WEBVTT

00:05.730 --> 00:07.336
- So we're here talking about

00:07.336 --> 00:10.133
the Cybersecurity Maturity Model.

00:10.999 --> 00:15.999
And we're gonna hopefully secure the DoD supply chain.

00:16.110 --> 00:17.610
Go 'head next slide.

00:17.610 --> 00:21.080
Okay, so when we started talking about this, right,

00:21.080 --> 00:25.920
because you know when we measure programs in DoD

00:25.920 --> 00:27.823
we do cost, schedule, and performance.

00:28.920 --> 00:32.550
There was talk that said, "You know, hey, we were gonna".

00:32.550 --> 00:34.910
Now, these slides are out on our website so you don't have

00:34.910 --> 00:37.541
to take pictures if you don't want to.

00:37.541 --> 00:41.130
We started talking about it and we don't want it to be,

00:41.130 --> 00:43.800
security to be a tradable capability.

00:43.800 --> 00:45.940
It's not a negotiable item.

00:45.940 --> 00:48.780
So we said security has to become

00:48.780 --> 00:51.653
the foundation of what we're doing.

00:53.030 --> 00:57.170
All right, so we started lookin' at the levels, right?

00:57.170 --> 01:00.410
And the vast majority of our DIB partners are at the

01:00.410 --> 01:03.070
bottom with their cybersecurity.

01:03.070 --> 01:07.450
They barely have enough cybersecurity to manage what they

01:07.450 --> 01:09.750
tell you you should have for security at home.

01:10.630 --> 01:15.630
So, has anybody heard that we lose $600 billion a year

01:17.330 --> 01:21.170
in information because of these breaches that happen,

01:21.170 --> 01:23.720
because of the lack of cybersecurity?

01:23.720 --> 01:25.150
So, Katie tells a story.

01:25.150 --> 01:27.517
Her husband was in the military

01:27.517 --> 01:30.090
and then her daughter joined later.

01:30.090 --> 01:33.530
Her husband used to go to the range every week

01:33.530 --> 01:36.550
and shoot and practice marksmanship.

01:36.550 --> 01:40.260
Her daughter joins, she gets to go 20 times.

01:40.260 --> 01:42.550
They get 20 bullets.
01:42.550 --> 01:46.310
If we just save 10% or 1% of the money

01:46.310 --> 01:51.310
that we're losing every day for cybersecurity losses,

01:51.460 --> 01:53.550
think how many bullets we could buy for these kids.

01:53.550 --> 01:56.860
And quite frankly, I'm not comfortable with my child

01:56.860 --> 01:59.590
going out in war only having

01:59.590 --> 02:02.810
practiced shooting 20 times, right?

02:02.810 --> 02:04.690
So, you know, we are bleeding out

02:04.690 --> 02:06.300
money and information from that,

02:06.300 --> 02:09.367
so it's paramount that we get here, right?

02:09.367 --> 02:10.950
That we secure our DIB.

02:10.950 --> 02:14.817
So, we're lookin' to bring in cyber hygiene that,

02:14.817 --> 02:18.560
how many people are familiar with NIST 800-171?

02:20.815 --> 02:23.050
Okay, NIST 800-171 is really just

02:23.050 --> 02:25.570
the basic hygiene for you guys to be able to

02:25.570 --> 02:28.260
handle covered, unclassified information.

02:28.260 --> 02:31.535
So our cybersecurity model is gonna bring,

02:31.535 --> 02:35.313
it's gonna have levels from one to five, right?

02:36.351 --> 02:39.840
Three is gonna be where you're gonna be able to handle CUI,

02:39.840 --> 02:42.160
and that's the basic hygiene that's gonna be

02:42.160 --> 02:45.700
basically in line with NIST 800-171.

02:45.700 --> 02:47.280
Go ahead.

02:47.280 --> 02:49.020
Oh, this is a big one, right?

02:49.020 --> 02:53.670
So there's a lot of information on this slide but what CMMC

02:53.670 --> 02:56.273
is gonna be, planned to do,

02:56.273 --> 02:58.800
it's gonna be a go/no go capability.

02:58.800 --> 03:01.900
So what we're gonna say is in your RFPs,

03:01.900 --> 03:04.720
when you get them, you must be level

03:04.720 --> 03:08.060
one, two, three, four, five to do this work.

03:08.060 --> 03:10.640
Like I said on the previous slide,

03:10.640 --> 03:13.210
level three is the basic to handle

03:13.210 --> 03:14.880
covered unclassified information.
03:14.880 --> 03:16.970
Four and five is gonna be at our higher level,

03:16.970 --> 03:20.210
and in fact, I think if you go to the next slide.

03:20.210 --> 03:22.858
No, it's the next one after that, but anyway.

03:22.858 --> 03:26.534
That's where we're gonna hopefully

03:26.534 --> 03:28.780
have semi-automated tools.

03:28.780 --> 03:31.790
We're not making this hard for companies.

03:31.790 --> 03:33.870
We're gonna give you a deskbook

03:33.870 --> 03:36.440
that tells you exactly what you need to do.

03:36.440 --> 03:38.980
So we laugh, we're gonna give you the answers

03:38.980 --> 03:41.790
to the test before we give you the test,

03:41.790 --> 03:44.020
so you have the knowledge and understanding

03:44.020 --> 03:48.020
what needs to happen to be able to achieve that level.

03:48.020 --> 03:53.020
So right now I've been tapped to be the director for CMMC.

03:53.030 --> 03:55.990
We're setting up a consortium of companies

03:55.990 --> 03:58.510
that are gonna handle the training

03:58.510 --> 04:02.260
and the accreditation of the certifiers,

04:02.260 --> 04:04.060
and then we intend for there to be

04:04.060 --> 04:07.380
third-party certifiers that companies could go to

04:07.380 --> 04:09.940
to have them come in and give,

04:09.940 --> 04:11.500
do you have a question?

04:11.500 --> 04:15.800
Oh, come in and give you your certification,

04:15.800 --> 04:18.380
so the expectation is that a company's

04:18.380 --> 04:20.200
gonna have the answers to the test,

04:20.200 --> 04:21.610
they're gonna know what they need to do,

04:21.610 --> 04:25.600
so before you expend any funds or time

04:25.600 --> 04:27.050
to have a company come in and

04:28.020 --> 04:29.890
you have already been able to go through

04:29.890 --> 04:32.070
yourself and pretty much judge

04:32.070 --> 04:33.770
that you're where you need to be.

