Caveat 1.30.25
Ep 248 | 1.30.25

Where are we going with warrantless searches?

Transcript

Max Shier: You know, the requirements to protect that information have been there for several years. It's just now being ratified in a sense that you're now going to be verified that you are meeting those requirements. And that's what CMMC is -- is really doing, is just putting that certification, that validation piece in place as a requirement.

Dave Bittner: Hello and welcome to "Caveat," N2K Cyberwire's Privacy Surveillance Law and Policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hey, Ben.


Ben Yelin: Hello, Dave.


Dave Bittner: On today's show, Ben discusses a federal court's decision holding warrantless queries of the Section 702 database unconstitutional. I look at a murder case in Cleveland that's been derailed by the prosecution's use of AI. And later in the show, my conversation with Max Shier, Optiv's CISO. We're discussing the newly released CMMC 2.0, that's the Cybersecurity Maturity Model Certification, how you can ensure compliance. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right, Ben, exciting news in the world of privacy and Section 702 searches, right?


Ben Yelin: Sure, yes.


Dave Bittner: It's been a big week.


Ben Yelin: We have a very interesting federal decision from a district court judge, federal district court judge in New York State. Do we need to go through the whole background of 702, or should we assume that our listeners are Section 702 literate?


Dave Bittner: Just give us the Cliff's Notes, just real quick.


Ben Yelin: All right, it is the government surveillance program that allows the government to surveil non-US persons reasonably believed to be outside of the United States, through the use of either the Internet, the companies that control the Internet backbone or our Internet service providers. The big problem as it relates to U.S. persons is that incidental collection can happen. So, if the U.S. person is speaking with an overseas target, that conversation is eligible for collection. It goes into a database and relevant to the case here, and this is kind of the new issue that was at least potentially resolved in this case, that database can be queried, and there is no, or prior to the holding in this case, there had been no warrant requirement for querying that giant database.


Dave Bittner: And when you say queried, by federal law enforcement, yes? Okay.


Ben Yelin: Exactly, so it would generally be the FBI who would be conducting the query.


Dave Bittner: Okay.


Ben Yelin: So, the case actually relates to an individual called Hasbajrami. He was arrested in 2011. He was involved in terrorist activities and was going -- traveling to Pakistan to join some type of terrorist organization, and he was arrested at the airport. So, he goes to trial. This is literally a proceeding that has taken 14 years, because he had been arrested in 2011. He goes to trial. The government informs him that some of the evidence used against him came from Section 702 surveillance. He seeks to suppress it. The District Court originally held, at least as it related to the collection, the original collection of that data, that it was a constitutional search. That decision went up to the Circuit Court, the Second Circuit Court of Appeals, which held that this was a constitutional search. Because the original search of the overseas target is legal, and non-U.S. persons do not enjoy Fourth Amendment protection, so warrantless searches -- searches of overseas targets are illegal. Anything that we -- any information we glean incidentally is admissible in criminal court.


Dave Bittner: And this gentleman is a U.S. citizen?


Ben Yelin: He is a -- yes. He is a U.S. citizen. So --


Dave Bittner: So, he was communicating with someone of interest overseas.


Ben Yelin: Exactly.


Dave Bittner: And that's how the information -- got it.


Ben Yelin: This is how they obtained the data. Now, what's really interesting, and this is kind of beyond the scope of what we're going to talk about is, for at least part of the proceeding, the federal government was under the mistaken impression that he was not a U.S. person --


Dave Bittner: Oh.


Ben Yelin: -- which I think adds additional confusion to this case.


Dave Bittner: Okay.


Ben Yelin: So, the Second Circuit Court of Appeals basically said, "The one issue we're not sure about is whether it is constitutional to query the Section 702 database." So again, this is not the initial collection of the communications or the data, it's once that data is held at rest, in this large Section 702 database, can the government query that database without a warrant?


Dave Bittner: Okay.


Ben Yelin: So, the Second Circuit Court of Appeals said to the district court, "I'm -- we're handing this to you to -- to figure out this -- this issue. It's a relatively narrow issue, but like, take your time, go through all the evidence, and let us know what you think."


Dave Bittner: Had this been pondered before?


Ben Yelin: Absolutely. I mean, there are interest groups out there, including groups like the Electronic Frontier Foundation, who have been calling for Congress to enact reforms to Section 702 to require a warrant for all queries into the Section 702 database. Congress reauthorized the program last year through the middle of 2026. And there was a debate on including a warrant requirement for search queries. It was actually proposed as an amendment in the House of Representatives. The amendment, I think, was defeated by one vote. So, this is certainly a -- a live issue for debate.


