CMMC Rollout and 2021 Outlook for the Defense Industrial Base (DIB)

All right, everybody, um, this is our first session today. Um, I have with me Ms. Stacy Bostjanick. She is now serving as the acting director of supply chain risk management for OUSD, and I think you may have some news about that. In this role she is responsible for managing the initiation of the CMMC program and is responsible for establishing all policy and procedures with regard to CMMC. Previously she served as the DIA head of contracting activity, in which she was responsible for planning, managing, directing and accomplishing the total DIA procurement program, specifically for that one program within DIA, and also she worked as a senior contracting officer for MDA, Missile Defense Agency, where she was responsible for cradle-to-grave execution of over 5 billion of highly complex, cutting-edge contracts for our nation's missile defense system. So, breadth of wisdom and experience that she brings to her current role and to our talk today. So before I hand it over, basically what we're going to try to accomplish today is, uh, Ms. Bostjanick is going to talk about some of the recent happenings with the town hall that just happened not too long ago, and also too just some latest breaking stuff that's happening this week and last week and really just over the last couple weeks, I guess, really giving overview, and then we're going to hit some questions, some questions that may have not been answered at the town hall and also just some general questions from our, our customer base and some of the folks on the, uh, at the conference today. So again, Stacy, thanks for joining us here in Virginia, and, uh, yeah, I'll let you go and take it from here.

So one part of late-breaking news: Mr. Buddy Dees is going to be taking over as the director of CMMC, so, and I'll still have my fingers in the, the pie, I'm sure, on a constant basis, but Mr. Dees is very well versed and very capable of handling it. Wonderful, wonderful. So, um, but for CMMC some of the late-breaking and interesting news is our C3PAOs have been
begun to be contacted by the DCMA DIBCAC team to set up their level three assessments, and they will continue, uh, to work with each of the C3PAOs as they become validated and ready for prime time to get in and do their level three assessment, because we do view the assessment documentation that they are going to be handling as sensitive, and we want to ensure that that data is held in the highest security, because this is the, the roadmap to a lot of these people's networks. Right, right, and I guess regardless of any of the debate whether or not it's CUI or whether or not it's a certain data type, it still needs to be protected, whether... And so, you know, one of the raging debates on LinkedIn was it can't be allowed to be CUI because it's not under a contractual relationship. Sure. But it is, because we have a no-cost contract with the CMMC-AB, and the C3PAOs are going to have a contractual relationship with the AB as their sub, so either way you look at it you can make it CUI. And I, but I would tell you my comfort level is it needs to be handled as CUI because it's sensitive data. That's right. So that's where we want to go with it, and, you know, I think it only makes sense that these companies are held to the same standard that they're holding others to. Sure. You know, and it's a, to a double-edged sword or a benefit for these C3PAOs, because they get to experience an assessment, right, by the DIBCAC assessors, who have already been trained and examined, gone through the examination process with the CMMC-AB to make sure that they are appropriately trained. They have years of experience because they've been doing the DoD assessments for us, so they have a lot of experience. So these C3PAOs will get to experience what it's like to go through an audit on their own, as well as they will be the ones that will now be performing those audits against the, um, OSCs, right, the organizations seeking certification. That's the CMMC-AB term. It took me for a minute. Yeah, yeah. Oh, it's amazing. It means something else to
me. Right. So, so anyway, so that's where, um, the C3PAOs are now. We have a hundred assessors that have been trained and, uh, examined and have gotten provisional acceptance, and the reason why they're in a provisional phase is because we're still in the interim rulemaking process. The interim rule became effective on November 30th, which means we can now implement it and make it a requirement in contracts, a contract requirement for award, but we are still going through the rulemaking process. So in that vein, we've completed public comment on the 30th of November as well. Those comments have come into our organization, and we are bucketizing them by category, and then we will begin the process of, um, and we have already begun the process of adjudicating and answering those comments. Though, once those are done, it'll go back to OMB, we'll go through, um, the rest of their process. There's an interagency review and some other things that have to happen. The rule will probably be finalized, become a final rule, probably by August, because it still has to go back to a congressional review after it finalizes all the other interagency and other reviews and the adjudication of comments. But by virtue of the fact that OMB recognized the extreme national security issue that we're under, that's why they allowed us to make it an interim rule, saying we could put it into effect now while we're continuing the process of making it a final rule. So while the assessors have been trained and they have also been certified, because of the fact that there could be changes to the model and the process based on the outcome of the rulemaking process, they're only provisional assessors. So based on any changes that we see through that process, all of those provisionally trained assessors will have to go back, they will have to have the delta training, and then they will also have to be re-examined, and they will then be a certified assessor. But in the interim we've got a lot of different activities going on. We
