Construction & CMMC w/ John Kronick, CISO, Tutor Perini Corporation

John Kronick walks through Tutor Perini’s 3.5-year road to a perfect Level 2 certification (all 110 controls) — a candid look at what an actual C3PAO assessment demands in the hard-to-scope construction world.

Key takeaways:

  • Enclave, not all-in. Certifying ~125 locations was impossible, so they scoped a GCC High enclave around the few companies handling CUI — with separate, non-overlapping AVD pools per company.
  • FedRAMP kills your tool stack. When 32 CFR landed, ~6 tools (scanning, SIEM, file storage, a Teams-alternative, MFA) had to be ripped out and replaced because they weren’t FedRAMP-authorized.
  • The assessment is brutal — prep like court. Most intense audit in 20 years, closer to a FedRAMP audit than ISO. Assessors challenge interpretations (Teams as a “collaborative computing device,” monitoring social media for CUI), so come with firm positions and evidence mapped to every control.
  • Documentation is the gate. No defined, trained, published policies/procedures + artifacts = they won’t even show up. Assessors reportedly turn down ~75% of bookings for clients who aren’t ready.
  • Executive buy-in is everything. Nothing moved until the parent CEO mandated and funded it top-down.
  • Plan for slippage, and start now. Even well-resourced, timelines kept pushing; a ~300-person firm could do it in under six months with dedication. Subs/COTS: COTS is exempt, so isolate CUI into the enclave and keep COTS out.

Sit down with Daniel Akridge, CMMC CCP, Summit 7, while he talks with Steven A. Casazza, President, Defense Trade Solutions. In episode 13 of That CMMC Show Daniel & Steven cover CUI vs ITAR, industry horror stories just in time for Halloween and so much more!


Transcript

Daniel: Hello everybody, and welcome back to That CMMC Show. Today I’m joined by a GOAT — greatest of all time in the industry when it comes to CMMC: John Kronick, ladies and gentlemen. And not only does he know CMMC, he’s gone through this journey for quite some time, in an industry that’s very hard to navigate CUI requirements in — the AEC, the architecture, engineering, and construction industry. If I hear woes from any industry about CMMC requirements, it’s that one, because of so many different nuances and unique cases. Well, today we’re talking to the expert. So, John, thanks for being on the show. I want to open it up: who are you? Tell us a little about yourself, and who is this amazing company you work for, Tutor Perini?

John: Sure. Good morning, everybody. My name is John Kronick. I’m the Chief Information Security Officer at Tutor Perini Corporation, and also Director of IT Compliance — which is how I got thrown into the CMMC effort. My background: I started out as a CPA. I was with Deloitte, and then I got into information security over time. I was a CISO at many companies — Citibank, Estée Lauder, Gartner Group, Prime Healthcare, and a few others. I did a lot of work in the federal space while I was a consultant on the other side of the table, and, surprisingly, a lot of 800-171 assessments early on — this is before CMMC — so I was familiar with it. When I was approached for this position, the number one priority was to deal with CMMC and the coming storm, and this was three and a half years ago. So you have to think — they’d made some initial efforts.

So who is Tutor Perini? Tutor Perini is the 24th largest construction company. We have about $5 billion in assets, about 10,000 employees. We construct everything from bridges and subways to airport extensions, military housing units, missile battery housing units, and things like that. We don’t deal with ITAR, so from a CMMC standpoint we’d only need to be a Level 2 compliant entity. I was brought on about three and a half years ago. Let me also say, Tutor Perini is about 18 companies combined into this one company, and there are four of our companies dealing with CMMC requirements. When I was brought on, they’d started working on CMMC — they actually did a self-assessment and got up to about 42 controls compliant. They’d submit that score, we’d submit our bids, win the bids, and everything was fine. We’re a big Pacific Ocean building company — Guam is our big… there’s a lot going on in the Pacific these days.

Daniel: There’s a lot going on in the Pacific these days, isn’t there, John?