Dave Bittner: Okay.


Ben Yelin: So, this district court judge, an Obama appointee, held that warrantless search queries are unconstitutional. And there are a bunch of different layers to this case. There are exceptions to the warrant requirement. So, any search done not pursuant to a warrant is per se unreasonable, unless it falls into one of those exceptions. There is a recognized exception. It's never been recognized at the Supreme Court, but it's been recognized by lower courts that there -- one of the exceptions to the warrant requirement is for foreign intelligence or for foreign intelligence information. So, the government is arguing here that this warrantless search of the database, any query of the database, is done for that foreign intelligence purpose, therefore a warrant is not required. And what the judge here says is, "You can't just pull out the foreign intelligence card and get free access to U.S. persons' communications. You have to actually show proof that the search is necessary to protect our national security, and there's nothing on the record in the case. Now, most of the record is redacted, so I -- I can't really judge that for myself.


Dave Bittner: Right.


Ben Yelin: But there's nothing on the record in this case indicating that this was necessary for national security purposes. The foreign intelligence exception is intended for circumstances that go beyond mere law enforcement actions. And here, it's unclear that Hasbajrami, the defendant, was connected in any way to people overseas who were seeking to do us harm. He had communications with them, but at least the record that was presented in this case doesn't indicate that this was a broader threat. So, really, what they were doing in searching the database was trying to get evidence to convict him. And to do that, you need a warrant. That's basically the rationale here.


Dave Bittner: Okay.


Ben Yelin: Foreign intelligence applies when you're really trying to piece together, you know, let's try and stop the next 9/11. Who's talking to whom? I don't want to be burdened by these cumbersome warrant requirements. And that certainly makes sense. Then the judge said, even if this foreign intelligence exception did apply here, just because the exception applies doesn't mean all Fourth Amendment considerations go out the window. The government still has to prove that the search is reasonable. And to do that, when you're using one of these warrant exceptions, you weigh the invasion of privacy on the individual against the government's interests. And here, this is a massive invasion of people's privacies to have the government having access to this giant database, being able to search it at any time, being able to find all of these discrete communications. And while the national security interests are robust, again, there's not enough on the record saying that these were exigent circumstances where we needed this information on Hasbajrami to stop a terrorist attack, imminently. What she did say is there will and may be some circumstances where a warrant is not required. Those circumstances would be some type of emergency situation where there's a new active threat, the government does not have the time to go secure a warrant, then it may be permissible to conduct a warrantless search of that database. But that is not the issue here. As a general rule, unless there is some exigency, this judge says, a -- a search of this database has to be done pursuant to a warrant. So, that now is a new precedent. It's the first time a court has come to that conclusion. Technically, it only applies in the Second Circuit. So, any FBI search of the 702 database that takes place in that Second Circuit's jurisdiction, which is basically New York and a couple of other states, they are now bound by this decision.


Dave Bittner: So, are FBI agents calling their buddies and in other regions [inaudible 00:09:32]? I mean, I don't mean to be flippant about it, but is it that -- is --?


Ben Yelin: Well, no, it -- it can't really happen that way, because now, because this opinion is out there --


Dave Bittner: Yes.


Ben Yelin: -- now I think there's an understanding that it's unclear whether warrantless searches are unconstitutional. It's -- as you can tell by the fact that this case took 14 years, we're not going to get a lot of clarity on this for a while. You have to have a bunch of different things to even get a case on the merits on the Section 702 database. So, in some other jurisdiction, it would probably be Washington, D.C., somebody has to be arrested. And the information used to arrest them has to have been obtained from Section 702 surveillance. Not only that, it has to have been obtained from a query of the database, and that query has to have been done warrantlessly. There just aren't that many cases. I mean, I think there's just a very limited number of cases where we use foreign intelligence surveillance information to effectuate criminal prosecutions. I mean, they're out there, obviously, but there just aren't that many cases. So, there's uncertainty, now that we have this decision, how courts will look at future instances of warrantless searches of the database, whether that's in the Second Circuit or elsewhere. So, at least we have this kind of shot across the bow, saying, "Oh, some judges see this as an unconstitutional search, everybody should be on guard. If the FBI wants to conduct searches of this database, they should know that at least one judge has held this to be unconstitutional."