started out last spring. We did some pathfinder, um, activities with, first one was with the Missile Defense Agency, and if you tuned in to the, um, town hall you heard Ms. Diane Knight speak about all we did in that pathfinder. We did model contract language, we did model RFI language, we went through a model post-award conference between the prime and the program office to make sure we mapped CUI down through the supply chain, because one of the most important parts of CMMC is recognizing the controlled unclassified information, making sure it's appropriately marked, right, as well as making sure that when you flow it down to your subs you're only flowing the information that they have to have to do their job. Right. Because one of the things that you don't want to do is just package up that entire tech data package, shove it down to your subcontractor, because then they're going to be in a position where they're going to be in receipt of controlled unclassified information when they don't need it. Right, right. And that puts them in a position where they may have to rise to a CMMC level 3 requirement when they don't, they don't need it; they can be a CMMC level one. Right. So we need to be very cognizant and purposeful how we pass data down to our subcontractors to ensure that they have the right data and only the data necessary to do the job that you've asked them to perform. Right, and I would imagine for many contracts, especially prime contractors, you know, they have a PM or a DPM that's really going to be, there's going to need to be an element of training and just really just communication from the, from the actual contractor, the company itself, telling their PMs, telling their DPMs, hey, you need to be cognizant of how you ship things down to subcontractors and not just trying to take the short and easy route of, again, just shipping data downward. Right, being very cognizant of that, that flow down. And to that end, because I know there's a lot of confusion surrounding CUI, people are very
confused by it and they're not exactly sure how to mark it and what it is. There is a great training out, it's dod dot cui, I think, dot mil, and, and it's, we can drop that in, in chat either way. So it's a brand new training that they've come up with that is, gets rave reviews. Everybody says it's great. We're, we've got that training that's out for everybody. We've also been working with DAU as, let's say, they're actively working on, oh yeah, to make sure that we train our program managers and our contracting officers. And one, one point that I want to make sure everybody knows, since I used to be an old contracting officer: it's not the contracting officer's responsibility to mark the controlled unclassified information in a contract, it's the program manager's responsibility. The contracting officers need to ask the question and ensure that it's been thought of, but it's not their responsibility to identify that CUI. For all my contracting officer friends out there, it's oversight, not responsibility. Yes, exactly, thank you. So what's, what we're doing with the provisional trainers and the pathfinders is, so we did the MDA pathfinder and we did a lot of good mock assessments and got a couple of, um, subcontractors, uh, you know, went through a mock assessment at the level one, and one of the things that I was heartened to see was the one level one that didn't pass, it wasn't anything huge that caused them not to pass. They were silly things, like they forgot to have the log at the front desk where people sign in and sign out for positive access control. I see. They had a back door that was into their data center that they propped open with a rock because their people like to come in and out and do, go smoke cigarettes. Right. So those are not expensive things to fix to make sure you can pass; they're just things you've got to think about. Yeah. So for them, they will easily be able to sail through a level one assessment, right, because they were there, they just had a couple little things that weren't
expensive to fix. I mean, a lot of consternation has been about the cost and how this works. So from the MDA pathfinder, we used DCMA, uh, DIBCAC assessors that were trained with CMMC and sort of, you know, gone through the, the certification exam and that to do those mock assessments. Now when we go through the next pathfinder with DLA, we will hopefully be able to reach out and use actual C3PAOs and actual CMMC-AB assessors to do that mock assessment, and those are all risk reduction activities the department's taking to make sure that when we roll this out prime time we've got it ironed out, we don't have a lot of glitches. Now having said that, we all know there's going to be something that's going to come up that we haven't thought about that we'll have to be able to, to accommodate, and we, we're, um, definitely going to do that, right, we're committed to making sure that we, we take these things as they come up and we handle them. So those are our pathfinders. Along that same avenue, we're also at the same time, and we have a team of three government people working this, so we're very busy. Wow. We are working on our pilots. Now what we did was, um, Ms. Lord, before she left, put out a memo requiring each one of the services to come up with three pilots and then the members of the fourth estate to also nominate pilots, some of the other agencies. So we, she put out a press release with seven, which were the first ones that we got, and hence we've gotten some others. From the Army, um, we have the Army foreign military sales, uh, field service representative support, uh, contract is a, is a candidate pilot. Also with the Army, the Women, Infants and Children overseas program for DHA and TRICARE. Also with the Army is the main operating base installation service nodes. Then we moved to the Navy: they've nominated the integrated common processor, the F-18 E/F full mod SBAR shift, shut off valve, sorry. Then you've got the, also with the Navy, the DDG e i lead yard service and follow-on yard service program.
