SPECIAL EDITION

 The Cybersecurity Maturity Model Certification Program.

 The Cybersecurity Maturity Model Certification (CMMC) Program comes into effect on November 10, 2025. Find out more about the requirements from Jacob Horne.


Summary

Defense contractors, including space industry companies who are doing work with the Department of Defense, have requirements in their contracts right now to implement cybersecurity requirements to various degrees. Those requirements have been in contracts for a very long time. Unfortunately, there has never been a mechanism in those contracts to make contractors prove that they're doing those things. And over the years, there have been multiple instances where the DOD has paid the price as a result of their contractors being compromised. That’s about to change. The Cybersecurity Maturity Model Certification (CMMC) Program comes into effect on November 10, 2025. Find out more about the requirements from Jacob Horne, Chief Cybersecurity Evangelist at Summit 7.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Be sure to follow T-Minus on LinkedIn and Instagram.

Selected Reading

Beyond the burning: researching and implementing policy solutions for sustainable debris ablation

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at space@n2k.com to request more info.

Want to join us for an interview?

Please send your pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal. 

T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

If you work with the U.S. Department of Defense, and likely many of you listening do, then you already know that there are some requirements in place to implement best practices in cybersecurity. Are those requirements going far enough, though? The federal government is starting to see that, no, they don't. And that is why they are implementing the Cybersecurity Maturity Model Certification Program, otherwise known as the CMMC. OK, so what is the CMMC? Well, you're about to find out with me. I'm Maria Varmazis, and this is T-Minus Deep Space. A new policy is about to come into effect here in the United States. So if you are a space company that works with the U.S. federal government, specifically the Department of Defense, then you're going to need to become acquainted with CMMC if you aren't already. And our guest and expert, Jacob Horne, is here to help. I am Jacob Horne. I am the Chief Cybersecurity Evangelist at Summit 7. We are a managed service provider, so essentially the outsourced IT and security department specifically for defense contractors who need to comply with their contractually mandated cybersecurity requirements. And Chief Evangelist is a purely made-up title. It basically says, "I don't have a sales quota, and I'm just here to try to translate all of the regulatory gobbledygook around all of the cybersecurity requirements into human speak the best that I can." Because there's a lot of people affected by the requirements and regulations, and they all sort of speak a different language from the people writing the requirements. And that's my job. I've been working in security now for almost 20 years. I started out active duty in the Navy as a cryptologic technician, doing some cool secret squirrel, high-speed stuff attached to the National Security Agency, which was super, super interesting. I was able to do a deployment, which is pretty rare for somebody with my job in the Navy, and I hated it, so I got out of the Navy.
And then I worked in sort of standard SOC operations, a 24x7 watch floor out in Hawaii, living the dream. Then I decided I wanted to get back to Southern California, where I was from, and they needed a ton of people doing compliance work. And I was like, "Sure, it's fine with me. I don't mind." And there I was, minding my business, running ATO packages, risk management framework, NIST control stuff; people who have worked with the prime contractors and with the government directly will know what I'm talking about. And one day the supply chain people came into my office, absolutely freaking out, because all of the suppliers needed to comply with this new set of requirements in a document called NIST Special Publication 800-171. They said, "You're the NIST control guy. What is this?" And that was a consulting opportunity, because there were a bunch of people out in the muggle world, you know, manufacturing parts to go on space systems and weapon systems and things like that, that had never needed to interact with NIST controls directly, because they weren't on the federal side. So I started doing some consulting and sort of just explaining how these requirements work, talking to folks at the NIST Manufacturing Extension Partnership Program, things like that. One thing led to another, and the Summit 7 folks came to me and said, "Do you want to do marketing?" And I was like, "You just want me to keep explaining things to folks?" And they said, "Yeah, so here we are." Well, Jacob, thank you so much for joining me today. Regulations and compliance are the bread and butter of a lot of cybersecurity folks. The reason we're talking about this on the space podcast that I am hosting and not my cybersecurity other gig is because there is some very important information that the space industry needs to know that relates to all this. And I don't want to give it away because I'd rather you explain it because I will not do a good job. Sure.
