Katie Arrington on DFARS Interim Rule

Reddit: posted by u/multifactorpassphraz, Oct 08 2020 (2 upvotes)
Captions
[Music] All right, so without further ado, starting us off we have Ms. Katie Arrington. She currently serves as the CISO for the Office of the Under Secretary of Defense for Acquisition. In this position she serves as the central hub and integrator within DoD to align acquisition cyber strategy. Leading up to her CISO appointment, Katie served as the cyber lead and programmatic advisor for strategic cyber programs. Katie Arrington has been rightfully described as the change agent and bridge between departmental information security efforts, Congress, industry and academia. In her short tenure she has been diving into one of the most significant acquisition reforms in DoD through CMMC. In addition to her service as the South Carolina U.S. representative, she acquired her experience in cyber over the past 15 years with Booz Allen Hamilton, Centuria Corporation and Dispersive Networks. So thank you again, Katie, for joining us.

Good deal. We're live.

All right, so first off, tell me about the interim rule, and does your team have a sense of how many comments you're going to get?

So there are several pathways that a rule can go down: a proposed rule, an interim rule. Much like recently, I don't know if you were tracking the 889(b), it posted as an interim rule and went into effect 60 days later. The reason why we do that, that short pathway, was decided on at OMB OIRA. So this is bigger than me, it's bigger than the DoD; it was a matter of national security and a national emergency. We went through, gosh, a year or so of comments on building the model. I mean, we kept putting it out for public review; every time we published it, we took the comments and adjudicated them. So they had felt very comfortable that they had a sufficient baseline. That was the big thing. The cost analysis was a big thing, because if you've read the DFARS interim rule, it's pretty impressive the amount of money that we're talking about here. Even with all that, the interagency council found that it was in the matter of national interest, so they posted it as an interim rule. We've been in the public comment period; we adjudicate those as we go. It's not that we ignore them; there is a team that handles them as they come in, from the day that it posted out to today. The comments are definitely not streaming in, but coming in. Most of the ones that we've seen thus far are more about what is going to be the rollout as we move through the DIBCAC and we move into the CMMC. Those are things that we are working through, because it comes under, in the interim rule, the Under Secretary of Defense for Acquisition and Sustainment, Ms. Ellen Lord, the Honorable Lord, my boss. We are working through the strategy. We've been saying this for two years: it isn't going to be a light switch; we have a strategic process. Those are what the bulk of the comments have been thus far. So it's robust, and it's one of those things that we've said from the very beginning: this is going to take five years to implement and we need to get going, so why delay?

Right, right. You know, it's interesting. This is kind of off subject but on subject in terms of questions. There have been some comments, at least online, about, so now you have 7012, or however you want to say that, you have 7019, 7020, 7021. Has there been any thought given to what we call all of these things in aggregate? Do we call them the DFARS 70 series?

No, I haven't had anybody name them yet.

Okay.

But yeah, that is a definite way to look at it. The 7012 is what we have been focused on like a laser, and that is the DIB cybersecurity requirement in DFARS language. So it's been sporty.

Yeah, absolutely, absolutely. So obviously this talk, and the conference itself, is kind of centered around cloud. Can you tell me a little bit about some of the considerations given to varying types of the same assessment but for cloud companies? Are cloud companies, your Amazons, your Microsofts, et cetera, going to need to be certified? Is there going to be reciprocity? Can you kind of speak to that?

So they're going to have to get certified like every other company, right? They have to have, I would assume at a bare minimum, they are running at at least a 4 or 5. When a business decides to use a CSP as a supplement to how they achieve certification, what we will need to do is ensure that the CSP has the right credentials, you know, from FedRAMP, and that they meet the right criteria, FedRAMP Moderate, FedRAMP High, and working through that reciprocity of the assessors. That's the big thing, right, the people that are going through. I mean, we had the first class graduate; there were 25 provisional assessors, with 25 additional provisional assessors. So we need to make sure, and that's a big part of the training and the assessment, is understanding adjudication baselines. If you've been involved in any of the working groups or with the Accreditation Body or with the DoD, or you know me, I am big on adjudication baselines. We have to know what is a level-set standard so that we can all look at it through the same lens. So I'll say that's been probably one of the sportier parts, is looking and making sure that it's apples to apples. And part of the pathfinders that we've done are: when an assessor has a belief of a level and the company disagrees, what is the remediation process? It needs to be expedient; it does not need to be at a cost to the vendor. So they're coming in and they're getting an assessment; it's understanding that they are allowed, like anything else, to have their say. And it's funny, the things that go behind the scenes that nobody knows about, but everybody juxtaposes that they have the in on; they don't. I wish there were more people on these working groups and volunteerism efforts. But working through the legal, I would say, milestones for the AB, for the C3PAOs and for the actual assessor, to make sure all of the parameters are there to protect the vendor and ensure that their best interest is at heart. So we're definitely rocking and rolling.

Good deal, good deal. So the next question is, for companies, some of them may be small, some of them may be large, that are cloud-only businesses, so their infrastructure, their systems are all cloud-based, or even maybe for a company that's hybrid, they have some cloud systems and they have some that are on premises: do you eventually see there being various guidelines or sets of standards, and where they originate could be arguable, but where do you think eventually there's going to be a set of standards or separate guidelines for the C3PAOs, for instance, that says, hey, if you have a client that is mainly cloud-only, here are some things that you need to be looking for, because cloud technology can be different, here are the nuances to that?