The Air Force has nominated the mobility air force tactical data links, the consolidated broadband global network area network follow-on, and then the Azure cloud solution, and the Missile Defense Agency is, has nominated the technical advisory and assistance contract. So what we're going to do with all of these is we're going to go and we're going to vet them to ensure that the timeline meets up, because it's not our intent to have CMMC hold up any program or cause them not to be able to get to award in a timely fashion. So we're going to work so closely with them to ensure that, that the timing is right, that we have the ability to identify that CUI and have it flow down into the subs at, what, at the appropriate level. We'll be working hand in glove with them, and Ms. Diane Knight from our office is heading up that, and I stole her from MDA. I'm sorry, MDA, if you're on, if you're on right now. And she actually helped MDA when they started doing their work with their subs with controlled unclassified information and mapping it down the supply chain, so she's a subject matter expert, and I stole her for that particular reason, because I knew she would be perfect for helping us out with this. So the first pilot that's going to be out of the block that we're going to start working with is that F-18 full mod SBAR and shutoff valve, and then I think the second one is an Air Force program. The one thing I will tell you about the Air Force program, that's the Azure cloud solution: this is a pilot that they're working on where they're providing the subcontractor a government, uh, cloud environment to operate in, so we'll be able to see how that will work, bring that out for, um, CMMC and, and the protection of those end user devices that are contacting that cloud. So that one will be a very interesting, it will have a lot of, uh, data that will come back. On both sides, I'm sure. I'm sure it's, that way they can kind of deploy different engineering workloads in that kind of test bed environment and, oh yeah,
and deploy them from there. That's great. Yeah, so that's awesome. So from there, I think, um, the assessors are going through their suitability determinations right now. Um, we have several that, uh, already had existing suitability determinations that can move forward, and we're hoping that they'll be working closely with their C3PAOs and we can start bringing out some of these CMMC assessments hopefully by mid-March. Mm-hmm. Yep, fingers crossed. I get my fingers crossed, I'm holding my breath, you know. So that's our, our excitement for now. I think, uh, barring that, I think we can go into questions.

Yeah, that's awesome, that's awesome. Well, I, I appreciate the, uh, the, the candor, obviously, even talking about hiring decisions you're about to make. MDA mad if you keep, uh, keep taking... I know, I have a couple of really good people thinking about it. That's good, though. I'm glad you guys are bringing, bringing the talent that you need, um, into the organization, because obviously the task is, uh, is, can be daunting at times. And so, uh, so that's, that's great. Um, so I guess first question: uh, there's been some recent news around reciprocity, and we were talking about Azure earlier, but, you know, obviously some of the bigger cloud vendors, you get Amazon with AWS, uh, Microsoft obviously with Azure and some of their cloud offerings, Google, et cetera, et cetera. There's going to be some reciprocity, meaning, you know, these vendors, these cloud service providers, they meet certain cyber security requirements at the data center level, at their level, when they provide those offerings, and so there's certain boxes that they more or less can check because of how they manage their data center. You know, they don't have a rock in their door, for instance, so they're, they're checking... Yeah, right. That's right. So, you know, they're not having anybody taking smoke breaks, so they're compliant, meeting certain, certain requirements, let's say, you know, at the physical level. Um, and I believe, and you can correct me and kind of speak to this, the aim is
that some of those boxes will be checked and covered and then kind of flowed down to contractors. Can you speak to that?

