CMMC 2.0 Masterclass: Where We Go From Here

Captions
John: All right, ladies and gentlemen, we are going to get started. I will start us off here and then we'll get right into the content. Again, thank you very much for attending the Ardalyst webinar series. My name is John Schofield and I direct marketing and communication efforts at Ardalyst. My screen name might say Charisse, but I guarantee you I am not nearly as talented or able as she is. Thank you for joining us on this, our CMMC 2.0 Masterclass: Where Do We Go From Here.

First, a little bit about Ardalyst. Ardalyst's primary goal is to help clients protect and expand their competitive edge to succeed in a highly competitive digital world. By challenging common wisdom, sharing best practices and looking at problems differently, we help educate public and private institutions on how best to mature workforces, processes and technologies to thrive and succeed in a rapidly changing environment. Ardalyst, in short, replaces uncertainty with understanding, and the announcement of CMMC 2.0 has certainly led to some uncertainty. On Thursday, November 4th, the Department of Defense announced significant changes to its Cybersecurity Maturity Model Certification program; everyone knows it as CMMC. Their implications, big or small, for the defense industrial base, and what this news means for you, are what we are going to discuss.

Joining us today is Robert Metzger, an attorney in private practice at Rogers Joseph O'Donnell, a firm that specializes in public contracts matters. He represents leading technology companies in several different industry sectors in litigation as well as in regulatory matters. Bob is a co-author of the 2018 MITRE "Deliver Uncompromised" report, considered highly influential on U.S. cyber and supply chain policies and practices, including DoD's CMMC initiative. Joining him is Michael Speca, the president of our company. Michael has more than 20 years of experience in startups, including several government contracting companies, and started Ardalyst with our CTO and fellow webinar panelist today, Josh O'Sullivan; they started Ardalyst in 2018. Both Michael and Josh are graduates of the MBA program at the University of Maryland Robert H. Smith School of Business. Josh O'Sullivan served in the United States Navy, initially as an information warfare officer, before transitioning to the private sector as a cyber combat systems engineer with MITRE, before founding Ardalyst with Michael. Josh is an established subject matter expert in cybersecurity and operations. Michael has a range of experience in starting and managing companies to success in the federal contracting world, and the collection of all three of these voices today promises to be informative and enlightening.

Please feel free to submit your questions during the webinar at any time and they will be addressed during the Q&A session at the end. Also please note that if we do not get to your question during today's session, an Ardalyst representative will be there, as they always are, to reach out and answer you directly should you need it. This webinar is being recorded and will be shared with you after today's session. If you have any questions after today's webinar, please email marketing@ardalyst.com. Michael, I'm going to turn it over to you. Thank you for doing this; lead us off.

Michael: Thanks for the introduction, John, and thanks, Bob, for joining us today. I'm going to make an assumption that most of the folks on the session today were either present at the CMMC-AB webinar last night or have taken a look at the DoD announcement online, but just to cover off on a couple of points in terms of the entire structure of the change, and then we can get into some analysis of what's changed and why.

If you're not aware, there are a couple of major changes to the program. The first is the consolidation of levels. DoD made the statement that the five levels were maybe a little too complex. CMMC 1.0 had a level two and a level four that were meant to be intermediate levels; those levels have been removed now, so we're going from a five-level model to a three-level model. They also mapped those levels much more closely to existing NIST documents. Your level one, the foundational level, is pretty much unchanged from CMMC 1.0 and covers the controls that are present in the FAR. Level two: there's now a commitment to map that one-to-one to NIST 800-171. That level two, formerly level three in CMMC 1.0, had previously contained additional controls that DoD is now saying will not be part of the model. Their former level five is level three, and they said that's going to be partially mapped to 800-172.

The other major change is in the assessment and enforcement model that goes with CMMC. Prior to the change, in CMMC 1.0, all levels were going to require an assessment performed by a credentialed assessment organization, and those credentialed organizations were going to be managed by the CMMC-AB. Now level one is a self-attestation level. Level two is being split between prioritized contracts, which will require third-party assessment, and non-prioritized contracts, which will allow a self-assessment with (and we'll talk about this a little bit more) a senior official affirmation. Level three will be assessed by the government.

The third major change is in the space of POA&Ms and waivers. DoD has said that they're going to add some flexibility to the program by allowing POA&Ms in certain instances. Those POA&Ms will need to be time-bound and enforceable. I think DoD mentioned in the webinar last night that COTRs will be responsible for enforcing the completion of POA&Ms; failure to complete a POA&M could be considered breach of contract. They're also going to add an unspecified minimum score and a number of controls that are not permitted to be on the POA&M, and in certain cases they're going to add waivers.

The final major announcement was the change in the timeline: 9 to 24 months to get through rulemaking, as opposed to a five-year phase-in period under CMMC 1.0.

So with that summary, I think a lot of organizations out there are asking the question of: what do I do now? How important is pursuing CMMC, and what rules really apply to me? So Bob, if you wouldn't mind, could you take us through the existing regulatory framework, how 7012, 7019 and 7020 might be impacting decision-making today, and then what your recommendation would be for an organization that's looking at this 9 to 24 month window trying to decide what to do?