Oh my gosh, we're already there, right? So as we're looking at this, and it goes international, right? Last week my team, and this week, we have literally been on almost back-to-back phone calls with our international partners getting them prepared, because a lot of these 15 pilot contracts are not going to be just US-based. I mean, we do have international partners, especially on big programs like F-35, per se. Our FedRAMP is for US-based, right? So if we have a partner, and today, or earlier, I was talking with Israel, a huge allied partner in a lot of our weapon systems, but they don't have the FedRAMP certification; they have theirs. And walking through, much like we did with the model, we took standards, the NIST, we took ISO, we took AIA, and we did the overlay and we said this is what this control or this process is required to produce this outcome. So we've been working on that. And that's another thing, behind the scenes, I wish more people knew or were a part of how much work we have been doing. But that is absolutely, for DoD right now, it's FedRAMP, and I don't see that changing anytime soon. I speak pretty frequently with the CIO rep on cloud, Peter Ranks, amazing individual, about where do we see ourselves in five years and ten years, and how do we incentivize and create more opportunity with our international partners. So it's been a discussion, will continue to be a discussion. And for the next question that people are asking in their mind: we're doing it on a country-by-country basis. Part of this whole process, which yet again, if you understood the complexity behind all of this, you would say, you got it done in what? Each country has a bilateral agreement that we have; DTSA has a security agreement with each individual country that is cognizant and respectful of their own laws, that equates to ours. So I can't express enough how much work the department has put into this, and how much, with the volunteers on the Accreditation Body and the working groups, it's just unbelievable. And when five years from now we turn around and we look back, we will look back at this time and say, when government needs to solve a big problem and we collaborate with industry to solve it, we can do it in record time. I mean, we started this conversation in January, not even, it was March 2019 when I started talking. I think my first event was in April or May, and we delivered in January, and here we are, October 2020, and we have had a rule change already out there, and training started for assessors, and on and on.

And I would say one of the things, I was on with ComDef 2020 last week, and I was on a panel with the commander of Space Force, of the UK MOD Space Force, and I want to say it's Air Vice-Marshal, I can't remember the complete terminology, but Smyth. Amazing individual, one of those people I look at and want to be like one day. If anybody, you should Google him. He came out very publicly in the summer of 2020 to call out one of our adversaries for doing something that was not good, and risked a lot, to be one of those people that said, we've got to get things right. But the thing that we were talking about yesterday was risk aversion, and that we need to accept a little bit of risk to get the really innovative outcomes that we desire. Nothing in this world comes without a cost, and you have to decide early on, whatever you're doing and whatever the cost is; if you don't have it, you don't appreciate it. It's like your parents used to say, you need to know what it's like to earn a dollar. Well, we need to understand very clearly that the risk of our adversarial impact, and I'm going to say it, social media and the online presence of let's pick apart every little thing and not get to a strategic objective, instead of realizing that we are incredibly intelligent, articulate, that this has been a collaborative from the get-go; instead of poking at it, get on board with it. I would love the individuals that feel compelled to go out and say things and create unnecessary angst, I hate to say it, but it's like you're poking at the thing you're trying to feed off of. I just struggle with that. Please.

And I am now an official SES, and I will say this is not a DoD statement; this is a Katie Arrington statement. My mom, God rest her soul, used to tell me some really key things in life, and one of her things, raising three daughters with one bathroom, is she does not tolerate whining. Her thing was, if you're identifying a problem without a solution or part of the solution, you're whining. And instead of people getting out there and complaining, jump on board. If you're critical of it, come help. It's one thing to sit on a mountain far, far away and say the village is going to flood; get in the village, figure out how to make the drainage system work. And there are so many paths forward to contributing. It's a lot easier to poke at something than to vest yourself in it. And it's also, I think, a part for some people that have staked their career on "we need to do it this way," and no, not necessarily; we were charting another course. People fear the unknown, and I appreciate that, but it's real. The interim rule is out there; this is not going away. So how about get on board? We want you, no hard feelings, come on board, the more the merrier. The more voices on a productive working level, absolutely an imperative; that was the whole basis of this. So, sorry, I went on my little rant there.

No, I think it's merited. There's been so much discourse that I think is just not beneficial to the community; it's not beneficial to really the cause, and I think it needs to be said, so I appreciate you going there.

No, listen, I'm one of those people that anybody, and you know from people, prior Department of Defense civilians in very high-ranking places: if it was working, we wouldn't be having this discussion.

Yeah.

And another thing my wonderful mother said: if you do what you did, you're going to get what you got. And we can't do what we have done; we need to change. It's a movement forward; there's a little bit of risk involved, but a heck of a lot of a positive outcome. And I don't mean to take your time on your availability in this environment, but one of the things I've said to people is, how do we know what we're doing is really beneficial? That was one of mine from the very beginning. And remember, Katie Arrington said adjudication baselines are an imperative; they have to be met. So when we first started in the department and we started doing the DIBCAC assessments in mid-2019, and we put the original crew through, nobody was getting a high, a DIBCAC High. We were at a 50 ratio, right? And it wasn't until the CMMC really started getting a lot of chatter behind it that companies understood we are not kidding.

Yeah.