Dave Bittner: So, does that mean that, I -- I guess what I'm trying to get at is, at what point does this become the law of the land, either officially or in practice? Is this a case where if the FBI is trying to run down something because of this decision, they're going to go get that warrant now?


Ben Yelin: That's a sigh. I -- I know I'm very cynical about these things, but --


Dave Bittner: Right.


Ben Yelin: -- the government has been given an opening even in this decision. They can say, "Well, we had exigent circumstances." And that's probably what they're going to say if a proceeding ever makes it this far. You know, one of the things that happened in this case is Mr. Hasbajrami is not going free because of something called the Good Faith Exception. Basically, law enforcement followed the rules as they believed them to exist at the time they conducted the search. There was no indication at that time that you needed a warrant to query the Section 702 database. And because they conducted that search in good faith, that evidence will not be suppressed. Therefore, Hasbajrami doesn't get to be released from prison --


Dave Bittner: I see.


Ben Yelin: -- at any sort of new trial proceeding. So, I kind of think that's how this is going to go. Like the government in a future case could say, "Well, we read that decision from the Second Circuit and we thought in good faith that we had exigent circumstances. You know, maybe they didn't turn out to be exigent, but we're -- we're the FBI. I mean, we're -- we're trying to connect dots. We're trying to stop terrorist attacks. It was exigent to us, and you can't really prove otherwise, because otherwise we'd have to reveal a bunch of classified information."


Dave Bittner: So, what -- what has to happen for this to no longer, to -- to not be ambiguous?


Ben Yelin: I think we need to have a robust warrant requirement that's written to statute --


Dave Bittner: Oh.


Ben Yelin: -- and that warrant requirement has to come with only extremely narrow exceptions, and you have to properly define an exigent circumstance, so not every single search query is done pursuant to an exigent circumstance. It has to be like an actionable, particular threat that is time sensitive. So, it's not that hard to go to the FISA court --


Dave Bittner: Yes.


Ben Yelin: -- and get a warrant for these types of searches. The FBI does it all the time. For most of its history, the FISA court has basically been a rubber stamp of approval, 99% chance that when you present the evidence, you're going to be permitted to conduct the surveillance. I assume that would be the same for the Section 702 database. So, just get the warrant, unless there's something that is really, really time sensitive. So, I think we'd have to see Congress pass a law when this is up for reauthorization in 2026 that says, "A warrant is required for searches of this database, except for in exigent circumstances, and exigent circumstances have to be very narrowly defined."


Dave Bittner: Does this decision perhaps light a fire under Congress to do that?


Ben Yelin: I think the fire will be lit only when the program itself is about to expire. That's the only time they ever do anything related to surveillance. The threat of the expiration of Section 702, which everybody recognizes is the crown jewel of our intelligence apparatus, supposedly will motivate lawmakers to put this on more solid constitutional ground. And because there -- it's not like there are a million Hasbajrami cases running around out there with similar fact patterns, I don't think there is the same level of urgency. I think this is just really a warning that the constitutionality of the search queries are in question. And Congress, when it gets around to reauthorizing the program, should take that into consideration, because we don't want to get into a circumstance where we are no longer permitted to search this database at all, even in exigent circumstances, because judges start to get angry that there are all these warrantless searches. So, I think it is incumbent upon Congress to try and find a solution there. And as I've said, they've tried. Every time this has been up for reauthorization, they've tried, and it just has not -- it's fallen short of passing.


Dave Bittner: Yes. It's fascinating to me how, on the one hand, this is a big deal, this decision is a big deal, right?


Ben Yelin: Yes, absolutely.


Dave Bittner: On the other hand, what changed?


Ben Yelin: Yes, I mean, that's kind of true for a lot of these decisions.


Dave Bittner: Right.


Ben Yelin: It's like very interesting for legal nerds like myself.


Dave Bittner: Yes.


Ben Yelin: You're going to get a lot of different articles and blog posts. But asking what changed is a great question, because Hasbajrami himself is still behind bars. So, it doesn't change anything for him personally, because of that good faith exception. And in terms of policy changes, I just think it's -- it's too early to know. We have to have a case that's ripe, that's going to test this premise in other jurisdictions, and we have to know if other judges are willing to adopt the same reasoning that this judge adopted for this case. And it'll take a while to understand the answers to those questions.