Bob: First, I mean, it's essential to recognize that DoD continues to hold its contractors responsible to protect the confidentiality of controlled unclassified information. Let's just set aside for a minute what was announced yesterday in CMMC 2.0. There are three contract clauses that are in place, all of which impose obligations, and some of which present some compliance risks. 7012 has been with us for quite a while, and that requires that companies deliver adequate security in a dynamic environment relying upon SP 800-171. Well, the 171 part of it has certainly been reinforced, because CMMC 2.0 removes what were called the "plus 20" policies and practices that separated 171 from maturity level three. Another part of 171 that's getting more emphasis today is incident reporting. You can't go very far in reading or listening to government officials without hearing the increasing importance and attention paid to incident response, and that is an important part of the 7012 regulation, and I see no reason to expect it will change; if anything, I would expect DoD will want more reporting, and faster.

Now, 7019 and 7020 are not CMMC as such, but they're really important to all of us. 7019 says essentially that you have to perform the self-assessment according to the DoD assessment methodology, and 7020 says you have to report it, and you do that through the Supplier Performance Risk System. What do you have to report? Well, first you have to describe the boundaries of the information system that you're looking at. Second, you have to have a system security plan, because it is on the basis of that plan that you perform a self-assessment. The self-assessment is in accordance with a particular methodology that DoD has put out, the DoD Assessment Methodology, and you have to report that score. Now, in theory it could be as high as 110, meaning a perfect score; for many companies it's a lot less, and for some companies it's a negative number. But it's not just that you have to report that score; you also have to provide information on when you expect to close any gaps. Now, at this point there's no affirmation of a senior executive behind what you submit to SPRS, but speaking as a lawyer, any time that you are required by a regulation in a contract clause to submit information to the government, there is some degree of compliance or liability risk if you knowingly misrepresent what you have submitted.

And I've been spending a fair amount of time recently wearing my hat that's more lawyer-ish than security-ish, if there is such a thing, looking at this new DOJ Civil Cyber-Fraud Initiative, and that really does provide a context that we should be considering as we look at 2.0. Because if 2.0 seems to be postponing some things and relaxing some other things, at the very same time the Department of Justice has made it very clear that it is intent on using the civil False Claims Act as a way to motivate, encourage or require companies to do a better job in cybersecurity. Now, that initiative is in its infancy, and if we got granular I could show you a thousand things that don't quite make sense in what they want to do, but the net of it that matters for everybody is that DOJ wants to use the civil False Claims Act. They have been successful using that act in other areas of regulation, healthcare for example. They are actively encouraging whistleblowers, and one of the reasons that they are is that whistleblowers may actually understand the cyber issues that DOJ doesn't. The whistleblowers, of course, being insiders, are in a position to have information, have documents, have evidence, and know it. And so many companies face some difficult decisions as to what to do, when, how much to do and which to do, and there can be mere disagreements, and they can sometimes become arguments, or severe dysfunctions, where an executive makes a decision that others don't agree with. Well, now DOJ is saying, we want to hear about that stuff.

And so as we look at CMMC 2.0, it's really important to recognize that if you act in knowing disregard of your obligations, if you knowingly misrepresent to DoD what you comply with and what you intend to do, if you are acting in a fashion that would be fraudulent, especially if it is egregious and would affect DoD's willingness to do business with you, you could find that you're going to hear, not from the FBI, but what could happen is that the whistleblower within your own company, a new form of insider threat, could make that report to that hotline that's been created just for this, and that could suddenly put you under the spotlight from a lawyer for the whistleblower, called the relator's counsel. You could also be under the spotlight from DOJ itself, or inspectors general, whom they're going to rely upon. And, wearing my full lawyer hat, I've defended quite a number of False Claims Act cases over the many years of practice that I can admit to, and I can tell you that they are never, ever going to be a pleasant experience for any company that is subject to them, even if the allegation is completely wrong. If you find yourself on the receiving end of a whistleblower claim, you're going to end up having to hire people like me and our associates, you're going to spend money on experts, you're going to have disruption and expense, and you could easily spend a great deal of money just defending against a meritless claim.

And so one of the outside-of-the-box equations to consider is, when you look at 2.0, don't just be thinking about what I can avoid until they make me, but be thinking about how you can avoid the greater exposure of FCA liability, and, more important, how are you going to protect your enterprise? Because it's always been true that CMMC is about the confidentiality of information, and it's equally true that the threat landscape doesn't limit itself to confidentiality. Especially with ransomware, we see wholesale efforts that discriminate among no one to essentially deny you access to your system (that's availability), or to exfiltrate and potentially corrupt the information that's in your system (that's integrity). So, to get right to the chase: while CMMC 2.0 gives some companies some more breathing room and postpones mandatory assessments, the smart move now is to basically look at 171 and determine a course of action which, relatively promptly, will take you to a point where you could get assessed and you would pass, and where you have confidence that you have effective security in the dynamic environment, cognizant of the actual threat environment as it evolves.