John: Right. And that was really the big push, because with all the requirements for CMMC, when you’re out in the middle of the Pacific, close to China, and you have to be CMMC compliant, you need suppliers and subcontractors out there too — and that’s a challenge. We looked at Tutor Perini as a corporation and said, “Is it possible for us to be CMMC compliant across the company, with about 125 locations where we’re doing projects?” We said, “No, we can’t — not possible in the timeframe needed, and to keep it secured the way it’s required.” So we said okay, let’s think about an enclave. Let’s zero in on two of these companies that we know have active projects with CUI information, or that are going to be awarded contracts that have CUI. So we said let’s look at building an enclave. We went early with the Microsoft Azure GCC High cloud — thank God we went with a high cloud.

Daniel: Right. Right. You saved a lot of effort there.

John: But the company we used didn’t do a very good job. And as we looked at the evolving requirements of CMMC — we’re looking at 7012 before this, the 252.204-7012, those requirements, and looking at 800-171 Rev 2 — we said, “Okay, here’s how we’ll build the enclave, with these various tools.” Well, when 32 CFR was published, they said, “No, if you’re going to use these tools, they have to be FedRAMP’d. If you’re going to use a cloud provider, they’ve got to be FedRAMP Moderate authorized, or equivalent.” And we looked at our tools and went, “Oh, that’s got to go. That’s got to go.” We had to replace about six tools.

Daniel: Six tools. Wow.

John: Yeah, it was something else. What we were going to use for scanning, we had to get rid of. What we were going to use for our SIEM tool, I had to get rid of. We had a product similar to Teams that would give us more control over anything we shared — we had to get rid of that one because it wasn’t FedRAMP’d. And one after another — file storage that wasn’t FedRAMP, had to get rid of that. So we said, “Okay, what can we use?”

Daniel: What’s left at that point, right, John?

John: Right. A number of those products we were going to look at were in the middle of, or almost complete with, their FedRAMP authorization. So we were like, “All right, let’s continue building our program, building our enclave, knowing we’re going to have to change out some things and bring on somebody else who can take us to the next step, because the company we were using wasn’t really well-versed in CMMC.” I’d gone through the training for CCP, etc., and I realized, yeah, we have a lot of shortfalls, and we don’t really have the staff internal to do this. We’re relying on our cybersecurity and infrastructure teams, but they were full out supporting the business. With 18 companies, we have a centralized IT staff, so they have to support all of them — we have an eastern region, central, and western, all across the U.S., plus the Pacific. So we said, “Okay, we don’t have the resources — let’s go find a company.” We looked at four different companies, and we chose Summit 7.

Daniel: Right there.

John: And we really vetted them — went through the whole nine yards. We looked at the services and said, “Okay, we want help to get compliant, but we want continued service beyond that, obviously. We want to take a lot of this burden off of us, but we still want to manage.” So we started going down that path. As we were building the controls and putting these tools in and swapping things out — the connection from our desktops into the enclave in the Azure cloud was initially through a VPN connection, then we swapped that out to a VDI, because we couldn’t get multifactor authentication working with it. That’s another thing we had to swap out — the MFA tool we were using, we had to get rid of and get a different one. So we finally said the best way to do this is RDP directly, with MFA, into an AVD host pool.

Daniel: Yep.

John: Worked beautifully. And then, as we built that, each company had their own AVD pool in the enclave. So we had four separate companies in the enclave, but none of them could overlap or touch each other’s data. So it was great.

Daniel: That’s perfect. That’s awesome.

John: Yeah, and we could replicate those. So we replicated the pools by company, did some sizing and optimization so no one would have contention for storage, processing, or any other activities. We had DLP implemented. We had everything that’s needed, and we finally got all the FedRAMP products in place. The first thing was helping to build all the components, so we got three different services from Summit 7 — Vigilance, then Guardian, and then the last one, which came later, Commander, to help us maintain our compliance once we got it. So we worked that through, and then I said, “Okay, as we’re building this, and I know this control is now covered internally, we’ve got all the evidence and everything.” I wanted two different companies to come in and do a gap assessment — and we weren’t quite finished, still going through changing out some products. I had the first company come in, and they did a decent job, but there were things they missed.

Daniel: Okay.