Dave Bittner: Yes. All right. Well, interesting. We will have a link to that story in the show notes.


Ben Yelin: Can I quickly just say two other 702-related news items that are --


Dave Bittner: Please. Yes, yes. Please. Yes.


Ben Yelin: -- of interest, just very quickly?


Dave Bittner: Yes.


Ben Yelin: The first is that President Trump's nominee for the Office of the Director of National Intelligence is Tulsi Gabbard, who has been an opponent of Section 702 surveillance back when she was a liberal Democrat in the House of Representatives.


Dave Bittner: Yes.


Ben Yelin: And she has been asked at private meetings prior to her confirmation hearings, "Do you support Section 702? We need a director of national intelligence who's willing to use this crown jewel of national intelligence." And now she seems to have shifted her opinion and is telling senators, at least, that she believes in this program and its existence. I think her confirmation hearing is coming up as we record this in a couple of days. This is going to be a major issue at her confirmation hearing because of her past positions. Then the other thing is there's this entity called the Privacy and Civil Liberties Oversight Board. A lot of the information we have about Section 702 comes from this board. It's an independent board with members of both parties appointed by leaders of both parties in Congress and the president. They've issued comprehensive reports on all of these surveillance programs. When President Trump got into office, he requested that the Democratic members of the Privacy and Civil Liberties Oversight Board resign, and that is within his right to do. They were resistant to resignation, but as of a couple of days ago, they did end up resigning their positions. The result of that is that the PCLOB now has vacancies, enough vacancies, that they will not have a quorum and they cannot conduct business. So, we won't have this oversight board, at least temporarily, while we're having a really interesting public discussion about these programs. And I think we would really benefit from having one of these boards up and running and with a quorum. But that was the -- the choice President Trump chose to take here.


Dave Bittner: All right, well, as I said, we will have a link to that story in the Show Notes. My story this week comes out of Cleveland, and this is about a gentleman named Blake Story. The story is about a man named Story. And tragically, Blake was robbed and fatally shot while he was walking home one day. Cleveland police did their investigation and were not coming up with, I guess, satisfactory leads. The Cleveland Police, with some other local law enforcement organizations, they have a fusion center, you know sort of a combined place where they can do specialized work like this. And they turned to Clearview AI, which we've spoken about many times here.


Ben Yelin: Yes, our data-scraping friends.


Dave Bittner: So, Clearview AI's facial recognition tool helped them identify a suspect, a gentleman named Qeyeon Tolbert. And this person was in the area at the time. They had -- and actually I should say, the -- the robbery and shooting was captured on surveillance video. That video was not good enough to ID the suspect, but other surveillance footage nearby, specifically from a convenience store where Mr. Tolbert had made a purchase, they had a clear view of his face. No pun intended, Clearview AI. They had a clear view of --


Ben Yelin: All these puns, we have story. We have clear view.


Dave Bittner: I know. So, they had a good image of his face, which they ran through the Clearview AI software. That brought up the hit on Qeyeon Tolbert, who lived in the area. They had other surveillance footage of him in his driveway right around the time of the robbery and shooting. So, all of this evidence pointing towards him certainly being a suspect. This led to the police searching his apartment, where they discovered a handgun that they believe was used in the crime. There's a catch.


Ben Yelin: Fruit of the old poisonous tree.


Dave Bittner: Clearview -- Clearview AI's disclaimer says that its results are not admissible in court. And the warrant affidavit, when the police went to get the warrant to search the apartment, did not disclose this. And it also did not disclose that Clearview AI had returned photos of multiple individuals, not just Tolbert. When the police went in front of the judge, they said, "We have evidence that leads us to believe that this is our suspect." The judge ruled that this evidence was inadmissible. They -- said that the warrant was misleading and was relying on unproven technology. And the prosecutors admitted that without the gun that they found because of this warrant, the case would probably fall apart. So, this has really shone a light on, first of all, the Cleveland law enforcement's lack of oversight and training for using AI.


Ben Yelin: Yes. I mean, I think that's the main story here is --


Dave Bittner: Yes.


Ben Yelin: -- you have to develop policies if you are going to use this as evidence, and this is going to be the piece of evidence that eventually leads you to your criminal suspect, you have to have policies. Internal policies, you have to have them checked by the county or city attorneys to make sure that any use of -- of this evidence can be held up in court, because otherwise you're going to get a tragic situation like this, where the evidence is here and it's -- it's available, but you're just not allowed to use it.


