'CMMC Made Easy' | GovCon Chamber of Commerce (20 Mar 2020)

Captions
Okay, so it's three o'clock, we're going to start. We just passed 200 folks, which I'm extremely happy that folks have come in and participated. Showing up early, I love that. On other events I do, I give out prizes for showing up one minute early; it's a really important thing to those of us who organize to actually find out people are here. And to the panel, thank you very much for showing up.

I just wanted to briefly introduce myself and the GovCon Chamber as the host of this event, and why we do this. So my name is Neil McDonnell. I spent 20 years, after I got out of the Army, as a government contractor, small business. The end of 2017 I sold my last company and decided to just flip to the other side and help small businesses through the GovCon Chamber. For many of you who've known me for a while, it was the HUBZone Chamber and now it's the GovCon Chamber, because we're trying to help everybody, and we help at the tide level; we want to raise the tide just a little bit. We don't try to be experts at these, like, we're not trying to be a CMMC expert, we try to be a communication expert, right, and guide you to maybe conc experts. And so for us it's really important we just teach the process. Any video I ever do, I say government contracting is not a secret, it's just a process, and for a lot of us the process is a secret, so we've got to, you know, get that secret out there.

And the reason we're doing this event is because we listened to DoD as they go around, and we did this before any of the challenges we have right now. We knew we wanted to do this event because CMMC is rolling out throughout DoD; it's a fact of life. So how do we get out there and help contribute to sharing that message to maybe audiences who aren't hearing it in the traditional ways? You know, we'll reach out another way, so we've got other contacts, and so if a lot of us do that, we'll reach anybody. That's a big part of what we're trying to do. And in a minute I'm going to talk about what I'm hoping our goal is for today's event,
but I wanted to stop and just let the panel introduce themselves. And actually, I am looking at my screen, so if I just ask Katie, and then Stacy, and then Sherry, and then Vibha and Kat, that's how I see you on my screen. If you can kind of just go in that order and briefly introduce yourselves.

So hi, Katie Arrington, CISO for Acquisition and Sustainment here at OSD. I like to think of myself as the mommy of the CMMC, so hello. And I don't know about the rest of you, but I feel like I'm on the Brady Bunch and I'm Marcia.

I'm Stacy Bostjanick, I'm the director of CMMC, working with Katie, and older than her, but she's my mommy right now. And I'm working to get it all put together with the policy and the different contractual regulations. And I guess I'd be Cindy. Sorry, Kat, I don't know where it's gonna go. No, no, no, sorry, but I don't know from The Brady Bunch what you get at the end. Oh yeah, I know.

And then Sherry, you're on mute, by the way. Here you go.

I'm Sherry Savage, I'm with DLA. We manage the PTA program and I am the PTA program manager, and I guess I'm Peter or Alice. So you are actually... no, I am Florence Henderson. Yes, you... sadly, Stacy, look like you're... you're Greg, you're Peter. Sherry, pork chops and applesauce, that's what it is.

Vibha?

Hi, good afternoon everyone, I'm Vibha Dhawan, I'm the CEO of Chitra Productions. Chitra is a HUBZone, woman-owned, just newly graduated 8(a) firm in the arena of cyber security, technology, training. And I know there is a lot of people here with the PTAC. I'm very thankful really to the PTAC, Lynda one out of Virginia PTAC has truly, truly been my mentor and has helped me throughout my journey. And I'm also... I know there's a lot of contracting officers and small business specialists, many of my partners from the large primes, really tremendous gratitude, so thank you.

Who am I, Katie? You're Alice. Sorry, I'm Katherine Demean, I am from Business Engineering, BEI, and we are located in Reston, Virginia, and we do managed services, so we're doing a lot of the IT, sort of fill in the
gaps. When you have that POA&M, when you need that gap assessment, that's kind of where we're stepping in on the cybersecurity side to help people out. We have a lot of government contractor clients, so we're helping them out and helping some new people out.

Just a couple of quick housekeeping stuff before we get started. One is, for those who don't know, we've been trying to coordinate the panelists virtually, again even before this happened, and so Katie Arrington was scheduled to be at one place, then another, and both those buildings came down with multiple cases of COVID. And Katherine, can you let me know... first off, thank you for finding the final place where Katie's at, but can you give us a little shout out, plug, for the organization that's hosting you guys?

Absolutely. So Katie and I are at Intelligent Office, we are at the satellite one in Arlington. It's part of the Tysons, Reston, Arlington group of Intelligent Offices, and so they've been so kind to give us two conference rooms here and let us plug in and do our Zooms from here.

Yeah, they were awesome. I really appreciate the fact that they did that; they did that last night. We had another place in the morning that then went down. And this goes into the second thing: Katherine's replacing, as a panelist, Misha Nazir, who's also running into health challenges right now, and so I send my prayers, and I know everybody else does, to her for speedy recovery. She might even actually be online watching it, she's at home, but watch for when we bring her back as the central point of another panel. But Katherine, thank you for coming on at the last minute yourself and speaking up. She's an aspiring CISO, if you've looked at her LinkedIn. So we've got this great panel, I'm excited about the panel.

Another housekeeping thing for everybody, again, is if you haven't seen the gallery view, look at your top right, do that. It's the last time I'm going to kind of say it here. So Misha says she has no voice, so she got to...
today she can watch and listen, but no voice. Anyway, speaker view, you do that. If we go through and you have questions, please submit them. Whether we get to them today or we can follow up, we'll get them answered for you. I know DoD and the other panelists are interested in making sure the questions you have are answered.

And so I mentioned that the way I'm gonna go through this is similar to what I described as a Sunday morning talk show: you have several panelists and you just kind of guide through on a similar topic. Our topic today is the cybersecurity maturity model, and Katie, I'm going to start with you, because from a very high level there's many people, I would submit, who are on this call who, it's the first time they're hearing it, or the first time they're hearing it kind of the way you describe it. But can you let us know what is CMMC, and why CMMC?

So the CMMC is the Cybersecurity Maturity Model Certification. We, Stacy Bostjanick, my team, we created the model with a great team of individuals from Johns Hopkins APL, Carnegie Mellon SEI, but more importantly industry. I came from a background of small businesses that wanted to get involved with the government, and it's really hard, and we needed a way to streamline at least some of the things. The number one thing would be the cyber security standards. There are so many of them: we have NIST 800-171 R1, we have NIST 800-53, we have NIST CFS, the cybersecurity framework, we have ISO 27001, we have the AIA standard. There's just so many, and for anyone wanting to get involved with the government... I actually just hung up from an hour-long telecon with the SAE, Dr.
Roper of the Air Force, and part of their challenge was: make it easy. We don't want to burden industry, we want them to come to us. And I know there are a lot of PTACs on the call today, and you are gonna be a huge part to solving this problem, so pay attention.