John: I also had S7’s compliance team come in and do their gap assessment — that was the final one before our actual C3PAO assessment. They came out with a few more things we had to take care of. Then it was time for our assessment. We’d gone out to the market and looked at about four firms known to be reputable C3PAO companies — in fact, some of these I’d done personal work with outside of this company, in prior positions. So the company we chose — we talked about some of the controls and said, “What’s your take on this? What’s your take on that?” I thought we did pretty good. They answered the questions, and we said okay.

Daniel: I call it speed dating your assessor, right? It’s good to get a few rounds in before you pick somebody.

John: Yeah. And even then — when you think you’re talking to maybe the director of CMMC services, the salesperson, and somebody else — when you actually get the assessors assigned, they may not have the same exact opinion as those who sold the assessment to you. So anyway, we started going through that. Now, while we were about to have the assessment, the final piece we had to swap out in our enclave was a remote printer for one of those locations. We’d gone through the whole industry to figure out if anybody out there had gotten remote printing of CUI through an enclave, and we scratched everybody off the list, you know.

Daniel: Oh yeah. People— by the way, John, that’s a hard one.

John: Right. So the week we started the assessment, we’d just put in the final piece of that remote printing. We had to swap out the firewall, swap out the printer, add the access control cards into that whole process for facility access control, cameras, everything. We got it just as they were starting the assessment — final documentation the day they started. Three days of documentation review: policies, procedures, artifacts, and evidence that we’d accumulated. By the way, we used a GRC tool to capture all this — the FutureFeed tool. I’d tried two other products: one wouldn’t work at all for CMMC; the second was good for CMMC but too complex — you just couldn’t follow the path. So we chose FutureFeed. We put all our evidence, all our policies and procedures, everything in there. There’s a user-access level for assessors, so they can go in, view all the information, read-only — they can’t change the data. So they started the assessment, and it was going pretty good. Every day, eight hours a day — it was a lot. “Show me this, show me that. Show me the schedule. If you said you’re doing it monthly, show me you’re doing it monthly. If you’re doing it quarterly, show me you’re doing it quarterly.” This is probably the most intense audit I’ve been through in 20 years.

Daniel: That’s fascinating.

John: It was. And I used to do audits — I was on the other side of the table.

Daniel: Because a lot of people think this is the same as an ISO audit. And I’ve heard multiple people say it’s very different — CMMC seems way more invasive of an assessment than something like ISO, and people just aren’t really prepared, John, for the full burden and weight of what an actual CMMC assessment feels like until they go through one like you did. It’s hard to even articulate.

John: Yeah. And I’d already been through our DCSA audits and things like that — nothing compares to this. This is more like a FedRAMP audit, if you want to know. Not quite as much as FedRAMP, but very close in the way they dug through the evidence, mapped it back to the policies, mapped it back to the control and their interpretation of the control. Boy, we had to swallow hard on some of those, because they were pushing it to the nth degree. We had to make sure we gave them the evidence to show that it complied. We had a couple—

Daniel: It feels like you’re in court, doesn’t it? It feels like you have to be a lawyer with your defense case ready to go, because they come out and challenge so many things. And to your point, the person who sold the assessment might not be the same assessor delivering it, and they might have a different interpretation. So preparing like you’re going to court is probably the closest I can recommend going into a CMMC assessment. You’ve got to be firm in your boots: “This is our position. This is our justification.” And I know, even through your assessment — because we talked about it a little while ago — there were some unique controls you almost had to arm-wrestle about, that they wanted to deep-dive on. Do you mind going into some of those at a high level?

John: Yeah, I’d say a couple things. Number one, they really dug into policies and procedures. If you don’t have policies and procedures really defined and communicated to your users, and show they’ve been trained in those things, that’s going to be a ding against you. Number one. They also asked for things that may not have been explicitly defined in some of the requirements — they wanted the disaster recovery plan, the business continuity plan, the business impact assessment, the security impact assessment, the risk assessment. All these things they asked for — thank God we do them — but for these other companies out there, I don’t think they’re going to have those. I’ve been in that business where I had to do all that. So they said, “Wow, your policies and procedures are really well done — we haven’t seen that in other assessments.” That’s great. But then they went in and started mapping that policy or procedure to the controls, and made sure we had the evidence and artifacts to back it up.