04:33.770 --> 04:35.530
Does that make sense?

04:35.530 --> 04:37.007
Okay, go ahead to the next one.
04:37.007 --> 04:38.763
All right, how do we do this?

04:39.660 --> 04:41.250
So, and we're workin' through it,

04:41.250 --> 04:43.712
we're gettin' ready, we're gonna probably put

04:43.712 --> 04:47.645
our dot .04 version

04:47.645 --> 04:50.840
that's comin' out at the end of the month,

04:50.840 --> 04:52.660
it'll probably be the middle of September

04:52.660 --> 04:54.170
before you'll see it on the website

04:54.170 --> 04:56.160
'cause we have to go through public affairs.

04:56.160 --> 04:58.626
We're gonna put it on our website

04:58.626 --> 05:01.740
for comment and for your awareness.

05:01.740 --> 05:03.260
Now, I'm not gonna promise we're

05:03.260 --> 05:04.410
gonna answer all the questions

05:04.410 --> 05:07.780
'cause if I know the DIB, we're gonna have a lot.

05:07.780 --> 05:09.010
But we're gonna go through them,

05:09.010 --> 05:09.957
we're gonna cull through them

05:09.957 --> 05:11.410
and make sure that we take

05:11.410 --> 05:14.030
into consideration your major questions

05:14.030 --> 05:16.240
and things that are gonna impact the model

05:16.240 --> 05:17.970
and try to keep those incorporated,

05:17.970 --> 05:20.830
but we're on a fast-moving train

05:20.830 --> 05:22.370
because we have a responsibility

05:22.370 --> 05:25.023
to have this thing settled and done by January,

05:25.940 --> 05:27.959
and that's when we're expecting the

05:27.959 --> 05:32.227
consortium to come in and start training the trainers

05:32.227 --> 05:34.660
and gettin' that information out,

05:34.660 --> 05:38.451
so by June we're ready to start certifying companies,

05:38.451 --> 05:41.460
and then by the fall, it'll be in RFPs,

05:41.460 --> 05:44.745
and we'll be able to start using the CMMC

05:44.745 --> 05:47.660
as a go/no go criterion contract.
05:47.660 --> 05:50.700
So what we've done in these different phases

05:50.700 --> 05:52.960
is we've taken different standards

05:52.960 --> 05:57.960
that are out in industry in other agencies, other countries,

05:58.520 --> 06:00.710
and we're using them as a model

06:00.710 --> 06:03.610
to come together to generate our

06:03.610 --> 06:05.890
assessment levels and our model.

06:05.890 --> 06:10.530
(muttering) All right, so when we started looking

06:10.530 --> 06:14.162
like I talked before about the CMMC levels.

06:14.162 --> 06:17.630
So level one right now, is gonna be

06:17.630 --> 06:19.730
basically around 17 controls.

06:19.730 --> 06:22.580
Now when you see version four come out,

06:22.580 --> 06:23.860
I'm not exactly sure how they're

06:23.860 --> 06:26.090
gonna put the information out, it's funny

06:26.090 --> 06:28.256
'cause when they started lookin'

06:28.256 --> 06:31.580
at all the information across the world

06:31.580 --> 06:33.940
with all these certification standards,

06:33.940 --> 06:36.279
they did come up with 38, now they're like

06:36.279 --> 06:38.392
we're gonna go back and look at them

06:38.392 --> 06:40.053
and make sure we don't have any that are duplicative,

06:41.307 --> 06:44.940
we definitely get the ones that mean the most.

06:44.940 --> 06:49.430
So, CMMC level one, basic cyber hygiene,

06:49.430 --> 06:52.380
and every company in our perspective,

06:52.380 --> 06:55.030
every company that does business with the DoD,

06:55.030 --> 06:59.800
will have to be at a minimum level one certified, right?

06:59.800 --> 07:03.560
Then level two is a little bit more, 46 additional.

07:03.560 --> 07:05.456
So these build, right?

07:05.456 --> 07:07.233
So you have basic 17, then you have 46 more,

07:07.233 --> 07:10.313
then 47 more to get to the different levels.

07:11.410 --> 07:12.243
Go ahead.

07:13.115 --> 07:18.115
Okay, so how many have heard about NIST 800-171b?
07:21.330 --> 07:23.890
Okay, so we know

07:26.989 --> 07:28.970
that NIST 800-171b

07:28.970 --> 07:32.400
is gonna be for only the crown jewel type contract, right?

07:32.400 --> 07:33.940
And it's gonna be expensive.

07:33.940 --> 07:36.160
We've already looked at that, we recognize

07:36.160 --> 07:38.300
that it's gonna be a major cost.

07:38.300 --> 07:41.140
And we're working through how to handle all of that.

07:41.140 --> 07:45.710
And like I said, most everything that we do

07:45.710 --> 07:48.053
will probably end up being at a level three.

07:49.440 --> 07:52.830
And then we'll have the others, yeah.

07:52.830 --> 07:54.760
So I was laughing earlier.

07:54.760 --> 07:56.300
If you've heard Katie give the speech,

07:56.300 --> 07:58.050
she talks about the movie Phenomenon.

07:58.050 --> 08:00.050
How many have seen the movie Phenomenon?

08:01.540 --> 08:03.047
No, she's always like "c'mon!

08:03.047 --> 08:03.880
"It was a great movie!"

08:03.880 --> 08:05.583
I haven't seen it either, okay?

08:07.680 --> 08:11.151
But in the movie, John Travolta gets this brain tumor.

08:11.151 --> 08:13.270
And as the brain tumor grows,

08:13.270 --> 08:16.010
it makes him the most intelligent guy in the world,

08:16.010 --> 08:17.680
and he's a farmer,

08:17.680 --> 08:21.124
and he and his neighbor keep trying to figure out how to

08:21.124 --> 08:25.260
build fences to keep the bunnies out of their farm

08:25.260 --> 08:28.060
so they can't get in and eat the crops.

08:28.060 --> 08:30.830
So at the end of the movie, he's gettin' ready to die,

08:30.830 --> 08:33.119
and he looks at his buddy and he says

08:33.119 --> 08:35.547
"we can't build a fence big enough or wide enough

08:35.547 --> 08:39.960
"'cause the bunnies are already in the farm", right?

08:39.960 --> 08:41.810
So our adversaries theoretically

08:41.810 --> 08:43.680
are already in our networks.

08:43.680 --> 08:46.693
They're our bunnies in our farm.
08:47.949 --> 08:52.090
This is what we're gonna do to help get those bunnies out.

