[00:00:05] - So we're here talking about the Cybersecurity Maturity Model. And we're gonna hopefully secure the DoD supply chain. Go 'head next slide. Okay, so when we started talking about this, right, because you know when we measure programs in DoD we do cost, schedule, and performance. There was talk that said, "You know, hey, we were gonna". Now, these slides are out on our website so you don't have to take pictures if you don't want to. We started talking about it and we don't want it to be, security to be a tradable capability. It's not a negotiable item. So we said security has to become the foundation of what we're doing. All right, so we started lookin' at the levels, right? And the vast majority of our DIB partners are at the bottom with their cybersecurity. They barely have enough cybersecurity to manage what they tell you you should have for security at home. So, has anybody heard that we lose $600 billion a year in information because of these breaches that happen, because of the lack of cybersecurity? So, Katie tells a story. Her husband was in the military and then her daughter joined later.
[00:01:30] Her husband used to go to the range every week and shoot and practice marksmanship. Her daughter joins, she gets to go 20 times. They get 20 bullets. If we just save 10% or 1% of the money that we're losing every day for cybersecurity losses, think how many bullets we could buy for these kids. And quite frankly, I'm not comfortable with my child going out in war only having practiced shooting 20 times, right? So, you know, we are bleeding out money and information from that, so it's paramount that we get here, right? That we secure our DIB. So, we're lookin' to bring in cyber hygiene that, how many people are familiar with NIST 800-171? Okay, NIST 800-171 is really just the basic hygiene for you guys to be able to handle covered, unclassified information. So our cybersecurity model is gonna bring, it's gonna have levels from one to five, right? Three is gonna be where you're gonna be able to handle CUI, and that's the basic hygiene that's gonna be basically in line with NIST 800-171. Go ahead. Oh, this is a big one, right?
[00:02:49] So there's a lot of information on this slide but what CMMC is gonna be, planned to do, it's gonna be a go/no go capability. So what we're gonna say is in your RFPs, when you get them, you must be level one, two, three, four, five to do this work. Like I said on the previous slide, level three is the basic to handle covered unclassified information. Four and five is gonna be at our higher level, and in fact, I think if you go to the next slide. No, it's the next one after that, but anyway. That's where we're gonna hopefully have semi-automated tools. We're not making this hard for companies. We're gonna give you a deskbook that tells you exactly what you need to do. So we laugh, we're gonna give you the answers to the test before we give you the test, so you have the knowledge and understanding what needs to happen to be able to achieve that level. So right now I've been tapped to be the director for CMMC.
[00:03:53] We're setting up a consortium of companies that are gonna handle the training and the accreditation of the certifiers, and then we intend for there to be third-party certifiers that companies could go to to have them come in and give, do you have a question? Oh, come in and give you your certification, so the expectation is that a company's gonna have the answers to the test, they're gonna know what they need to do, so before you expend any funds or time to have a company come in and you have already been able to go through yourself and pretty much judge that you're where you need to be. Does that make sense? Okay, go ahead to the next one. All right, how do we do this? So, and we're workin' through it, we're gettin' ready, we're gonna probably put our 0.4 version that's comin' out at the end of the month, it'll probably be the middle of September before you'll see it on the website 'cause we have to go through public affairs. We're gonna put it on our website for comment and for your awareness.
[00:05:01] Now, I'm not gonna promise we're gonna answer all the questions 'cause if I know the DIB, we're gonna have a lot. But we're gonna go through them, we're gonna cull through them and make sure that we take into consideration your major questions and things that are gonna impact the model and try to keep those incorporated, but we're on a fast-moving train because we have a responsibility to have this thing settled and done by January, and that's when we're expecting the consortium to come in and start training the trainers and gettin' that information out, so by June we're ready to start certifying companies, and then by the fall, it'll be in RFPs, and we'll be able to start using the CMMC as a go/no go criterion contract. So what we've done in these different phases is we've taken different standards that are out in industry in other agencies, other countries, and we're using them as a model to come together to generate our assessment levels and our model. (muttering) All right, so when we started looking like I talked before about the CMMC levels.
[00:06:14] So level one right now, is gonna be basically around 17 controls. Now when you see version four come out, I'm not exactly sure how they're gonna put the information out, it's funny 'cause when they started lookin' at all the information across the world with all these certification standards, they did come up with 38, now they're like we're gonna go back and look at them and make sure we don't have any that are duplicative, we definitely get the ones that mean the most. So, CMMC level one, basic cyber hygiene, and every company in our perspective, every company that does business with the DoD, will have to be at a minimum level one certified, right? Then level two is a little bit more, 46 additional. So these build, right? So you have basic 17, then you have 46 more, then 47 more to get to the different levels. Go ahead. Okay, so how many have heard about NIST 800-171b? Okay, so we know that NIST 800-171b is gonna be for only the crown jewel type contract, right? And it's gonna be expensive.
[00:07:33] We've already looked at that, we recognize that it's gonna be a major cost. And we're working through how to handle all of that. And like I said, most everything that we do will probably end up being at a level three. And then we'll have the others, yeah. So I was laughing earlier. If you've heard Katie give the speech, she talks about the movie Phenomenon. How many have seen the movie Phenomenon? No, she's always like "c'mon! It was a great movie!" I haven't seen it either, okay? But in the movie, John Travolta gets this brain tumor. And as the brain tumor grows, it makes him the most intelligent guy in the world, and he's a farmer, and he and his neighbor keep trying to figure out how to build fences to keep the bunnies out of their farm so they can't get in and eat the crops. So at the end of the movie, he's gettin' ready to die, and he looks at his buddy and he says "we can't build a fence big enough or wide enough 'cause the bunnies are already in the farm", right? So our adversaries theoretically are already in our networks. They're our bunnies in our farm.
[00:08:47] This is what we're gonna do to help get those bunnies out. Okay, so this is a crazy, wild slide, right? This is our flow chart, and it does look a little bit busy, but how many people have dealt with federal acquisition, right? Pretty crazy. So if you look at the model, and I'm trying to think what the best way to do this is, right? Workin' on the model hopefully by June we're ready to start training with certifiers, and then we're gonna move in to where companies are gonna get certified, and then it's gonna show up in our RFPs, and it's gonna be a go/no go criteria. Keep that in mind, all right? We're gonna intend for it to be if I get your proposal, and you don't have that certification that you're level three, they're gonna set your proposal aside, and they're not gonna look at it further, right? Well, it's human nature, right? They just saved themselves a week, right? (laughs) But truly, you need to have these certifications because we're losing $600 billion a year, folks. We cannot continue that.
[00:10:05] Go ahead. All right, so this is where we are in the schedule. I think I talked through that a couple of times already. Now like I said, these are out on our website I think if you go one more, ah you want to take a picture, that's the picture to take.
(audience laughs)
All right, anybody have any questions? Go ahead. Well, or, as a group, do we have her ask all of her questions and then see if any of yours is duplicative, or do you wanna like set a rule one per. Go ahead.
(audience member talking)
Okay, okay. Well fun? They didn't want to come and tell, how rude! How rude, that's just not fair. Okay, go ahead.
(audience member talking)
The 70-12, right? 252-204-7012?
(audience member talking)
Right. So they've looked at some different capabilities for the third-parties in ways that they can get financed, but the way we're looking at it right now, and it's funny 'cause we've had some consternation over words.
