers listening right now? I’ve interviewed quite a few who are CMMC certified. How do they work with Elbit? Is there a line they can get in, a ticket they can pull? How does this work?
Bo: It’s great. We partner with Exostar — I’m not saying anybody else has to partner with Exostar, but we do. Basically, we have an org box. They send us the six or seven things we need, then Exostar — either already knows about them or adds them to their database, which is over a quarter-million companies and growing — and after we go through, it takes us like five minutes, and it shoots out the request to them. This is where it’s on them, because they want to do business with us: they get an email from Exostar saying “please fill this out,” and they basically screen-capture what’s in SPRS. We don’t ask for the certificate — we just ask for a screen capture from SPRS, because that’s what the DoD put in 32 CFR — or 48 CFR, one of those two rules. I think it was 48 CFR that said due diligence could be met by getting a screen capture from SPRS. So we just say, “Give us a screen capture from SPRS,” and that answers the questions we need.
Daniel: So you hear it here, folks — you want to work with Elbit, Bo’s your guy. There’s an onboarding process, and they’re ready and willing to take certified organizations in the manufacturing space.
Bo: We’ve onboarded over 20 in the last 30 days. People have been reaching out. We’re very proud that people are listening to this stuff and taking it seriously — that we’re not screaming against a wall, that people do want to do business. We’re very happy for those who have done it, because I want them to know this is serious. I can’t imagine any other prime wouldn’t be interested in knowing who out there has a Level 2 today. I was not the only one — I got a lot of “amens” from the lobbyist firms like the Aerospace Industries Association (AIA) and NDIA. The number one comment was: we need the ability to surf through SPRS — the Supplier Performance Risk System — so we can just do an “L2” export. And the DoD — or the Department of War — said no. I understand maybe where they’re coming from, but all they’re doing now is forcing us to make 50 of those versus just using SPRS. We’re all building our own database, our own rolodex, instead of being able to query the source.
Daniel: I wish there was a mechanism like other certifications have — CISSP and others — where you show an enrollment number, right? Something verifiable.
Bo: Absolutely.
Daniel: And it’s like, there’s no real verification — screenshots, sadly, are the best we can do right now.
Bo: We have to do the screenshot so we can make sure the CMMC unique identifier is actually associated with that company, because I can make up a random number as good as anyone. L2-3141592-7-9…
Daniel: You just keep going on pi. Right. Keep going.
Bo: Yeah, and it’s a number. So that gives us some kind of due diligence. And I completely respect why the DoD doesn’t want them out there — so people can’t steal the numbers, or steal the certificates, the signatures, all that. Makes total sense. And I’m very optimistic, looking forward to when they actually give out the stamp that all of us CMMC Level 2 certified companies — including Summit 7 — can put on our website, like we can do today for ISO 27001.
Daniel: Yeah, like we can all do. It’s not like these are crazy concepts.
Bo: No — but we’ll get there. The maturity is still early; we’re still in the early stages of this.
Daniel: Well, this has been an incredible show. I always like to leave every episode with closing remarks, Bo. This could be anything from your favorite fast food chain all the way through “please don’t burn out doing CMMC,” and everything in between. So I’ll give you the open mic — the captive audience is yours, my friend.
Bo: I’m very thankful for this chance. My captive-audience point: if you’re trying to figure out CMMC, there’s a big conference coming up in April called CS5 West. I’m not involved in hosting it, so this isn’t me trying to earn money — I’m saying it’d be in your best interest to go. There are going to be plenty of people who want to help you. I’ve been to a couple of them; there are some smart people there. So I’d really encourage anyone trying to get into this: if you’re not ready to send someone to the CMMC Certified Professional class, at least send someone to that conference. I’ll probably be there, and I’d be glad to talk to you if you’re trying to figure out this whole thing as a supplier. You’re not alone — there are a lot of you out there. Take advantage of something like CS5 West, because it’s literally, what, 60 days away? It’s coming pretty quick.
Daniel: I’d be there as well, but I’m getting married that weekend, so I don’t think it would look well if I flew to Vegas and then immediately came back.
Bo: Congratulations.
Daniel: So, but we’ve got a ton of people going as well. I’ve been involved in the speaking agenda — some really good topics coming to CS5. Spend a couple of days, get immersed, meet people, shake hands, and make it a reality for your organization. With that being said, Bo, thank you for your time, my friend — it was lovely. Looking forward to having you on again whenever we start talking CMMC Level 3, which, who knows, might be right around the corner. Bo, have a good one, my friend. Thanks, everyone, for watching, and have a great rest of—
[End of recording]