Dave Bittner: Right. What would have happened had the police done a little more leg work here? Had they taken the AI results, which gave them the lead on Tolbert, and they had pounded the pavement, asked around and interviewed Tolbert, right? Just -- where were you on this day? You know, if they had done more work and gone in front of the judge then to get the warrant and said, "Hey, here's the evidence we have. One of them is AI, but we also have X, Y, and Z." Does that make their case?


Ben Yelin: It generally does not because of the fruit of the poisonous tree doctrine. If you were only able to become aware of a suspect due to some initial illegal search, then anything that comes downstream from that is going to be unconstitutional and therefore suppressed at trial. There is an exception, though, for inevitable discovery, meaning if there was evidence that would have inevitably been discovered, and that was extremely obvious, that would have been discovered absent the use of Clearview AI, then perhaps you can still go to trial using that evidence. So, it's unclear in this case whether this was a case of inevitable discovery. The facts as they're described here would lead me to think it's an unlikely inevitable discovery case, because they actually had to do a good deal of investigatory work and like go into his apartment and find his handgun and all that stuff. So, it's not like, you know, there was a smoking gun at the scene, and it would have been discovered no matter what. I think they really did proceed with this investigation downstream from their initial illegal search through Clearview AI, and it came back to bite them.


Dave Bittner: So, the use of Clearview AI to establish this person as a suspect, that's the initial problem. That -- that is an illegal search.


Ben Yelin: It is, yes. Because it says so in Clearview AI's policy, or in Clearview AI's terms of service, that this is inadmissible in court and because the jurisdiction didn't have any governing policies around the use of this type of evidence. So, it's illegal, and then everything downstream from that initial legal evidence also must be suppressed at trial. Prosecutors hate the fruit of the poisonous tree doctrine, because it's like --


Dave Bittner: Yes.


Ben Yelin: -- we know the guy did it. It's just that our original search, it -- it is a real pain, but there's a reason for it, and it's to disincentivize the use of illegal search tools on the part of law enforcement. That's why we have the exclusionary rule and that's why you're punished if your initial -- even if just your initial search, not subsequent searches, but your initial search was illegal.


Dave Bittner: Right.


Ben Yelin: And that's kind of the impetus behind this doctrine.


Dave Bittner: So, for example, hypothetically, if the police force had used Clearview AI, again, did a bunch of other work, they went in front of the judge and neglected to mention that it was Clearview AI that had led the -- their initial suspicions, they'd get busted for that.


Ben Yelin: Oh yes, you'd be busted for that, because in a criminal case, you have to disclose all that to the criminal defendant's attorney. So yes, you -- you've been busted and potentially disbarred. So, you know, if you care enough about that and you're willing to get disbarred and, you know, you take your chances, I am not advocating for this.


Dave Bittner: Right.


Ben Yelin: I don't want to be disciplined by my own bar. Then, you know, maybe you make that decision. But otherwise, no, you can't do that.


Dave Bittner: Where do you think this is heading?

Ben Yelin: I mean, I hope this motivates jurisdictions who are interested in using Clearview AI as a means to do facial recognition and lead to criminal prosecutions, to work with Clearview AI to come up with some sort of policy framework that would allow them, in whatever circumstances, to use Clearview AI as evidence in a criminal trial. Develop those policies, work it out with the company itself, whether it's a local jurisdiction or whether it's state governments, allowing the use of facial recognition software gleaned from the type of data scraping that Clearview AI does, come up with some policy, so that this can be an investigatory tool. Because until you do that, you're going to run into constitutional problems if you use evidence from Clearview AI.

Dave Bittner: Yes. All right. Well, I -- I thought this was a really interesting one. We'll have a link to that in the Show Notes. And of course, we would love to hear from you. If there's something you'd like us to discuss on the show, you can e-mail us. It's caveat@n2k.com. [ Music ] Ben, I recently had the pleasure of speaking with Max Shier. He is the Chief Information Security Officer at a company called Optiv, and our discussion focuses on the newly released CMMC 2.0, and about how you can ensure your compliance with that policy. [ Music ]