Now, I know that is a tall order, but the world that we live in demands it. I've done work for MITRE over the years and been on a Defense Science Board task force, so I do get some insight into all the bad things that could happen, and I can say this conclusively: however bad the threat environment was, say, in 2018 when I was a co-author of Deliver Uncompromised, it is only worse, and by a substantial margin, today. We have more and different threat actors, more and different forms of vulnerabilities, and we have this whole new dimension of criminals who are very sophisticated, who can do terrible things to you, who are not going to send the information to China or Russia necessarily, but they can do damage to your business which you cannot recover from. That's the world we live in. So yes, CMMC is important; yes, when the new contract clauses come we're going to pay close attention to them; but it's just a piece in that larger puzzle, and DoD knows this. When you talk to higher-level people within DoD, listen to them; they're going to tell you that CMMC has its part, but it's not the holistic solution, because companies need to be thinking about different threat vectors, and that can include your supply chain participants. In other words, the digital integrity and assurance that you have in working with a managed service provider, with a cloud service provider, with a software developer or with a solution provider that you use: anyone and everyone, digital or otherwise, in your supply chain becomes a threat vector. So there's an awful lot to deal with, and companies that want to participate in the DIB and do sensitive and valuable work, where they can get paid good money, are going to have to be attentive not just to CMMC 2.0 but to other types of threats.

And finally, one of the things that's important in the 2.0 announcement is this decision to move away from CMMC maturity level 3 and that model, back to 171. Why would they do that? Well, one of the key reasons is that they want to reconcile the security regime that DoD imposes upon its contractors with what other federal agencies and departments can or will do for their contractors. If DoD went down the path of having a customer-unique set of cyber requirements, such as CMMC maturity level three, well, suddenly you would have DoD contractors subject to one set of things, and assessed for one set of things, even though the same companies might be selling to other federal departments and agencies where different rules would apply that would be more aligned with 171. So I see the decision to focus on 171 not as a retreat but as a way for DoD to put itself in line with what it expects other departments and agencies to do, which will rely upon this.

I'll say as an aside, and then I promise to pass over the microphone: I thought there was some great stuff in the maturity levels, and I give great credit to Johns Hopkins and to Carnegie Mellon for the incredible contribution. One of the reasons I do that is that, as much as we all know 171 (we've done it for a long time), it was written for a particular set of threats; it did not really include ransomware. It was written for a particular condition: information security wasn't worried about operational technology or manufacturing technology. And it was written on this assumption that most ordinary prudent businesses were already doing much of this stuff. Well, in fact that's not true either; as we're learning, most ordinary prudent businesses are working to do this stuff. And so it's not going to be stuck in the mud forever. DoD has already acknowledged that it's going to be looking to improve it, and I hope, for what it's worth, that NIST will do so with some promptness and will consider what can be gained from the CMMC work effort. Another point to realize is that by relying upon NIST, essentially, if NIST comes out with a revision three, which they will in a year or two, well, suddenly that's going to be the new requirement in the contract and the new clauses.

So what is the smart move? Take advantage of these 9 to 24 months. If you're really not very far along in being able to demonstrate or pass an assessment against 171, you have an opportunity to get further along, and you should do it. You're not going to be held to an assessment tomorrow, but you might find it advantageous to get one when you are ready, even before it's required contractually, because the presence of such documentation and demonstration of your security will go a long way to make you a more attractive candidate for a sensitive program or for high-value connectivity. Primes are going to want it; it's incumbent upon the smaller and medium-sized companies to show that they are trustworthy. I'll stop; sorry for the long monologue, but hopefully something useful got communicated.

John: That's perfect, Bob, and I appreciate it, and it's a great segue into what we wanted to hear from Josh on this. Number one, Josh, reading into this as you do (and you read every single word of every single page of everything that comes out; that's why you are who you are in your capacity as the CTO), what's your evaluation of this? And then, along the lines of what Bob is talking about, I'm going to ask you to play MythBuster a little bit in terms of the dissenting voices on CMMC. You might say there are too many Bob Metzgers involved in this, too many lawyers, not enough pure cybersecurity. Help us bust that myth, as Bob tries to hide; you're way too center stage now, Bob. So Josh, over to you. We'd love to hear your take on this after your evaluation of the CMMC announcement.

Josh: Yeah, well, I think that first myth, that talking to a lawyer about cybersecurity is like having a dentist work on your car, I think that's definitely a myth that's busted when we look at the contractual obligations that are aligning a lot of this and driving to a bare minimum set of standards here. It is a contractual obligation, and there's a lot of confusion in terms of, hey, this document that's labeled FOUO or LES or some other kind of labeling, does that apply here? It's driven by really how the contracts have been laid down with that individual organization; that is what then drives those relationships and those controls and those standards. It's a contractual obligation to be maintaining and managing and safeguarding this government information, as well as, when you look across the organization, in terms of due care and due diligence and how you're operating and defending your business in itself.