Sure. So we have completed the DoD DIBCAC assessment reciprocity with CMMC, and that memo is up for signature to finalize that, and then we are currently working with FedRAMP and GSA to come up with a reciprocity agreement. Now when we do this, we also include the DIB sec members, so we're working with GSA, we're working with industry and ourselves, our subject matter experts, to make sure that we draw a good reciprocity between the two. Sure. One of the big differences between FedRAMP and CMMC is that FedRAMP does allow POA&Ms and CMMC does not allow POA&Ms, so if you are a cloud provider that currently has POA&Ms for some of your requirements under FedRAMP, you would not get credit for that under CMMC. I see. So we're working through that with FedRAMP, and then we have various other, um, cyber programs that we're working to try to help reduce reciprocity, as well as internationally. So I'm, um, working with some of our allied partners, and we're all trying to do a crosswalk between CMMC and their cyber programs and, and do a crosswalk amongst them all. Right. There are a couple of countries that do not have a cyber program yet, and they're strongly looking at adopting CMMC. Gotcha. So it just depends on, on country by country, nation by nation, whether or not, if they have a program, then they, they're more or less not adopting, what, they're adapting, and then for nations that do not, they're adopting wholesale, possibly looking at CMMC. Right, we haven't gotten there yet. Sure. And I also will tell you that we've had, uh, two other federal agencies that have said they're going to adopt CMMC as well. I don't think there's been a public announcement made for one of them. I know DHS has been very vocal that they said they will definitely adopt CMMC. So we're working through that with the AB to say how we would bring on other federal agencies. From our perspective, I think it only makes sense
that DoD remains the executive agency for CMMC, that we continue to use the same DIBCAC assessment procedures for the C3PAOs, because the one thing that we have to have with CMMC is consistency across the board. You can't have one agency adopting quasi-CMMC and asking for one set of requirements and DoD having another. Will drive industry nuts with having multiple different certifications. I also think that having the DIBCAC team do the assessments for the C3PAOs makes sense, because then you have that consistency across the board for how your C3PAOs are evaluated. Right. But we haven't signed on the dotted line with any of these agencies yet, so there could be things that change in the interim, but that's kind of the way we're leaning and where we would like to go with it. Yeah, and it makes a lot of sense, obviously, because as you probably know very well, this process of standing up a, a maturity model and a certification process and assessors and training and all the things that go into making CMMC work, um, it's, it's an undertaking, and so then duplicating that effort again for another agency or another set of agencies is probably not the best use of taxpayer dollars in some cases. Exactly. Um, and I can also imagine even like Department of Energy, for instance. I mean, the DoD maybe doesn't have as much of an obvious tie to the Department of Energy, but let's say the energy grid is susceptible to cyber attack, the national energy grid, uh, that, and that very well impacts the DoD in our operations here at home. So, uh, so I could definitely see that cyber is going to become something that's going to be cross-cutting across the whole world. Right, as we saw with SolarWinds, right, the recent efforts with that, with our adversaries to take down our infrastructure, right, and it was federal agencies, industry writ large that all got hit. Mm-hmm. And we have to protect against it. Yeah, absolutely. So one of the, you mentioned DIBCAC earlier, and obviously those assessments of C3PAOs are underway
or at least that process has started. Um, are those C3PAOs having to pay for those assessments? How does that work? What's that arrangement like, if you will?

No. So, um, one thing is you cannot pay the federal government, so one of... I've heard, I think they call it augmentation of funds. Yeah. So we, we can't do that, but what we have determined is it makes good business sense to have the, um, impartiality of the government agency doing the assessments of the C3PAOs. It doesn't make sense for one C3PAO to assess another, yeah, right, and have them have to pay each other, because, you know, then it's ripe for disputes. Right. So with that, with the C3PAOs being assessed by the DIBCAC team, I think we have consistency across the board, we have, um, hopefully the integrity of the process. Right. Those, those assessors are very good, they have high integrity, high standards, and so we'll ensure that all the people that are doing this, the assessments for us, will ascribe to that same level. Right, right.