We watched the assessments go from, out of a potential 110, and we've had some that scored negative, they were in the negative; then we had companies, as we went back, we watched the quality of what they were doing, the working down of their POA&Ms. It has been amazing. So for some people to say it's not going to be worth it: it's already been worth it. We've already seen data to support, prior to COVID, from mid-2019 when we really started talking about cybersecurity and watching the threat and the exfil, we watched a decrease.

Yeah.

Watched it. The culture started to change. So if we did that with nothing more than conversation... You know, when I was in Indianapolis with you guys, one of the things, and prior to coming on to this webinar, I will tell you, we were talking, I do go back and look at my previous statements to make sure of continuity, and I will add this: I was trying to get it noticed; they didn't get my sense of humor at all, but it's a tough crowd.

It really is. Shout out to the Midwest.

Yeah, but it's just really something to see. I commented to someone on social, LinkedIn, the other day; they were commenting about the interim rule, and I said, what's really amazing to me is the fact we're having this conversation in the first place.

Yeah.

And you can't fix something in any way unless you discuss it and create the solution set. So let's dig in. I want companies like Summit 7 and what you guys are doing, I want companies like Lockheed Martin, and really small, innovative niche firms, to really be a part of our community for the long term, because, as I've stated again and again and again, the industrial base, the national defense, we in the Department of Defense rely 100 percent on you. We go to sleep at night and close our eyes with a pretty good feeling. We are the world's leader in military, and there's a reason why: it's the person that lives next door to you and people like you and our community. So let's go for it.

Yep, and it's far-reaching. We've already begun talking to some of the MEPs across the country, and they're all active.

All active. And that's really one of the things, right? It's this conversation. I think this is the first step in a bigger process, a much, much bigger process. We have the Adaptive Acquisition Framework, which is helping us in the department reform acquisition and ensuring that cybersecurity is foundational, and then you look at things like supply chain illumination tools, where you can see in real time a supply chain and identify risk within it. I just think that there is so much ahead of us, that the CMMC is the start of something that will, I think, harden our national defense. We're not going to thwart the adversary completely, but my gosh, we're going to make it really hard for them, and the more that I can make those cyber actors and our adversaries work... Our struggle is going to be, as with anything, that strategic view, and making sure that we come back and that we're accountable to ourselves. Which, it's funny, I sit back, as a former legislator, as a former small business owner, as a former contractor, and we look at the "well, I wish they" or "I wish government would do this" or "I wish the DoD would do that" or "they need to do this." Understand, we function off of tax dollars. [Laughter] It really is. I'm really concerned because it's my money, just like your money, going into this, and making sure that we have a check and balance to come back and say, okay, what is the baseline, is this effective. I think the next thing that we really need to get to good on is sharing threat. If our adversary is going after a supply chain, the likelihood that they have gone through the amount of pre-work it takes to create a DDoS attack, per se, they're not going to do it on one company; they're going to do it on multiples at one time. CMMC is a start, the Adaptive Acquisition Framework another part of it, supply chain illumination another part of it; information sharing has got to be the next barrier that we really break through, and understand that sharing threat with each other is not, I joke, it's not a four-letter word. If it's happening to you, the likelihood is it's going to happen to me, if not today, then in the future. How can we thwart it?

Right. And you know, I actually didn't plan on talking much; I mainly wanted to let you talk. But you bring up an interesting point, because there's an obvious, I guess, detractor, at least when it comes to adopting cloud technologies, because sometimes if an industry adopts much of the same technology, then you have kind of a single threat vector that can be taken advantage of. But on the other hand, I know the Amazons, the Microsofts of the world, they're already deploying artificial intelligence, so that if something happens over here in this one cloud tenant, it will then communicate to the rest of the cloud tenants: hey, block this particular thing, or run this particular patch to address that vulnerability. And so I think there's a lot of progress being made within industry to kind of already facilitate that communication of threat.

Oh, and I think for the CSPs, as we look forward into the future, ten years, fifteen years down the line, the likelihood that your life is living in the cloud? Pretty likely. And that, as it will never be perfect, I guess the thing is we do our best to create standards and metrics and tools to do exactly that, but understand that there's no 100 percent secure way to do things, and that as much communication as we can have with each other... The AI piece, I think, is definitely going to be the game changer. I am concerned, like with quantum, right? As we evolve, AI evolves, and we've got this nastiness of quantum living back here. And then one of the other factors on the cloud service providers and how we do is, go back to one of the original tenets of when I talked about the CMMC: even if you have a CSP, you have to understand encryption and data flow. Those are the two big things. What can your pipe take, and how can you protect? End-to-end encryption, I think, needs to become really a part of this environment with cloud. We've got to get there. It's every day; I mean, there will be something new every day, but we were learning the capability on AI and cloud, and understanding and getting the predictive analysis on threat has been amazing. I'm excited to see what does AI look like backed with quantum computing. HAL 2000, I mean, can you imagine where your children's children are going to be?

Yeah, oh yeah, oh yeah. It's good. I'm excited.

I'm excited for mine. Well, I'm just waiting for them to figure out teleporting. They did it in Willy Wonka; it's got to be possible, right? It's got to be in our future.

So one of the things, in the interim rule, as our team immediately started to kind of digest it and devour it and think through changes and how it's going to impact clients and some other folks in the industry, one of the things that was kind of speculated, hey, we may see this, we may not see it, is the paragraphs (c) through (g) in DFARS 7012 about some of the reporting requirements: that if there's an incident, there's a reporting requirement that you have to provide certain things to the DoD, or at least certain accessibility, for lack of a better word, for the DoD to come looking around. That seems to be the same; DFARS 7012, most of its content seemed to be the same. Is there any reason why DFARS 7012 was more or less left alone on some of those topics, and really just writ large, and then we just kind of made the addition of 7019 and 20 and 21?