What is it that the space industry needs to know that's coming? Yeah, well, just to get everybody caught up, defense contractors, especially folks in the space industry who are doing work with the Department of Defense, you know, doing lots of awesome things, have requirements in their contracts right now to implement cybersecurity requirements to various degrees. Those requirements have been in contracts for a very long time. Unfortunately, there has never been a mechanism in those contracts to make contractors prove that they're doing those things. And over the years, there have been multiple instances, sadly, where the DOD has paid the price as a result of their contractors being compromised. These are specifically non-federal systems. These are systems that contractors owned. And under the DOD's analysis, they found out that if they had been implementing these requirements that they were obligated to, then those intrusions would have been a lot harder to execute, if they would have been possible at all. And so they created this program known as CMMC, the Cybersecurity Maturity Model Certification Program. That goes into effect on November 10th of 2025. And that program is designed to make you prove, often through third-party verification, that you have, in fact, implemented those requirements that are in those defense contracts. That starts November 10th, and that's the big news. A lot of people have heard that this is coming over the years. There's been various iterations of it, which we can probably get into later on. But November 10th is the big day. That is the day that the regulation officially goes into effect and can start showing up in defense contracts. So if you are planning on bidding on work that will go out as a solicitation in FY26, well, once everything opens back up in FY26 and later on, then you are going to see these requirements in your contracts and the requirement to prove that you have implemented them.
That's in order to take award of the contract. And this is not a thing that you can do after you have taken award of the contract, which means you need to be strategizing what you're going to do before you bid on those things. So realize that it's not going to happen now and that this is the red light going off to tell everybody to start thinking about it now, not when it shows up in the solicitation. OK, so to address what you also mentioned about the currently ongoing government shutdown, this is not being delayed by the currently ongoing government shutdown. November 10th is for realsies. Yeah, yeah. So the November 10th day is the day that the regulation goes into effect. And so that's after 60 days of essentially a waiting period after the regulation was published in its final form. 60 days later, it goes into effect. That is not stopped or slowed down or delayed by a government shutdown in any way. The only way that this thing in particular would be delayed is just like any other contract clause would be delayed in that a new solicitation wouldn't go out on the street because people aren't at work. But it doesn't have anything to do with this regulation specifically. The government shutdown does not delay the effective date of the requirement. You can even go on sam.gov right now and see some of these things trickling out in new solicitations or even just notices of upcoming solicitations that they're letting people know, hey, this will have a CMMC requirement in it just so you're aware. Yeah, government shutdown doesn't affect it. OK, we're clearing that one out. So in case someone thinks they got some extra time or something, nope. OK, so the CMMC requirement, what is it? What do we need to know? Sure, so the CMMC program is one program that is implemented by two different regulations. So the first regulation actually went into effect in December of 2024. It actually went into effect almost a year ago. 
And that regulation outlines all of the policy, all of the roles and responsibilities, all of the different levels of the CMMC model, what the requirements are, how assessments will work, how scoping and environment will work. All that ticky-tacky detailed stuff is codified at Title 32 of the Code of Federal Regulations. That's primarily the reason why people have heard about this program coming along for a long time, but they haven't seen it, because creating a new regulation at Title 32 of the Code of Federal Regulations is a massive bureaucratic effort. It takes a very long time to do it. But it was always the signal that the DoD was very serious about this program, because that's not the kind of thing that you just do. That's not the kind of thing that a department or an agency just kind of picks up in their free time. That's a massive commitment. So when they announced that they were going to do that, they were going to do this Title 32 rulemaking, is what they call it, regulation making. When they announced that they were going to do that at the end of 2021, that was the signal to me that this was just an inevitability. It might be two years, it might be four years, but it will happen eventually. And now here we are less than four years later and that rule went into effect. Like I said, it's implemented by two different regulations. So we've got this program that's live, but the process of actually requiring it in contracts is another, of course, another process. Contract clauses themselves are regulations. And so if you want to create or revise a contract clause to, let's say, be in line with a new regulation, you have to go through another round of rulemaking in order to make it. And sure enough, the way the Pentagon works, the office in charge of that Title 32 rule is not the office in charge of the contract clause rule. So literally the left hand and the right hand are doing two different things.