Um, another question too that we mainly received a lot, especially, so we talked to Katie in October of last year, and, uh, you know, one of the questions back then, and I think it still remains true right now, and I think it's good to speak to it, there's a lot of question about, you know, uh, the relationship between the CMMC-AB and the DoD, and there seemed to be, uh, to the industry there was talk that there was a seeming disconnect, or that it didn't seem like they were doing many things jointly, but I think now, especially as you saw with the town hall meeting, it seems like there's more of a, a closer connection, more, um, collaboration, even public collaboration like a town hall. Is that true?

Yes, it definitely is true. I, you know, as with any relationship, you all go through your forming, storming and norming. Yeah, right, right. And so, um, you know, through the negotiation process that we went through with, with them, and, you know, each person had their opinion, um, we work through that, yeah, and we are now, uh, one team, one fight, very cohesive,
under contract. Yeah. And we always were one team, one fight, you know. I think just when you're ironing out the details there, you know, that, that's where... And unfortunately I think, uh, people out on social media take a little something and make it something big, and we have, we have our naysayers, we have people who are trying to make a quick buck off of CMMC. You know, there are a lot of organizations out there that are pop-up organizations. You know, we've seen the CMMC Center of Excellence, we've seen the CMMC Center of Awesomeness, which I thought was, it was really cool. It was, it was funny. Clever naming. Oh yes, yes. And we have the, you know, all of these organizations that are on their own. They're not authorized by DoD, they're not sanctioned by DoD, and, you know, the CMMC-AB is our only authorized source, and they are the ones that are, um, authorizing and accrediting the C3PAOs and the RPOs, right, and the assessors. And we have actually sadly heard of companies that have gotten hoodwinked by some of these other organizations that said, hey, I can get you certified, and they pay them a good bit of money, and they come in and they don't really do much and they didn't really help them, and this small business is upset because they're out this money, right, and they didn't get where they wanted to go. And unfortunately for us, we can't stop public... Free market, free market and all that. Right, we can just pray and, uh, continue to communicate and have town halls and make things clear as you can, and that the people that do establish their free market ability, that they are, have high integrity, they get the training from the CMMC-AB, and that they don't take advantage of some of these poor small businesses that are just trying to make it and provide us a very necessary, um, capability. Yeah.

You know, this one is interesting. Uh, we've had this question come up quite a bit, at least just amongst clients and folks that we talk to within industry: this idea of grant funding and things of that nature that flow out to
different states, and those are managed, uh, whether through MEP centers or through other means. Can you speak to just any of the hallway conversations or anything else that's kind of, uh, percolating around grant funding and things of that nature, even if it's just training related?

So, well, now we do have a very robust, uh, training. We've got Project Spectrum, we've got the PTACs that are being trained that are going to be working with the small business, and I have a bi-weekly call with the NIST MEP organization, and they're getting, going through the AB training as well so they can provide assistance to the small businesses and, and be active with their, uh, organizations to help. Now for the grant money, it has been talked about. I believe there was even something in the NDAA, but since we're in the midst of a late-signed NDAA and an administration change, I have yet to see, I have yet to see the money. Yeah, a little bit up in the air. All right, so we're still working through that, but hopefully it would come. One, I think one of the other questions that I keep getting, right, is: is the new administration going to reverse CMMC? That's a good one. Or are they going to be to it, they're going to make the requirements easier? We have seen no indication of that. Yeah. Um, CMMC has been a very bipartisan effort. We've got, you know, we get questions from both sides equally, and they're all very interested in it and supportive, and one of the things that I would also tell you is, with the recent hack with SolarWinds, I don't think that they're going to push to make the requirements less. Right, right. Because we've seen how we have been hammered with some of these things. Cyber security, like I've said many times, is going to be a whole-country issue. You know, we all have to be aware of, right, even in your own personal life, right, I, you know, um, making sure that you protect your accounts. I met a guy when I was down doing, I think I talked about it last year, I'm not sure, um, he, construction contractor for the government,
lost forty thousand dollars because somebody stole his CAGE code identity. Yeah, right. And he calls the government, he's like, when am I getting my money? And they're like, we paid you. He's like, no, you didn't. And they were like, oh yeah, we did, and we sent it up, and when they went back, checked it, somebody had stolen his identity and redirected those funds to their account. And, you know, for him forty thousand dollars is a good chunk of change. Yeah. You know, that's not, no, not peanuts. But when you go to the Justice Department and try to file charges and try to have that, um, looked in upon, they're like, sorry, we don't have time for that, it's not a high enough dollar value for us. Yeah. So I think, you know, from that perspective you have to make sure that you're doing your due diligence to protect yourself, let alone meet the requirements. Right. Wow, yeah.