So 7012: you have to think about who 7019, 20 and 21 affect. Classified, you know, cleared defense contractors are different. You have to think about that. 7012 is everybody.

Yeah.

Right. And 7012 and the rule change, the interim rule. Bob Metzger, one of the co-authors of Deliver Uncompromised, was emailing me today, and one of the things that I said, which is a nuance I think a lot of people missed in the interim rule, is that we no longer put it from contracts that transmitted or stored CUI, or had the capability. And someone put online, "oh, she doesn't even know what CUI is." No, CUI is something that the adversary clearly stated: if the adversary could see it, hear it, scan it, replicate it, it's bad. And the aggregate of CUI is what makes us the problem. The whole thing I've been saying this whole time is cleared defense contractors are different than people transmitting CUI, so there are different rules. If people don't dig in and actually understand the DFARS and the complexities to it... education, if we need more classes to discuss that. But CUI is understanding, and that's what this rule change really said, and this is what I was saying to Bob: this made every DoD contract have cyber requirements, and they can't all be high. You can't do five, because it's unattainable, and you needed to have everyone have some cyber requirement, and 7012 was the everyone, not the sums. It was the opportunity vector to get that there. But that understanding of CUI, we're working through our DAU class to put out to discuss that. People need to understand that the adversary very rarely, I mean, we've had some incidences where they've gotten into big platforms, but for the most part what they've done is they've gone into people that don't think that what they're touching is important, and they're getting it flowed down, and they're pulling the aggregate; they're taking pieces and parts and putting it together. And this is part of the complexity of our amazingly transparent acquisition: the adversary knows, because we tell them who's on every contract. We make those public. So yes, when you're bidding on the F-35, the world sees who got the contract; they know who the subs are, because we tell them. So to me, it's one of those things that I will go to my grave, and may my children's children's children get the same opportunity that I was blessed with, to be born and live and work and breathe in this country. For all of her faults, and there are several, we're not perfect by any stretch, but my gosh, the amount of transparency, and that we're still the world's leader in military with all of our transparency, when we're fighting a near-peer adversary who doesn't say anything to anybody, works as one entirety for the good of the government. How awesome we are; you don't see it at all.

Yeah.

We forget that there are not lines of people waiting to go into other countries. There's a reason. And imitation is the sincerest form of flattery, and I will always say, and make China forever live this: you copied my F-35; you didn't innovate.

Yeah.

Right? Take it. Sorry.

Yeah, yeah, exactly. No, I think that's the posture we have to have, and it kind of fuels the fire. I mean, that's exactly why we're doing what we're doing. I mean, why do you do it? Why do you get up every morning and love cyber? And your basis, is it you or is it your kids? It's got to be bigger than the individual. It has to be. And that's part of the reason why you brought up earlier the discourse online; that's why that doesn't make sense, to use a platform to rather bring attention to a good or service by just naysaying or being hypercritical of what's going on, when you can just invest.

So, take a break. Katie Arrington, not representing DoD here; Katie Arrington talking, right? Clearly define the break. Do you really think the social media conversation in the US today is really us, or is it them? You bring up a very interesting point. You go to The Art of War, people, right? What's the easiest way to destroy from within? Don't let the adversary distract you from your mission. And know that, as bad as people want to say, oh listen, right, destroying from within, why are you putting out all this about how negative and bad? What are you trying to do, bring the adversary in the back door, like they're not already doing it? Like we do not have enough problems? So that's Katie Arrington; that's not the DoD. But I would just say, people, stop for a minute, think, and remember, whatever you say online will follow you. Remember to tell your kids, it doesn't go away. There is no going away. People say, oh, your text messages are gone after 30 days. No, they don't go away; you just have to go harder to find them. Sorry.

No, I appreciate that. I think it's felt among many in the community, so I don't think it's just a Katie Arrington thing, for sure.

No, but I mean, for every one negative out there, I get a hundred emails that say please don't stop. For every one person that says, oh, this isn't right, I get a hundred: don't stop, don't stop, don't stop. So I take it. Listen, it ain't perfect, I know that. I hope it never is. I hope that we don't turn into a checklist, that it's not the perfect checklist. I hope that the CMMC lives on as what it was, what we, the community, NIST, CIO, breathed life into: this thing that evolves with us, that it doesn't become a checklist, that in five years or ten years, when passwords are outdated, we update, and that we hold each other accountable to that. As cloud service providers evolve in their capability, we evolve in trying to stay ahead of the curve. So I pray that that is something that we as a collective take: this is not perfect, because threat changes; you can't build perfect. But I am willing to take a 90 percent solution to buy down a significant risk rather than opine on a zero percent solution and let the adversary have their way with us.

So I know there's this immediacy to this all. I mean, companies need to be starting now; they should have already started. Maybe they should have already been NIST 800-171 compliant; I think the interim rule kind of speaks to that. But one of the questions, and I'm sure you'll get comments on this, and obviously tons of research went into this and discourse amongst industry and experts in academia et cetera to put this in a rule, and obviously there's a bunch of specialists involved: on the awarding piece, or when a certification is going to be required, there is some language in the interim rule that said we are currently going with "at award" as when you've got to have your certification ready, instead of at proposal. Can you speak a little bit about some of why? And I do have some follow-up questions about some what-ifs and hypotheticals and all that kind of stuff, but speak to why, at least right now, that's the path forward: at time of contract award.