We created a model based on maturity for a company. It was, you know, basic, level one, which is CMMC Level 1, which is equal to the FAR 52 that is currently in most contracts today, that have 17 basic cybersecurity requirements that are of no cost but need to be done to protect not only the national defense, to which we don't exist without you, but yourselves, your IP, your company. We built the model based on levels 1 through 5, so as you progress up: Level 1 is basic cyber hygiene. Level 2 is a building block for small business primarily; you will never see CMMC Level 2 in any given contract. It's to help small businesses ramp up on how they move from 17 controls and requirements in Level 1 all the way up to 130 in Level 3. So CMMC 2 is when we start implementing process into your cyber security posture, helping you with guidebooks, handbooks for your company, putting processes in place. Because at Level 3, CMMC Level 3 is the instantiation of what's in most government contracts today, which is Defense Federal Acquisition Regulation 252.204-7012, which came to life in 2014, was rolled into all contracts that touch controlled unclassified information in 2017, and is the instantiation of those 110 controls. So companies that are on the phone now that have that DFARS clause in your contract, you're already self-attesting to the government you're doing those 110 controls.

But because we don't want to gig you, we don't want you to leave, we needed to create a way that we could actually take that NIST standard, those ISO standards, and, I say, it's like the Tower of Babel: all of those different standards were saying the same thing, they wanted the same output, but they had a different dialect. We took
all of them together, so when you go to the guide, when you look at each of the controls, it lists where the standard is duplicated, where you can find it in multiple standards. Then the next thing it does is it actually says what the control is, and then it translates it into English; it's called the clarification. And then the next thing you'll see are examples in small business terms of what we're actually talking about.

So we created the model, then the accreditation body stood up to receive the model, to create the training, to train the C3PAOs, the cyber third-party auditing organizations, and we're going to train the trainers, get the assessors out there, because the government does not have enough resources to do this. We needed to make it scalable so that we could get third parties to audit companies' capability and ingest that into the Department of Defense.

So the reason why is the biggest thing: we're losing our collective to our adversaries. 600 billion dollars a year is being lost every year to our adversaries, in data rights lost, IP lost, R&D lost, and straight-up cyber espionage, and we needed a way to help our industry partners get secure and to be the backbone of the national industrial base. You know, all this conversation that we've had about the past couple of days, about the Defense Production Act and what the DIB really means: Stacy and I work for the Department of Defense, we are loyal, loyal government employees, but we build nothing, and it's our industrial base partners who do the heavy lift, and without you we're nothing, we really are nothing. You are what is saving this country right now, you are stabilizing the world's economy. We need you, but we needed a way to make sure that we had a level playing field. So the CMMC is rolling out to RFIs near you in June 2020. We're in the process of a DFARS rule change, and this will become part of RFPs rolling out in the fall of 2020.

Yeah, I think... and that's a lot in there. One of the questions is interesting; as you were talking,
two questions have popped up, which is exactly why I like doing these panels. One was: is that model that you were talking about published?

Yes, it is.

Okay, so we put links in to the chat. I'm hoping somebody on my team did that already, putting links in there for you to be able to access that.

And we actually, yesterday, on the website... Stacy, do you want to tell about the update we did yesterday?

Yeah, maybe go right into that, Stacy.

So what we did yesterday is we put up on the website, and actually I think it was published today, because we had to take a step back and put a current COVID-19 page up first. But what we've done is we've gone in and cleaned up that model to make sure that all the administrative issues are taken care of. We put a couple of other notifications on there, and we're gonna have an important press release that's gonna be coming out here soon, so there'll be more to come. Keep your eyes on our website.

Because, oh, Stacy, you did all the hard work, tell them what we've done.

Well, so we've gotten together with the accreditation body, who's gonna be the body that's gonna manage this. They're responsible for providing the training to the C3PAOs, to get them accredited and tested and licensed to be able to go out and perform the assessments with the companies. They're going to have a marketplace, they're gonna issue registration for classes, so you can go in and register to become a C3PAO, or you can go to see where there's a certified organization near you that you can bring in to do the assessments on your company. And so they're gonna organize that. They're also going to be reviewing different tools that are out there. The industry has risen to the task; we've got all kinds of interesting tools where companies are coming together to help companies make this easy, so it's not an upper burden to them. That's gonna be included in there, in the website, as well. We're building the database, so all that information, as you get certified, will be transitioned so the
government can validate that you have the proper certifications for RFPs. So we've been rocking and rolling.

So what she doesn't want to say, and I'll do it, is that we executed the MOU with the accreditation body.

Well, I wasn't sure whether or not that was allowed to be...

I am, I am. So Ms. Lord will be making a fold... there are higher priorities in the department right now that are taking... and I need to take a minute and say this to everybody: you don't understand what those offices have been doing since the past three days, and Ms. Lord took it, one of the higher priorities was to execute the MOU. We drafted an amazing press release, but people's lives far superseded our press conference or what we're going to do, so look for that to be coming out in the coming days. But I want you to know that we haven't stopped. Stacy's team has been amazing in the fact that we have not missed a minute. And when this all started, one of the things I said on the team call was: we have people that are dealing with the crisis at hand, but we still have to remember that as a country, as a nation, as an economy, tomorrow the sun will rise and we will continue to do work. And while we work really hard to ensure that we do our best to maintain the sanctity of life with each other and make sure people stay healthy, we know we still have missions to meet, and DoD, especially this industrial base, we're not missing a beat. So thank you guys, and look for Ms. Lord's press release next week.

No, that's perfect, and I'm gonna bring back and ask a lot of questions related to the accreditation body, and maybe take a little bit more into the model. Sherry, I wanted to come down though to you, and you're on mute, just so you know. One of the questions I got asked is exactly what a lineup is: what are the PTACs? Right, we talked about the PTACs, and we could talk in a minute about how the PTACs will help with CMMC, but what are they, even just generally, out there?

They are DLA's
award recipients. We issue cooperative agreement awards to them, and they're always a non-profit or a state, a governmental entity, or Indian tribe, and they pay part of the cost of running their PTACs, so they are as invested as the federal government is in their success. And their role is to provide government contracting assistance to businesses who are trying to get those contracts. So their assistance can be helping you learn who buys what, who buys what you produce, or helping you know how to find those solicitations, how do you get registered in SAM. Specifically with regard to this topic, they are going to be trained by those, I think you call them C3PAOs maybe. The people who are going to train these certifiers are also going to train the PTACs, so the PTACs are going to have the same great information that will be used to certify you, but the PTACs' reason for having that information is just to walk you through it, hold your hand all the way through your self-assessment, so that the businesses have an understanding of the expectations and how they can be successfully CMMC certified. And all of it's free. The federal government pays for the PTACs so that businesses don't have to pay.

Yeah, what...

We have PTACs in almost every state... sorry, Neil, do you want to go ahead?

I was just gonna lead right in so that you can talk about that, but in the chat, for everybody, as Sherry is talking about it, there's a link in there to the DLA PTAC site. So then go ahead.

Right, it's also easy to find your local PTAC if you just Google "DLA PTAC". If you lose the link or anything, you can always just Google it, and there is at least one in every state except for Hawaii and South Carolina, and most states have several different locations where you can receive your services. And again, it's always free to you.