And they, even though they like share a break room and park in the same parking lot, they don't talk to each other. So we had the program go live a year ago and now in November, literally almost a year later, we will have the contract clause language, the specific contract clause language show up in contracts. So we've had this weird gap where the program went live in December of 2024. So people could, of their own volition, go pay for a third party auditor to certify their environment against the requirements and have a live, real, bona fide, CMMC certification right now. But the DOD couldn't require it in contracts until their contract clause language was final. So now that it's final, they can put it into contracts. So there's somewhere around 400 companies so far that have their CMMC level two certification. The model has three levels, level one, level two and level three. So there's about 400 companies that have voluntarily gone to get their CMMC level two certification. But starting November 10th, the DOD will start to require at least one of those levels in all new DOD solicitations and contracts. When I'm thinking through compliance regs, there is the whole stereotype of it's, "Oh, check the box, not a big deal done." But then there's the flip side of people sweating bullets because they're going, "I don't know what I don't know. I don't know what I need here." Or, "I have a vague idea, but I'm missing something." So what are you seeing? Good news and bad news, right? Good news is that, remember, the CMMC program is just the verification program, right? So it isn't, the thing I always like to say is it's not making you do the requirements. CMMC is just making sure you did the requirements. So a lot of people conflate the verification process with the requirements themselves. The requirements, like I said, exist. Whether CMMC got delayed forever or went away entirely and never existed, you would still have these cybersecurity requirements in your contracts. 
They've been there since 2013. But how seriously were you taking those requirements? Right, exactly. Now, the good news about these requirements is that they are written by NIST. And so they are very clear and standardized. You know exactly what the requirements are. Those requirements are in a document called NIST Special Publication 800-171A. And the even better news is they give you a standardized set of verification procedures. So this isn't like an ISO audit. This isn't like a SOC audit where maybe you know what the cybersecurity requirements are, but how they will be verified is just based off whatever the auditor had for breakfast that day. Like, who knows what they're going to ask you. It's horrible that it's not consistent at all. NIST has a standardized set of verification procedures. So we know what questions are on the test. The problem is that there is a standardized set of verification procedures and they're pretty long. So you have 110 requirements in NIST SP 800-171, but in order to verify that they are implemented, in order to prove that they are implemented, you have 320 questions that have to get answered. That's contained in a document called NIST SP 800-171A, as in alpha. The good news is that the CMMC assessment guides for level one, level two, and level three put both of those documents together. This has been a blood feud between me and NIST over the years. They refused to put these documents together into a single document. So for the last four years, I've been begging people to look at the other one, 171A. If you just look up the CMMC assessment guide, you'll find everything in a nice, tidy package that's only a couple hundred pages long that gives you all the verification procedures. So this is good because we know what questions will be asked. And so if you go through the requirements and their verification, then by the time, theoretically, you get to a third-party audit, they are asking you the same questions that you asked yourself.
They are looking at the same evidence that you used to prove to yourself that you had implemented these requirements. So we wouldn't possibly have been cutting any corners when we were doing our self-assessment versus our third-party assessment, right? No, definitely not. When the DOD sent out their team, which is very small of actual DOD employees, who are cybersecurity auditors, they found a massive disparity between self-reported scores and the scores that they had as a result of their assessment. Using the exact same questions, that led to an IG audit, that led to a big report. The Senate Armed Services Committee got wind of this. That led to an actual provision in the FY20 NDAA that said, "You will DOD create a framework that will hold contractors accountable to prove that they have implemented these requirements." You toss in a couple of compromises for, I don't know, submarine-based hypersonic anti-ship missiles. That's enough fuel on the fire for them to say, "We're going to come audit these contractors because not only is this super important, but they also told us when they accepted the terms of the contract that they were implementing these things, which means they got paid to implement them. They clearly didn't, and that's fraud." So whichever way you slice it, whichever way you look at it, the DOD is very serious about it. Now, if you wait until you see this thing show up in a solicitation and your customer is going to award that contract 45 days later, even four months later, that's not a lot of time for you to get familiar with the requirements, overhaul your environment, new architectures, map out your data flows, do all this. It's a lot of work. It's a lot of work. This isn't just an IT problem where you flip a button. Trust me, if you could flip a button, we would sell you the button to flip, and we wouldn't, I wouldn't even have to make all these podcasts. Why don't you even hear if it's just the button? No, no. 