08:52.090 --> 08:56.292
Okay, so this is a crazy, wild slide, right?

08:56.292 --> 08:59.023
This is our flow chart,

09:00.640 --> 09:02.830
and it does look a little bit busy,

09:02.830 --> 09:05.005
but how many people have dealt

09:05.005 --> 09:06.060
with federal acquisition, right?

09:06.060 --> 09:06.983
Pretty crazy.

09:08.400 --> 09:11.170
So if you look at the model,

09:11.170 --> 09:12.150
and I'm trying to think what the

09:12.150 --> 09:13.933
best way to do this is, right?

09:15.110 --> 09:18.370
Workin' on the model hopefully by June

09:18.370 --> 09:22.010
we're ready to start training with certifiers,

09:22.010 --> 09:23.460
and then we're gonna move in to where

09:23.460 --> 09:25.390
companies are gonna get certified,

09:25.390 --> 09:27.713
and then it's gonna show up in our RFPs,

09:28.610 --> 09:31.010
and it's gonna be a go/no go criteria.

09:31.010 --> 09:33.840
Keep that in mind, all right?

09:33.840 --> 09:36.750
We're gonna intend for it to be

09:36.750 --> 09:39.370
if I get your proposal,

09:39.370 --> 09:41.030
and you don't have that certification

09:41.030 --> 09:42.740
that you're level three,

09:42.740 --> 09:44.700
they're gonna set your proposal aside,

09:44.700 --> 09:47.403
and they're not gonna look at it further, right?

09:50.860 --> 09:52.663
Well, it's human nature, right?

09:52.663 --> 09:55.540
They just saved themselves a week, right? (laughs)

09:55.540 --> 09:58.930
But truly, you need to have these certifications

09:58.930 --> 10:03.120
because we're losing $600 billion a year, folks.

10:03.120 --> 10:05.730
We cannot continue that.

10:05.730 --> 10:06.563
Go ahead.

10:07.740 --> 10:10.270
All right, so this is where we are in the schedule.

10:10.270 --> 10:13.633
I think I talked through that a couple of times already.
10:17.636 --> 10:20.090
Now like I said, these are out on our website

10:20.090 --> 10:21.440
I think if you go one more,

10:22.925 --> 10:24.850
ah you want to take a picture,

10:24.850 --> 10:25.683
that's the picture to take.

10:27.034 --> 10:30.122
(audience laughs)

10:30.122 --> 10:31.913
All right, anybody have any questions?

10:33.710 --> 10:34.543
Go ahead.

10:36.628 --> 10:39.930
Well, or, as a group, do we have her

10:39.930 --> 10:41.680
ask all of her questions and then see

10:41.680 --> 10:43.190
if any of yours is duplicative,

10:43.190 --> 10:45.870
or do you wanna like set a rule one per.

10:45.870 --> 10:46.703
Go ahead.

10:48.104 --> 10:51.604
(audience member talking)

10:52.849 --> 10:53.766
Okay, okay,

10:57.440 --> 10:58.889
Well fun?

10:58.889 --> 11:00.570
They didn't want to come and tell, how rude!

11:00.570 --> 11:02.995
How rude, that's just not fair.

11:02.995 --> 11:03.828
Okay, go ahead.

11:04.833 --> 11:08.333
(audience member talking)

11:12.198 --> 11:13.986
The 70-12, right?

11:13.986 --> 11:16.703
252-204-7012?

11:16.703 --> 11:21.703
(audience member talking) Right.

11:36.114 --> 11:39.720
So they've looked at some different capabilities

11:39.720 --> 11:43.480
for the third-parties in ways that they can get financed,

11:43.480 --> 11:46.180
but the way we're looking at it right now,

11:46.180 --> 11:49.160
and it's funny 'cause we've had

11:49.160 --> 11:51.823
some consternation over words.

11:52.860 --> 11:55.527
The Secretary of Defense originally came out and said

11:55.527 --> 11:59.540
"We're not gonna pay more for this", right?

11:59.540 --> 12:03.010
But that's because he already expected that it's

12:03.010 --> 12:05.963
an allowable cost under your overhead G&A rates.

12:07.027 --> 12:09.200
And so the expectation is that they're

12:09.200 --> 12:11.473
building that into their rates,

12:12.400 --> 12:14.600
and that's where it's being covered.
12:14.600 --> 12:16.980
Now, like I said, there are some small business

12:16.980 --> 12:18.970
programs that they've been talkin' about,

12:18.970 --> 12:20.820
but we haven't gotten anything

12:20.820 --> 12:23.310
solid that I'm prepared to say.

12:23.310 --> 12:26.390
Have 'em go to Bob and have 'em give 'em money,

12:26.390 --> 12:27.760
but we are looking at that,

12:27.760 --> 12:30.040
and we are trying to make sure

12:30.040 --> 12:33.200
that we don't put undue burden on the smalls

12:33.200 --> 12:36.640
'cause we recognize that it could be a limiting factor,

12:36.640 --> 12:39.190
and I think, you know, if I go back to the slide

12:39.190 --> 12:41.450
where it talks about the, don't actually,

12:41.450 --> 12:44.050
the different, if I just hit the right button right,

12:45.599 --> 12:47.810
all right, so if you look at the different levels,

12:47.810 --> 12:50.790
and I don't know where they would fall,

12:50.790 --> 12:54.080
if they're gonna handle covered, unclassified information,

12:54.080 --> 12:56.480
undoubtedly they'd have to be at level three,

12:56.480 --> 12:59.280
but you remember there are 110 controls in NIST 800-171.

13:02.130 --> 13:04.880
We're pretty close to the exact

13:04.880 --> 13:07.330
same for our level three as well.

13:07.330 --> 13:10.930
And our perspective, some of them

13:10.930 --> 13:12.100
might be a little different,

13:12.100 --> 13:14.110
but we're goin' more for a

13:16.200 --> 13:18.988
critical thinking kind of thing, right?

13:18.988 --> 13:21.120
We're not hoping that people just have

13:21.120 --> 13:23.330
a checkbox that they go through.

13:23.330 --> 13:26.000
We want them to be able to think about the threat.

13:26.000 --> 13:30.410
Because, you guys know, as soon as we fill one hole,

13:30.410 --> 13:32.620
some thirteen year old kid in another country

13:32.620 --> 13:34.790
is gonna figure out how to hack us

13:34.790 --> 13:36.695
and go in a different way, right?
13:36.695 --> 13:37.830
So we've gotta be critically thinking

13:37.830 --> 13:41.080
about the threat that's against our infrastructure

13:41.080 --> 13:42.730
and against our DIB partners

13:42.730 --> 13:45.040
to be able to protect ourselves.