Max Shier: CMMC has been a long time coming, and I think a lot of people misconstrue it as, you know, their cybersecurity requirements that they now have to implement as a part of this framework. And it's actually a misnomer because, you know, the DFARS requirements for, you know, the Defense Federal Acquisition Regulation, actually already has a lot of cybersecurity requirements that are mandated in the protection of CUI or Controlled Unclassified Information. And so, you know, the requirements to protect that information have been there for several years. It's just now being ratified in a sense that you're now going to be verified that you are meeting those requirements. And that's what CMMC is -- is really doing, is just putting that certification, that validation piece in place as a requirement. So, you know, third-party assessments, you know, are really going to be, for the most part, replacing self-attestations, which is what we've been doing up to this point to show that we're actually protecting CUI as we're supposed to per contract. So, I -- I think the -- the problem here is, is that there's, you know, we've been given a pass as an industry, as a defense industry. We've been given a pass for several years and they're now really starting to clamp down on the requirements and show, and force you to show, that you are meeting those requirements. So, that's really what CMMC is in a nutshell, is -- is really that validation piece. And so, that's what really has people worried, right, is that they're now actually having to show that they're meeting these requirements instead of having it on like a perpetual POAM or Plan of Action and Milestones.


Dave Bittner: I see. Well, my understanding is that this is going to be rolled out throughout 2025, it's going to be a -- a phased rollout?


Max Shier: Correct. Yes, it's -- it's technically four phases. So, phase one is going to be 2025. And that's really going to be self-attestations for Level One, Level Two. Level Three is going to be deferred for another year. And so, as you know, the years go by, you're going to have these requirements increasingly put into contracts. And if you don't have the certification or the requisite level and requisite certification, so Level Two, Level Three. And then you're not going to even be able to bid on contracts. And -- and that's going to be putting a lot of people in -- in a lot of hurt just because of the fact that, you know, for a lot of these small and medium sized businesses, you know, these DOD contracts or defense contracts or government contracts are a large portion of their business. And so, it really behooves them to -- to get on board with this early because those requirements are coming quickly, even though it is a phased approach. It does take a little bit to -- to implement the cybersecurity requirements that are required within, you know, in the [inaudible 00:30:49] -- well, 171 and 172. So, you know, it's -- it's -- it's one of those things where we've had several years to implement it. The DOD is -- and the government is no longer giving us that pass, right? The -- the implementation is here. And even though it is a phased approach, you know, it's going to take a little bit to get those requirements implemented. And I say a little bit being probably six to, you know, 12 months at a minimum.


Dave Bittner: How have most companies or organizations been handling the fact that they knew this was coming along? I mean, based on the way you're talking about this, it -- it sounds to me like perhaps many people have been kicking the can down the road. Is that fair?


Max Shier: That's absolutely what has been happening. And I think, you know, and -- and to be fair, and I will say this, you know, there's been a lot of churn when it comes to the implementation of CMMC and these requirements. And so, I think a lot of people are taking a wait and see approach. But now that the final rule has been published and -- and the comments have -- from the government have been pretty straightforward, it is -- it is here and it's coming. And, you know, there's no more deferments. And so, you know, there's no more kicking the can down the road. And I really think that, you know, even with the new administration, I don't think that this is going to be paused just because of the comments that have been in the final rule, which is, "Look, you've had several years to implement these requirements. The validation piece is now here. You will be required to be certified." And, you know, phase one is upon us, right? And the expectation is -- is that Quarter Two, it is going to be ratified, implemented and -- and it's going to start showing in contracts.

 

Dave Bittner: You mentioned that there's different levels that folks can be compliant with. Can you describe to us what that means?

 

Max Shier: So, Level One is just federal contract information. So, that's -- that's government contract information that is not at the CUI level. Level Two is for controlled unclassified information or what used to be FOUO. So, that is government-controlled information that is critical to be protected. And that can fall under several different information categories. And that's, you know, listed online. You can go and see what types of information that is. But CUI, you will have Level Two compliance as a requirement and that will normally include a -- a third-party validation that you are compliant with those requirements. And then Level Three is reserved for the most critical programs to national security. And those will be mandated by contract and -- and will be very clearly defined. But as it stands right now, you know, that seems to be, from what I understand, to be fairly rare at this point. I would expect that the majority of the contracts out there will mandate a Level Two compliance with a third-party attestation by a C3PAO. And the self-attestation for Level Two will be pretty rare, I would -- I would expect, based on the requirements that I've seen so far.

 

Dave Bittner: So, it sounds like, if you were someone who would need to have that Level Three compliance, you probably know it.