Yeah, for those of you on early, you might have heard Vibha, who's our next panelist here, talking to Sherry about how great an experience she's had with
her PTAC, and taking full advantage of the relationship and what they offer, frankly, to your businesses successfully. But, and you're on mute, but I'm gonna ask you a question, because one of the reasons I asked people to come on in representing a CEO or business owner is we can talk about CMMC from a government level, and this is what it looks like, this is what we envision it, but I also wanted you to just see it from a business owner perspective of, you know, what are we looking at. And Vibha, my question to you, I guess, at the start here is: how different is what you're hearing, you know, CMMC is gonna be, to what you've already been doing?

So thank you for that question. I've been tracking this for a while, because I do pay attention very closely to the changing regulations within the small business arena, as well as anything that's going to impact me and fellow small business owners. I think there is nothing to be scared of. Obviously there's small business community owners, CEOs and other members from small businesses here; it's nothing to be scared of. And to what Katie is saying, I mean, this war doesn't look like it used to many, many years ago. It's really cyber war now, and we're being proactive, and we do have a lot of information that we need to protect. So this change that's coming, I see it as a step in the right direction. Level one, two and three does not scare me at all. I just feel like this is something we're already doing, we're paying great attention to it. So small business owners, let's embrace this; this is nothing to be scared of.

No, that's why I appreciate that, and I mean, that's what I think industry needs to hear out there, because there's various levels of experience we have. Some of us understand cyber; for some of us that's just a part of our operations, important, but, you know, we're more focused on what we do. And Kat, I might pull over to you on this, because just on a kind of a quick level, for level one, one of the things I've heard
Katie Arrington talk about in different places, and Katie, correct me if this has changed a little bit in the way you're messaging, but that many of us small businesses are really gonna be looking at level one?

Yes.

Okay, good. And for me, I always say don't worry about level two, three or four or five if you're not even one, right? So for this conversation we're just really trying to go: what's one? And Kat, when I look at level one, or when you look at level one, you know, forget about the FAR, forsake it, just complexity: how complex does it seem, or how would you describe that to maybe some of your customers who are looking at level one?

Yeah, I mean, I don't think that it's complex at all. There's certainly a few things that you might need spelled out, maybe need to reference somebody who knows a little bit about IT, but the great thing about CMMC, what they've done with appendices, which Katie referenced earlier, is really given those real world examples and taken particularly what's in 800-171 and spelled it out, in between giving the real world example. So that's awesome. And when I look at level one, I just try to think about who are these government contractors who are maybe working out of their house, right, they don't even have a space: can they do this? And everything that's in level one, they can do. Some things might be easier to do in a commercial space than at your house, right, but I think everything that's in level one can easily be done for those home-based government contractors, and definitely in a commercial space. And what Katie was also saying earlier, fairly inexpensively. You know, most of these things are things that you're already doing immediately when you get a computer, when you set up your home network. So there's a few tweaks here and there, there's things you need to be making sure that you're doing. You know, I wouldn't use free anti-malware and antivirus, always pay for something like that, but outside of those things, level one is definitely something
that's attainable for anyone.

Yeah, no, I appreciate it, and I'm gonna come back to that as we go along. Katie, one of the things that I was seeing, as this is rolling out and how it'll hit the contracts, there's all these questions people have about the rollout, and I know that your team is in the rollout, so there's a lot of questions you also have a new plate you're ready to answer. But I'm curious what level of answer you can kind of give us as, you know, longer term, not just the first ten: what's it gonna look like as CMMC gets integrated into contracts? Like, what should we be thinking about from the RFI to RFP phase and how it gets integrated?

First things first, right: security is not one size fits all. So most contracts that you'll see, they'll either be... so let me break for that DFARS clause I talked about, the one ending in seven zero one two. You have to be touching or transmitting CUI, controlled unclassified information. Out of the 300,000 companies in the supply chain, you have to remember, about fifteen thousand of those are actually those companies doing Level 3, CMMC Level 3. It's a very small portion. We talked a lot about government contracting, and remember that ninety-nine point seven percent of contracts are done under acquisitions under $350,000. You'll only hear about the super, super big ones, right, but most of the transactions that we move are really small. So the CMMC Level 1 was set up... you'll see most contracts actually have CMMC Level 1. But those that have Level 3, you won't just see Level 3; you'll see that the prime needs to be Level 3, but as the flow down of information goes, as we look at what the sub is supposed to be doing, that's the level of certification they're gonna require. So if the prime is required to do CMMC Level 3 and you're one of the subs, and all you're doing as a sub is providing a service that never touches any CUI, you're Level 1. And
remember that Level 1 certification that you got for that one piece of work is good for all of DoD work: OTAs, SBIRs, STTRs, grants. So one certification lasts for three years.

Let me ask a quick clarifying question on that. When you look at the levels, and there's five levels, and I think if I heard it correctly, we're really not anticipating a level two having a count, right? And then three... because you just said 15,000, so from a high level, what are you thinking when you say level three, level four, level five, how many do you see companies potentially having to go there? And the reason I say it is because many of us out there are going, "oh my god, I could be level five."

No, you don't. Point zero six percent of all DoD contracts will have level five, and point zero six will have level four. That's by our analysis right now.

We're not talking five point zero six, we are today...

Yeah, no.

Which is, and this is the message that would be great for... I know there's a lot of small business professionals from DoD on this call, and that's a lot of what they're getting, is their small business industrial base calling them to say, "oh my god, it's gonna cost me seven figures to get this and I haven't even got my first contract." Well, then maybe you're missing a piece of information, which you're sharing today.

So yes, and whoever just said that, I do have a New York accent, yes I do, I can't help it.

That's funny, you are watching it.

Oh, I am, I'm actually keeping track of all that. But I'm gonna actually let Stacy respond to that, because we really worked hard, her team specifically worked really hard, to ensure that the model, first and foremost... I mean, when we talk about what instructions when we started this, they were really simple, right? The founding pillars of the CMMC are: first and foremost, it must be economical. Second, if the eighth grader cannot read it, what did I say, Stacy?

It's not right.

Right, we've got to make it easy, and that's one of our biggest plans, is to make sure that,
you know, our assessment guides and the things that we're gonna provide make it easy for you to understand, and we drill it down. And one of the other initiatives that I'm working on, because I know a lot of people complain that "well, my program manager, my contracting officer haven't told me what I have is CUI or what level it is": we're working on documentation for them. It's the layman's guide to CUI, so they can quickly figure out what level their data is, drill it down, and how to disaggregate it, so when it goes down the supply chain we're not requiring people to be at a higher level than need be, and companies understand how to disaggregate that data to be able to get it where it needs to be, and not just hit send and send the entire drawing, but just send the portion that's necessary.

Let me ask you a quick housekeeping, just for people in the chat: if you're writing questions, if I can get you to put them in the Q&A section, we can begin to kind of rank them in there. We'll get to them after some of these prepared questions. But Stacy, going to what you just said, if I ask a tough question, right, most of my questions are... well, you can always say "there's technology, I couldn't hear that question, the dogs were barking." One of the concerns out there is that, like, I hear this: if it's level 3 here and the flow down is level 1, for example, what's to stop the larger primes from just requiring three and almost kind of excluding? Is there going to be training that we start doing with the larger primes to encourage that not to...?