13:45.040 --> 13:48.270
So it's more of a cybersecurity culture and mentality

13:48.270 --> 13:51.110
that we're trying to build with this certification.

13:51.110 --> 13:52.743
Does that kinda answer your question?

13:54.499 --> 13:57.999
(audience member talking)

14:03.819 --> 14:07.350
Yeah, these are the guys that don't even remember

14:07.350 --> 14:09.450
to pay their parking tickets, right, yeah.

14:10.580 --> 14:13.950
I used to work with the applied math branch back in the day.

14:13.950 --> 14:15.873
All right, do you have another one?

14:18.353 --> 14:20.490
Anybody else wanna get in here?

14:20.490 --> 14:21.960
You wanna let her go?

14:21.960 --> 14:22.993
All right, go ahead.

14:24.017 --> 14:27.517
(audience member talking)

14:48.757 --> 14:51.410
So we're definitely lookin' at FedRAMP,

14:51.410 --> 14:52.449
and we definitely have that in our mind's eye

14:52.449 --> 14:56.950
that we're tryin' to make sure that we're not

14:56.950 --> 14:59.590
burdening people unduly,

14:59.590 --> 15:01.660
and we're lookin' at the different programs

15:01.660 --> 15:03.760
to make sure that there's reciprocity,

15:03.760 --> 15:05.400
and that we're not like

15:05.400 --> 15:08.100
because the last thing we wanna do is have somebody go

15:08.957 --> 15:11.157
"I had my certification in this,

15:11.157 --> 15:13.537
"and now I gotta spend an extra $100 thousand

15:13.537 --> 15:15.307
"to get this certification",

15:16.162 --> 15:18.360
so we're definitely looking at that.

15:18.360 --> 15:20.708
And what we can say.
15:20.708 --> 15:23.710
Okay, if you're theoretically if you're

15:23.710 --> 15:25.930
FedRAMP compliant or a FedRAMP certifier

15:25.930 --> 15:27.590
and have these certifications,

15:27.590 --> 15:30.510
you may only have to do one or two other things

15:30.510 --> 15:32.630
to get the CMMC certification,

15:32.630 --> 15:34.840
so we're lookin' at it.

15:34.840 --> 15:37.177
I can't give you particulars on it yet.

15:38.207 --> 15:42.040
(audience member talking) Okay

15:53.870 --> 15:55.320
So, ISACA is workin' with us.

15:57.229 --> 15:59.073
In fact, they're helpin' us with our consortium.

16:00.677 --> 16:01.957
And the group who set up CMMI

16:03.384 --> 16:06.400
are gonna be sittin' on our consortium,

16:06.400 --> 16:08.740
so these guys I think are gonna help us

16:08.740 --> 16:10.563
'cause they've got you guys in mind.

16:12.640 --> 16:16.140
(audience member talking)

16:47.065 --> 16:50.853
Right, it's gonna be a bow wave and then.

16:50.853 --> 16:53.640
Now, one of the things we're talking about as well,

16:53.640 --> 16:56.147
I'm glad you just that just keyed me

16:56.147 --> 16:59.723
was we're talking about this being an annual certification,

16:59.723 --> 17:02.945
and one of the things that we're lookin' at,

17:02.945 --> 17:05.886
you know, is as these threats change,

17:05.886 --> 17:08.380
how are we gonna turn to on that?

17:08.380 --> 17:12.165
How are we gonna meet the emergent threats?
17:12.165 --> 17:15.240
'Cause right now I think it's now the

17:17.460 --> 17:20.923
Defense Counterintelligence and Security Agency, DCSA,

17:23.300 --> 17:27.080
and DC3 now put those threats out,

17:27.080 --> 17:30.185
so that's another part of this

17:30.185 --> 17:32.229
that we're working through is to figure out

17:32.229 --> 17:34.294
how do we get the word out to the DIB

17:34.294 --> 17:36.120
that this is a possible threat,

17:36.120 --> 17:40.710
and you need to be looking at it and preparing for it,

17:40.710 --> 17:43.400
so I think right now we're looking at annual.

17:43.400 --> 17:45.260
When we first started out,

17:45.260 --> 17:46.763
we thought every two years,

17:47.842 --> 17:51.070
and then actually the consortium and the CMMI people

17:51.070 --> 17:53.937
were like "no, you definitely need it to be

17:53.937 --> 17:56.780
"like an annual certification", okay?

17:56.780 --> 17:58.320
Ah, oh now we're gettin' more.

17:58.320 --> 17:59.153
Go ahead.

18:00.676 --> 18:03.670
- So a lot of us have large supply chains ourselves

18:03.670 --> 18:04.782
- Yes

18:04.782 --> 18:06.363
- That provide parts and services to us,

18:07.541 --> 18:09.280
and so, do you guys have a vision

18:10.148 --> 18:11.163
of how that's gonna play out?

18:12.361 --> 18:14.759
'Cause if you (sneeze) a contract,

18:14.759 --> 18:16.666
and we have to flow down

18:16.666 --> 18:18.102
through these requirements - Yes

18:18.102 --> 18:20.680
So here's the thing with the level one, right?

18:20.680 --> 18:22.650
So your parts manufacturer would

18:22.650 --> 18:24.320
probably have to be at a level one

18:24.320 --> 18:26.790
'cause he's not gonna handle CUI,

18:26.790 --> 18:28.380
and this is where we're gonna have a challenge

18:28.380 --> 18:31.680
as well in educating our acquisition workforce

18:31.680 --> 18:33.970
'cause the way we see this playing out

18:33.970 --> 18:36.310
is that I'm program manager, right?
18:36.310 --> 18:38.980
And I've got CUI on my program,

18:38.980 --> 18:40.550
and he's gonna have to think through

18:40.550 --> 18:43.060
okay, I know my prime's gonna have to have it

18:43.060 --> 18:45.310
which ones of my subs are gonna have to have it

18:45.310 --> 18:46.670
because there could be a sub

18:46.670 --> 18:48.867
but there could be some others

18:48.867 --> 18:51.444
that need level three certification.

18:51.444 --> 18:55.940
So those guys are not gonna be real happy with us

18:55.940 --> 18:59.080
because their job's gonna get a little bit more complex.

18:59.080 --> 19:00.413
Go ahead.