 

Max Shier: Yes, you know it's going to be coming, right? And, you know, especially with the requirements and the -- the cost that's associated with it, I would expect those types of requirements are going to be fairly well known and fairly early within the contract process that it's going to be listed as a requirement. So, you're going to know that it's coming. Like I said, the majority I think of -- of the people that are processing CUI, it's going to be a Level Two with a third-party attestation by C3PAO, but I think it's important to note that if you have a contractual requirement where you have Level Two requirement with a C3PAO attestation, that that's going to be flowed down to your subcontractors too, that are going to be processing CUI. So, it's going to flow all the way down the supply chain for anybody that's processing CUI as a part of that contract. And that's -- that's pretty substantial when you look at all of the third, fourth, you know, tier suppliers for a lot of contracts. Especially, for the -- the bigger primes. You know, they may have hundreds or even thousands of suppliers, and a lot of the design diagrams successor that they get are going to have CUI or it is going to be CUI. And so, you know this is going to be a very substantial heavy lift for industry to meet these requirements and I think the government does have somewhat of an expectation that the -- that the primes will be ensuring that the suppliers are meeting those requirements, and that has flowed down to them as a part of the contractual process.

 

Dave Bittner: Yes, I mean that's interesting. I -- I wonder, you know, nobody likes to have additional regulatory burden on them. As this has made its way through and has gotten commented on and the final rules are -- are in place here, what's been the response from industry? Has -- has there -- do they feel as though these are reasonable burdens?

 

Max Shier: Yes, and I think that's an interesting question. And I -- and -- and to me, I think it depends on who you're talking to.

 

Dave Bittner: Yes.

 

Max Shier: And -- and you know, I will -- I will say this, right? The -- the larger companies, the Lockheeds, the Northrop Grummans, the Boeings, I don't think that this is an unrealistic expectation that they've come back and said, "No, we -- we can't meet these requirements," right? They are already meeting those requirements. They knew this was coming. When DFARS enforced these requirements and contracts, they had to go do it and they went and did it. I think the -- the issue that we're having is that the small and medium sized businesses, the second and third-tier suppliers that normally have not been exposed to this level of requirements, those are the ones that are pushing back quite heavily and is -- and partly because, you know, they're not ready to meet this level of requirements. Cybersecurity is a cost center for them in a lot of ways. And being in government and providing oversight for defense contractors in a previous life, I will tell you, the majority of them are not ready for this. I would expect that this is a pretty significant lift for them. It's a significant cost and investment. And I think they are going to suffer because of it. And that's why you've seen some significant pushback, I think, from the smaller businesses. But at the same time, this is a necessity. I don't think that the government can continue to push this off. It's something that is long overdue for industry to protect this information. As I've stated with others in -- in other interviews, etcetera, it's, you know, 90%-plus of projects, classified projects, are actually done on unclassified networks, and the majority of the critical data is actually in the unclassified space. And so, when you see foreign adversaries like China or Russia having an airplane that looks similar to ours, that's, you know, it's -- it's because they've stolen that information from defense contractors that don't have adequate cybersecurity requirements in place.
And -- and so, that's happened several times, you know, over the past couple of decades where you've seen similar products come out by adversaries. And that's just because we don't have adequate cybersecurity requirements in place. And so, this is a necessity. We have to put this in place for national security requirements and reasons and -- and to protect the country. And so, yes, there's going to be some complaints and yes, it's going to be hard, but at the same time, we have to put the foot down at some point to restrict the flow of information that's going to our adversaries.

 

Dave Bittner: Is there general agreement and acceptance that the things that have been put in place here are going to move the needle and -- and make things more secure?

 

Max Shier: Oh, absolutely. I mean, let's look at the requirements, right? MFA or multi-factor authentication, an incident response plan and the fact that you exercise it, auditing requirements. I mean these are basic cybersecurity requirements. There's nothing in, you know, the CMMC guidelines or in NIST 800-171 that's really above and beyond what you really should be doing in the first place. And so, you know, if you look at what a good cybersecurity program entails, it's these requirements in the NIST guidelines. It's not like you're going above and beyond, right? This is -- these really are the basic requirements to implement a good cybersecurity program. So, I don't think that it's unreasonable to look at these requirements to say, "Oh my gosh, you know, we're going way above and beyond what we should be doing and -- and this is, you know, excess." I don't think that's true. In fact, I think these are, you know, very common, baseline security requirements that should be implemented anyways and are good cybersecurity practices.