But then we came into some issues. I’ll give you one, for instance — 3.1.20, was it 3.1.22… oh, no, sorry — 3.13.12. That’s the collaborative computing devices one.

Daniel: Oh yeah. That’s a touchy one, funny enough.

John: Yeah. So the argument was, we use Teams in our enclave. We don’t allow collaborative computing devices like whiteboards, conference-room audio, and things like that. But we utilize Teams, and they said Teams is a collaborative computing device. Other assessors and other companies said, “No, we don’t consider that a collaborative computing device.” And some of this C3PAO’s assessors initially said it’s not a collaborative computing device, because it’s a SaaS, right?

Daniel: Wasn’t that the justification? It’s a SaaS — it’s not hardware, not a [physical] thing.

John: Yeah. We gave them a lot of evidence and support for that. They came back with other evidence and support — for instance, the 800-171 Rev 3.

Daniel: Ah, okay. And by the way, it’s not fair to bring that definition into a CMMC assessment. That document might as well not exist.

John: Right. And so — now, I have to say, the CISO of the C3PAO we were using happens to be the chairman of the Cyber AB. So whatever he was going to say — okay, I guess we’re going with your definition. So what we did to get around that control issue was just disable microphones and cameras on Teams in the enclave, and keep with our definition that says we prohibit collaborative computing devices in the enclave. That solved the problem. That was one.

Another one you don’t think is going to happen is 3.1.20 or 3.1.22 — who’s monitoring websites and social media for CUI or FCI data. Boy, did they go into that in detail. Fortunately, three months before our assessment, I read through all this documentation and contacted our legal and our marketing. I said, “We’re going to have to make sure we’re monitoring this stuff, and that we have one funnel to review this before it gets posted, and periodically review it to make sure nothing gets posted that shouldn’t be there, so we can take it down.” We put in policy and procedure, got evidence, got our marketing people to be signing off — a very structured approach. And the auditors were still sticklers on that: “Well, let me see your evidence of sign-off on that review.” We had to provide that. Fortunately, we had it, and we’d had it long enough. So they signed off on it, but again, it took a bit of negotiating.

Daniel: You’re going above and beyond. No one looks at all that.

John: No. And there were some things the auditors asked for that were outside the scope of CMMC, and we said, “Why are you going down that path? You need to stick to the audit.” And they said, “Oh, it’s just for our benefit.” I’m like, “Okay, forget that, we’ve got to get back on track.” So part of that was some push-back. But they weren’t bending on anything. They said, “This is what our interpretation is. We’ve done a number of these assessments. Everything we’ve done went through according to Cyber AB, and we have the best track record. We don’t let anything go that isn’t according to CMMC.” So that was a blessing and a curse—

Daniel: Because of the meaning — you passed at a very high bar.

John: Little— yeah. And finally, the director called us and said, “Congratulations, you’ve passed on all 110 controls. We’ll be delivering that letter.” I then had to hash all that data and give them the hashing algorithm. They posted that to eMASS. I got an automatic reply from the eMASS system: “You’ve passed all 110 controls. Your score has been updated automatically into the SPRS system. Congratulations.”

Daniel: That is— and you’re good. Now, here’s what you just scared everybody about. I’ll tell you right now, John — you said this journey began two and a half, three years ago in earnest around CMMC. The question I know a lot of people watching have: there are a lot of people who haven’t started this journey yet, which is problematic, because the pending 48 CFR and the contractual obligation to do CMMC is likely to be published around the October timeframe — meaning you will not be able to be awarded work unless you can meet whatever the CMMC requirement is on the contract. So, talking to an audience in the construction, in the AEC space — when should they start planning to do CMMC, and what’s the best way to approach this on an accelerated timeline?

John: Yeah. We had this argument with our management for quite a while, and it wasn’t until the last year and a half — literally a year and a half — that we put the fear of God into them: “Look, if we don’t get this, we won’t be awarded contracts. Do you understand that?” We had to show them in writing — “This is what it says.” And then the president says, “Okay, if we throw more money at it, can you get it done sooner?”