Yes. It's also gonna assist them from a proposal perspective, right? It doesn't make good business sense for them to make somebody have to rise to the level of a three if they don't need to.

Okay.

And guys, at that point, in our, Stacy's one, so in doing that rule change, we actually know how much it's gonna cost, and we're not gonna pay for what we don't need. So we're going to be very specific in saying this only requires a level one, so if you make your
prime get, I mean your sub get, a level three, then you're gonna have to figure out the cost, because the government...

Yeah, no, that's... so that was my only tough question there. Sherry, I'm curious, I look at the PTACs and the DLA, and as they try to get engaged, I know you, through an email traffic we were doing, alluded to some tool, but I'm also curious from a higher level what involvement DLA is kind of lining up to support the PTACs that are out there, whether there's kind of centralized activity that they'll be able to do. I think, my opinion is, they seem, you know, a little bit more independent or decentralized, but something like this, a centralized approach could possibly help. What's DLA doing to line up, or, you know, what do you guys have lined up over the next year, to your vision?

Well, I can tell you that we started training the PTACs two years ago, maybe even a little bit more, when the DFARS clause that Katie referenced came into place, and we worked with DPC, OSD DPC, and the OSD CIO to create a self-assessment checklist, and then we distributed it to the PTACs and trained them on how to guide businesses through that self-assistance, self-assessment, excuse me, checklist. So DLA coordinates with OSD to help bring the expert trainers to the PTACs, and the PTACs have a training conference two times every year where they hear from us and from other government agencies, because we make sure that their training stays very relevant. And moving forward with the CMMC, we reached out to Katie and asked if she and Stacy could provide that same training at the PTACs' conference, and we just had one in Chicago, and unfortunately they weren't able to attend, but they coordinated with Project Spectrum, who is an OSD contractor that is contracted to provide training for the PTACs and for other small businesses. So they have a website, they're not completely stood up yet from what I understand, but that's called Project Spectrum dot io, and it's a really good news story, because
that's actually a small business called Eccalon that is a mentor-protege, and the OSD Office of Small Business Programs has a contract with them to provide the training. So we plan on leveraging Project Spectrum, and we are continuing to provide training through Stacy and Katie and their team and resources. And as I already said, Katie has arranged to have the PTACs trained along with the certifiers. And I also wanted to say, Katie reminded me, the PTACs themselves will all have to be Level 1 CMMC, so any business that comes to a PTAC for assistance with CMMC certification at Level 1 will know that their PTAC has already been through it.

And we wouldn't be able to do this, in all honesty... now granted, I said I have a New York accent, but I was a legislator in South Carolina, I love South Carolina, we don't have one, but we need... when we started this, I mean, if we don't have the PTACs... I mean, they've done a fantastic job over the past year, just the training that I've actually been to or participated in. We absolutely... the accreditation body, one of the first phone calls that we had with them was, you know, "hey, we need to get the PTACs ramped up and ready to go," because they're, for small business, you know, I say the bridge or the connectivity to help them understand how to do business. So I can't say enough about PTACs. I was actually on the phone with Senator Hirono today, from Hawaii, her staff, and they're like, "why don't we have a PTAC?" So coming, somebody in Hawaii is gonna have to set it up, but they're essential. And we in the government, the whole CMMC, you know, revolution is really about using what we have at our fingertips and just coordinating and consolidating. All of these different standards have been there, the DLA and what they offer have been there with the PTACs. It's bringing everybody together and making the best use of all of our combined knowledge and our expertise and our passion, but moreover making the best use of taxpayer dollars. I mean, that's
like, being one, we had to buy down the cost on this.

Sorry, that's really quick, Katie, because before I move on to other questions, as it relates to the way, you know...

No, no.

But as it relates to the way the communication happens, am I correct in saying it kind of this way, softly, right: you have PTACs out there, almost your first touch point, because they can guide you there, so you should be talking to your PTACs, getting to know them. PTACs are getting their guidance from the accreditation board and DoD, but the accreditation board is then answering to DoD. So it's like, there's your chain of command. Yes, you can go to DoD and look at their website, yes, you can go to the accreditation board, but there's a lot of interpretation that might happen, where when you go to the PTAC you're getting counseling, I guess, or, you know, that basic, that's Baltic Service now.

That's exactly it. Like, so the AB body is gonna be about training the trainers, right, and making sure that the people doing the audits are inspected and overseen; the training is that whole issue. When you're a small business and you have a question or you have a challenge to get to work with the government, that's PTAC, that's down there, those guys.