19:00.413 --> 19:04.420
- So would that decision be with the prime?

19:04.420 --> 19:08.610
Or would it be with the government contractor's office?

19:08.610 --> 19:10.860
- I think it would be both, right?

19:10.860 --> 19:13.110
Because I think the contracting officer

19:13.110 --> 19:16.660
and the program manager are gonna tell you

19:16.660 --> 19:19.703
here's my level of information, CUI.
19:20.890 --> 19:24.135
Now, I would think that there would have to be some

19:24.135 --> 19:27.094
the prime's gonna be like "okay, I know who my subs are,

19:27.094 --> 19:30.970
"and I know what information I have to pass down to them",

19:30.970 --> 19:33.340
but in your proposal,

19:33.340 --> 19:35.670
and we haven't thought this all the way through yet,

19:35.670 --> 19:38.420
so it could be a little bit subject to change,

19:38.420 --> 19:41.158
but in your proposal, you're gonna come back in,

19:41.158 --> 19:43.563
and you're gonna go "okay, these are my subs,

19:43.563 --> 19:46.207
"and this is what Bob's gonna be doin' this,

19:46.207 --> 19:48.442
"and Tom's gonna be doin' this,

19:48.442 --> 19:51.107
"and the information I gotta flow to Tom is level three,

19:51.107 --> 19:52.747
"so he's gonna come in with level three,

19:52.747 --> 19:56.087
"but my bolt manufacturer, I'm not gonna give him any CUI,

19:56.087 --> 19:59.477
"so he only has to be level one", right?

19:59.477 --> 20:02.620
And then we're gonna have to do that walk down

20:02.620 --> 20:04.620
to make sure that we're protected,

20:04.620 --> 20:08.190
so I could see on a huge program,

20:08.190 --> 20:12.330
like F35, it's gonna get pretty complex.

20:12.330 --> 20:15.770
However, we also know that there's a plane

20:15.770 --> 20:17.180
flying around in China that looks

20:17.180 --> 20:19.310
very much like our F35, right?

20:19.310 --> 20:21.300
So we have to do this,

20:21.300 --> 20:23.140
and it's paramount that we do this

20:23.140 --> 20:26.340
as a team together and work together on this

20:26.340 --> 20:28.400
because really at the end of the day,

20:28.400 --> 20:31.580
we're protecting ourselves and our nation's.
20:31.580 --> 20:33.230
I always say whenever I do this,

20:33.230 --> 20:35.410
I ought to have a "proud to be an American"

20:35.410 --> 20:37.850
or something playing in the background,

20:37.850 --> 20:39.900
but this is our patriotic duty to protect

20:41.029 --> 20:43.380
our infrastructure and our capabilities,

20:43.380 --> 20:48.380
and I will say that we also sit on the DHS taskforce,

20:48.780 --> 20:51.330
and Katie Harrington is on the

20:51.330 --> 20:53.850
Federal Acquisition Security Council,

20:53.850 --> 20:58.360
and they're looking at CMMC as a

20:58.360 --> 21:01.500
potential to go federal government wide

21:01.500 --> 21:03.350
because we're losing this information

21:03.350 --> 21:06.763
across the entire federal government, okay?

21:08.284 --> 21:09.860
- I don't wanna call out.

21:09.860 --> 21:14.721
So we do have ordering from parts store company

21:14.721 --> 21:17.106
that manufactures for DoD and we have

21:17.106 --> 21:19.370
foreign suppliers - Right

21:23.320 --> 21:25.936
And yeah, well and the pedigree of the

21:25.936 --> 21:28.470
foreign companies you deal with, right?

21:28.470 --> 21:31.130
I mean, that's one of the things where

21:31.130 --> 21:33.380
there are a lot of tools that we're

21:33.380 --> 21:37.420
finding out about that can help you look through

21:37.420 --> 21:40.110
that and know where your suppliers

21:40.110 --> 21:43.640
are comin' from and what their pedigree is,

21:43.640 --> 21:46.140
but a lot of the data loss.

21:46.140 --> 21:47.650
When we start lookin', at first

21:47.650 --> 21:49.220
we were a little unwitting about

21:49.220 --> 21:51.040
where the data was going and who had it,

21:51.040 --> 21:53.303
and now that we've got our eyes wide open,

21:54.409 --> 21:56.340
those are our concerns.

21:56.340 --> 21:57.941
Okay, now you had your hand up,

21:57.941 --> 21:59.815
and you had your hand up over here, right?

21:59.815 --> 22:01.950
So you first, and then I'll go to you.
22:01.950 --> 22:05.447
- So I would imagine when it comes to (coughing),

22:06.578 --> 22:08.860
despite having the answers to the test,

22:08.860 --> 22:10.516
there will still be some gaps?

22:10.516 --> 22:12.123
- So yes, now we haven't worked through

22:12.123 --> 22:12.970
exactly how that's gonna be

22:12.970 --> 22:17.002
because we all have our naysayers like

22:17.002 --> 22:19.610
"you're not gonna be able to have this done by next fall".

22:19.610 --> 22:23.010
Our anticipation and our goin' in position

22:23.010 --> 22:26.900
at this point in time is uh uh go/no go, right?

22:26.900 --> 22:29.400
So if you're not level three certified

22:29.400 --> 22:32.366
and you gotta have CUI, sorry for your luck.

22:32.366 --> 22:35.807
However, the reasonable person would say

22:35.807 --> 22:38.787
"Okay, but if I come next November,

22:38.787 --> 22:40.417
"and I've got this major contract,

22:40.417 --> 22:44.047
"and I've only got one guy that's level three,

22:44.047 --> 22:45.850
"I can't do that", right?

22:45.850 --> 22:47.953
So then, we're gonna have to

22:47.953 --> 22:49.350
take a step back and take a look,

22:49.350 --> 22:53.800
but I will guarantee you that for our critical programs

22:53.800 --> 22:55.870
it's gonna be go/no go, all right,

22:55.870 --> 22:57.710
and we're not gonna have the ability

22:57.710 --> 23:00.203
for waivers or what have you,

23:00.203 --> 23:02.340
but it's federal government.

23:02.340 --> 23:04.440
At any time, there's gonna have to be something

23:04.440 --> 23:06.680
where somebody's gonna say "but I got a one-off",

23:06.680 --> 23:08.800
and we're gonna have to deal with that,

23:08.800 --> 23:10.280
but for the majority of the time,

23:10.280 --> 23:13.547
uh uh it's go/no go, hard line, right?