I think another myth I'd like to get after here is this view that CMMC 2.0 somehow negates the work that went into CMMC 1.0. We've been on this journey for a while, predating 7012 and predating some of the other activities inside the government and outside the government, and from a perspective of where we're going, it's getting better and better. I do think we owe a bit of gratitude there to CMMC, because it did change the conversation from just a technical conversation to also a business conversation. When we look at the upgrade here from 1.0 to 2.0, we're still having some of that business conversation, of those contractual obligations, but also in terms of the consequences and the enforcement activity that's going to go along with it. Now, this isn't it; this is an adaptive set of capabilities that they need to mature over time. And when we lean back and look at 2.0 more, that's going in with this alignment here to 800-171, more focus potentially on 800-172, this streamlining really looks like an accelerant. Right? We went from about 401 or so assessment objectives, depending on how you count those maturity levels and their objectives across the different domains, down to about 320 or so within 171. But when we talk about the work and the activities and that as a program, what we're also seeing is a simplification of the government saying, look, here's our information, we want you to safeguard it. They're also saying this is how we want you to safeguard our information; we want you as a company, though, to have a good cybersecurity program and apply best practices and standards, not the government standards in terms of protecting that CUI as a limiting factor. So when I look back and look at this as a whole, I think this sets the community loose here to go after and be able to start getting good capabilities. We've been on this mission for the last couple of years to bring national capabilities; most of the cybersecurity market is actually fairly underserved, simply because most organizations are too small. We've been working heavily with Microsoft and FireEye and Mandiant and others in the community here to get access to those national-level capabilities baked into their infrastructure. So I think this is going to be pretty helpful there as we start talking about turnkey compliant kinds of capabilities and we start scoping down to the system side. But also, when we talk about just what 2.0 means from a streamlining standpoint: with 1.0 we were still probably waiting for about five years to get fully implemented; with 2.0 I think that's maybe down to three, and it could be sooner. Also, when we look at what EO 14028 did here in terms of improving the national cyber defense, both inside the government and outside it, and this higher standard going probably across the federal government as a whole, vice just DoD, we really start talking about a more robust all-of-government kind of approach, which I think is going to be a net positive.

Bob: Can I jump in for a second, please? So I get the point about lawyers. I mentioned before that I served on the Defense Science Board cyber supply chain study; I was the only lawyer (lawyers are not generally on those things), and I did a number of technical briefings to military and government audiences on the study, and I found that being a lawyer was a barrier that I had to overcome, and I did. But Josh just made the point: there is no overarching federal statute that says you must have cybersecurity. It's not there. And although there are arguments that you could be negligent and liable for negligence if you fail to have due care in cybersecurity, those cases actually don't get very far, because nobody exactly knows what that due care is. So the reason that we are paying attention to cybersecurity is a function of acquisition practices that include regulations that are distilled into contract clauses, which are included in your contracts, and where they are subject to oversight and compliance enforcement and, potentially, sanctions. Lawyers should not be the people that you rely upon to decide how to do security; I'm not the guy for that. But if you don't do it well, you may be calling people like me, and where we can be valuable is maybe helping to understand, or to shape, DoD's thinking about what they should do with that regulation acquisition authority and how they should apply these principles. For all the time that 7012 has been on the ground and under our feet, do we really understand all of what it means? I think not. I mean, if anybody can tell me what CUI is under the definition of the 7012 clause, you're ahead of me, because I've never figured out what the boundaries are of information that is used in support of performance of a government contract.

Now let's go on to the three other things. At the very start of this review effort within DoD, Mr. Salazar said that there were three objectives, and he returned to them last night: one of them was to clarify requirements, the second was to restore or improve the integrity of the CMMC process, and the third was to help small business. Well, I'm going to give you sort of an instant checklist. Yeah, they kind of clarified it to some extent; it's 171, not CMMC. And they clarified some, but they introduced new things, right? So one of the things that he said is that they're going to bifurcate level two, and the distinction is going to be that some companies who have lower-importance information are going to be allowed to self-assess and have a senior executive attest to that annually. But then they said that there are going to be required assessments if you happen to be handling information that is critical for national security. Well, I don't remember that particular definition appearing in the CUI rule, and it actually is not the same as the definitions, including covered defense information, that are in 7012. I can have my own guesses as to what information is critical to national security, but we're not going to want to guess, so we're going to need to know just what that is. And one of the problems that presents to companies is that you aren't going to know, and you really don't want to wait until an RFI or RFP comes out and suddenly you have an opportunity to bid on a program which is deemed to have information critical to national security, but you haven't actually started, or done anything, or done enough. And so if you actually plan to play in the defense universe, where you could be working on programs that might be important to national security, military preparedness or the competence of the warfighters, well then you really kind of have to assume that that assessment part of level two is going to apply to you, because if you make the other guess, you're not going to have time or ability to respond, in at least some likelihood.

Now let's talk, finally, about small business. There's a lot of talk that's been, oh, we're helping small business, but exactly how? The biggest way that small business is helped here is because the several hundred thousand companies that are level one, with federal contract information, are not going to be assessed. Thank you. I mean, it was always a ridiculous idea, no offense to the instigators and, you know, law providers; it was never really feasible to have armies of assessors that could go out to small and medium-sized or commercial companies who had federal contract information. It wasn't worth the investment, ever. So at least we're getting some rationalization there; that's good. But beyond that, what did DoD really tell us to help small businesses? Well, it said, we're just asking you to comply with 171. That's not such a simple proposition. It might be a little bit simpler than CMMC maturity level 3, but some of that stuff that's in the plus 20 that is being removed actually kind of folds back into 171 in the first place. So I think there is a long distance for the department to go to actually help small businesses. Giving them websites and toolkits, that's nice, but I think it's really up to industry to come up with ways to harness commercially available technology so that solutions can be provided to small and medium-sized businesses which in fact are affordable and practicable and secure. I think a lot of effort's been made in that area; we need DoD to help effectuate it and enable it, but the truth is DoD is not going to solve the small business problem. It can help facilitate it; it's going to be industry that solves the small business problem.