Yes, yes. So that was industry actually coming to me and going, are you crazy? So for bid and proposal, for a company to position themselves to get to where they want to be, the capability, a lot like, and I go back to my contractor days. For those people who don't know my history, I have a 100 percent win factor on proposal writing. 100. If I write it, I'm going to win it, because the whole purpose of that is that you have to get the right teaming in place; you have to get the right capability in line. And that's Proposal Writing 101: you speak to what the customer wants in their language, and you explain clearly how you can fulfill their requirement. So industry came and they said, you can't do it in proposal, because we're still trying to figure out what we want to be. It's got to be that if there's not a certification available yet, and I want to get there, so if I'm saying I have to be a three, that means I'm positioned and whatnot. We wanted companies to strive to be better, to get better, and we wanted that opportunity. And also, at proposal, for really those small businesses, you want to be a level three, there's investment, and you probably have to go to your board, and to your bank, for the investment. And those of us who work in contracts and business development, PWin matters. Do you make that investment? We do it all the time in DoD; we have entire portfolio managers that go through and just say where do we need to invest our dollars on big things. The same thing with industry: if I have a PWin of 20 and I can achieve a level three, I have all of the documentation out already, where I can take it to my internal team, or hire a consultant, to say, hey, listen, I want to be level three, where are my gaps? You can look at the tools online that are free, and inside that, you know what, listen, if I was a level three my PWin goes up to 60. There's rational thought behind, okay, we need to make that investment. That was the whole purpose of moving it to the time of award: it was 100 percent to get businesses that opportunity to position themselves appropriately for the work that they... you dress for the job you want, not for the job you have. That was the analogy; that was the whole purpose, people. So I thank you for asking that, because that was all of my time in capture management and BD coming out when industry said, no, no, you've got to get ready to be where you want to be, and that's at contract award, and that's when the rubber meets the road.

Yeah. So that's a really great answer. So one hypothetical scenario, and I know all of this is still being worked; this is an active project that we're in right now, even though some things have been solidified, especially the fact that most of these companies needed to be NIST 171 compliant already, last time I'm going to say that. But let's say, hypothetically, a company wins; they have been notified of award, and they don't get their act together; maybe they don't get their certification by then. Number one, what's the kind of process or thing that's being kicked around? Will they have an interim period to correct and get certified, or is it at that point in time, sorry, pal?

Yeah, so I'm going to say the way we rolled the rule out was that the Honorable Ellen Lord and the SAEs have a pretty good swath of what they can and can't do over the next five years to get good. It's not a pass by any means, but we're going to work, as we have stated from the very beginning, hand in hand with industry and the Accreditation Body and all of the entities that support that, to ensure that we get it right and we don't hamper acquisition. But with that being said, your point about NIST 171 is spot on: for years, for five years, the better part of five years, industry has been saying, yeah, we're doing it. And we can't award... this is a crawl, walk, run, and when we're operational on this, if you can't do the work, if you cannot get the "trust but verify," we can award. But there will be time between now and the five years; that's why we have a five-year rollout process, and we're going to work, but it's not a pass, because we are dead serious about this in the government. I cannot implore people enough to adhere to the good work that NIST has done. Remember that the CMMC is 100 percent based on NIST 53, which gave birth to NIST 171, the NIST CSF, the Cybersecurity Framework, ISO, people. It's not an and/or; they all were building up to it. But to have a maturity level of one through five, you have to have some instances of 53 in level 1, to get to level 2, to get to level 3, which created the 171. So know that NIST is the basis of the model; it has never deviated from that. The CIO is the entity that determines the cybersecurity standard for the Department of Defense; that is currently the Honorable Dana Deasy, and for him to change that, he has to go through rule change too. So know that. Somebody asked me a week or so ago, what is NIST 53? I'm like, oh, that's for federal systems; that's for inside the wall, how we function inside the wall, which is not exactly how we function outside the wall; that's 171, and there is a difference. 53 gave birth to 171. And you've watched, which is really ironic, when people think... I can't help who I am; I talk a lot about me because I'm the person, like, I can't say anything for anybody else, but it kills me...

Yourself the most.