Um, one of the things on, um, I'm trying to remember what you said earlier, I had a question about... Oh, sorry. No, no, no, uh, I was paying too much attention, I was, I was getting into what you were saying. So, oh, on the training piece: I know you said you have these bi-weekly calls with the MEP centers, and I think the PTACs are also working on stuff, uh, with, as it pertains to training. Are we thinking 2021 is when this, uh, is going to start rolling out some of these trainings and things of that nature?

So Project Spectrum has already rolled out, that one is, yes, and they've been working. I believe the PTACs are already engaged as well. The MEPs, I know that there was one gentleman that had signed up for the training through the AB, and he was very frustrated, and so they called me to get involved, and his finance people never sent the money. So now that he's got that straightened out, he's going to get the training. One of the other ladies that, uh, I've been working with directly is going to be, and hopefully in the next class. Okay. So there, yes, it's going to be 2021 that they'll have the capability. Wonderful, wonderful. Um, obviously we've talked about some of the initial
contracts that are going to have CMMC language in them. Obviously we've talked about some of the DIBCAC assessments of C3PAOs, et cetera. Um, of the, outside of that core group, of the core group of C3PAOs, core groups of primes that are looking at those contracts, that next level, the next level of primes that are outside of just that scope: when, when do those companies need to get ready, or when can those companies expect to be assessed, kind of that second wave?

So when you start looking at the pilots that we have, right, those pilots are going to have subcontractors, right, and if you see the list of pilots that we have and you think that, um, I may be a sub on one of those programs, then you want to start looking at getting your certification. Yeah. What I would also tell you is we have the, um, CMMC assessment guides out there. I think they're going to update them here in a little bit with rulemaking and clarify some things that may have not been clear enough, but get those assessment guides, start looking through them to see what you need to have to be assessed. And they're on our website, so you can download them and start preparing your company now, because even if you're not assessed, you need to start implementing the requirements to make sure you protect yourself. That's right. So, um, even if you think, hey, I don't have to do, get, pay for the assessment for two or three years because none of my program, you know, I'm in my contracts and they're not coming up for renewal or anything like that, then go ahead and start looking at it now. The other thing that companies need to understand is that interim rule was a three-part rule, and that's been a, an area of confusion that I probably ought to try to clear up. So that rule had three parts. It had 252.204-7019, 7020 and 7021. 7019 was a provision that goes into solicitations, but it also says that you can't garner an award unless you go into the DoD SPRS system, and it's supplier performance rating system; we call it "spurs" because we're all about
acronyms, and that's where you have to go in and do your basic self-assessment. They give you a scoring methodology for you to be able to give yourself a score, so at least the government, the DoD, knows that you have taken a moment, you've thought through it, right, right, you know that you need a system security plan, and where you don't meet all of the, the requirements, that you can still have a POA&M, but at least you've thought about it, at least you've taken a look at your systems and you've evaluated where you are. Right, right. That's the first step. Then we move to the 7020 clause. 7020 clause is where DoD has the ability to come in and do the medium and the high assessment, that says if we ask you, you need to let us come in. Now the medium assessment is a conversation. It's where you sit down with an assessor, you talk through your system security plan and your POA&M, you talk through the artifacts that you have that prove that you've got those, um, controls in place, and it's a conversation. Yeah. The DIBCAC high assessment is where they actually get to look over your shoulder at your network. Now in COVID we've been very successful at doing it fairly, uh, virtually. I think there are only two or three components that are facility, uh, intensive. Yeah, not, maybe not intensive, but you got to be there. Yeah, you got to be on the ground to, to make sure that door is closed, you know, those kinds of things. Now we've been using video cameras and FaceTime kind of things where we can to, to be able to close those gaps, but there are like two or three that get left unturned that the DIBCAC team will have to come back to finalize to get your all 110. And to that end, what the reciprocity agreement with the DIBCAC assessment is: if you score above a 70 on that DIBCAC high assessment, then you would only have to do the delta assessment for CMMC between the 70 and the 130.