Daniel: That, by the way — I literally, when DFARS 7019 came out in 2020, had a 300-person construction company, a lot smaller than you guys, call me and say, “Blank check. Make me compliant in 30 days.” I was like, “I don’t think you understand how this works. We would love to take your money, but 30 days is unrealistic to implement all 110 controls — and it doesn’t necessarily solve the problem.”

John: Yeah. And that reminds me of something else. One of the things they look at is security awareness training. We’re using a computer-based learning management system, so it was easy to show we push out this training. And, by the way, we require everybody in the company to go through CUI training through the DoD eLearning site — you get a completion certificate, and we added that into our program, so it’s automatic. Every new employee that comes on, boom, gets through that training, I get the certificate. So we got that for CUI training, insider threat training, and cyber reporting — all covered. That was an easy one for us, but it took a lot to get in place. This is the second year we’ve run through that program, and it’s been very successful. That’s something a lot of companies don’t have in place.

So if you’re starting now — I was just talking to a construction company bigger than ours, up at the top, and they’re just now trying to get going with an enclave. October! We started two years ago, or whatever it was, and said, “We think this CMMC program is going to be published at the end of 2024” — everybody thought that — “so we’ve got to get it done by then.” Well, we realized we couldn’t get it done by then, so we said, “Okay, we’ve got to get it done by the first quarter.” And we kept pushing — first quarter, first quarter. And again, it wasn’t going to make it, because we still had to change out tools, couldn’t get the remote printing. Fortunately for us, CMMC got pushed out, and then we said, “Okay, drop dead October 1st.” So we said September. Then I said, “Okay, let’s have a one-month cushion.” So I said to the CEO, “We’re going to get compliant by 8/31. That’s our date. We’re promising you.” Because we knew we were real close. So every two weeks I had to report to him on our progress, and I kept saying, “We’re still on target for 8/31.” And I knew our C3PAO was going to be on the job July 14th through the 28th.

Daniel: Okay.

John: So I knew if there was a POA&M, we’d have 30 days, maybe — because I didn’t see too many things they could come up with that we’d have a POA&M on and not get complete. So I said, “Okay, August 31st we’ll be compliant.” And we got in August 14th.

Daniel: John, so what I’m hearing is, you can plan for something, but you need to have an understanding that it will likely get pushed?

John: Yeah, you definitely need to plan if you’re starting now and you’re a smaller company. I would still think enclave. Think enclave — because if you have multiple locations and no idea what CMMC is, it’s going to be impossible. You’re going to have to put physical security controls in every location where you’ll have FCI or CUI data, additional protections for the CUI data — and you may not have the staffing. I know a company that had 20 people allocated for CMMC and still couldn’t get there. 20 people! I’m like, “What are you guys doing?” I had four people here — it was actually myself and a teammate, and then I used two people from infrastructure to help with the enclave stuff. Other than that, it was just two of us. And this other company’s got 20 and hasn’t gotten all their policies and procedures written yet.

Daniel: That’s wild.

John: So you’ve got to have those. Number one — if you don’t have policies and procedures, and training, and proof you’ve done those things, and everybody’s aware of those policies, and they’re published on your internal website or whatever — they won’t even come do the assessment. They’re going to say you’re not ready. And if you don’t have the artifacts, if you’re not doing the things your policies and procedures say, they’re going to say you’re not ready.

Daniel: Yep. And that’s a problem. I literally — I think I’ve said this before on the podcast — I was at a conference, and a C3PAO comes up to me and says, “Daniel, you’re never going to believe this story. We had somebody sign up for an assessment.” I said, “That’s great.” They said, “Yeah — we asked for their documentation as part of Phase 1 of the CMMC assessment process, and they said, ‘Nah, just come on site and interview our guys. They know everything. We don’t have to review our documentation.’” And the assessor was like, “What do you mean? That’s the requirement of the assessment process.” And they were like, “Nah, just come on site and interview our IT guy. He’ll tell you everything you need to know.” So, to your point earlier, CMMC is a very robust assessment and certification program. You can’t just fly by the seat of your pants — a cup of coffee in one hand and a good conversation in the other doesn’t get you through the door. You have to be able to show it. I know we’ve talked a lot about the assessment approach and the incredible success Tutor Perini’s had in the construction space — even more so now that, with CMMC, you get to hold that piece of paper in your hand. From a closing-remarks perspective, John, again talking to the AEC space, any words of wisdom or encouragement you want to leave them with — so they understand it’s not hopeless, you can do it, it’s not easy, but if you put your head down and get executive buy-in, you can move the needle pretty quickly?