Michael: Yeah, I'd love to build on that for a second if that's okay, John, because I'm not a cybersecurity expert; I came to this business by way of digital transformation work. I've learned a lot about cybersecurity in the past three years, but as a business owner myself, having started a few of these companies and grown a few of these companies, the question is always: where are you going to put your dollars? And so the specificity that the legal community can help bring tells me, from a compliance perspective, what's the minimum I've got to do. But in order to make good decisions, I think there are a couple of things that CMMC has helped bring to light, and that even this move to CMMC 2.0 has helped emphasize. The one that's probably most important, and maybe not highlighted all that much, was the comment that Deputy Salazar made yesterday, where he said something along the lines of: our hope is that no company is waiting for DoD contractual requirements to figure out how to meet their cybersecurity challenges. And the reality is that cybersecurity expenditures are going to be part of your business model. If you are expecting to do a cost-benefit analysis and say, well, I'm just going to get out of DoD contracting: if you're going to other federal contracting, DoD has already announced that the changes that they're making are to allow them to line up better with the requirements that are probably going to be whole-of-government requirements in the coming years. And I know we do work for commercial organizations that are now asking us to do more and more to demonstrate our ability to safeguard their information. So I don't think this is a DoD issue, and I think it's good that DoD is saying that it's not their issue.

If your primary revenue stream comes from DoD contracts, then what you've really got right now is 9 to 24 months. If your approach to those 9 to 24 months is, well, I'm going to hire someone, we're going to do a project, and then we're going to be secure, and that's going to take me a couple of months to get done: if you're getting that kind of advice, it's not accurate advice. The requirements of a good cybersecurity program are not one-and-done requirements; they are things that you have to do on a regular basis. So you're going to need help doing those things, either from internal staff or from a firm like us. And I think, more importantly, you've got 9 to 24 months to analyze your business model and say: this is my cost model right now; when I add the cost of the cybersecurity controls that I need to put into place, what can I do with that? Am I increasing prices? Am I spreading those costs around more customers, so do I need to create growth? Am I creating productivity with the tools that I put in place, so I can decrease other costs to allow me to afford this? Those are not things that you're going to figure out immediately, or with a couple of weeks of thought; those are things that you're going to discover over time.

So my big takeaway is: DoD came out and said, we're not going to be the guides to how to defend yourself and how to have a good program for yourself. I think CMMC 1.0 had some of those elements in it, and DoD has stepped away from those a bit, and the timeline is relatively short when you consider the task at hand. The good news is there's a little bit of an on-ramp that CMMC 2.0 creates: maybe you start by being foundational, maybe you then work to get the requirements that can't be on a POA&M into your organization, and then from there you can go look at the entirety of 800-171 as a way to step into this. But I think if you wait until the end to get started, you're going to find yourself behind your competitors. So there's an opportunity here to really look at your business model and figure out how you're going to get something like this, not just for DoD customers but for any customer.

Josh: Yeah, John, if you don't mind me following up a little bit. I was thinking the other day: John Wheeler over at Gartner has been talking a lot about how to deal with this increased regulatory environment, and there's a natural reaction to want to go and build a cybersecurity program around compliance first, a risk management program around compliance first. CMMC 1.0 was really kind of driving towards that, of building your whole program around CMMC, where 2.0 is really kind of freeing you from that. And I think if there's anything you want to take away from this conversation today, it is, going forward, where we go from here: we don't want to put the horse in front of the cart or behind the cart, right? That cart being compliance. He talked about these two different kinds of model. One is where you're focused on business performance first, resiliency of the organization second, assurance of what you're doing third, and then compliance, for a practical solution, right? Now alternatively, if you're putting compliance first (compliance, then resilience, then assurance, and then performance of the organization), well, that's a CRAP model, right? And so going forward, with what we're looking at with CMMC 2.0, you can either choose this path that's a practical path, as Gartner puts it, or really this other path that they're describing as a CRAP path. And underneath that, then, is what are the motions in terms of how you want to build out your program: are you looking for partners that are going to be able to help you accelerate your organization and thrive in this challenged operating environment, or are you looking at building a solution that's really just around complying with that minimum set of controls and treating it as a cost center alone?