[00:11:52] The Secretary of Defense originally came out and said "We're not gonna pay more for this", right? But that's because he already expected that it's an allowable cost under your overhead G&A rates. And so the expectation is they're building that into their rates, and that's where it's being covered. Now, like I said, there are some small business programs that they've been talkin' about, but we haven't gotten anything solid that I'm prepared to say. Have 'em go to Bob and have 'em give 'em money, but we are looking at that, and we are trying to make sure that we don't put undue burden on the smalls 'cause we recognize that it could be a limiting factor, and I think, you know, if I go back to the slide where it talks about the, don't actually, the different, if I just hit the right button right, all right, so if you look at the different levels, and I don't know where they would fall, if they're gonna handle covered, unclassified information, undoubtedly they'd have to be at level three, but you remember there are 110 controls in NIST 800-171.
[00:13:02] We're pretty close to the exact same for our level three as well. And our perspective, some of them might be a little different, but we're goin' more for a critical thinking kind of thing, right? We're not hoping that people just have a checkbox that they go through. We want them to be able to think about the threat. Because, you guys know, as soon as we fill one hole, some thirteen year old kid in another country is gonna figure out how to hack us and go in a different way, right? So we've gotta be critically thinking about the threat that's against our infrastructure and against our DIB partners to be able to protect ourselves. So it's more of a cybersecurity culture and mentality that we're trying to build with this certification. Does that kinda answer your question?
(audience member talking)
Yeah, these are the guys that don't even remember to pay their parking tickets, right, yeah. I used to work with the applied math branch back in the day. All right, do you have another one? Anybody else wanna get in here? You wanna let her go?
[00:14:21] All right, go ahead.
(audience member talking)
So we're definitely lookin' at FedRAMP, and we definitely have that in our mind's eye that we're tryin' to make sure that we're not burdening people unduly, and we're lookin' at the different programs to make sure that there's reciprocity, and that we're not like because the last thing we wanna do is have somebody go "I had my certification in this, and now I gotta spend an extra $100 thousand to get this certification", so we're definitely looking at that. And what we can say. Okay, if you're theoretically if you're FedRAMP compliant or a FedRAMP certifier and have these certifications, you may only have to do one or two other things to get the CMMC certification, so we're lookin' at it. I can't give you particulars on it yet.
(audience member talking)
Okay. So, ISACA is workin' with us. In fact, they're helpin' us with our consortium.
[00:16:00] And the group who set up CMMI are gonna be sittin' on our consortium, so these guys I think are gonna help us 'cause they've got you guys in mind.
(audience member talking)
Right, it's gonna be a bow wave and then. Now, one of the things we're talking about as well, I'm glad you just that just keyed me was we're talking about this being an annual certification, and one of the things that we're lookin' at, you know, is as these threats change, how are we gonna turn to on that? How are we gonna meet the emergent threats? 'Cause right now I think it's now the Defense Counterintelligence and Security Agency, DCSA, and DC3 now put those threats out, so that's another part of this that we're working through is to figure out how do we get the word out to the DIB that this is a possible threat, and you need to be looking at it and preparing for it, so I think right now we're looking at annual. When we first started out, we thought every two years, and then actually the consortium and the CMMI people were like "no, you definitely need it to be like an annual certification", okay?
[00:17:56] Ah, oh now we're gettin' more. Go ahead.
- So a lot of us have large supply chains ourselves
- Yes
- That provide parts and services to us, and so, do you guys have a vision of how that's gonna play out? 'Cause if you (sneeze) a contract, and we have to flow down through these requirements
- Yes. So here's the thing with the level one, right? So your parts manufacturer would probably have to be at a level one 'cause he's not gonna handle CUI, and this is where we're gonna have a challenge as well in educating our acquisition workforce 'cause the way we see this playing out is that I'm program manager, right? And I've got CUI on my program, and he's gonna have to think through okay, I know my prime's gonna have to have it which ones of my subs are gonna have to have it because there could be a sub but there could be some others that need level three certification. So those guys are not gonna be real happy with us because their job's gonna get a little bit more complex. Go ahead.
[00:19:00] - So would that decision be with the prime? Or would it be with the government contractor's office?
- I think it would be both, right? Because I think the contracting officer and the program manager are gonna tell you here's my level of information, CUI. Now, I would think that there would have to be some the prime's gonna be like "okay, I know who my subs are, and I know what information I have to pass down to them", but in your proposal, and we haven't thought this all the way through yet, so it could be a little bit subject to change, but in your proposal, you're gonna come back in, and you're gonna go "okay, these are my subs, and this is what Bob's gonna be doin' this, and Tom's gonna be doin' this, and the information I gotta flow to Tom is level three, so he's gonna come in with level three, but my bolt manufacturer, I'm not gonna give him any CUI, so he only has to be level one", right? And then we're gonna have to do that walk down to make sure that we're protected, so I could see on a huge program, like F35, it's gonna get pretty complex.
[00:20:12] However, we also know that there's a plane flying around in China that looks very much like our F35, right? So we have to do this, and it's paramount that we do this as a team together and work together on this because really at the end of the day, we're protecting ourselves and our nation's. I always say whenever I do this, I ought to have a "proud to be an American" or something playing in the background, but this is our patriotic duty to protect our infrastructure and our capabilities, and I will say that we also sit on the DHS taskforce, and Katie Arrington is on the Federal Acquisition Security Council, and they're looking at CMMC as a potential to go federal government wide because we're losing this information across the entire federal government, okay?
- I don't wanna call out. So we do have ordering from parts store company that manufactures for DoD and we have foreign suppliers
- Right. And yeah, well and the pedigree of the foreign companies you deal with, right?
[00:21:28] I mean, that's one of the things where there are a lot of tools that we're finding out about that can help you look through that and know where your suppliers are comin' from and what their pedigree is, but a lot of the data loss. When we start lookin', at first we were a little unwitting about where the data was going and who had it, and now that we've got our eyes wide open, those are our concerns. Okay, now you had your hand up, and you had your hand up over here, right? So you first, and then I'll go to you.
- So I would imagine when it comes to (coughing), despite having the answers to the test, there will still be some gaps?
- So yes, now we haven't worked through exactly how that's gonna be because we all have our naysayers like "you're not gonna be able to have this done by next fall". Our anticipation and our goin' in position at this point in time is uh uh go/no go, right? So if you're not level three certified and you gotta have CUI, sorry for your luck.
447 00:22:32,366 --> 00:22:35,807 However, the reasonable person would say 448 00:22:35,807 --> 00:22:38,787 "Okay, but if I come next November, 449 00:22:38,787 --> 00:22:40,417 "and I've got this major contract, 450 00:22:40,417 --> 00:22:44,047 "and I've only got one guy that's level three, 451 00:22:44,047 --> 00:22:45,850 "I can't do that", right? 452 00:22:45,850 --> 00:22:47,953 So then, we're gonna have to 453 00:22:47,953 --> 00:22:49,350 take a step back and take a look, 454 00:22:49,350 --> 00:22:53,800 but I will guarantee you that for our critical programs 455 00:22:53,800 --> 00:22:55,870 it's gonna be go/no go, all right, 456 00:22:55,870 --> 00:22:57,710 and we're not gonna have the ability 457 00:22:57,710 --> 00:23:00,203 for waivers or what have you, 458 00:23:00,203 --> 00:23:02,340 but it's federal government. 459 00:23:02,340 --> 00:23:04,440 At any time, there's gonna have to be something 460 00:23:04,440 --> 00:23:06,680 where somebody's gonna say "but I got a one-off", 461 00:23:06,680 --> 00:23:08,800 and we're gonna have to deal with that, 462 00:23:08,800 --> 00:23:10,280 but for the majority of the time, 463 00:23:10,280 --> 00:23:13,547 uh uh it's go/no go, hard line, right? 464 00:23:13,547 --> 00:23:15,860 'Cause we don't want our adversaries 465 00:23:15,860 --> 00:23:17,800 flyin' planes that look like our F35. 466 00:23:17,800 --> 00:23:20,909 That cost us a lot of money to come up with! 467 00:23:20,909 --> 00:23:24,280 And these guys just (fwoosh) stole it, 468 00:23:24,280 --> 00:23:25,390 they didn't have to spend that money, 469 00:23:25,390 --> 00:23:26,500 that's just not fair! 470 00:23:27,618 --> 00:23:29,959 All right, how about you. 471 00:23:29,959 --> 00:23:33,459 (audience member talking) 472 00:23:50,917 --> 00:23:52,170 So I think I got lost a little bit. 473 00:23:52,170 --> 00:23:53,270 Go back and ask again. 474 00:23:54,471 --> 00:23:58,388 (audience member talking) Okay. 