One more question... yeah, I do. They're right there. Oh boy, yeah, a minute ago Stacy reached behind me and touched you on my screen, I was like... Question, because the PTACs are so valuable, and I want to come down and ask with Vibha and Kat from a more on the ground, boots on the ground kind of questions, but from the PTAC, I see the invaluable contribution they're going to make to this. What has DoD thought about as it relates to the Veteran Business Centers, Women's Business Centers, Small Business Development Centers, and, B, the SBA general field offices that interact with a lot of small businesses, even the 8(a), right, the 8(a) business opportunity specialists who work with all the 8(a) firms and other small businesses that are reaching out? Has there been talk
yet with them at that level that's similar to the PTAC or is that in the future or is that a good idea uh well I can tell you from the PTAC standpoint and then I'm gonna have to pass it over to Katie to let you know what she has thought of but those other programs that you just mentioned are all owned by SBA they are not DoD programs so I think that probably Katie and Stacy reached out to the PTACs because the PTACs are a DoD program and they can control us they can they have the ability to leverage because we are their asset we don't have the ability to set terms and conditions for those SBA owned programs however the PTACs do collaborate extensively with all of those programs and I work with SBA leaders to foster that collaboration and to kind of keep our lines clear about where our support has to start and stop and where their start and stop because we are all the programs are operated under statutory authority and our our mandates are pretty clear in the statute and so for example PTACs can't help entrepreneurs set up businesses and they help small and large businesses the SBA programs are supposed to help entrepreneurs and they are only supposed to help small businesses so there are some differences among the programs because of the statutes that authorized our funding but we work together to make sure that businesses get what they need so PTACs very often make referrals to SBDCs or to Department of Commerce has programs called Manufacturing Extension Partnerships the PTACs collaborate with all of those programs no that's for in and that's kind of the idea down the line is where they all interact because a lot of us sometimes might feel the message is confusing out in the field and if we could start going PTACs AB DoD it gives us a path that you know many of us who are on the call and communicating b-but I wanted to ask you a question on as it related to just interacting with your existing customers and your existing primes because although it is you know 
the way the message is right now is we're rolling out kind of slow with CMMC but your customers are going to be getting to look at it themselves you know your large primes especially since you play in that world what kind of advice do you have for the smalls that are on the line about beginning that dialogue with the folks that are out there and remember you're on mute thank you for that question Neil so we work with the many large primes whether it's a ManTech CACI Booz Allen and what we have seen is especially getting the education currently from Katie and Stacy today it's it's I was feeling pretty comfortable about this whole thing but even more so now as a small business that if they're going to give us swim lanes that we don't need level four or level five and we really just need to be level one or level two I think that is a tremendous ease of mind to me and to businesses like myself already and so you know we do look as a small business owner I do look at you know RFIs that are going out fully and open and I start marketing our company's performance evals what have you to larger companies and this would be another layer which I think is really a needed layer this is is here to protect our country and all of us so I think I will be vigilant but I'm feeling very much at ease listening to Stacy and Katie that it's not going to be a broad brush approach that for small businesses you give us a swim lane if that insisted it does in and I'm winking it's given me tremendous confidence that really the bulk is that level one we want people to start going to three but level ones where the bulk is and that's where people need to start and Katie or Kathryn maybe I come back and ask you about level one because a lot of people on this call haven't looked at the CMMC sorry Katie it's great you know so this part of this call as I wanted to say look at the 17 practices on level one for a second and really see them for what they are like what is saying that they're pretty 
straightforward and they're what generally we've been doing it's what we would do almost for our house let alone our business which is a revenue generator and a job creator so can you share a little bit about some of the examples like I know three of them are virus protection related can you share a little bit examples of just what's in level one from a kind of ease of ease of knocking them out yeah absolutely so um well I mean let's it the virus protection one so that don't like the system and information integrity domain and the very first one for level one is patch management and that's very much automated right so you have your computer you make sure that you're downloading security updates and critical updates from Microsoft for your for your system and then the other three within that domain are antivirus anti-malware type things so making sure you're paying for a good anti-malware and antivirus you could use you know just AV sometimes anti-malware doesn't play well with certain things but a lot of people use both making sure that you're using that and that's going to be real-time kind of scanning things making sure you're updating all of those definitions which is typically just flipping on a switch within your AV or your anti-malware program so that it's automatically updating those signatures and then the third thing is just to periodically scan your system and and that sort of plays into the one before so if your antivirus and anti-malware are constantly updating the signatures then you want to scan your whole system for maybe files that were downloaded a month ago or a couple weeks ago and then you rescan with those updated real time real world virus signatures that are out there and do that against your files that are already on your system so so much of that branch is automated right she's turning things on painting a program installing it and then just remembering to run that every now and then and there's you know when you look in there there's like 
four that are just on physical access alone which is kind of what you're doing with your house don't let anybody once they yeah they say it and keep the doors locked track the keys I mean my wife does that all the time where the heck's that key we have a spare key it's gone you know when you look at that are there I know one in there I had a question for you about sometimes if we're not familiar with the jargon it might get a little confusing but but when we hear it and maybe an analogy it's less confusing but what's the difference between a an internal network and a publicly accessible network right when they are a system they talk about that you know a lot of customer example or so leave us on the call yeah absolutely so your internal network is you know your server with your files on it and your computer in your office and then obviously there's the internet right so you have your public your website the public can all go to your website presumably it's not behind a house where do you want to out there so that people can go visit it so there's controls in level one where it's like hey don't put FCI out there on your website which is kind of a no duh right but these another pardon what's the acronym of FCI federal contract information so I mean that's important for people to understand just yeah I'll take an attachment just throw it out there that has a contract exactly so you don't want to put that out there and I think the example in the in the CMMC in the appendices is about your marketing team right hey I want to start marketing and saying we're doing all these things well just be careful what you're gonna put out in these press releases and make sure that it's going through an approval process and that the people that are posting things are limited right you don't want everybody able to just put information out so a lot of that's just procedural make sure your social media manager or your website manager that they're trained and they know what they can put 
out and what they can't what they should ask for permission on that's okay would you just said it's you know I joke around when I go out and like the first rule of Fight Club is don't talk about Fight Club right did he do such a bad service to ourselves I get being fully transparent we created sorry I'm Saddam I like the CMMC in a completely transparent collaboration with industry but know that when you you go on your website and you say that hey we're working on this program the world is watching and you have to be careful and you have to be you know we need you to have the critical thinking skills around security about how do you buy down the risk telling somebody that you know we just want a contract doing hypersonics and we're working on widget why for this Department of Defense Khan we you shouldn't want to do that right it's it's that we want you to be able to tell the good news story that you've got work that you're doing greatness but we also don't need to make it easier on the adversary on how to get to you and that was one of the big things on the model um Stacy and I spent hours with the team arguing the fundamentals of do you post your set your level certification on your website do you do you tell people what level you're certified at and I said well you should say you're certified but if you say you're only certified to level one then I know what you're not doing and I know how to get around that and that's you so it's it's the devil's in the details in this right because we are at you know it's it's worth cyberwar whether you know you want to be you know it's not with a particular adversary it's just it's all-out war because it's such an easy way for people to want to get to us right it's you think about kinetic weapons and it takes how many years did we develop and plan the F-35 ten plus years think about how much tax dollar investment went into the R&D of the F-35 and China's flying a plane that looks just like it right the same canopy flaws that 