Bob: I would add to that, if I might. I like the concept of putting compliance into the mix but not making it drive the solution, because the quality of the solution isn't going to be very good if it's just wrapped around some set of 110 requirements that's attached to a regulation. In truth, companies need to be agile, and they need to be adaptive, and they have to understand that security needs today are going to be different from those in 6 or 9 or 12 or 24 months. You want to end up with a solution that can in fact be informed and adjust as the security environment changes, and you want to be in a position where you can mature your model. I know we're moving away from maturity models, but in truth there's a fundamental validity to the point that you can improve your maturity over time through a progression, and that's important, because a highly mature enterprise is able to adapt and recover from threats that may be known or unknown, and that's where you want to be. Maybe you can't afford it now, but you can certainly make that the plan and work towards that. So, Michael
walk me through this if you're you know you've got this nine to 24 months and and to borrow your adage of stop stalling and get started you know say you're you know the the average company out there and you really have no idea what you need why you need it you see this in the news you know we're talking in in industry vernacular now but you know a lot of companies out there and a lot of leadership and companies don't necessarily speak that language how do you take this message to you know the the div and and companies out there who need it the most how do they get started what does the process look like and how is that something that a company like artists can help with um well i think the there's a lot of practitioner advice out there for executives that you know unfortunately i think you have to be a bit of a practitioner to understand and so the the first kind of breakdown that i like to think about is just what are we really up against as an organization and and the thing that you're really up against as an organization as a fight sometimes people think about security as a state i am secure i am insecure but the question is always i am secure against what right and your physical security and your other risk management models in your organization are no different and you know if you're a multinational airline you're going to be hedging against fuel prices if you're a 40-person organization right now you're going to be hedging against a different set of risks so the first question is to understand what it is that you're trying to be able to compete with and compliance is obviously a driver then for that i need to be able to compete with a set of standards that's probably going to increase over time which will preclude me from bidding on certain kinds of contracts if you want to flip that risk on your head and turn it into an opportunity and dod hinted to this a little bit last night when they said they're going to be looking for incentives then you say i the 
buyers of my services are going to care about how good a job i can do with cyber security so how can i demonstrate and this is where the c3pos and the cmmc do add some unique value over government assessment um how can i demonstrate to uh my customers that i've got this under control and what does that look like what do my customers care about and the second thing that i think you need to look at is you know the typical uh you know built by decision do i have the staff internally and do i have the capability internally and do i want to manage internally this process uh and from what we've seen uh just looking at the you know average size of a dip company um a lot of companies in the defense industrial base just don't have the staff and so need to turn the industry to figure out how to source the talent and maintain the talent that's necessary to execute your program um third thing that i think it's important for a business owner or business leader to realize is again this isn't a one-time project this is an ongoing process whether there's a maturity model or not how do i as an organization set out to put some processes and controls in place get those things done reassess my threats put more in place so that i can keep up with the threat i would actually compare and to existing business functions that you've got um and maybe even differently than other risk management that functions that you have in your organization cyber security to me has been more like marketing than anything else in that there's a competition and the speed with which you need to adapt is driven by your competitors and so if you're going to take the smart long view on cyber security as a business owner and what you're going to say to yourself is how often do i need to take a look at this to make sure i'm one step ahead of in this case the adversary as opposed to one step ahead of my competitors and that's going to be an ongoing process so you've got this opportunity now to get an on-ramp on that 
process a lot of your competitors aren't there yet and if you are small enough that you expect to not be a target of the larger threats out there i think there's debate about whether or not that's true but if that's the perspective you're going to take then you need to use this time to get ahead and and what i mean by that is if you think the real compliance enforcement is going to go against your prime now is your chance to be able to demonstrate to your prime that you're better than the other subs in terms of helping that with them with that problem if you really think that the hackers are going after organizations like solarwinds and the dod themselves now you've got an opportunity to see how you can put those types of capabilities that would be able to alert you to those kinds of attacks meet your reporting requirements under those kinds of tax in place and then the last thing i'll mention john is industry really has a lot of work to do here both in terms of their ability to communicate solutions uh especially to small and mid-sized companies that haven't had the kinds of budgets that you know banks or the federal government has had to put solutions in place so they need to be able to drive solutions to price points that smaller organizations can get and you know we need to be able to get out of this highly technical war-fighting language even though we're dealing with a highly technical subject that is in certain cases akin to that and we still need to be able to educate decision makers on how to make a good decision here and too often the choices between um you know annihilation a set of things that i can't afford or doing nothing and the reality is that there is a space in there where you can prepare yourself against certain kinds of risks you don't have to face annihilation and you don't have to individually be able to stand up to a nation-state actor in order to reduce the likelihood that you're going to have a cyber attack or a ransomware attack and 
increase the likelihood that that will not be an existential threat to you if it happens uh may i come in please bob there's some some great insight there uh you know really the 7012 rule and the 171 requirement was written around threats from nation state actors who had proven their ability to infiltrate contractor information systems and to exfiltrate or steal valuable technical data that didn't happen to be unclassified and there is a long list of accomplishments by the uh by the chinese and the people's uh the people art sorry the army the chinese army of what it's been able to do with our stolen information but the cyber world has evolved in some unfortunate directions now there um are international criminals operating individually or in some collectives who are looking to attack any company and could care less about providing the results to a nation state you are not immune they are not looking just to hospitals or school districts or pipeline companies they're looking to anybody and they have tools to get into your system to do reconnaissance to decide what's important to you and to choose the technique for a ransomware attack that will cause you the most distress it's really important for companies now to appreciate the nature of ransomware attacks and the means that should be taken to be alert to them when they are attempted and to be able to restore and to be resilient if they are successful some of that is accomplished by 171 some requires um other techniques that are a little bit different and some more difficult but you know the world we live in is not confined just to compliance it also you know includes maintaining the security stability and the operability of your business now you know all of us here have some connection one way or another to cloud service providers and i i wrote back in 2016 a 15 000 word white paper or exostar uh which some of you know essentially i said in 2016 gee you know it's likely that you can do a better job moving away 