If it's just a button, then we wouldn't need to be explaining it, right? This is a serious thing. It's a framework that goes around how the business operates, right? Yes, processes, lots of processes. Absolutely, yeah. Just like a quality management system in a manufacturing environment is more than just one department doing their thing over there. It's the exact same idea with this. It really hinges around how the data flows around. So the good news is, it's standardized. The bad news is, it's standardized. So if you wait until the last minute, that's a huge bummer. If you study it ahead of time, you know what's going to be on the test, and it's really just kind of a formality at that point. We'll be right back. I'm wondering, is there anything specific? Now, this CMMC applies to defense contractors. Anything specifically for folks in the space industry? I imagine it's pretty standard, but anything that they should know. It's generally standard. So the set of requirements are standardized across the levels. However, for folks in the space industry specifically, in manufacturing environments, there are things to be aware of in what they call scoping. So which assets are in scope for which requirements, and which requirements apply to what kind of assets, is a little different in a manufacturing environment. Because often on the shop floor, there are ways that you can carve out certain instances. There are ways that you can't carve out certain assets. So it's a little bit more detailed. Manufacturers have a big advantage though over, you know, like an engineering and construction firm or software firm and things like that, in the sense that they have structured quality management systems. And if you empower your quality managers to take time to learn and study the cybersecurity requirements, they're going to see a lot of those processes that they're already very good at rhyme very closely.
So the other advantage that smaller environments have is that they're small, right? They're knowable. They have a finite number of assets and people, which makes, you know, getting your head wrapped around what's going on pretty easy. Large environments, you know, they don't know where the bodies are buried and that becomes a huge issue trying to track everything down. In terms of the space industry, a lot of people, you know, will say, hey, we're very special, right? And unfortunately, the more special you are, the more that CMMC is interested in what you're doing. So if you have export control or export regulated, ITAR, EAR regulated items, then you are absolutely going to be included in the set of requirements. So typically what we see is a lot of the scrappy startup space companies are putting ITAR and export regulated information in commercial cloud instances. Big no-no, read your contracts. That is not allowed. That is not a CMMC thing. That is a thing that's already in the contracts. A lot of times we'll see them use managed service providers, sort of external service provider to manage their IT and security. And that managed service provider outsources to foreign nationals to do that work. Big no-no. Again, not a CMMC thing. That's just a thing, part of the export control. So CMMC has done a lot to expose gaps that people have in complying with their export control and export regulated data and things like that. So if you're in the space industry, definitely be aware of that. There are rumors that the Golden Dome program, so if anybody's doing stuff under Golden Dome, the Golden Dome supply chains will be elevated to CMMC level three requirements. That is a big jump over CMMC level two requirements. So ostensibly, I kept saying, "Oh, the requirements are already in the contracts." The only actual new set of requirements are at CMMC level three. 
And the DoD originally estimated that a very small percentage of the industrial base would be required to comply with these new level three requirements. But that was before Golden Dome. Yeah, I was going to say, there are a lot of companies trying to get on that good Golden Dome dual use. Understandably, and I think a lot of folks were getting at this time. The advantage here is, if I was putting on my management consulting hat, the advantage is that because they are new requirements, the government is expecting new costs to come with your bids. If you are below CMMC level three and you've been working with the DoD, then those are not new costs. The DoD would be very curious as to why your costs have suddenly gone up for you to just prove that you have been implementing the things that you've said you've been implementing. So let's just say among friends here that you haven't exactly been complying with the things that are in your contracts, and you want to go after CMMC level three, you might be able to do the disappearing thumb trick and hide those costs under the new costs of CMMC. We are not your lawyer, do not take this as legal advice. This is not legal advice, I don't recommend that you do this. But it's a big advantage in the sense that it's new, they're expecting it to be new. Hey, look, it's new. Jingle your keys in front of your contract officer and be like, look how new everything is. If you aren't doing that, then you've got some, you need to be a little more creative. Again, not a lawyer. You got to be a little more creative about what's going on. So looming in the background of all of this, when we're talking about maybe we cut some corners, maybe we didn't comply. The Department of Justice is very interested in what's going on here. There is a thing known as the False Claims Act. 