John: Yeah, you definitely need to get the buy-in. We had resistance from business units to spend the money and allocate it — they weren’t willing to do that. And then the CEO of the parent said, “You’re going to do it. We’re going to fund it. So the money’s allocated; you’ll get charged for it later. That’s the way it’s going to be, because we can’t win the work if we don’t have the certification. Period.” It wasn’t until that CEO said, “I’m going to drive this, I’m going to fund it, they’re going to report to me on this, and that’s the way it’s going to be” — top-down authorization, approval, and direction, communicated out to the business executives in the business units.

The challenge I see going forward is helping suppliers and subcontractors get certified, if we’re going to share CUI data with them. So what we’re trying to do from a strategy standpoint is, when we get an award that may have CUI — and now we’re talking about the construction company — a lot of this stuff is COTS products, which is exempt from CMMC. So we’re trying to separate out the CUI from FCI and COTS products, and make them come into the enclave for the CUI; the COTS and everything else, we keep out there — they can do that all day long without certification. That’s the only way we can do it. We’re still going down that path to figure out subcontractors — actually, we’re working with you guys to see what we can do on a training program for that.

But if you’re starting now: get those policies and procedures nailed down — get that going first. Figure out your scope for CMMC, and once you figure that out, you can try to build an enclave, even as a temporary solution. Get an enclave; it’s so much easier. Right now, the assessors are telling me 75% of all the assessments they’ve been assigned, they’re turning down, because the client wasn’t ready.

Daniel: Wow.

John: So what that means is, there are some assessors available right now, because the assessments they were supposed to do either got pushed off, or the company backed off and said, “Oh, we’re not ready — we know we’re not ready, so we’re not going to do it.” So if you haven’t gotten there already, just know you’re in the same boat as all those others who thought they were ready but aren’t, and have now backed off and are taking more time. I don’t know what that’s going to do to the defense industrial base when new contracts come out and they need bidders. But you still have time. Depending on the size of the company — maybe a 300-person construction company — it should be relatively easy to get an enclave, build out your policies and procedures, get the artifacts going, and train up your people. You could do it in less than six months for a smaller company, but it’ll take dedication, and it’s going to take some money up front. The 32 CFR — one of those articles said it averages about $109,000 to get compliant. That’s ridiculous; it’s going to take a lot more than that. That’s federal-government math. It’s assuming you have infrastructure, applications, security tools, and everything — but if you’re going into the enclave, a lot of those tools won’t work in the enclave, so you’ll have to figure out what tools will. You’re literally going to have two sets of tools — one for the enclave, one for on-prem or whatever is outside the enclave. And just know, unless you get an MSP to manage those things like we did, your folks are going to have to manage two sets, and it’s going to double your work effort. You need to think about the strategy there. You’ve got to staff it somehow — internal or external.

Daniel: Someone’s got to do the job. That usually means hiring internally or finding a really good external partner as part of that, too. So, John, my friend, thank you for this interview. You’ve been able to shed a lot of light. Literally before this podcast recording, I was on the phone with another construction company talking, verbatim, about the same problems you guys were able to knock down. Getting your cert in hand is great — the next challenge, because there’s always another challenge, is the supply chain. You’ve been an incredible partner of ours. We love working with Tutor Perini, and we’re so excited for your future success. Just want to thank you again for being on. And to all the viewers out there, thanks for watching. John, we’ll have to have you back on for CMMC Level 3 certification whenever you guys decide to go after that one. Thank you, everybody, for watching, and have a great rest of your day.

John: Thank you.