Yeah. When people say, oh, she doesn't understand the NIST. No, I do. I just understand that they updated 53, but you do know they updated 172, right? Understand that it's like DFARS 12, DFARS 19 and 20 and 21: they're alike but not the same. And NIST has been doing an amazing job evolving, and people come, oh, well, you just need to use 53. You can't, because that's for a federal system and there are differences. But it was 100 percent based in the NIST, and the people over at NIST, and I'm
going gonna say ron ross um you know they're there are people you look at over your career and you look back and just doing the right thing for all the right reasons for so long and people like him and and the folks at nist and i just can't say enough positive about them and his excitement you want to talk about social media presence right ron's excitement daily has been at a high pitch for many many years right i'm a newcomer in that that landscape per se and wow you just sit back and you're like oh my gosh he missed he's been a champion for years he really has been and i don't think he gets enough accolade in that regard that you know and it's just he's one of those people it's like yeah the nist says this and this is what we based it on it's it's pretty impressive they they're they're amazing people yeah yeah you mentioned bob earlier i would lump him into that crowd as well yeah oh god yeah oh my so you so you you think about um wow this conversation's really gone down a different path but i like to sit back and think about if i was to you know have a hand in poker right i used to joke around about my deck of 52 um for government right who are the 52 people i'd love to have in a deck right that would be the deck and i think about the people that are in the deck now right and i've got the hand and poker and you there are just some really amazing thought leaders out there and um that have been illuminaries for a long time and you think that their little candle will go out and they just keep going um bob metzler uh being one of them you know ron ross absolutely um i i could go down the line of people that is just um miss lord right um saying yeah we gotta get right you know coming out of the it's really has been um you know and i would be remiss if i didn't mention you know kevin fahey right yeah the the father of acquisition and it's these people have been saying the the same cadence and conversation for a long time to to get to where we are today this is not a 
new conversation it's just taken a lot of momentum to get there yeah most certainly i mean uh mr fahey and also miss lord uh laid quite a road for you it was uphill it was still uphill but they laid they laid quite a road for you they put these carrots in front of me yeah that too that too um so i last two questions one is on scoring visibility and the mechanisms for that so obviously there's clear definition on you know how some of those score how the how the scores are going to be on the score sheet they're going to be in the system um sprs um for primes because they're gonna need to be kind of held responsible um they're gonna be held responsible for making sure their subs and i'm not gonna get there or certified how are they gonna kind of know from a scoring standpoint that hey i'm bringing on subs that are cyber secure is it going to be through their own checklist or will they get to know some of those scores some of those certifications and things of that nature so go back to the original and and this one um i i'm saying we're we're still working through right because first rule of fight club is you don't talk about fight club right yeah and somebody asked me this on linkedin i i think and i i will be honest whoever it was i responded to i was playing with my grandchildren i had just walked in the door my grandkids were there and i was typed to texting so i hope it came out right um because i do read this stuff right i am i'm trying trying hard um but it's uh you know what our intent is that it would be in the nda of the sub to the prime and the teaming agreement okay that they would disclose it at that time um if companies and i i this is my reference point and i could be you know the devil goes both ways right you say on your website you're iso certified okay you say on your website your cmmi but do you really need to say what level right i yeah because then it's just and and i'm we're open to discussion we're going to put it in spurs it's you know going to 
be something that we can see in the dod um i'm just i'm apprehensive of if companies put it in their marketing then the difference between level 2 and level three immaturity the adversary has a direct line on how to hit you right and that's i i don't have uh i have my thought right i firmly believe that it should be something that you know um it's it's like your car right you want to show it off but you lock it so i think the best way to do it is in the teaming agreements right that you signed an nda word will get around right that's not not a doubt but um that that is where i i i'm not gonna be the decision maker around this that's that's definitely up to the the the body of this whole effort but that has always been my thought that if we post it that makes it easy for the adversary and then the other side i talked myself out of this all the time right well we tell everyone that this is based on the nist the adversary already knows the controls and the processes so i i struggle right and this is part of the conversation i i don't know everything by a long shot i'm just for sure not the smartest person in the room ever um and and but it's you know there always is somebody who has a different perspective that may come differently look at it differently so open to the con the communication about it but that's where we're sitting right now is that if we keep it at that level and we we nda it um the thing that you know small business and this is other um comment i said to bob metzler in my email was um he had asked a question and i said um you know the small business administration grilled us pretty hard on um as they should that's their job to represent small business right um they asked how it wasn't um that we weren't giving all the power to the prime mm-hmm on the small business and i said oh my gosh no it actually supports one thousand percent the innovation and the capability of the small business because those thresholds on contract award and small business 
participation are gonna have to be met and if we're smart on this we say in our our our acquisition strategy right 25 of the work that is needed on a cmmc level 3 needs to be from a small business because we need to drive it down that way right to get goodness so it bubbles up because you know growing organically companies that way you know that they start small they get big but you create the culture and the the critical thinking about doing it in a secure environment only you know better enables all of us so there are some some interesting things that that you know i think are coming down the pipe i can't say 100 but if i'm i'm a betting lady right um you know the the fact that we're we're working through that that 5 000 um the adap acquisition framework we have a total instruction about cyber security and taking the pm back and saying all right now what is the goal what are you trying to protect here and literally like requirement by requirement this will require a level you know unless otherwise stated level one certification for the cmmc if you're doing this this will require a level three um and and staying on on point that you know every you know large contract award needs to have small business participation at x you can tweak that to say it at x level blank we have capability but we have to have the conversation right and let's not fool ourselves too you know the the small business industry one is resilient number two it's made up of business-minded people that are rather going to a take an opportunity and say i'm going to get my certification i'm going to get my stuff together and i'm going to be competitive because some of my other competitors are not doing this they're not being proactive and so when i go to you know l3 harris lockheed martin et cetera some of these primes and say i'm ready to go and my competitors are not ready to go who are they going to pick um and then similarly if lockheed martin l3 harris etc if they're looking for a skill set or 