475 00:24:13,627 --> 00:24:15,076 That's a good question. 476 00:24:15,076 --> 00:24:16,210 In our mind's eye, 477 00:24:16,210 --> 00:24:19,470 what we're hoping is this goes ISO, 478 00:24:19,470 --> 00:24:22,784 that this becomes an ISO standard eventually. 479 00:24:22,784 --> 00:24:26,130 I would imagine that if a corporation 480 00:24:29,788 --> 00:24:31,127 has the accreditations to do the certifications, 481 00:24:34,130 --> 00:24:36,590 then we're gonna have to assume 482 00:24:36,590 --> 00:24:38,940 that your individuals are certified, 483 00:24:38,940 --> 00:24:41,453 but I would think, and we haven't 484 00:24:41,453 --> 00:24:42,860 gotten through all of this yet, 485 00:24:42,860 --> 00:24:44,780 'cause we're just building the 486 00:24:44,780 --> 00:24:46,720 consortium now to be the governing body, 487 00:24:46,720 --> 00:24:48,240 and I would think they're gonna be 488 00:24:48,240 --> 00:24:51,220 the ones in this next couple months 489 00:24:51,220 --> 00:24:52,860 when we get that nailed down, 490 00:24:52,860 --> 00:24:54,040 are gonna be the ones that are gonna 491 00:24:54,040 --> 00:24:58,080 tell us how the best way to handle that would be, 492 00:24:58,080 --> 00:25:00,050 but undoubtedly if you're a guy 493 00:25:00,050 --> 00:25:01,420 goin' out doin' the assessments, 494 00:25:01,420 --> 00:25:03,659 you're gonna have to have some sort of 495 00:25:03,659 --> 00:25:05,100 accreditation or certification that you've 496 00:25:05,100 --> 00:25:07,520 taken the classes and understand what you're doin'. 
497 00:25:07,520 --> 00:25:10,320 And one of the things that we're gonna make sure of 498 00:25:10,320 --> 00:25:11,870 is that if your company goes out 499 00:25:11,870 --> 00:25:16,870 and assesses Locky for one through three, 500 00:25:17,810 --> 00:25:20,420 when your company goes in to give them four and five 501 00:25:20,420 --> 00:25:23,410 that you can count that the guy who did the one and three 502 00:25:23,410 --> 00:25:26,280 that everybody does it the same, that there's consistency, 503 00:25:26,280 --> 00:25:28,267 that we're not gonna have this 504 00:25:28,267 --> 00:25:31,017 "Well call Joe's company 'cause they're easy. 505 00:25:31,017 --> 00:25:32,670 "They don't even hardly look anything." 506 00:25:32,670 --> 00:25:34,580 We're gonna have to do quality checks 507 00:25:34,580 --> 00:25:36,750 on them to make sure that we're hittin' it. 508 00:25:36,750 --> 00:25:38,200 This is too important not to. 509 00:25:39,231 --> 00:25:42,731 (audience member talking) 510 00:25:46,050 --> 00:25:48,100 So here's what we're lookin' at 511 00:25:48,100 --> 00:25:49,740 is we're gonna get it all set up 512 00:25:49,740 --> 00:25:51,210 and have the model put together, 513 00:25:51,210 --> 00:25:52,910 and then we're gonna hand it over. 514 00:25:54,119 --> 00:25:56,690 Now, initially we said nonprofit. 
515 00:25:56,690 --> 00:25:59,440 There are people in the department, like even the lawyer, 516 00:25:59,440 --> 00:26:01,890 like "I don't know if it has to be a nonprofit", 517 00:26:01,890 --> 00:26:03,440 so we're still trying to figure out 518 00:26:03,440 --> 00:26:06,410 exactly how that governing body works, 519 00:26:06,410 --> 00:26:08,050 but I will tell you that the federal government 520 00:26:08,050 --> 00:26:11,250 will have a large seat at the table 521 00:26:11,250 --> 00:26:13,360 on the board for the direction of it, 522 00:26:13,360 --> 00:26:17,817 and there's gonna have to be a close relationship 523 00:26:17,817 --> 00:26:19,650 because of the fact that we're gonna have to 524 00:26:19,650 --> 00:26:21,500 be able to pass the information for 525 00:26:21,500 --> 00:26:23,192 emerging threats and stay on top of it 526 00:26:23,192 --> 00:26:28,149 in the ever-changing world of cyber. 527 00:26:28,149 --> 00:26:31,866 - Because we are as strong as our weakest link, 528 00:26:31,866 --> 00:26:33,656 - Yes - We are thinking 529 00:26:33,656 --> 00:26:36,128 I know that we are looking more over 530 00:26:36,128 --> 00:26:38,490 what we have control of, 531 00:26:38,490 --> 00:26:39,980 what we can see. 532 00:26:39,980 --> 00:26:43,094 How about some of these providers 533 00:26:43,094 --> 00:26:46,543 Like Visa, Verizon, AT&T that provide a service to us 534 00:26:46,543 --> 00:26:48,993 are they have to be also certified? 535 00:26:50,231 --> 00:26:52,173 That will affect services for anything. 536 00:26:53,894 --> 00:26:56,320 - Yes, I think, yes, they will have to be certified. 537 00:26:56,320 --> 00:26:58,595 I think we're lookin' at anybody 538 00:26:58,595 --> 00:27:00,940 anybody who does business with 539 00:27:00,940 --> 00:27:03,010 the federal government has to be level one. 540 00:27:03,010 --> 00:27:08,010 Now, please tell me that a company like Verizon 541 00:27:08,290 --> 00:27:10,850 has got their eye on the ball, right? 
542 00:27:10,850 --> 00:27:14,082 And one of the things with this whole CMMC, 543 00:27:14,082 --> 00:27:17,700 it protects the companies as well. 544 00:27:17,700 --> 00:27:19,800 I mean, part of the $600 billion 545 00:27:19,800 --> 00:27:22,858 is your intellectual property that's leakin'. 546 00:27:22,858 --> 00:27:25,310 And I think some of the smaller companies 547 00:27:25,310 --> 00:27:28,600 are unaware that their information has gotten out, 548 00:27:28,600 --> 00:27:31,310 but it's paramount for the whole thing, 549 00:27:31,310 --> 00:27:33,902 so please, I hope Verizon, AT&T, 550 00:27:33,902 --> 00:27:35,802 they're keepin' their eye on the ball. 551 00:27:37,107 --> 00:27:38,076 Go ahead. 552 00:27:38,076 --> 00:27:41,576 (audience member talking) 553 00:28:03,830 --> 00:28:06,610 So I'm thinking that they have 554 00:28:06,610 --> 00:28:10,400 the certification documentation, they have a certificate, 555 00:28:10,400 --> 00:28:14,430 so when you propose on a proposal, 556 00:28:14,430 --> 00:28:17,233 we get a copy of that certificate. 557 00:28:18,130 --> 00:28:20,040 And that's kind of the way I'm thinking about it now, 558 00:28:20,040 --> 00:28:22,197 we can get into this consortium thing (mumbles), 559 00:28:23,577 --> 00:28:25,610 "you're so naive, that's not the way it works", 560 00:28:25,610 --> 00:28:27,993 but that's what I'm thinking, okay? 561 00:28:28,934 --> 00:28:30,560 Go ahead. 562 00:28:30,560 --> 00:28:33,276 - What level of risk management 563 00:28:33,276 --> 00:28:37,126 are you guys thinkin' is the mandatory? 564 00:28:37,126 --> 00:28:40,920 - To? 