And if you score below a 70, you have to do the whole thing. Yeah. And it goes up from there, so if you score 90, then you don't have to, you only have to do the delta. If you've gotten a perfect 110, then you only, for the reciprocity for CMMC, you only have to be assessed against the requirements of the, the, um, last 20. You don't have to be assessed against the three practices that are associated with that, because they feel like if you've met the 110 then you've already got those practices down pat. Right.

With the basic assessment, you know, speaking of timeline, I know we've discussed a little bit about, you know, when you should start doing things and that kind of thing. As far as SPRS goes, should, uh, should businesses of all size, prime, small prime, sub, small, large, doesn't matter, should they go ahead and start doing those self-assessments and getting those in? Is there any reason they wouldn't, I don't know why they wouldn't need or why they would need to do that now?

No, they all need to. Okay. Because one of the things that, um, and, and so to be clear, 7019 and 7020 aren't my, under my purview. Right, sure, sure. So I'm working with other people, so, you know, somebody else may say, what, you know, what'd she say? But, and to be clear, so 7020 is, 7021 is mine. 21, yeah. Excuse me, not 7020. 7019, 7020.
but the 70 20 19 clause is for all contractors that would do business with dod and you cannot get an option exercise if you have an existing contract you have to have that registration in sprs to have your option exercise right so and you cannot garner a new award under um the dod unless you have that information in sprs so there is no reason not to do it right i think the only people that are excluded are cots products yes right and i know i got a question that we have not answered that is that going to change because of the solarwinds uh hack and so what i would say a great question we're looking at there's a lot of intensive uh research being done right now with regard to that hack and what it would take to have protected against it yeah and or to detect it so uh more to come on that yeah that's interesting it kind of even gets into some of that reciprocity conversation about how software companies software providers are assessed themselves and what certifications they need to get themselves and how their software is certified the software right you know there was there have been a couple of sections in the ndaa that talk to um companies needing to come uh open with if they've shown their software to or any of our other countries or adversaries or things of that nature yeah yeah wow um so two two last questions um the first being what uh what steps do organizations need to take to avoid rather over-classifying information or under-classifying information as it relates to them having to meet cmmc level three and i guess we talked about classifying and who's doing the classifying so maybe that question isn't totally accurate maybe but even just over treatment is there such a thing is it bad for a company let's say that can configure their entire environment and all their systems as though any of them could have cui on them is that is there any negatives to that i guess and then also too um is there a way that they could be under classifying or under treating 
their systems or their data that kind of thing so um the only negative is the cost associated right i mean undoubtedly the more secure you make your systems the better from my perspective and for your own protection sure but it does have a cost associated with it so you have to make that decision and i think for the marking of cui you know we're trying to come up with a really good rule of thumb right and the best thing that we've come up with is if it's information that if our adversaries got a hold of they could use against us or they could use to um leapfrog ahead of us right that it would give them an advantage against us then you want to protect it as cui yeah right now when it comes to working with your prime and working through your contracts then you need to have that constant communication because there is contractor derived information that would fall in the same vein of cui yeah and so you might be like well i don't think it needs to be cmmc level three i produced it but if you think about the fact that if you develop something and if our adversaries could get a hold of it it would give them an advantage then we want to protect that right and then you would want to make that uh considered a cui and be protected as such you know but that constant communication with your prime your next level tier up and your next tier down and ensuring that when you do flow information that you only flow what they absolutely have to have to do their job because we don't want to put um companies in the position of being in receipt of cui when they don't need to and having to rise to the level of cmmc level three right it's just like that story i've told a million times about the the well not the construction guy the the welder okay and he's like i don't need cyber i'm a welder and he had the entire tactical design structural design of one of our tactical aircraft because they didn't cut out the welds they just sent him the whole tech data package right which goes back to 