a capability within a business and that business has not done what they needed to up into that point you better believe if those busines those primes see it advantageous to have that company on their team they're going to make sure that company gets ready to get certified there so you mentioned that and i know we're at we're close to time but there's two things that i want to talk about so you may go over yeah hit me all right so that's the a the first things first right um there they're they're two the national cyber solarium i cannot talk about that report enough if you're not paying attention to the overarching theme of the national cyber solarium it's about cyber security insurance right it's all about you know and i've given the analogy before about the driver's license like we didn't have when cars first came out we all had to go get driver's licenses so we understood the risk and how the we we make sure each other are in checks and balances the insurance rate right think about what they're talking about the the big for anybody listening to this webinar the fact that they want to amend sarbanes-oxley should have everybody going oh i better get ready right that they want to amend sarbanes-oxley to have a cyber maturity level for the company and the reporting you're filing come on people it's it goes back to the it's it's the core tenant of what the cmmc started off with and and will always be right you can't get off of it cyber is in everything we do and unless we understand the rules of the road on the information super highway and we all agree that while we're out there we gotta agree to the commonality that's what the the cmmc is so that's that's one side um that definitely but when it comes to the thing that you talked about was the primes getting the the small businesses and i will tell you um capable and ready um a lot of larges are working out in moving into cloud instantiations where they can let those small business niche capability providers come 
into their cloud we are absolutely in in sync with the fact that that may be how they they they fulfill that requirement and we we look forward to that right because if you have to decide right am i about the capability that i can provide to the prime right or is it the security what for the prime has more value is it worth that that overarching let me create a cloud instantiation that my small businesses can enter to do the work that is classified or kui that we need to protect versus you know getting them you know to get that organic capability or or semi-hybrid capability i think those discussions have been going on already for about a good year two years to get companies good but that's you know i look at those two different pathways right that there are two very different things going on in that regard but you know we'll we'll see where it goes but i'm excited about what the primes have said i have also taken great pains and consideration with everything that we've done coming from a small business my husband and i you know he owns a a small business the backbone of this nation was built on small business because it's very rare i mean people forget amazon was small i mean do you remember when amazon was a book service right let's think about nothing starts big tesla started small ford small they got big and we need to understand that to get the really good innovation we we always have to go back to small business and and we in the department of defense um i can tell you small business has always been core we don't want to put them out of business we want to help them be resilient and enduring and grow because you don't get the amazons of the world you don't get the the forge you don't get the teslas you don't get the microsoft i mean think about it microsoft started in a garage yeah small business 101 yep exactly well katie i know we're about at time do you have two more minutes for one last question of course okay we haven't talked as much about the a b so 
we'd be remiss about maybe not uh bring it on i guess not not talking about that group and some of the great work they're doing and we talked about volunteering and getting involved obviously that's one of the ways that some of the folks listening can get involved um how is you know with this interim rule the comments you're going to be getting and the continued process forward um how is your team working with that team vice versa all that kind of good stuff speak to that a little bit so let's go back in time to the november 2019 when we did the or was it october and i'm so sorry it's all a blur yeah we did that we we did the original rfi we we went out and we said we needed a non-profit to hopefully you know be able to take this model we had i think and i'm sorry i i i want to say it was ten or eight responses right so we put out an rfi it's not like we we just went and said poof we put out an rfi then we insured everybody that responded to that arm if i had an end pub the public had an invitation to this is what we need to happen to to make this we can't we can't do it in the department we really need a non-profit 501c3 um many people were a part of that um and then they created and and if you would uh allow me the time i would love to have this this two to three minutes to discuss this all of the people that were in at those original meetings um they came together right and what was presented back to the dod just so were crystal clear only one thing came back at all that there weren't multiple hey we want to be there was one entity group that that came back to us think about that right we put it out for the whole wide world we said give us what you got and we got that thing and they formed they created those those volunteers those those original you know we're going to be here they created their mission their charter their election bylaws how their their board is set up we had nothing to do with it i love the people that try and put this this pay to play um for 
any previous board member current board member and future board member if anybody has ever been on a board of a non-profit to which i proudly say i have been on many it ain't easy okay and this group came together and they they had an election they they had nominations they voted on it they've had board meetings they've they went and they filled out the work to become a 501c3 all doing this with nothing more than an mou and a desire to get something right yeah and were there missteps yeah of course right not perfect but for you know and and part of the challenge has been you know as they're standing up and and they're getting good what are the things we need to impart on them to make sure that there's no oci right so um originally they signed all of the the board members from day one to today sign oci agreements they have things in place but we went the further step right as as this started to gain momentum and people started being fearful that it's going to turn into the self-licking ice cream cone that the people are going to be the the ones to make all the money um just level set nobody on the board has earned a dime a dime because they don't right this is all volunteer you're talking about people who have day jobs right they have volunteered they believe in it they on an ab a non-profit and they're spending hours every day oh yeah hours right away from their money-making business which i'm so so people come back and they bat you know why you know why you're defending i'm defending anybody who has ever done and leaned in to make it better and volunteerism should be something that is is honored and and cherished in our in this nation right and in this industry we all have things like gafsias and the ndias where you go in and those are associations but you volunteer um i was on the board of directors for the charleston defense contractors association for the better part of seven years put on a summit for 2 000 people every year with a crew of volunteers on a board 