- To be certified 565 00:28:40,920 --> 00:28:45,920 - So when you look at the different controls, right, 566 00:28:46,540 --> 00:28:49,163 and I know multifactor, they keep telling me 567 00:28:49,163 --> 00:28:51,800 "Stacy, multifactor is a little bit, it's like level two", 568 00:28:51,800 --> 00:28:56,800 but those kinds of capabilities in your system 569 00:28:58,170 --> 00:29:01,371 is what we're lookin' for in the standards, 570 00:29:01,371 --> 00:29:03,390 and what we're also lookin', 571 00:29:03,390 --> 00:29:06,160 and I think I'm gonna get to your question now, 572 00:29:06,160 --> 00:29:11,130 is that there's a mindset in the company 573 00:29:11,130 --> 00:29:15,820 that is watchin' for the incoming threat. 574 00:29:15,820 --> 00:29:17,380 What kinds of things are you building 575 00:29:17,380 --> 00:29:21,250 into your system yourself to protect 576 00:29:21,250 --> 00:29:23,460 against the emergent threats, right? 577 00:29:23,460 --> 00:29:26,850 And it's that mindset that we're lookin' for. 578 00:29:26,850 --> 00:29:30,443 - So there's not like a mandatory risk management framework? 579 00:29:30,443 --> 00:29:33,167 - Not yet, not yet. - Okay. 580 00:29:34,075 --> 00:29:35,940 - All right, go ahead. 581 00:29:35,940 --> 00:29:40,940 (audience member talking) Right. 582 00:30:36,330 --> 00:30:40,000 So, and it's funny, because if you 583 00:30:40,000 --> 00:30:42,460 start lookin' at this problem, 584 00:30:42,460 --> 00:30:43,910 the best bet for the government 585 00:30:43,910 --> 00:30:46,480 is if we could come up with offensive tools 586 00:30:46,480 --> 00:30:49,720 that test things to know, right? 
587 00:30:49,720 --> 00:30:52,141 I don't think you're ever gonna be able 588 00:30:52,141 --> 00:30:55,050 to eradicate the problem in its totality, 589 00:30:55,050 --> 00:30:57,980 but I would think so from your perspective, 590 00:30:57,980 --> 00:31:01,434 if you're gettin' parts from outside the country, 591 00:31:01,434 --> 00:31:05,560 but you have the cybersecurity, 592 00:31:05,560 --> 00:31:07,410 then you're gonna meet my standard. 593 00:31:07,410 --> 00:31:09,740 But when I start gettin' those parts, 594 00:31:09,740 --> 00:31:12,800 there's gonna have to be some "testing", 595 00:31:12,800 --> 00:31:16,610 some random testing to make sure 596 00:31:16,610 --> 00:31:17,830 those parts aren't counterfeit, 597 00:31:17,830 --> 00:31:20,290 and that actually is gonna dovetail into, 598 00:31:20,290 --> 00:31:22,390 so that's not really CMMC, 599 00:31:22,390 --> 00:31:24,330 that's gonna dovetail into some of our other 600 00:31:24,330 --> 00:31:28,910 supply chain risk management things that we're working on. 601 00:31:28,910 --> 00:31:30,780 In fact, we just stood up a supply chain 602 00:31:30,780 --> 00:31:33,910 risk management working group at the Pentagon 603 00:31:33,910 --> 00:31:37,190 to try to start gettin' at those kinds of problems. 604 00:31:37,190 --> 00:31:42,190 Now, DoD has had a fairly robust counterfeit part plan, 605 00:31:44,510 --> 00:31:47,710 so we're still gonna utilize that as well, 606 00:31:47,710 --> 00:31:50,400 but we're gonna probably be looking 607 00:31:50,400 --> 00:31:53,220 for things that can help us in that area. 608 00:31:53,220 --> 00:31:55,350 - So our company was inspected by 609 00:31:55,350 --> 00:31:58,233 DoD for compliance for CUI. 610 00:31:58,233 --> 00:31:59,470 - Compliance for what? 611 00:31:59,470 --> 00:32:01,270 - For CUI - CUI, okay. 
612 00:32:01,270 --> 00:32:05,180 - So I know that auditing is probably 613 00:32:05,180 --> 00:32:07,576 gonna be moving over to DCSA 614 00:32:07,576 --> 00:32:09,228 - Not all of it. 615 00:32:09,228 --> 00:32:10,061 Not all of it. - Not all of it, 616 00:32:11,122 --> 00:32:13,015 so do you still see them being 617 00:32:13,015 --> 00:32:14,823 Or is all that gonna be outsourced? 618 00:32:16,646 --> 00:32:19,741 - So for CMMC, we're gonna go to third parties. 619 00:32:19,741 --> 00:32:23,680 - Okay. - The DCSA and DCMA 620 00:32:23,680 --> 00:32:25,933 will still have a role to play. 621 00:32:27,140 --> 00:32:28,610 They're not gonna go away, 622 00:32:28,610 --> 00:32:31,100 and the DCSA still has cognizance for the 623 00:32:31,100 --> 00:32:33,600 NIST in the cleared defense contractors. 624 00:32:33,600 --> 00:32:36,660 So remember, CMMC is mainly talkin' about 625 00:32:36,660 --> 00:32:38,794 the uncleared contractors which is 626 00:32:38,794 --> 00:32:43,630 a base of about 300 thousand companies, 627 00:32:43,630 --> 00:32:46,230 and DCSA for the cleared contractors 628 00:32:46,230 --> 00:32:48,760 is like 20 thousand companies, 629 00:32:48,760 --> 00:32:51,910 so they're still gonna be involved with that, 630 00:32:51,910 --> 00:32:54,360 but they will also still have a role to play 631 00:32:54,360 --> 00:32:57,950 with CMMC when we see that there's an issue, 632 00:32:57,950 --> 00:33:01,310 there's probably gonna be an opportunity 633 00:33:01,310 --> 00:33:03,130 for them to go out and help 634 00:33:03,130 --> 00:33:06,420 and assist to triage some issues. 635 00:33:06,420 --> 00:33:09,069 - So the CMMC will apply to only 636 00:33:09,069 --> 00:33:12,740 uncleared contractors or both? 637 00:33:12,740 --> 00:33:14,720 - It'll apply to both, okay? 