23:13.547 --> 23:15.860
'Cause we don't want our adversaries

23:15.860 --> 23:17.800
flyin' planes that look like our F35.

23:17.800 --> 23:20.909
That cost us a lot of money to come up with!
23:20.909 --> 23:24.280
And these guys just (fwoosh) stole it,

23:24.280 --> 23:25.390
they didn't have to spend that money,

23:25.390 --> 23:26.500
that's just not fair!

23:27.618 --> 23:29.959
All right, how about you.

23:29.959 --> 23:33.459
(audience member talking)

23:50.917 --> 23:52.170
So I think I got lost a little bit.

23:52.170 --> 23:53.270
Go back and ask again.

23:54.471 --> 23:58.388
(audience member talking) Okay.

24:13.627 --> 24:15.076
That's a good question.

24:15.076 --> 24:16.210
In our mind's eye,

24:16.210 --> 24:19.470
what we're hoping is this goes ISO,

24:19.470 --> 24:22.784
that this becomes an ISO standard eventually.

24:22.784 --> 24:26.130
I would imagine that if a corporation

24:29.788 --> 24:31.127
has the accreditations to do the certifications,

24:34.130 --> 24:36.590
then we're gonna have to assume

24:36.590 --> 24:38.940
that your individuals are certified,

24:38.940 --> 24:41.453
but I would think, and we haven't

24:41.453 --> 24:42.860
gotten through all of this yet,

24:42.860 --> 24:44.780
'cause we're just building the

24:44.780 --> 24:46.720
consortium now to be the governing body,

24:46.720 --> 24:48.240
and I would think they're gonna be

24:48.240 --> 24:51.220
the ones in this next couple months

24:51.220 --> 24:52.860
when we get that nailed down,

24:52.860 --> 24:54.040
are gonna be the ones that are gonna

24:54.040 --> 24:58.080
tell us how the best way to handle that would be,

24:58.080 --> 25:00.050
but undoubtedly if you're a guy

25:00.050 --> 25:01.420
goin' out doin' the assessments,

25:01.420 --> 25:03.659
you're gonna have to have some sort of

25:03.659 --> 25:05.100
accreditation or certification that you've

25:05.100 --> 25:07.520
taken the classes and understand what you're doin'.
25:07.520 --> 25:10.320
And one of the things that we're gonna make sure of

25:10.320 --> 25:11.870
is that if your company goes out

25:11.870 --> 25:16.870
and assesses Locky for one through three,

25:17.810 --> 25:20.420
when your company goes in to give them four and five

25:20.420 --> 25:23.410
that you can count that the guy who did the one and three

25:23.410 --> 25:26.280
that everybody does it the same, that there's consistency,

25:26.280 --> 25:28.267
that we're not gonna have this

25:28.267 --> 25:31.017
"Well call Joe's company 'cause they're easy.

25:31.017 --> 25:32.670
"They don't even hardly look anything."

25:32.670 --> 25:34.580
We're gonna have to do quality checks

25:34.580 --> 25:36.750
on them to make sure that we're hittin' it.

25:36.750 --> 25:38.200
This is too important not to.

25:39.231 --> 25:42.731
(audience member talking)

25:46.050 --> 25:48.100
So here's what we're lookin' at

25:48.100 --> 25:49.740
is we're gonna get it all set up

25:49.740 --> 25:51.210
and have the model put together,

25:51.210 --> 25:52.910
and then we're gonna hand it over.

25:54.119 --> 25:56.690
Now, initially we said nonprofit.

25:56.690 --> 25:59.440
There are people in the department, like even the lawyer,