we had my mother always said imitation is the sincerest form of flattery I'm tired of China I'm tired of North Korea I'm tired of Iran and tired of Russia um you know copying me so we have to we have to really think about what we're doing why we're doing what we're doing I that's part of the biggest about the CMMC model is why do I need you to have critical thinking about cybersecurity because it's not just one adversary it's an entire environment and kinetic when you make that weapon it's very finite it is a very limited area of impact where cyber is low cost high impact area you can throw a thousand things out and if one hits and one sticks good so we needed a way to get to it so I'm what you said Kat was so spot-on though don't well you really have to think about what's putting on your website which put on your LinkedIn profile you know and if I can add on to that sort of real world and I know that you've talked about this too but you know in a previous life I was a targeter and we would have targets right we would have people or other things that we want to know more information about and a lot of people who you might target they might know that they're a target right so they have great OPSEC they don't have a LinkedIn they don't put stuff on their personal Facebook page but those people have moms and sisters and cousins and they go to parties and they do things there and so so much of what we would learn about targets were from their network great and so this is where the DIB comes down is sure maybe the Lockheeds or whoever are super locked down with what they're doing but all I have to do is find somebody in the chain down below who is not living up to what they said they were doing with CMMC level one or even level three and just start to work in that way and I think you know one of Katie's examples before and Stacy you you hinted at it was the idea that maybe somebody that's doing something a very small piece of the project doesn't need the whole plan 
doesn't need the whole blueprint right and so but if I'm going after you if I'm an adversary I'm like oh let me look at this person who happen happens to be in the supply chain and I get on there and I'm like great they sent them the whole blueprint all they do is make glue but that's my way and then you start working up and then yeah rent the office next door and then you start chatting them up and then you try to get a job there and then all of a sudden you have all of this extra information because you know they're a weak link and that so when you think about you know our cyber assurance testing that we do in in the DoD and you go through that that's exactly it and to think that people aren't interested I always have to smile when a company says why would they care about me why wouldn't they care about you I mean the IP on how you run your small business may not necessarily be in code you developed maybe it's how you answer your phones and you get your product shipped and your quality assurance testing that makes your intellectual property unique protect that that's important and when an adversary can get it and it doesn't necessarily mean China Russia North Korea anybody and exploit that you should want to protect it we're doing the CMMC because we're we want this these small businesses that literally are the backbone of the industrial base they are the bedrock to be there today like I said in the beginning of this you know we keep moving on the CMMC because the sun will rise and we do have more you know things to take on this is a big pandemic right now but we have a future we have a long long lifespan in this country that we have to get through and working together and making sure that we understand that in the internet of things and we're all sitting here on Zoom over 260 people this afternoon and we are all connected think about that you know a hundred years ago what would it take to get 260 people in a room together I mean let me bring it back because a 
lot of those two six you have questions and so I'm going to switch the questions faster I think to make sure we get as many of theirs and that's just the ones I lined up but one thing I wanted to make sure we're hearing these examples and they're really driving to the you know the why behind a lot of this but I want to make sure those of you listening also remember that when we talk about raising the tide we're talking about getting the level 1 or getting the level 1 remember if it's not a heavy lift right there's other things that'll be bigger challenges and so that you know when you walk away and the questions you're asking this is a big part and so as I go through the questions I'm looking for the ones that are going to be talking about mostly level two and one maybe three any four is advice I'm gonna keep on going down and some of them I'm gonna cruise through so I want to come back to the PTACs because this is a question that is sitting at the top but it's got a lot I know you touched a little bit on it Sherry from training but I might spin the question a little bit because the question is what training resources are available for the PTAC to you know get the word out there but also I'm curious for the PTACs is there a central place that you know those personnel should all be going to is that that new tool you talked about or is there a like a deal a site specific for PTACs right they should be going to projectspectrum.io and Project Spectrum has reached out to all of them and asked them to schedule their dates for training so projectspectrum.io is there for them and once the certifiers are ready for their training the PTACs will receive training from them but but that's not ready for them yet in the meantime the PTACs have already been receiving training and can continue to receive training from other entities at the conference that I attended with them last week they received training from several different training providers left burying professionals 
was there and trained them I think Totem was there and trained them so they're there is a wide variety of training available to them but really it's not time for them to be focused that heavily on it yet the projectspectrum.io training is due to roll out on April 18th and then the training from OSD CISO is going to come later so right now the best thing for the PTACs to focus on is going through that self assessment checklist that they already have and seeing what questions do they have where are their weak areas and then focus on training themselves on on those weaknesses you know if they if they can't answer the question for a business what is multi-factor authentication then they can be figuring that out right now while they're waiting for the Project Spectrum training yeah can I just quickly s or no is that checklist available that can go out publicly to like the smalls to be able to follow that same checklists or is it only internally available no I believe that's available for anybody that's probably is a published document and it's the scored self assessment checklist so it assigns a score to the different items of the of the NIST 800-171 and so they can learn which things will raise their score higher faster so it's publicly available I'm sure and I'm gonna kind of go through these questions fairly rapidly to see how many the panel can answer because there's a lot and be creative thinking we can answer as many Stacy I was gonna throw this one your way because I had written something similar to this in my prep and I see it here but there's a two-part question first is I was gonna ask there's different stakeholders in the entire CMMC process right there's small businesses maybe there's people who are helping them get cyber ready or something I've heard the term auditors assessors can you talk to me outside of the you know like Vibha probably talk to me in a minute about who she uses but the auditors assessors I know they're not ready you know for 
primetime but what are those roles we just kind of get used to the right terms that are going to be coming down for who could help us be CMMC one for example and then somebody asked here a bigger question who can perform the CMMC audits so they're gonna be the C3PAOs which are the third-party assessment offices right the cyber or CMMC third-party assessment offices and those will be the ones that the accreditation body will train and certify and occur to come out and do the assessment of your company right to be able to validate that you meet the standards and the requirements of the model another side of those companies will also be able to come out and consult now what we have asked strongly is that we have a conflict no conflict clause from the accreditation by this and you can't go out and consult with the same company you accredit because there's a fine line for yourself like an ice-cream cone exactly so we've asked that there be rules and regulations from that perspective because what we have to make sure of is that this is is rolled out and everyone is treated in the same consistency to make sure that when we have an audit it's a valid audit and we can count on it right so you're gonna have two sets two groups that are gonna come through the accreditation body ended up itself also have ability to train and reach out and do some outreach for some of the smaller companies to help them come along as well so from the stakeholder perspective that accreditation body is where you're going to really want to focus your attention because they're gonna be your resources to help you get your prayer company through the process and get to be able to achieve your certifications is that throw this question somebody asked it but I'm just gonna say it's answered about what are the general requirements for becoming a C3PAO C3PAO and and but the body is the one who will be putting out that information right so go to the website right and they they will have a registration site 
for classes where people who are interested in becoming those assessors can go sign up get trained be tested to make sure that they can meet the certification requirements to be an auditor and at that point in time they will be able to go out and perform assessments they'll come out bill they will perform us an assessment based on the the guidelines in the model they will produce a report that will go back to the accreditation body the accreditation body will do a QA check on it and they will issue your CMMC level to the cop okay perfect and then for Kat there's a questionnaire it says I don't you can see it but you know what's your perspective can you see it you tangle at one of them but I like summarizing if I can yes so I mean it says what's my perspective on the role of an MSP a managed service provider and a CMMC accreditation chain and if if my clients need to be certified do I also need to be and and I would say yeah I mean absolutely if I have access to your network I'm access to the place where that CUI is then I need to have a system security plan I need to have all my ducks in a row we are currently going through that I mean we're paying money we have you know two different auditors that we're talking to that's going through things we're making sure all of our policies and procedures have all of our you know i's dotted and t's crossed and everything's in a row because again talk about targets like you don't want a trunk slammer who doesn't know anything about cybersecurity have keys to your entire kingdom that's just that doesn't make sense so you got to lock up all those places so MSPs absolutely and they should have all the documentation if they can get certified we'll see hopefully they can and then they'll be able to say that and that will be a way for people to choose a vendor yes and so one of the things you know the 8(a) program does is make sure that the principal owner is a US citizen I think that's very important and another layer that we can add 