and it never is easy and there is never a time when everybody on the board is singing kumbaya and in love with each other that's never been the case on any non-profit i have ever served in in the entirety of time but they somehow managed to continue to evolve and grow and we came back and after industry made comment and said hey can you do this so we said all right you got to get iso certified that you have to do these things so we've i'm going to say there's a lot of there's a lot of noise right um and and i can address a few things yes i i have known ty scheiber for a long time i have known a lot of people in industry a long time i've been around a long time um ty i had no idea that the the the the he he put himself or or anybody i had no visibility no visibility into the elections who they decided what they did and i'll tell you um i'm i'm friends with tai i think he's a really great guy uh he's a marine you can't not not um and i appreciate the fact that he he took this monster on um and perhaps to him but um you you look at all of the board members it's you know it's how can you not be grateful of everybody from you know nicole and chris and john and mark and and you know regan and all of them right it's just they're all good people you know things happen ty's not on the chairman of the ab anymore it's irrelevant to me it's it's not about the the the the individual it's about the mission right needed a good service it's not like yeah all of them have in their own right and people have left the ab and and there have been votes and there have been things but that's what we asked for was a non-profit that we didn't have any say-so on right that was a whole point of it so hey if you want you know they're the nominations like as they come i mean they have you can only serve for i think two or three years you have a cooling off period so even if you you leave with your you know you you decide for health reasons your family you still have a cooling off period that 
you're not supposed to do work with business so yeah things happened um missteps yeah but not as much as people want to present that there are because we're here we had people go through trainings we've had you know the the website stood up we have had it's you know we're doing processes and it's just like ah you know so carlton you know is the chairman right now um if people don't know carlton's background he is an amazing individual who really believes in this country um regan uh ben i i can't from you know it's you you know and i sit back and i i laugh and i'm sorry i've gone so far over but i very rarely get to go down this path i i sit at the original room in and psc thank you david berto and and the psc the professional service council for having that event for us and live streaming and i look in my mind's eye over that audience and a lot of the people that were in there you know i saw their faces and as i watched them come together and and you know mind you um i have had a lot of insight into what the the the process of the the the model and the training i have not ever um been i'm sorry i take that back i went to one meeting in person with the ab that was uh you know basically the kickoff right um of what we were doing and then they have functioned right stacy bosgenick is the director of the cmmc she's doing a fantastic job there's a pmo of a program management office and you know i i'm i hope uh that at the end of the day anybody that has put time in um is is looked at as a community um as a thank you and uh good job and uh you know it's but nothing's ever gonna be perfect and you know the the hubba baloo about me um and and it's just it's not about me right it was never about me it's nev i'm just the mouth of the south and nor will it be about any particular cmmc ab member um people are going to come and go um this is these are hard jobs and people have personal things you mentioned earlier you know reasons for someone to to take a hiatus or you know 
remove themselves for a time like these things do not need to be dramatized or sensationalized this is hard work and we're going to see people come and go and and we need to be thankful for their time that they do spend with us and and with the greater community and and one of those things to say right as the the the direction and the the the per you know to do a startup com get a you know a non-profit stood up is a different lens than sustainment right and it's a lot for any one person to you know i i carlton as you know serving as the vice and then becoming the chair and we we do keep a listing of who is on the a b and i know they have a few new members who have come on board they have a different lens right they have a different perspective on things and that's the whole point of volunteerism and a board and you cycle through and i know one of the conversations that we had with the board is you can't have a a you know they asked in the very beginning what would what are one of the the downfalls of an ab and i said well when you've stood up like you guys did if you don't have like a a rolling off rolling on process you're going to lose all that continuity of care right so you've got so it's there's so much to be grateful for i i can't and i've gotten a lot of you know i somebody asked me the other day i said oh i'm the most vilified person that you know i'm out you know creating a monopoly um and doing this so i do hope the world realizes and i'm sorry this is going down a whole different path because this is my time to be in service and i am honored and privileged and the department you know putting it and making it an ses position um the the ciso ans was because they realized that it needed to be an enduring and i competitively bid for right because i want to see it through um you know i i could have very easily said peace out and high-fived um i i said no i want to dig in and i want to invest you know i believe in this so this is my commitment like all of 
those people who have volunteered to serve in this nation you know they they get paid while they're doing it but it's at a cost of and you know i'm just stop for a second before you chuck stones at anybody in this whole process is that you know anything worth obtaining in this life comes with costs go back to the very beginning i always do this the circle of life thing um i'm just i know that we in the department are incredibly grateful to you know and the k the cast of of the many from chris dalton mark berman ty scheiber john wyler um you know ben um carlton i i just for me to go through and say all the amazing things that each of those individuals have brought and will continue to bring regardless if they're on the a b or they're just part of the mission until you you know um put up or yeah you know and and these are the i wish people could understand all the complexity i i just no i i appreciate it i appreciate it we need people that are passionate that add value and are hard working and i think you obviously encapsulate those three things as well as many of the people you mentioned so thanks again katie um really do appreciate it and no everything you talked about i think is poignant to the day we live in and um amen um i will do this um and for everybody stay positive test negative and know that we'll get the word we're getting there and stay true right just got to keep keeping on in the mission but yeah all right thanks katie so much for answering some of those questions i think the the audience is really going to appreciate that and we look forward to getting this video published so again thank you for joining us thank you [Music]
Info
Channel: Summit 7 Systems
Views: 1,922
Keywords: CMMC, DFARS, Interim Rule, DFARS 7012, DFARS 7019, DFARS 7020, DFARS 7021, Compliance, Cybersecurity, Defense, Aerospace, Arrington, DoD, DIB, Cybersecurity Maturity Model Certification, CMMC AB, Summit 7, CS2, Cloud Security, Cloud Compliance
Id: jgy6xvFvC58
Length: 74min 3sec (4443 seconds)
Published: Wed Oct 07 2020