25:59.440 --> 26:01.890
like "I don't know if it has to be a nonprofit",

26:01.890 --> 26:03.440
so we're still trying to figure out

26:03.440 --> 26:06.410
exactly how that governing body works,

26:06.410 --> 26:08.050
but I will tell you that the federal government

26:08.050 --> 26:11.250
will have a large seat at the table

26:11.250 --> 26:13.360
on the board for the direction of it,

26:13.360 --> 26:17.817
and there's gonna have to be a close relationship

26:17.817 --> 26:19.650
because of the fact that we're gonna have to

26:19.650 --> 26:21.500
be able to pass the information for

26:21.500 --> 26:23.192
emerging threats and stay on top of it

26:23.192 --> 26:28.149
in the ever-changing world of cyber.
26:28.149 --> 26:31.866 - Because we are as strong as our weakest link, 26:31.866 --> 26:33.656 - Yes - We are thinking 26:33.656 --> 26:36.128 I know that we are looking more over 26:36.128 --> 26:38.490 what we have control of, 26:38.490 --> 26:39.980 what we can see. 26:39.980 --> 26:43.094 How about some of these providers 26:43.094 --> 26:46.543 Like Visa, Verizon, AT&T that provide a service to us, 26:46.543 --> 26:48.993 do they have to also be certified? 26:50.231 --> 26:52.173 That will affect services for anything. 26:53.894 --> 26:56.320 - Yes, I think, yes, they will have to be certified. 26:56.320 --> 26:58.595 I think we're lookin' at anybody, 26:58.595 --> 27:00.940 anybody who does business with 27:00.940 --> 27:03.010 the federal government has to be level one. 27:03.010 --> 27:08.010 Now, please tell me that a company like Verizon 27:08.290 --> 27:10.850 has got their eye on the ball, right? 27:10.850 --> 27:14.082 And one of the things with this whole CMMC, 27:14.082 --> 27:17.700 it protects the companies as well. 27:17.700 --> 27:19.800 I mean, part of the $600 billion 27:19.800 --> 27:22.858 is your intellectual property that's leakin'. 27:22.858 --> 27:25.310 And I think some of the smaller companies 27:25.310 --> 27:28.600 are unaware that their information has gotten out, 27:28.600 --> 27:31.310 but it's paramount for the whole thing, 27:31.310 --> 27:33.902 so please, I hope Verizon, AT&T, 27:33.902 --> 27:35.802 they're keepin' their eye on the ball. 27:37.107 --> 27:38.076 Go ahead. 27:38.076 --> 27:41.576 (audience member talking) 28:03.830 --> 28:06.610 So I'm thinking that they have 28:06.610 --> 28:10.400 the certification documentation, they have a certificate, 28:10.400 --> 28:14.430 so when you propose on a proposal, 28:14.430 --> 28:17.233 we get a copy of that certificate. 
28:18.130 --> 28:20.040 And that's kind of the way I'm thinking about it now, 28:20.040 --> 28:22.197 we can get into this consortium thing (mumbles), 28:23.577 --> 28:25.610 "you're so naive, that's not the way it works", 28:25.610 --> 28:27.993 but that's what I'm thinking, okay? 28:28.934 --> 28:30.560 Go ahead. 28:30.560 --> 28:33.276 - What level of risk management 28:33.276 --> 28:37.126 are you guys thinkin' is mandatory? 28:37.126 --> 28:40.920 - To? - To be certified. 28:40.920 --> 28:45.920 - So when you look at the different controls, right, 28:46.540 --> 28:49.163 and I know multifactor, they keep telling me 28:49.163 --> 28:51.800 "Stacy, multifactor is a little bit, it's like level two", 28:51.800 --> 28:56.800 but those kinds of capabilities in your system 28:58.170 --> 29:01.371 is what we're lookin' for in the standards, 29:01.371 --> 29:03.390 and what we're also lookin' for, 29:03.390 --> 29:06.160 and I think I'm gonna get to your question now, 29:06.160 --> 29:11.130 is that there's a mindset in the company 29:11.130 --> 29:15.820 that is watchin' for the incoming threat. 29:15.820 --> 29:17.380 What kinds of things are you building 29:17.380 --> 29:21.250 into your system yourself to protect 29:21.250 --> 29:23.460 against the emergent threats, right? 29:23.460 --> 29:26.850 And it's that mindset that we're lookin' for. 29:26.850 --> 29:30.443 - So there's not like a mandatory risk management framework? 29:30.443 --> 29:33.167 - Not yet, not yet. - Okay. 29:34.075 --> 29:35.940 - All right, go ahead. 29:35.940 --> 29:40.940 (audience member talking) Right. 30:36.330 --> 30:40.000 So, and it's funny, because if you 30:40.000 --> 30:42.460 start lookin' at this problem, 30:42.460 --> 30:43.910 the best bet for the government 30:43.910 --> 30:46.480 is if we could come up with offensive tools 30:46.480 --> 30:49.720 that test things to know, right? 
30:49.720 --> 30:52.141 I don't think you're ever gonna be able 30:52.141 --> 30:55.050 to eradicate the problem in its totality, 30:55.050 --> 30:57.980 but I would think so from your perspective, 30:57.980 --> 31:01.434 if you're gettin' parts from outside the country, 31:01.434 --> 31:05.560 but you have the cybersecurity, 31:05.560 --> 31:07.410 then you're gonna meet my standard. 31:07.410 --> 31:09.740 But when I start gettin' those parts, 31:09.740 --> 31:12.800 there's gonna have to be some "testing", 31:12.800 --> 31:16.610 some random testing to make sure 31:16.610 --> 31:17.830 those parts aren't counterfeit, 31:17.830 --> 31:20.290 and that actually is gonna dovetail into, 31:20.290 --> 31:22.390 so that's not really CMMC, 31:22.390 --> 31:24.330 that's gonna dovetail into some of our other 31:24.330 --> 31:28.910 supply chain risk management things that we're working on. 31:28.910 --> 31:30.780 In fact, we just stood up a supply chain 31:30.780 --> 31:33.910 risk management working group at the Pentagon 31:33.910 --> 31:37.190 to try to start gettin' at those kinds of problems. 31:37.190 --> 31:42.190 Now, DoD has had a fairly robust counterfeit part plan, 31:44.510 --> 31:47.710 so we're still gonna utilize that as well, 31:47.710 --> 31:50.400 but we're gonna probably be looking 31:50.400 --> 31:53.220 for things that can help us in that area. 31:53.220 --> 31:55.350 - So our company was inspected by 31:55.350 --> 31:58.233 DoD for compliance for CUI. 31:58.233 --> 31:59.470 - Compliance for what? 31:59.470 --> 32:01.270 - For CUI. - CUI, okay. 32:01.270 --> 32:05.180 - So I know that auditing is probably 32:05.180 --> 32:07.576 gonna be moving over to DCSA. 32:07.576 --> 32:09.228 - Not all of it. 32:09.228 --> 32:10.061 Not all of it. - Not all of it, 32:11.122 --> 32:13.015 so do you still see them being 32:13.015 --> 32:14.823 Or is all that gonna be outsourced? 32:16.646 --> 32:19.741 - So for CMMC, we're gonna go to third parties. 