638 00:33:14,720 --> 00:33:17,262 But it's only meant to handle the 639 00:33:17,262 --> 00:33:19,560 covered, unclassified information 640 00:33:19,560 --> 00:33:22,590 and the basic cybersecurity of a company. 641 00:33:22,590 --> 00:33:24,500 When you get into your classified data, 642 00:33:24,500 --> 00:33:26,170 that goes to a different level, 643 00:33:26,170 --> 00:33:29,090 and it may have different requirements. 644 00:33:29,090 --> 00:33:31,584 - But a classified development company 645 00:33:31,584 --> 00:33:34,041 does work on the unclassified side, 646 00:33:34,041 --> 00:33:36,010 so are you going to apply this 647 00:33:36,010 --> 00:33:37,840 to their unclassified portions? 648 00:33:37,840 --> 00:33:40,520 - Yes, sir, yes, sir. 649 00:33:40,520 --> 00:33:43,290 We will definitely, to make sure, right? 650 00:33:43,290 --> 00:33:46,529 I mean, we've had, there was one company that 651 00:33:46,529 --> 00:33:49,360 I can tell you about that I won't give their name, 652 00:33:49,360 --> 00:33:54,360 so they got hacked back in like 2015, 653 00:33:55,320 --> 00:33:57,680 and it took us a while to figure it out. 654 00:33:57,680 --> 00:33:58,960 So once we figured it out, 655 00:33:58,960 --> 00:34:00,660 and then they got hacked again. 656 00:34:00,660 --> 00:34:03,570 So they brought a company in to help them, 657 00:34:03,570 --> 00:34:04,900 and while that company was in there, 658 00:34:04,900 --> 00:34:07,190 they got hacked again, right? 659 00:34:07,190 --> 00:34:11,530 And we're talkin' like petabytes of data, 660 00:34:11,530 --> 00:34:14,640 so it's important, they were a cleared defense contractor, 661 00:34:14,640 --> 00:34:18,123 so their unclassified side wasn't covered as well. 662 00:34:20,665 --> 00:34:21,498 Say hey! 663 00:34:21,498 --> 00:34:25,040 All right, anybody else got any questions? 664 00:34:25,040 --> 00:34:26,268 Yes, sir. 
665 00:34:26,268 --> 00:34:30,880 - Other briefings, we saw the control side, 666 00:34:30,880 --> 00:34:33,590 and then there was a process side, 667 00:34:33,590 --> 00:34:35,290 and lookin' at our processes for 668 00:34:36,140 --> 00:34:40,386 any can have comments on how you're gonna assess 669 00:34:40,386 --> 00:34:45,386 our process and see how mature we are? 670 00:34:45,450 --> 00:34:47,360 - So no, I'm not gonna 671 00:34:47,360 --> 00:34:52,360 'cause I'm not familiar or bright enough technically 672 00:34:52,660 --> 00:34:56,180 to even begin to try to go there for you. 673 00:34:56,180 --> 00:34:58,620 I know the team that we have that's working on it 674 00:34:58,620 --> 00:35:01,410 are extremely brilliant individuals, 675 00:35:01,410 --> 00:35:03,150 and they've got the lay down, 676 00:35:03,150 --> 00:35:07,260 and now when you see the dot 04 677 00:35:07,260 --> 00:35:10,800 model come out mid-September-ish, 678 00:35:10,800 --> 00:35:13,100 that'll give you some more indication of that, 679 00:35:14,046 --> 00:35:15,128 so check the website. 680 00:35:15,128 --> 00:35:17,360 Now understand, though, when you see this, 681 00:35:17,360 --> 00:35:20,250 don't freak out because it's still in revision, 682 00:35:20,250 --> 00:35:22,700 so that's just dot four, 683 00:35:22,700 --> 00:35:25,590 and we gotta get to one by January, 684 00:35:25,590 --> 00:35:30,590 so it's gonna be changing, it's not gonna be static. 685 00:35:31,795 --> 00:35:33,240 So if you look at that, 686 00:35:33,240 --> 00:35:35,260 don't have a heart attack on me 687 00:35:35,260 --> 00:35:37,527 because it's still gonna be changed, 688 00:35:37,527 --> 00:35:39,933 but do make your comments, do ask questions. 689 00:35:42,310 --> 00:35:44,680 There're not too many Stacy Bostjanicks around, 690 00:35:44,680 --> 00:35:46,810 so you can probably pick up the phone, 691 00:35:46,810 --> 00:35:49,330 figure out where I am, all right. 
692 00:35:49,330 --> 00:35:51,040 Anybody else got any more questions? 693 00:35:51,040 --> 00:35:51,873 Go ahead. 694 00:35:53,091 --> 00:35:56,591 (audience member talking) 695 00:35:59,758 --> 00:36:00,633 When the dot four comes out, 696 00:36:01,511 --> 00:36:04,179 it'll give you an indication of what the controls are, 697 00:36:04,179 --> 00:36:08,270 they're gonna align very closely to the NIST 800-171, 698 00:36:08,270 --> 00:36:10,770 so they'll be very similar to that. 699 00:36:10,770 --> 00:36:13,210 They've pulled in some from AIA, 700 00:36:13,210 --> 00:36:17,980 we have been in close contact with the British MOD, 701 00:36:17,980 --> 00:36:20,090 and they've got a system now, 702 00:36:20,090 --> 00:36:22,740 and, I guess, how many of you are familiar with 703 00:36:22,740 --> 00:36:25,570 the AirDine issue that just came up? 704 00:36:25,570 --> 00:36:26,890 Have you heard about that? 705 00:36:26,890 --> 00:36:29,280 Yeah, that was a little painful. 706 00:36:29,280 --> 00:36:34,280 So these guys self-attested that they met 800-171. 707 00:36:35,090 --> 00:36:37,180 Sorry about their luck, 708 00:36:37,180 --> 00:36:38,550 but they had a disgruntled old CIO 709 00:36:38,550 --> 00:36:42,410 that called the Hotline said "no they're not", 710 00:36:42,410 --> 00:36:46,210 and they got fined, I think, $14 million 711 00:36:46,210 --> 00:36:49,210 under the False Claims Act (whistle) 712 00:36:49,210 --> 00:36:52,000 because they self-attested when they weren't, 713 00:36:52,000 --> 00:36:54,520 so there is precedence here, 714 00:36:54,520 --> 00:36:57,320 and the British had the whole thing against 715 00:36:57,320 --> 00:36:59,120 I think it was British Airways, 716 00:36:59,120 --> 00:37:02,590 and it was like 250 million pounds or something. 717 00:37:02,590 --> 00:37:03,423 That hurt, right? 718 00:37:03,423 --> 00:37:06,555 I could have a lot of swimming pools for that much. 
719 00:37:06,555 --> 00:37:08,573 (audience chuckles) 720 00:37:08,573 --> 00:37:10,967 So you think about, there is a precedence now 721 00:37:15,560 --> 00:37:18,180 for not just self-attesting and 722 00:37:18,180 --> 00:37:20,270 kinda bein' laissez-faire about it. 723 00:37:20,270 --> 00:37:21,970 We need to pay attention to this, 724 00:37:21,970 --> 00:37:24,980 and we're lookin' for you guys to step up 725 00:37:25,934 --> 00:37:27,920 and really cover your programs and make sure 726 00:37:27,920 --> 00:37:31,393 and do the right thing for yourselves and for the nation. 727 00:37:32,340 --> 00:37:34,239 Any other questions? 728 00:37:34,239 --> 00:37:35,464 Go ahead! 729 00:37:35,464 --> 00:37:38,784 - You mentioned that there might be a push 730 00:37:38,784 --> 00:37:43,665 to make an ISO standard or something like that. 731 00:37:43,665 --> 00:37:45,307 Is that - It's gonna be the 732 00:37:45,307 --> 00:37:47,885 Stacy Bostjanick ISO standard - Yes 733 00:37:47,885 --> 00:37:50,475 - Wouldn't that be nice? 734 00:37:50,475 --> 00:37:52,120 Go ahead. 735 00:37:52,120 --> 00:37:56,087 - So in terms of doing coordination with 736 00:37:56,087 --> 00:37:58,810 any of our data departments, for example, 737 00:37:59,694 --> 00:38:03,630 is that being looked at to, is this part of this 738 00:38:03,630 --> 00:38:06,521 to kind of come up with a common standard? 739 00:38:06,521 --> 00:38:10,070 - Yes, and, in fact, if we go back 740 00:38:10,070 --> 00:38:14,957 to that cornucopia chart, this one, right? 