And the False Claims Act is literally a piece of legislation that goes all the way back to the Civil War that was designed to catch contractors ripping off the government and skimming off the top of things that they were getting paid for and then supplying things to the government. But that never happens and none of T-Minus listeners would ever do anything like that. Hey, I'm, of course not. Of course not. I'm just saying that if you want to, if you want to do some rubber-necking and look at the car crash on the side of the highway, you can go to the DOJ's website. Every year they announce how many tens of billions of dollars they recover in False Claims Act settlements with defense contractors and all kinds of government contractors. So if you have submitted a claim to be paid by the government and you didn't do the thing, they can go after you for a tremendous amount of money. Cybersecurity requirements have been found to be material to government contracts. And so in 2021, the DOJ created what they called the Cyber Civil Fraud Initiative, where an entire section of the civil division at the Department of Justice is specifically charged with going after defense contractors for their existing requirements. Nothing to do with the CMMC program. So if you go look at the press releases, there are small companies, there are large companies, there are space companies, there are traditional defense contractors, and everybody in between, they get hit for millions of dollars. The worst news is there's a whistleblower provision in the False Claims Act, which means your own employees can go tattle on you for maybe, I don't know, not empowering the IT guy to get these requirements implemented. Never kick off your IT guy. That's like lesson number one right there. Your biggest insider threat is your IT guy. IT guy, that's right.
Picking up the phone and calling the Department of Justice because when you settle with the government, they get up to 30% of the recovered money. And so many of these whistleblowers make out with millions of dollars for a thing that would have cost you like $100,000 if you had just done it and they wouldn't have ever thought to rock the boat. Every whistleblower that I know, I know you're gonna ask, every whistleblower that I know that has done this is still gainfully employed. So yeah. I was just gonna say, is it one of those, I won't say anything, but there will be signs kind of. Yeah, yeah, exactly. Nick, the IT guy suddenly has a yacht and it's like, don't worry about it. So amongst all of this stuff, you still have the boogeyman looming over there in the corner where the DOJ is very interested in your current level of compliance with the things that you said you've been complying with. But that's not to scare everybody. Just know that the consequences are real. If you don't achieve the CMMC status requirement that's outlined in the contract solicitation, you cannot take award of the contract. And that's starting on November 10th. So whenever the next solicitation is that you plan to bid on and then whenever the anticipated award date is for that solicitation, if you don't have it by that award date, then how many opportunities can you afford to skip until you do have the status? For most people, they can't afford to skip any of them. So take it seriously. Beautifully said. Is there anything else you wanna leave the audience with or should we just leave it there? Well, there's a ton of content. There's a ton of stuff to know. Just very quickly, rapid fire. There are no waivers. Waivers are a pre-solicitation process. So if you see it in the solicitation, there is no mechanism to remove the requirement once it's in the solicitation. The thing that we like to tell people is that waivers are for entire contracts, not for individual contractors. 
Read the regulation and you'll see the details or ping me on LinkedIn and I'll tell you all about it. The other thing to know is that if you are under a prime contractor, if you are a subcontractor, when they decide to tell you that you need to do this is completely different from when the DOD might tell you, this is when we think everybody is going to be required to comply. That's a separate contract, separate subcontracts, separate relationship. That's between you and the prime. So if you haven't heard from them in a while, maybe call them up and ask them what their plan is rather than just worrying about what's in the DOD press releases. So do your research, call your customer, let us know if you have any questions or you need to get a hold of. Thank you, Jacob. This is super helpful. I learned a lot and I'm sure the audience learned a ton from you as well today. Thank you so much. Thanks. That's T-Minus Deep Space brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing space industry. If you like our show, please share a rating and review in your podcast app. Or you can send an email to space@n2k.com. We're proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K helps space and cybersecurity professionals grow, learn, and stay informed. As a nexus for discovery and connection, we bring you the people, the technology, and the ideas shaping the future of secure innovation. Learn how at N2K.com. N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Tre Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher.
And I am your T-Minus host, Maria Varmazis. Thank you for listening. We'll see you next time. [MUSIC] 