from premises investment to relying upon cloud service providers who can who have the scale who can concentrate knowledge expertise tools and technology who will be investing more in to improve their security and will certainly have a better threat intelligence and i said way back when you know 70 12 is kind of written about uh do written with a do-it-yourself mentality and so is 171. you know here are the requirements that you should meet on your system well you know i think it's really essential that as i said in 2016 i say it even more so now and let's appreciate that there's a lot you can do internally and some things that you must do internally that are non-delegable but it really is smart to be looking for ways in which you can draw upon that concentrated expertise at scale it can be microsoft it could be aws i mean i know companies like salesforce are in the game i'm not picking picking favorites here but you know it's just essential that first you know companies think about how they can take a step out of their current limitations and be in a superior platform which i think is cloud enabled and um i think it's essential for companies to pressure dod to act upon its constant promise to provide reciprocity and clarity for cloud utilization i mean i i heard it again we're working on reciprocity please i heard it again well you know fedramp we're gonna we're gonna improve that please i i get it but you know too slow scale too low and you know ultimately un insufficient so you know these are areas where you have opportunities to make your own choices and hopefully we can influence the department and other agencies as they proceed so bob if i may inject here you know we we've talked about this on the 30 000 foot level and then we're we're pushing it down to the tactical level of what companies have to do you're that ceo you're that person who doesn't have too much time to listen to the i.t person coming in shaking the the can for more money what is what is we all 
know what the cost of doing nothing is um it's exposing yourself to ransomware and possibly putting the national security of this country at risk but you've been doing this for a long time in general how often do you get the question of how much is cmmc2 going to cost me is it going to cost more than cmmc one how much does just getting to a basic level of compliance you know how much is that going to cost does that come up a lot and in general you know what what do you think those costs are to your average company you know i i can't say because i don't really think there's an average company i mean in a sense the security that's required is going to be tailored to a function of and a product of your particular business you know what you do who you depend on where information figures into it where what your ip is how important that is to your business there's no you know single answer but i do know for a fact that smaller and medium-sized businesses are always worried about the return on investment for security and with respect to cmmc 1.0 they were concerned that you know they might be spending more than they could ever get back either to recover from dod and indirect cost rates or to get it or to as accomplished in new business well you know i i do believe that if you look across the ring the range of threats and consequences that you know most um c-suite executives and many boards of directors you know are coming to recognize that it's not a yes or no question it's a question of which measures are sufficient to protect my enterprise and my shareholders and my lenders and my customers and my ip dod is a part of that regulations are a part of it but the real reason that executives should be facing the challenge and making prudent decisions is because of all of those other elements that need to be protected in a cyber in a world in which cyber dangers are you know persistent and varied so michael and josh over to you in the end what does a good cyber security 
program look like you know call it cmmc call it 1.0 call it 2.0 in the end you're a company and you're advising them that you need to start number one stop stalling number two you need a good cyber security program what what does a good cyber security program look like joshua you want to take that one first from a practitioner perspective and then i can wrap up from the business yeah yeah so um you know the the the the two key words there is is aligned and evolving right and so uh you know an aligned is almost a double stuff in terms of understanding what the organization is that that program is protecting and then also the operating environment it's working through so that that's a that's a variability right you know any expert will tell you it depends and so uh you know the starting point there is always that it's aligned the the other part of that then is that that this is a changing space right business in itself right we're trying to become more and more agile and so in itself it is ever evolving okay and the landscape the operating environment the set of capabilities you can bring to bear are ever evolving and you know i i think the third then in that uh to because there's always three there is that not only are we aligned and we're evolving partners right which which partners what parts of the supply chain you know we're getting to this point here where we're starting to realize outsized impacts on the supply chain where a company can have a far greater impact on supply chain than it's actually worth it and and those those second uh third-order effects i think are pretty dangerous and um aside from the impact and how the consequences have the the flip side of that when we talk about partnership and whatnot is that most these businesses aren't in the business of doing cyber security and so they need to identify the right partners to work with them to take them on this journey you know we've we've built some the the the the leading cyber defense capabilities 
out there and and uh they aren't cheap but you know when we look at this problem we look at even the one or two person just got started kind of shop that's doing some groundbreaking things uh there's a set of capabilities that we can bring down that is cost effective for them and that is comprehensive for them and and well aligned it's evolving and they have the right set of partners so that that's that's my three takeaways there i think that's a that's a great overview josh and um you know i can tell you that john kind of how we we like to think about it and i think what maybe differentiates us a little bit from some other other choices out there and but again you know i'm pretty fond of saying this if you don't do this with us just i mean please do it um because it's really important to to get it done one way or the other and so from from a business perspective and to me the the main thing that organizations need to navigate right now is this challenge that i alluded to in my last answer which is if you look across the landscape of possibilities um you do nothing and you're destroyed uh you do nothing and you go like this and and hope that whatever business outcome you're trying to achieve you get there before somebody gets you um or you feel like you have to invest in something that's uh an outsized um investment that's hard to get a return on so i would challenge um the industry i would challenge your partners uh and i would challenge your internal stakeholders too to say how can we get on a path to continuous improvement you know to josh's point about alignment and uh and maturity or evolution again there's a space in between those three potential outcomes that exist that's not necessarily easy for especially a smaller mid-sized business owner to identify but there are ways you can get after it including taking the time to understand your particular business model where the threats exist inside your business model and then how to deploy your resources to the 