741 00:38:16,240 --> 00:38:20,200 If you see in there, I think there are 742 00:38:21,490 --> 00:38:23,400 some of the other standards, 743 00:38:23,400 --> 00:38:26,284 but yes we are definitely workin' with 744 00:38:26,284 --> 00:38:31,120 Australia has some, British 745 00:38:31,120 --> 00:38:32,620 is another one we've been lookin' at, 746 00:38:32,620 --> 00:38:37,100 so the guys they're really bright individuals 747 00:38:37,100 --> 00:38:41,380 that are the cybergeeks from applied physics lab 748 00:38:41,380 --> 00:38:43,040 Johns Hopkins Applied Physics Lab 749 00:38:43,040 --> 00:38:46,780 and Carnegie Mellon's Software Engineering Institute. 750 00:38:46,780 --> 00:38:48,330 I always get that one mixed up, 751 00:38:49,420 --> 00:38:51,460 so those are the guys that are helpin' us 752 00:38:51,460 --> 00:38:53,450 take all of these different standards 753 00:38:53,450 --> 00:38:57,013 from across the world and put them into this model. 754 00:38:58,033 --> 00:39:00,350 Anybody else? 755 00:39:00,350 --> 00:39:02,289 You're frowning, don't frown! 756 00:39:02,289 --> 00:39:03,625 (audience chuckles) 757 00:39:03,625 --> 00:39:05,067 You need more coffee! 
758 00:39:05,067 --> 00:39:08,567 (audience member talking) 759 00:39:18,394 --> 00:39:20,630 So one of the things that you'll see, 760 00:39:20,630 --> 00:39:21,720 so yeah you're right, 761 00:39:21,720 --> 00:39:24,300 they're supposed to be flowin' it down, 762 00:39:24,300 --> 00:39:29,300 and so the DCMA and the DCSA audits 763 00:39:30,310 --> 00:39:32,770 that are goin' on now or they're startin' out, 764 00:39:32,770 --> 00:39:35,020 so they've just completed the summer, 765 00:39:35,020 --> 00:39:38,000 and I think they did most of the big companies, 766 00:39:38,000 --> 00:39:40,110 and now they're goin' to the next tier 767 00:39:40,110 --> 00:39:42,100 group of companies and performing this, 768 00:39:42,100 --> 00:39:44,020 and they're lookin' to make sure that they have 769 00:39:44,020 --> 00:39:46,480 the documentation and they're flowin' it down. 770 00:39:46,480 --> 00:39:49,130 When CMMC comes into play, 771 00:39:49,130 --> 00:39:53,570 and you give me your proposal, 772 00:39:53,570 --> 00:39:57,070 you're gonna have to talk to here are my suppliers 773 00:39:57,070 --> 00:39:59,240 and here are their certification levels. 774 00:39:59,240 --> 00:40:01,480 Now, there's one thing we haven't quite worked through 775 00:40:01,480 --> 00:40:05,307 'cause some of the suppliers are like "I'm not tellin' you", 776 00:40:05,307 --> 00:40:09,200 so okay, how are we gonna de-conflict that? 
777 00:40:09,200 --> 00:40:12,127 Because you as a prime are not gonna wanna have 778 00:40:12,127 --> 00:40:13,430 "okay here are my suppliers", 779 00:40:13,430 --> 00:40:16,078 and the federal government can go in and look 780 00:40:16,078 --> 00:40:18,327 and go "sorry for your luck, but Tom, he's not there, 781 00:40:18,327 --> 00:40:20,622 "so we're gonna throw your proposal out", 782 00:40:20,622 --> 00:40:22,495 that's not fair, all right, 783 00:40:22,495 --> 00:40:24,320 so you guys are gonna have to work with your suppliers, 784 00:40:24,320 --> 00:40:26,200 and I think it's probably gonna be 785 00:40:26,200 --> 00:40:30,200 a peer-pressure kind of issue, right? 786 00:40:30,200 --> 00:40:32,030 Because I'm not gonna use you unless you tell me 787 00:40:32,030 --> 00:40:34,230 you're certified and show me your documentation 788 00:40:34,230 --> 00:40:36,400 so I can put it in my proposal. 789 00:40:36,400 --> 00:40:39,270 So it will become a forcing factor. 790 00:40:39,270 --> 00:40:41,060 Does that make sense? 791 00:40:41,060 --> 00:40:42,590 All right, sir! 792 00:40:42,590 --> 00:40:45,800 - I know that you kind of alluded to 793 00:40:45,800 --> 00:40:48,173 the F35 and probably some other issues, 794 00:40:49,426 --> 00:40:50,693 but it may be up there, I just can't see it, 795 00:40:53,087 --> 00:40:55,737 is there any interweaving or overlapping with (mumbling) 796 00:40:57,350 --> 00:41:00,970 - I think so, but I can't tell you that definitively. 797 00:41:00,970 --> 00:41:02,017 - Okay. 798 00:41:02,017 --> 00:41:04,333 - I mean, the guys that we've got workin' with us 799 00:41:04,333 --> 00:41:08,580 are pretty good about spanning the whole thing. 800 00:41:08,580 --> 00:41:10,670 I'm trying to think if I, I know I've talked 801 00:41:10,670 --> 00:41:12,250 to some of the anti-tamper guys, 802 00:41:12,250 --> 00:41:16,063 so I think, I think, I think, but don't quote me on that. 
803 00:41:17,320 --> 00:41:20,550 - So I know that a big part of the CMMC 804 00:41:20,550 --> 00:41:24,420 is going to be independence of the audit. 805 00:41:24,420 --> 00:41:26,370 That you cannot self-attest anymore, 806 00:41:26,370 --> 00:41:28,220 now you have to have a third party coming in 807 00:41:28,220 --> 00:41:29,708 - Yes ma'am 808 00:41:29,708 --> 00:41:31,560 - Have y'all clearly defined what independence 809 00:41:32,974 --> 00:41:33,953 means as far as just a large number of contractors, 810 00:41:35,250 --> 00:41:37,170 that have multiple divisions. 811 00:41:37,170 --> 00:41:39,190 They'll have an IT support division, 812 00:41:39,190 --> 00:41:40,530 they'll have a cyber division, 813 00:41:40,530 --> 00:41:41,990 they'll have this, 814 00:41:41,990 --> 00:41:45,270 are they allowed to participate 815 00:41:46,520 --> 00:41:51,016 - Oh like can I have my west wing come audit my east wing? 816 00:41:51,016 --> 00:41:51,849 - Exactly 817 00:41:51,849 --> 00:41:54,081 - Yeah so - define that yet? 818 00:41:54,081 --> 00:41:55,393 - No we have not, 819 00:41:55,393 --> 00:41:57,478 but I would imagine we're not gonna go there, 820 00:41:57,478 --> 00:41:59,130 and the consortium that we've got 821 00:41:59,130 --> 00:42:02,440 with the individuals that have put some of these 822 00:42:02,440 --> 00:42:05,980 things together before that we're workin' with 823 00:42:05,980 --> 00:42:08,642 are gonna help us get through that, 824 00:42:08,642 --> 00:42:13,642 and no, well, I'd say no, but, go ahead. 825 00:42:14,079 --> 00:42:17,698 - Before, a gentleman said, is there gonna be 826 00:42:17,698 --> 00:42:21,772 a sort of a clearinghouse where we can look to see 827 00:42:21,772 --> 00:42:26,283 what companies are certified rather than just 828 00:42:26,283 --> 00:42:29,480 - So we're workin' through how that works. 