because it's really you know that's a lot of delicate information and we want to make sure the right companies have it is also just a potential idea is a US citizen with top-secret you know it opens a lot of the world of the veterans that have served to be able to start those companies I think there's tremendous trust as you know you don't want the wrong people becoming auditors as far as your LinkedIn search on top secret it says right there don't post it hey Katie let me ask you a question that's been on my mind and I see it popping up here but if I use Office 365 use an example if I use Microsoft Office 365 their E3 version which is the business version that's out there that many small businesses might be using on the DoD side should I be looking at having to get off that it do you know anything about Microsoft that they've already got a lot of protections in place and this might piggyback also off of Kat but so part of one of the big things that we've worked on is getting cyber security as a service right that's a big deal I talked about CMMC level 2 and how that's the bridge to help small businesses look at the investment do you want to make the you know to Kat what Kat was saying you know as you're going through all your inspections and audits do you really want to organically own that capability or do you want to get cyber security as a service so the part of the what of the accreditation body will have is we're working with NSA and another couple of entities to create a testing environment that the right tests so that you can actually use you know Microsoft if they were to put together a a package that a small business can you know buy a-- you know buy this is a certified product that will provide you all of these component parts of the CMMC as a service that correlates if and when I started this whole movement back last year it was that if I if we mapped out exactly what the small businesses would need as capability that the industry the market would 
respond with packages that align to it and they have you'll see when the AB marketplace comes out that you'll actually see you know I can't say because I I'm not in charge of products but I have definitely and Stacy and I have definitely sat through hundreds of companies that have come through and demonstrated their packaged products to able to provide to small businesses as the way to buy down the risk buy down the cost and have the capability at like level 3 or you know what kind of products suites you'd need to have a level 5 Stacy do you want to add anything to that well take off mute right yeah no it's a hundred percent I think that you're gonna see a burgeoning industry for certain security as a service and I think the accreditation body is who we're kind of leaning on right now to help us get those products through and tested and approved and they will have on their marketplace a listing of different products that can be used that meet the standards in their requirements that's going to be part of their marketplace as well and it's not going to be the pay to play right it's here's a group of products that were to do this capability what we don't want to do and and I'll say the accreditation body is a Coalition of the Willing we we don't want it to be that you know you have to use product X right because that's stifles innovation that stifles what the whole point of the CMMC is about it's getting the right tools to the right people at the right time at the right cost to do the right thing right now that's pretty it's funny I was scrolling down what we were talking and there's other questions related to this exact same thing which is perfect hey quick question Sherry on your side I don't know if it's been answered already but how do PTACs receive the self-assessment tool so this is coming from four or five PTACs how did they get it I received it how do they receive it's in locals they received it from me and an email to their program manager so it's 
possible if a PTAC employee is asking the question their program manager did not pass it down to them and I can send that out again and we'll but we received that December from OSD DPC so I distributed it probably less I have to break for one second I have a very quick call that is urgent all right so this next question in and I don't know Stacy probably falls right into your world is on CUI because this is something that I'm sorry with Vibha about a little bit before the call and and understanding CUI data when you type you know a lot of us who are HUBZone firms for example try to influence a contract to go set-aside HUBZone by convincing them that you know we can do it it's the same thing with any of the requirements that are in a contract is there and so I guess there's two parts to the question right how can maybe smalls do that and then what assistance our Contracting Officer is getting because right now there's contracting officers which you guys probably know who are confused about the process and so and I know you guys have an answer so just more broadly what advice can they get so one of the things when you talk and CUI and what is it we're working with DAU and to put together an entire training program for both program managers and contracting officers so when a program has CUI its marked appropriately because that's like one of the biggest things we've heard from most of the contractors this nobody's told me I have it right so the way the process should work is that when you get it the RFP it's going to tell you what is considered to be CUI in that program and then we'll be able to aggregate the data so saying you have something that's just level 3 and you're gonna have subs underneath that some of those subs may not necessarily be handling that CUI so they'll only have to be a level 1 at the onset of the program the program manager will be able to at a high level identify those areas where the and the levels of the data after contract award what 
we will expect is that there would be a kickoff meeting where the program people and your I have to put in a gig for this security information security officers because they're gonna play a big part in this as well to all get together and discuss the data because I know for from the primes not all with a this is do you have all your subs laying flat when you put your proposal together so you're gonna know at a high level that I'm gonna have to be level 3 and these subs may only have to be level 1 but I haven't decided how I'm going to handle this one other section so then you're gonna have to have a conversation with your program person to identify that the levels of information and how they flow down and then when you get a sub you're gonna have to ensure that that sub meets the certification or they can begin work on the program and it's right now there are no waivers we're not gonna have waivers you either are that tickles Missouri right we've either are certified or you're not and you know one of those discussions I had with a one of my colleagues the other day they were saying we need an exemption I said when we have a classified program where we're giving secret data we never say oh we're gonna give you an exemption you don't have to meet the secret classification level you have to do it same with CUI because it's such a huge issue with being an open wound where we lose so much information because of our adversaries we have to lock it down does that answer exactly what you were looking for Neil it does and and that's part of it too it's evolving thing that's one of those I really want people who are listening is to realize that everything about CMMC is a little bit agile in the sense that learning as you along you've got the big picture solid and as you move forward you'll begin to fear about weather just when you that's you I lined up for so our 15 programs that we're going to start with or as our initial rollout is gonna be a wealth of knowledge and experience 
for us as we walk through it and I I promise you that we're gonna find stumbling blocks as we go through you we're gonna have to figure out and come up with processes and procedures as we go because note no two programs are alike but if we get the methodology down if we get the way we can work it through set and I think that'll help all the explain it and train it throughout the process your mute your mute Katie young it I am you there go so what would be ideal what what is the the dream state right is that we all embraced cybersecurity as much as we embrace safety every day and think about that and and the long haul so the the contracts that we're rolling out will we find problems you bet you I mean this and I ask this of industry and of the PTACs and of the small businesses we yes can a small business put the price of the CMMC yes we're going in security as an allowable cost that's what the whole point of this is let me take your indirect rate there's other questions I just wanted not count to make sure because there's confusion in here that it's really important to me that I like you just rapidly go through because somebody is asking and clearly I'm causing some of the confusion just right now this kid of small business self assess or and certify or or or we require to go through PTAC so it's not even the self assess it's like I'm it somehow the messaging across that it is not PTACs certifying and then came out and the PTACs are not going to issue certifications they're gonna get you ready you're still gonna have to go to the accreditation body and request that you have an auditor come the auditor will come and do an on-site visit to go through your your your evaluation and issue the only people that can issue you a license are going to be the accreditation body the auditor is going to submit their report the AB then submits your license number there's the PTACs are there to just help you get ready if there's questions if you need help or or guidance on 