your flow down statements earlier about you know how do pms and dpms need to control um what gets sent down and what doesn't exactly exactly we we have got to take and it's difficult because everybody is overburdened right and everybody's being pushed to meet an aggressive schedule we've got to get things done faster faster faster so you know it's undoubtedly easier just to stick that whole tech data package in an email and shoot it down to the next level and not take the time to cull through it but we're going to have to yeah right we're going to have to make sure that we're not putting all our data out there for everybody to see that's right so i have one statement and then the last question i remember what i was going to say earlier you know you were talking about the great question of oh so we have a new regime a new new president and a bunch of new leaders that are coming into place that are going to do great work to serve the country um to the best of their ability you know regardless of the change regardless of any sort of political swing that may or may not be happening you know i think most people rather uh political leaders civil servants and also to just just great old citizens of the u.s of a i think we can all agree and i think all of those parties would agree that regardless of how much money is spent on the dod regardless of the initiatives of the dod i think we can all agree that the dod and all of its supply chain needs to be secure yes i don't think that is in limbo or anything is going to change about that posture i think from from the newly elected president all the way down i think everybody agrees that that the the eye doesn't need to go off the ball and and we need to continue to be focused on that the covid 19 is a perfect example and it's not just dod right we need to make sure that our national supply chain is protected and is secure yeah right you know when you find yourself in a situation where you don't manufacture enough on your own in 
your own country and you're dependent on somebody who's one of our adversaries for a lot of your product yeah you know you find yourself in a tough spot that's right and you know i think that that has been an eye-opening experience to most people yeah and so yeah we need across our nation not just dod dhs doe all of those agencies need to ensure that their supply chain is secure as well as our national infrastructure right i want to make sure that the drugs that i'm getting from cvs have had a secure supply chain all the way to my my dining room table that's right and you know i don't want anybody and you know there are adversaries out there that want to take this country down yeah and we need to make sure we protect ourselves against that that's a good note so last question kind of ties into that is um if you had you know magic wand and you're looking forward to the end of 2021 what would you like to see this is more of a stacy question again this isn't you know what's to come you know please win the lottery and be on a beach yeah yeah yeah yeah so everybody put your pens down this isn't you know a guarantee but if you could have it your way as it pertains to cmmc what would you like to see at the end of the year kind of in place or just anything anything surrounding cmmc what would you like to see i would want to see wholesale adoption i would want to see excitement from the industry and i don't want the right type of excitement yeah the right type of yes a lot of energy and support of cmmc now having said that we have gotten a ton of support and we have had most of industry very excited about this and recognize that this is a necessary thing that we have to do yeah now on the downside i mean they think it's a great thing they know we have to do it but on the downside they don't have to pay for it you know it's gonna it's gonna take work yeah right but if everybody would be recognizing that yeah it's going to take work but we got to do this and we're excited to 
do this because we recognize the need because i want to be able to close my eyes at night and know that my country is secure and that we don't have that threat of some of our adversaries overpowering us or at least you know taking military and economic advantage yeah and and so that was where i would love to be that's great that's great good deal well stacy thank you again for joining us anytime we have many more sessions to come so everybody please stick around and uh yeah we're looking forward to more conversations in the future obviously we'd like to also speak to some of the new appointees within your within your staff as well so be looking forward to that and again thanks for joining us here in virginia yes and war eagle for those of you in alabama still awesome well everybody stick tight and we'll be back here in a little bit thank you so much thank you
Channel: Summit 7 Systems
Views: 573
Keywords: DFARS, CMMC, Cybersecurity, DoD, Compliance, Cloud, DFARS 7012, CUI, Aerospace, Defense, CS2, FCI, CTI, NIST, DIB
Id: LHeyyAgx4F4
Length: 44min 36sec (2676 seconds)
Published: Fri Feb 12 2021