places um where those threats are the most uh uh you know the riskiest and and you do have an opportunity then to um you know to wade into this uh so pick a control set i mean for the for the defense industrial base the the cmmc has been for a while now and will continue to be even under its new iteration a road map for getting started in a way that doesn't require you to sit down and solve this problem on your own so there's a level one if you're not doing those things do them and if you can add email protection and mfa on top of it because they're not on the list but you should be doing them anyway and the white house is and cesar are talking about this list of four or five things that every organization should be doing start doing those things they're not all expensive things um and then from there you can sit down at the breadth of controls dod is gonna publish this list of things they won't allow you to put on the poem maybe that's your next list to tackle but again you know dod said don't make us the only standard so you know talk to companies like us microsoft publishes a list of requirements that are not requirements for recommendations gartner publishes a list mandy and publishes a list there are sources out there for you to figure out what to add next and add next and add next and as long as you understand that that work isn't going to be done just like your marketing is a competitive thing that you have to spend money on every year realize that you're going to have to spend money on this every year and then figure out how to work that cost into your business model and how to turn that investment into an advantage whether that's being able to compete for work that you couldn't compete with before compete for before or whether that's advertising um your ability to handle increasing levels of sensitive information on behalf of your customers and whether that's the ability to much more quickly respond to inquiries from existing clients or future clients 
about your cyber security practices those are all things that you can do um i'll add one more sorry um whether it's obtaining productivity improvements out of the investments that you make as you move into the cloud or deploy new systems and those are all ways that you can help offset these costs either with new sales or reduce costs in other areas it's a business problem it's not a technical problem and if you put your hands around it like a business uh problem you'll be fine you'll you'll get to the right place so bob i'm going to give you the uh the last word here before we get to a couple of questions in the chat we're almost to time but i definitely wanted to hear from you before we signed off well you know cmmc 2.0 is a rationalization uh but not a change in the in the idea i mean behind cmmc 1.0 was an idea that we promoted in the deliver uncompromised report namely that the security of the defense industrial base was important that companies hadn't been doing a good job and the reliance upon self-attestation for valuable information wasn't working but we still have that so now we have some closer match between the ambitions of the program and what it can accomplish and we have a tighter focus upon information that actually has consequence to dod and our warfighting capability this all makes good sense it's true that they we all have a lot of questions and it's true that we're going to learn a lot as this new process unfolds and i don't think there's any any reason to question that any company that looks to sell not just a dod but to other federal departments and agencies ought to be tending to at cyber security and looking for ways not just to do the minimum or barely enough but to improve and sustain their enterprise security so we have one question uh if i don't have cui yet and i have the dfar cyber clause in my government contract is an sprs score required uh for um for the dib to handle fci protection level under cmmc 2.0 i'll answer that giving 
general legal impressions not legal advice no i mean there there's a lot of things that have to happen before you are required to do that self-assessment and submit it you have to have the 70-12 clause but you actually have to have the subject of the 70-12 clause which is cover defense information which equals cui so the fact that that clause could show up in your contract even though you don't actually have cover defense information or cui well i mean the fact that it's there doesn't mean you have the subject that would require you to do the self-assessment or submit to sippers well if i could just ask a question to elaborate on that because we hear this a lot from customers and how do i know if i have it if it's marked f-o-u-o or using some other legacy marking um should i um you know should i assume should i ask my my core how do i find out if if something with a legacy marking is or isn't cui yeah that's a gigantically important and difficult question i only have a moment or two look the a chronic problem with the whole apparatus dating back before cmmc is that you were told to protect things which really are government information or government categories of information where the government ought to have told you what those are and what it wants you to protect but often it didn't moreover as you suggest michael there can be situations where the government employs a label that really isn't in that current set of cui i see stuff that is fuel all the time the intelligence agencies continue to use it that's not one of the categories that exist in the nara cui rule so the way that i approach it from a practical standpoint is the first thing is i look to what i know from the agency that provided the information if they think it's sensitive then i'm inclined to go along with them even if they don't use the formal distribution statement to tell me and the next thing i looked at honestly is you know what would be the consequence to my ultimate customer and the to the 
department to warfighting capabilities to readiness what would be the consequence if this information was stolen and ended up in the hands of the chinese i mean if it's completely immaterial well then you know maybe i'm going to treat it as something other than cui but if it's information you know such as a bill of material ordering parts price list for parts on a sensitive system identifying particular suppliers who may be in short supply well even if it's not marked as cui or cdi might be thinking i don't want that information to get in the hands of our adversaries and so the better call in such situation is to treat it as cui and protect it then you're fulfilling the purposes of the program so at the end of the day paying attention to the mission always matters yes thank you well gentlemen we're at time really appreciate it bob i know that you have to go but um thank you for your context and and your expertise here josh and michael thank you for your points of view as well for any more information on cmmc 2.0 or your path to compliance or cyber security hygiene please visit us at www.ardelist.com we will post the video and recording of this webinar on our linkedin page um and please um have a great day for michael specca josh o'sullivan robert metzger i am john schofield that's the end of the webinar we'll see you later you
Info
Channel: Ardalyst
Views: 319
Id: drTVOsGqbEM
Length: 62min 31sec (3751 seconds)
Published: Wed Nov 10 2021