829 00:42:29,480 --> 00:42:31,110 We've looked at some of the tools 830 00:42:31,110 --> 00:42:35,813 like ComplyUp and Exostar is anybody familiar with Exostar? 831 00:42:37,140 --> 00:42:39,470 So there are some different tools 832 00:42:39,470 --> 00:42:41,670 out there that we've been lookin' at. 833 00:42:41,670 --> 00:42:43,760 I'm trying to set up, 834 00:42:43,760 --> 00:42:46,040 but you know how it is in that puzzle palace there 835 00:42:46,040 --> 00:42:47,540 trying to get the right person to help me 836 00:42:47,540 --> 00:42:50,163 'cause they're like "oh no, you can't do it yourself". 837 00:42:50,163 --> 00:42:52,262 And see, I used to be a contracting officer, 838 00:42:52,262 --> 00:42:54,270 so I know how to do it, so I'm a little frustrated. 839 00:42:54,270 --> 00:42:57,250 What we wanna do is do an industry demo day 840 00:42:57,250 --> 00:43:00,001 for companies that have these kinds of tools 841 00:43:00,001 --> 00:43:02,970 that can call come in and give us 842 00:43:02,970 --> 00:43:05,740 because they're really startin' to pop up a lot, 843 00:43:05,740 --> 00:43:09,520 so we're talkin' about "trying" 844 00:43:09,520 --> 00:43:12,810 to have a tool that would have those levels, 845 00:43:12,810 --> 00:43:15,490 but it'll depend on the company's willingness 846 00:43:15,490 --> 00:43:19,160 to participate and put their certification level in there 847 00:43:19,160 --> 00:43:21,760 because I don't think, we've gotta 848 00:43:21,760 --> 00:43:24,753 work with the lawyers to see where we are on that. 849 00:43:25,727 --> 00:43:27,140 Can we publish that? 850 00:43:27,140 --> 00:43:28,970 Can we not publish that? 851 00:43:28,970 --> 00:43:32,780 Is that proprietary or information? 852 00:43:32,780 --> 00:43:34,033 That kind of thing. 
853 00:43:34,033 --> 00:43:37,000 I would think, at the end of the day, 854 00:43:37,000 --> 00:43:39,874 it would make sense for companies to wanna step up 855 00:43:39,874 --> 00:43:41,870 and put their certification out there, 856 00:43:41,870 --> 00:43:43,920 and it'd be somethin' they'd be proud of. 857 00:43:44,813 --> 00:43:47,320 (audience member talking) 858 00:43:47,320 --> 00:43:48,460 Yes, sir, that's why we're gonna have 859 00:43:48,460 --> 00:43:50,320 the Stacy Bostjanick ISO, right? 860 00:43:51,544 --> 00:43:52,677 Yes, sir. 861 00:43:52,677 --> 00:43:57,677 (audience member talking) Right, right, right. 862 00:44:12,660 --> 00:44:14,330 So our consortium is gonna, 863 00:44:14,330 --> 00:44:17,460 we will have an adjudication process. 864 00:44:17,460 --> 00:44:20,010 We haven't defined exactly what body 865 00:44:20,010 --> 00:44:21,910 would do that adjudication. 866 00:44:21,910 --> 00:44:24,074 Most probably it'll go back to 867 00:44:24,074 --> 00:44:25,550 a government entity to do that, 868 00:44:25,550 --> 00:44:27,110 but we haven't defined that. 869 00:44:27,110 --> 00:44:30,440 But the hope is that when we put this model out 870 00:44:30,440 --> 00:44:32,949 they are preparing desk guides 871 00:44:32,949 --> 00:44:36,570 for both the certifiers and the companies 872 00:44:36,570 --> 00:44:38,650 that kinda explain these are the kinda things 873 00:44:38,650 --> 00:44:40,600 we're lookin' for, this is what we expect to see, 874 00:44:40,600 --> 00:44:45,150 so hopefully, go back to my nun story earlier, 875 00:44:45,150 --> 00:44:47,410 we won't have those issues. 876 00:44:47,410 --> 00:44:49,310 I'm sure there will be, one or two, 877 00:44:49,310 --> 00:44:51,573 but I'm hopin' that it'll be minimal at best. 878 00:44:52,570 --> 00:44:53,959 Yes, sir. 
879 00:44:53,959 --> 00:44:57,950 (audience member talking) 880 00:44:57,950 --> 00:45:02,070 We have been trying to accumulate that data, 881 00:45:02,070 --> 00:45:06,760 and I will tell you, it ranges all across the span. 882 00:45:06,760 --> 00:45:09,960 To a thousand dollars, like fifty dollars 883 00:45:09,960 --> 00:45:13,113 to a thousand dollars an employee depending. 884 00:45:14,190 --> 00:45:17,710 So yes, we definitely understand 885 00:45:17,710 --> 00:45:19,923 that there's a cost impact. 886 00:45:19,923 --> 00:45:24,410 Like I said earlier with the NIST 800-171, 887 00:45:24,410 --> 00:45:25,990 it's already anticipated that you're 888 00:45:25,990 --> 00:45:28,976 accumulating this cost in your rates, right? 889 00:45:28,976 --> 00:45:32,180 We also recognize that levels four and five 890 00:45:32,180 --> 00:45:37,180 with the NIST 800-171b is gonna be extremely expensive, 891 00:45:38,020 --> 00:45:41,890 and there's probably gonna have 892 00:45:41,890 --> 00:45:44,010 to be some consideration otherwise, 893 00:45:44,010 --> 00:45:46,147 but we haven't thought through 894 00:45:46,147 --> 00:45:47,683 exactly how that's gonna work yet. 895 00:45:48,740 --> 00:45:51,096 - [Audience Member] So you're 896 00:45:51,096 --> 00:45:53,363 saying that level one is gonna be 897 00:45:53,363 --> 00:45:54,196 not that expensive to get that audit, right? 898 00:45:56,097 --> 00:45:58,210 Level five, and I'm just talking about the audit 899 00:45:58,210 --> 00:45:59,710 - So, how much you would have to pay 900 00:45:59,710 --> 00:46:03,907 a company to come in, so hopefully 901 00:46:03,907 --> 00:46:07,407 (audience member talking) 902 00:46:22,317 --> 00:46:25,067 You probably have to speak louder 903 00:46:27,770 --> 00:46:28,860 - Oh, thank you. 
904 00:46:28,860 --> 00:46:31,410 So for anyone that's gone through a FedRAMP assessment,
905 00:46:31,410 --> 00:46:33,630 the 800-171 or an equivalent feels
906 00:46:33,630 --> 00:46:35,420 like almost like target practice,
907 00:46:35,420 --> 00:46:38,470 and the price tag is very similar to that,
908 00:46:38,470 --> 00:46:40,434 so I would say this is probably
909 00:46:40,434 --> 00:46:42,468 one of the cheapest assessments that we do
910 00:46:42,468 --> 00:46:45,312 is the 800-171 security assessments.
911 00:46:45,312 --> 00:46:49,562 (drowned out by noise without mic)
912 00:46:58,360 --> 00:47:00,930 - And hopefully we'll have so many certifiers out there
913 00:47:00,930 --> 00:47:03,823 that the market, competition, right?
914 00:47:05,108 --> 00:47:06,700 Yes, sir!
915 00:47:06,700 --> 00:47:08,300 - Maybe you lost me a little bit
916 00:47:09,487 --> 00:47:11,000 or you have to rewind on the
917 00:47:11,000 --> 00:47:12,665 who can be a certifier?
918 00:47:12,665 --> 00:47:14,970 I mean, you do plan to, as a government entity,
919 00:47:14,970 --> 00:47:17,676 make a list of certifiers, like
920 00:47:17,676 --> 00:47:20,657 how are you gonna determine they're qualified
921 00:47:20,657 --> 00:47:21,997 to do that? - So
922 00:47:21,997 --> 00:47:23,880 what we're gonna do is we're in the process
923 00:47:23,880 --> 00:47:26,690 of putting together a "consortium" of companies
924 00:47:26,690 --> 00:47:30,730 because we recognize, are you familiar with CMMI?