how to get to things that's their role clarify the one thing though the PTACs are gonna are there to serve as guidance to give you you know tips they're not getting you ready right I mean just because people like questions away and think that then they're the I'm assuming right they're not coming into the companies and getting them ready now the PTACs can't do the work for the business but the PTACs can provide the checklist they can explain the checklist in terms that the business can understand if there's some you know jargon that the business isn't understanding or more likely an expectation like what can I do to meet this expectation the PTACs can help with that but the business is going to have to go implement the multi-factor authentication and find you know apply to the accrediting body the PTACs just to help her just like Katie said and just expanding on Katie that's self assessment just because that question got asked multiple times in here as well there's no self-assessment process you prepare yourself if you address that just that make sure they keep her it again we are not the whole point of what we have currently is self attestation model where you say I'm really good we need to trust but verify that's the whole point of the CMMC so you will receive tools where you can walk through these to find out where you are but there will be no self attestation the government will accept the Department of Defense will accept here's why right so we have to trust but verify we need to ensure that you're actually implementing the controls that we need you to do that we're validating that you're implementing the controls because we're going to be paying for them so we want to ensure you're doing them and then the last thing on why we're going to make a CMMC certified auditor come to you to do you is because we're buying down the risk of foreign ownership and shell companies right part of this is that we're gonna make it really hard for those people trying to steal 
our IP take our our hard-earned tax dollars we're gonna make it harder we're gonna buy down the risk we're gonna buy up the uncertainty on them and in that Delta is where you guys as small businesses for the most part do amazing things right now the adversary has he has the edge right they can set up shell companies they can fake Kate they're they're stealing CAGE codes they're stealing your CAGE codes and actually routing false payments to them it's happening so the the whole thing of self attestation is because we need to trust but verify the audit for CMMC level one is so easy and will be so low-cost I promise you it will not be that impactful it just will make you a better person better business to partner with and that's perfect thank you and I'm gonna answer a whole bunch of questions here could the panel I'm gonna just do a clean up a bunch of them tell me if I get any wrong there right one of the questions is where what are the DFARS clauses they're in their documentation you can find them on the links that are in the chat that we keep putting in there so the DoD and the AB site you can find them there and they're tied directly to each level the next one was in Germany are Clause one its DFARS to five 2.20 4.70 one two dash taken me 12 yes and then this question was Katie approximately 96% would be level one or two what's the estimated percentage split between level one and two and thinking I was here you say we're not really trying to target anybody - - it's just gonna be it's gonna be the bridge for to get from 1 to 3 but the bulk share of the contracts that we have will be CMMC level one point zero six percent are estimated to be at level five point zero six percent at level four I would assume that if you look at the the amount of cleared defense contractors we have today CDCs they're less than fifteen thousand so well over 90% of the the supply chain will be CMMC level one here's a question for the PTACs and if I heard correctly PTACs have to be
level one certified how will this CMMC audit cost be paid DLA OSD etc so this is coming from the PTACs the PTACs will charge that against their PTAC cooperative agreement there you go answered live just remotely through a lot of these the so one of the questions I had for you Vemma is just what kind of advice you have other business owners because there's I'm assuming there's some stuff you do internally to get yourself prepared for level 1 or even level 3 if that's where you're going and then how do you make some of the decision of who to who to work with as external vendors to help you with some of these cyber needs so thank you Neil for that question definitely keeping a good cyber hygiene for all small businesses just like we do for a home it's not very difficult level one again is something you can maintain very easily level 3 obviously I think we will we are Beijing I think it's in May or June it's opposed to the decisions are are made and they will you know there'll be guidance to us we're ready people as I understand there will be two different business one would come and first do a precursor and then there will be another so I correct me if I'm wrong Stacy but will there be two vendors that we actions so it depends on you if you choose to have a vendor come consult with you to help you get ready then you would have and then you would have to have another vendor that would come do the assessment if you yourself go through the assessment guide so that we put out online and you feel ready then you can call an Assessor to complicate your company from the get-go you don't necessarily have to have a consultant come in so it just depends on your company paradigm whether or not you have internal people that can interpret and get the company ready or not thank you for that Stacy so in in our case Neil we feel we we can get ourselves ready usually the rules that are put out there they're pretty easy if you follow it to the T and our team is very good and we
would we would do the first part ourself and then then wait for for the guidance as to the vendor we would pick no that's for and I might go to you on that same question but from a because you know this is kind of in your world some guidance you might provide of how firms can choose other companies that could help because the CMMC folks Ella Laura Katie and others have put out these notices you know unethical business practices out there they're like a better way but there's ethical people out there who can help you what some of your guidance on how we can identify and vet them out yeah so I would just say the things that I've seen just from watching you know some peers first of all there's some awesome people that are in this new like ecosystem right CMMC consulting and I've learned a lot from some of them but the things that I've seen from people that kind of make me stop and go hmm are the language you're using a marketing and right like come to our webinar we'll get you level three certified like that's we're misleading it's not good marketing it's not ethical so watch for that but I think the big thing that I would do is when you're looking at a company cybersecurity is very different from the auditing world go with a company that has an auditor or that's working with an auditor who or who understands that side of it and I only say that because so much of this is about the documentation and that is the auditing world right so much of level-3 is that you're writing it down that you have these policies and procedures in place and that you can show that you're following them and you're doing them so that's a mess my personal opinion but just look for people that are established that maybe have people on staff that have a background that can talk the talks I can and in that are you know making those right hires so you might come across a company that doesn't have an auditor but maybe they have you know a wealth of experience in it and everything that they're saying
sounds good maybe they go get certified as one of these third-party groups so like that is going to be a really that's going to be a big marker a good badge if you go with a company who already has that right they're auditing other people so why couldn't they be your consultant but if you don't go with somebody like that and I would just be really careful and look for people that actually have experience I'd agree your best bet is to go with somebody who's gone and taken the training and tested out and and has the credentials to be able to understand exactly what they're talking about Hey before I close up and thank the panel I did want to just restate something I hope the panelists agree solidly with that for any of you are on and I'm so excited 200 plus people have stayed for 90 minutes for this that as you look at CMMC you you have questions about it and you you're planning your own strategy around it look to your local PTACs as a great source of folks to talk to and then the escalation path is the accreditation board their website has a ton of information and the people who keep joining the committees helpful and then frankly the last resort kind of like an OSDBU is the last resort compared to a small business professionals the first resort the DoD is there and they have their site etc so there's kind of your path I was gonna throw it Katie your way to kind of close out or any last minute message you want this group of people to know and to pass along to our three friends so that's the first thing right we need to make sure that the the passed this information along the best word of best marketing the best way to get the entirety of this community is you if you make post on LinkedIn if you reach out through your professional network and say hey this is coming can we collaborate can we talk about it it's the best way the other thing I'll mention one of the other issues is this you know how do you how was your company looking at your
security as a posture so if any of you are struggling with your leadership or your C-suite but they don't understand this please reach out to us we are more than happy to engage and educate how a company is postured on their cybersecurity is absolutely going to be very relevant to how businesses need to be valued without the throughout the ecosystem going forward on your cybersecurity stance how your company is prepared and reacting is going to become paramount so any kind of collaboration that Stacy and I and our team can do to help you let us know feel free to reach out for sure no that is perfect and everybody has the LinkedIn contact on the Flyers etc so I want to thank our panelists for sure for coming in for being so early that we had no technical hurdles on a time when Zoom is experiencing probably a thousand percent usage right now and I want to do a special thank you to a cat for stepping in at last moment and helping him deal some of the logistics and last one is Cecilia's my silent partner on logistics and been answering all the questions on the chat or putting out on the links or something thank you for that if anybody has questions feel free to reach back out to the folks that are on the panel or reach out to me and I will point you right to a PTA
Info
Channel: Neil McDonnell
Views: 1,837
Keywords: #HUBZone, #Small Business, #PTAC, #SBA, #SAM, #DSBS, #Capability Statement, federal contracting, govcon, neil mcdonnell, government contracting, WOSB, wosb, woman owned, GSA Advantage, Proposal Writers, Capabilities Statement, veteran, win contracts, procurement, fbo, 8A, 8a, 8A setaside, 8a program, set-a-side, setaside, GSA, dynamic small business search, dsbs.sba, DSBS, US Federal Contractor Registration, Contracting tips, matchmaking, win government contracts, cmmc, katie arrington
Id: 2XXkf0SUv-M
Length: 87min 48sec (5268 seconds)
Published: Mon Mar 23 2020