 

Dave Bittner: What's your recommendation for, you know, that organization who's been kicking the can down the road and now they're -- they're in the midst of a little bit of a wake up call here? Any advice?

 

Max Shier: Yes, well, the advice is to start now, right? If you -- if you haven't implemented or started implementing the requirements and -- and getting this into a roadmap that's actionable, you're way far behind the power curve. And then secondly, I would say don't do it alone. You know, look for a consultant or advisory service or, you know, even join communities, blogs, you know, make friends on -- on LinkedIn that are tied into the CMMC community, whether it be a C3PAO or a certified assessor. Get in there and start getting feedback on what you think is right. So, that way, when you do implement it, you're not going back and doing rework. So, that way you do it right the first time. And then lastly, I would say, just make sure that you scope out the requirements and what would be assessed in your C3PAO assessment and certification process. Just make sure you get that scoping correct, because if you don't include all of the assets that are going to be included in that assessment, you're -- you're going to be pretty -- pretty bad off as a part of that certification process. So, just make sure that you scope it right. Get third-party views, right? Make that investment upfront, so that way you know what you are going to be assessing, that what you think is correct is correct, and that you get that second look to make sure that you're doing what -- what you're supposed to. And then start now if you haven't already, because you're already behind if you haven't done so.

 

Dave Bittner: All right, terrific. Well, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?

 

Max Shier: No, and in fact, I think you hit the highlights. The different levels, the phased implementation, that is -- is really just a few months from starting. And -- and really just the highlights. Just start now, just make sure you get a third party look at things and that you scope it correctly. I think those are really the big highlights of CMMC and really what does it entail, right? And the specifics, I think, you know, if I could just add something? Just make sure, and -- and I will say this, my second point about getting a third party look at things is extremely important for people to make sure that they're doing things properly. There's some nuance in the requirements for CMMC, such as cloud service providers and data flow diagrams, you know, controls responsibility matrix, things that come with cloud connectivity, which everybody has. Nobody anymore has a true on-prem solution, right? It's -- it's there's always some SaaS out there. Just make sure that they check the box for those requirements and that they do have the controls responsibility matrix. That's probably the most difficult thing that I've seen so far is that cloud vendors are not ready for this, and they're not ready to provide the type of information that CMMC requires. So, that's why I say, just make sure you get that third party look because when you have a bunch of SaaS apps, a bunch of SaaS services, there's some additional requirements that come with that and some additional complexity that I don't think the cloud service providers are ready to provide that type of information, and I don't think that the end users or the consumers of those services, the ones that are actually going to be assessed, really truly understand what those requirements entail when it comes to the controls responsibility matrix, the data flow diagrams and -- and the other types of requirements that are associated with those services. 
And there is some ambiguity right now on cloud service providers and what does FedRAMP equivalency mean? There is a DOD CIO memo that came out about FedRAMP equivalency and -- and right now the market is not ready necessarily in the CSP space to provide a lot of services, and that -- that levied a ton of additional requirements on the services that are being provided. So, FedRAMP equivalency is something that I think you know, we really need to -- to provide some guidelines around that on what is expected of CSPs. So, there was some clarity in the final rulemaking process and some of the comments that came out. So, companies like Optiv, where you have a managed security provider, you know, they did provide some clarity around that on, you know, what requires FedRAMP or FedRAMP equivalency and what doesn't. And I think that's a good thing. But, you know, if you do have a service that is processing CUI, you just need to make sure that you have your ducks in a row and -- and make sure that you're meeting all of the additional requirements that come with having a service that's processing CUI. [ Music ]

 

Dave Bittner: Ben, what do you think? CMMC 2, the Cybersecurity Maturity Model Certification.

 

Ben Yelin: I thought it was a really interesting conversation. He noted that this is a fundamental shift in how our government is approaching the protection of unclassified information. I personally didn't know that much about the cybersecurity maturity model certification process, so I appreciated hearing him talk about it.

 

Dave Bittner: Yes. All right. Well, once again, our thanks to Max for joining us. He is the CISO at Optiv. [ Music ] And that is "Caveat," brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an e-mail to caveat@n2k.com. This episode is produced by Liz Stokes. Our Executive Producer is Jennifer Eiben. The show is mixed by Tre Hester. Our Executive Editor is Brandon Karpf. Peter Kilpe is our Publisher. I'm Dave Bittner.

 

Ben Yelin: And I'm Ben Yelin.

 

Dave Bittner: Thanks for listening. [ Music ]