925 00:47:30,730 --> 00:47:35,730 Okay, so CMMI had ISACA as their governing body.
926 00:47:36,020 --> 00:47:37,110 When we started talkin' about this
927 00:47:37,110 --> 00:47:39,280 with 300 thousand companies,
928 00:47:39,280 --> 00:47:41,060 we all quickly recognized that
929 00:47:41,060 --> 00:47:46,040 one body, one company, one isn't big enough.
930 00:47:46,040 --> 00:47:48,330 So we're accumulating a consortium
931 00:47:48,330 --> 00:47:50,270 of different companies to help us.
932 00:47:50,270 --> 00:47:53,740 That consortium will be the oversight body for this.
933 00:47:53,740 --> 00:47:56,242 They're gonna be the ones who accredit
934 00:47:56,242 --> 00:48:00,389 the certifiers, train the certifiers,
935 00:48:00,389 --> 00:48:04,500 make sure that they communicate with the certifiers,
936 00:48:04,500 --> 00:48:06,700 and they're gonna be the ones who are gonna make sure
937 00:48:06,700 --> 00:48:09,270 that you as a certifier have
938 00:48:09,270 --> 00:48:11,170 the credentials, have the capabilities,
939 00:48:11,170 --> 00:48:12,290 and then they're gonna come out
940 00:48:12,290 --> 00:48:16,120 and audit you as a certifier to make sure that you guys
941 00:48:16,120 --> 00:48:17,660 'cause one of the things I kept hearing
942 00:48:17,660 --> 00:48:19,400 is that they ran into with some of
943 00:48:20,510 --> 00:48:21,850 the earlier things they did with CMMI
944 00:48:21,850 --> 00:48:24,890 were certifiers just copyin' and pastin',
945 00:48:24,890 --> 00:48:26,120 and they don't want that,
946 00:48:26,120 --> 00:48:28,990 so they're already, the groups that we've
947 00:48:28,990 --> 00:48:30,484 talked to that are gonna help us,
948 00:48:30,484 --> 00:48:33,839 have already seen some of the issues
949 00:48:33,839 --> 00:48:38,610 and so we're hopefully preparing for that to make sure,
950 00:48:38,610 --> 00:48:41,410 and like I said, I want everybody certified the same,
951 00:48:41,410 --> 00:48:43,820 I want consistent practices across the board,
952 00:48:43,820 --> 00:48:46,730 so if you go to one guy and get a level three,
953 00:48:46,730 --> 00:48:48,860 if he comes in to give you a level four,
954 00:48:48,860 --> 00:48:50,270 he can pick up that level three
955 00:48:50,270 --> 00:48:52,863 and be confident that it was done correctly.
956 00:48:53,949 --> 00:48:57,170 Okay, anybody else?
957 00:48:57,170 --> 00:48:58,177 We good?
958 00:48:58,177 --> 00:48:59,920 - Stacy, can I add one more thing?
959 00:48:59,920 --> 00:49:00,753 - Sure!
960 00:49:02,539 --> 00:49:05,010 - For instance, under FedRAMP, oh thank you.
961 00:49:05,010 --> 00:49:06,290 A2LA is the governing body,
962 00:49:06,290 --> 00:49:08,710 so as one of the 3PAOs, we do go through
963 00:49:08,710 --> 00:49:11,210 we're certified under an ISO standard 17020,
964 00:49:11,210 --> 00:49:12,710 we go through an annual audit,
965 00:49:13,759 --> 00:49:15,419 every assessor is expected to maintain
966 00:49:15,419 --> 00:49:16,420 a level certifications as well.
967 00:49:16,420 --> 00:49:18,800 Same thing where as a certification for (mumbles).
968 00:49:20,984 --> 00:49:23,180 Auditing the auditors is never fun.
969 00:49:23,180 --> 00:49:24,013 I've done it.
970 00:49:24,013 --> 00:49:25,706 When we go through that audit,
971 00:49:25,706 --> 00:49:27,640 it's more of a pain than what we cause to our clients,
972 00:49:27,640 --> 00:49:29,830 so I'm assuming it'll be a similar model
973 00:49:29,830 --> 00:49:32,190 where there is a set of requirements,
974 00:49:32,190 --> 00:49:34,080 most of them probably pretty stringent.
975 00:49:34,080 --> 00:49:36,000 Again if you compare them to FedRAMP.
976 00:49:36,000 --> 00:49:38,158 I'm anticipating something similar.
977 00:49:38,158 --> 00:49:41,145 - And we are stealing from FedRAMP.
978 00:49:41,145 --> 00:49:43,312 We are stealing from CMMI.
979 00:49:45,594 --> 00:49:48,460 They say stealing.
980 00:49:48,460 --> 00:49:50,600 I tried to get a copy of their MOU the other day,
981 00:49:50,600 --> 00:49:51,657 and it was funny 'cause they were like
982 00:49:51,657 --> 00:49:53,130 "no we can't give it to you",
983 00:49:53,130 --> 00:49:56,747 so I had to go through my point of contact at FedRAMP,
984 00:49:56,747 --> 00:49:59,150 and then he was like "oh great, I'll send it to you today"
985 00:49:59,150 --> 00:50:00,652 it's like, what happened, right?
986 00:50:00,652 --> 00:50:02,046 (audience chuckles)
987 00:50:02,046 --> 00:50:04,780 But we've got our eye on the fact
988 00:50:04,780 --> 00:50:07,030 that it's a burden on companies.
989 00:50:07,030 --> 00:50:09,750 We've got an eye on the fact that we want to be consistent.
990 00:50:09,750 --> 00:50:11,830 We're not tryin' to have you go through
991 00:50:11,830 --> 00:50:14,101 a whole system for FedRAMP certification
992 00:50:14,101 --> 00:50:15,593 and then you go through something
993 00:50:15,593 --> 00:50:16,940 totally different for CMMC.
994 00:50:16,940 --> 00:50:19,610 Where we can leverage the certifications
995 00:50:19,610 --> 00:50:21,945 of other groups, we're lookin' at that.
996 00:50:21,945 --> 00:50:25,403 But we also have an end state that we're trying to achieve.
997 00:50:26,270 --> 00:50:30,767 And that's more of the culture and mindset of security
998 00:50:30,767 --> 00:50:35,767 protecting our information so we don't have airplanes,
999 00:50:36,420 --> 00:50:38,670 that we put our blood, sweat, and tears in
1000 00:50:38,670 --> 00:50:41,710 to develop the technology and capability for,
1001 00:50:41,710 --> 00:50:43,890 showin' up in somebody else's country
1002 00:50:43,890 --> 00:50:47,050 where they didn't have to do the same hard work, right?
1003 00:50:47,050 --> 00:50:48,000 It's just not fair.
1004 00:50:49,017 --> 00:50:51,440 All right, barring any other questions,
1005 00:50:51,440 --> 00:50:54,050 I'm Stacy Bostjanick, you can reach out to me.
1006 00:50:54,050 --> 00:50:56,853 You can put questions on the website.
1007 00:50:58,612 --> 00:50:59,445 And like I said,
1008 00:50:59,445 --> 00:51:01,600 if you're gonna take a picture of a slide,
1009 00:51:01,600 --> 00:51:03,020 this is the one, right?
1010 00:51:03,020 --> 00:51:04,940 And please, communicate with us.
1011 00:51:04,940 --> 00:51:08,593 We wanna hear from you, okay?
1012 00:51:11,660 --> 00:51:13,885 Thank you so much for your time.
1013 00:51:13,885 --> 00:51:16,885 (audience clapping)