32:19.741 --> 32:23.680 - Okay. - The DCSA and DCMA 32:23.680 --> 32:25.933 will still have a role to play. 32:27.140 --> 32:28.610 They're not gonna go away, 32:28.610 --> 32:31.100 and the DCSA still has cognizance for the 32:31.100 --> 32:33.600 NIST in the cleared defense contractors. 32:33.600 --> 32:36.660 So remember, CMMC is mainly talkin' about 32:36.660 --> 32:38.794 the uncleared contractors which is 32:38.794 --> 32:43.630 a base of about 300 thousand companies, 32:43.630 --> 32:46.230 and DCSA for the cleared contractors 32:46.230 --> 32:48.760 is like 20 thousand companies, 32:48.760 --> 32:51.910 so they're still gonna be involved with that, 32:51.910 --> 32:54.360 but they will also still have a role to play 32:54.360 --> 32:57.950 with CMMC when we see that there's an issue, 32:57.950 --> 33:01.310 there's probably gonna be an opportunity 33:01.310 --> 33:03.130 for them to go out and help 33:03.130 --> 33:06.420 and assist to triage some issues. 33:06.420 --> 33:09.069 - So the CMMC will apply to only 33:09.069 --> 33:12.740 uncleared contractors or both? 33:12.740 --> 33:14.720 - It'll apply to both, okay? 33:14.720 --> 33:17.262 But it's only meant to handle the 33:17.262 --> 33:19.560 covered, unclassified information 33:19.560 --> 33:22.590 and the basic cybersecurity of a company. 33:22.590 --> 33:24.500 When you get into your classified data, 33:24.500 --> 33:26.170 that goes to a different level, 33:26.170 --> 33:29.090 and it may have different requirements. 33:29.090 --> 33:31.584 - But a classified development company 33:31.584 --> 33:34.041 does work on the unclassified side, 33:34.041 --> 33:36.010 so are you going to apply this 33:36.010 --> 33:37.840 to their unclassified portions? 33:37.840 --> 33:40.520 - Yes, sir, yes, sir. 33:40.520 --> 33:43.290 We will definitely, to make sure, right? 
33:43.290 --> 33:46.529 I mean, we've had, there was one company that 33:46.529 --> 33:49.360 I can tell you about that I won't give their name, 33:49.360 --> 33:54.360 so they got hacked back in like 2015, 33:55.320 --> 33:57.680 and it took us a while to figure it out. 33:57.680 --> 33:58.960 So once we figured it out, 33:58.960 --> 34:00.660 and then they got hacked again. 34:00.660 --> 34:03.570 So they brought a company in to help them, 34:03.570 --> 34:04.900 and while that company was in there, 34:04.900 --> 34:07.190 they got hacked again, right? 34:07.190 --> 34:11.530 And we're talkin' like petabytes of data, 34:11.530 --> 34:14.640 so it's important, they were a cleared defense contractor, 34:14.640 --> 34:18.123 so their unclassified side wasn't covered as well. 34:20.665 --> 34:21.498 Say hey! 34:21.498 --> 34:25.040 All right, anybody else got any questions? 34:25.040 --> 34:26.268 Yes, sir. 34:26.268 --> 34:30.880 - Other briefings, we saw the control side, 34:30.880 --> 34:33.590 and then there was a process side, 34:33.590 --> 34:35.290 and lookin' at our processes for 34:36.140 --> 34:40.386 any can have comments on how you're gonna assess 34:40.386 --> 34:45.386 our process and see how mature we are? 34:45.450 --> 34:47.360 - So no, I'm not gonna 34:47.360 --> 34:52.360 'cause I'm not familiar or bright enough technically 34:52.660 --> 34:56.180 to even begin to try to go there for you. 34:56.180 --> 34:58.620 I know the team that we have that's working on it 34:58.620 --> 35:01.410 are extremely brilliant individuals, 35:01.410 --> 35:03.150 and they've got the lay down, 35:03.150 --> 35:07.260 and now when you see the dot 04 35:07.260 --> 35:10.800 model come out mid-September-ish, 35:10.800 --> 35:13.100 that'll give you some more indication of that, 35:14.046 --> 35:15.128 so check the website. 
35:15.128 --> 35:17.360 Now understand, though, when you see this, 35:17.360 --> 35:20.250 don't freak out because it's still in revision, 35:20.250 --> 35:22.700 so that's just dot four, 35:22.700 --> 35:25.590 and we gotta get to one by January, 35:25.590 --> 35:30.590 so it's gonna be changing, it's not gonna be static. 35:31.795 --> 35:33.240 So if you look at that, 35:33.240 --> 35:35.260 don't have a heart attack on me 35:35.260 --> 35:37.527 because it's still gonna be changed, 35:37.527 --> 35:39.933 but do make your comments, do ask questions. 35:42.310 --> 35:44.680 There aren't too many Stacy Bostjanicks around, 35:44.680 --> 35:46.810 so you can probably pick up the phone, 35:46.810 --> 35:49.330 figure out where I am, all right. 35:49.330 --> 35:51.040 Anybody else got any more questions? 35:51.040 --> 35:51.873 Go ahead. 35:53.091 --> 35:56.591 (audience member talking) 35:59.758 --> 36:00.633 When the dot four comes out, 36:01.511 --> 36:04.179 it'll give you an indication of what the controls are, 36:04.179 --> 36:08.270 they're gonna align very closely to the NIST 800-171, 36:08.270 --> 36:10.770 so they'll be very similar to that. 36:10.770 --> 36:13.210 They've pulled in some from AIA, 36:13.210 --> 36:17.980 we have been in close contact with the British MOD, 36:17.980 --> 36:20.090 and they've got a system now, 36:20.090 --> 36:22.740 and, I guess, how many of you are familiar with 36:22.740 --> 36:25.570 the AirDine issue that just came up? 36:25.570 --> 36:26.890 Have you heard about that? 36:26.890 --> 36:29.280 Yeah, that was a little painful. 36:29.280 --> 36:34.280 So these guys self-attested that they met 800-171. 
36:35.090 --> 36:37.180 Sorry about their luck, 36:37.180 --> 36:38.550 but they had a disgruntled old CIO 36:38.550 --> 36:42.410 that called the Hotline and said "no they're not", 36:42.410 --> 36:46.210 and they got fined, I think, $14 million 36:46.210 --> 36:49.210 under the False Claims Act (whistle) 36:49.210 --> 36:52.000 because they self-attested when they weren't, 36:52.000 --> 36:54.520 so there is precedent here, 36:54.520 --> 36:57.320 and the British had the whole thing against 36:57.320 --> 36:59.120 I think it was British Airways, 36:59.120 --> 37:02.590 and it was like 250 million pounds or something. 37:02.590 --> 37:03.423 That hurt, right? 37:03.423 --> 37:06.555 I could have a lot of swimming pools for that much. 37:06.555 --> 37:08.573 (audience chuckles) 37:08.573 --> 37:10.967 So you think about, there is a precedent now 37:15.560 --> 37:18.180 for not just self-attesting and 37:18.180 --> 37:20.270 kinda bein' laissez-faire about it. 37:20.270 --> 37:21.970 We need to pay attention to this, 37:21.970 --> 37:24.980 and we're lookin' for you guys to step up 37:25.934 --> 37:27.920 and really cover your programs and make sure 37:27.920 --> 37:31.393 and do the right thing for yourselves and for the nation. 37:32.340 --> 37:34.239 Any other questions? 37:34.239 --> 37:35.464 Go ahead! 37:35.464 --> 37:38.784 - You mentioned that there might be a push 37:38.784 --> 37:43.665 to make an ISO standard or something like that. 37:43.665 --> 37:45.307 Is that - It's gonna be the 37:45.307 --> 37:47.885 Stacy Bostjanick ISO standard. - Yes. 37:47.885 --> 37:50.475 - Wouldn't that be nice? 37:50.475 --> 37:52.120 Go ahead. 37:52.120 --> 37:56.087 - So in terms of doing coordination with 37:56.087 --> 37:58.810 any of our data departments, for example, 37:59.694 --> 38:03.630 is that being looked at to, is this part of this 38:03.630 --> 38:06.521 to kind of come up with a common standard? 
38:06.521 --> 38:10.070 - Yes, and, in fact, if we go back 38:10.070 --> 38:14.957 to that cornucopia chart, this one, right? 38:16.240 --> 38:20.200 If you see in there, I think there are 38:21.490 --> 38:23.400 some of the other standards, 38:23.400 --> 38:26.284 but yes we are definitely workin' with, 38:26.284 --> 38:31.120 Australia has some, British 38:31.120 --> 38:32.620 is another one we've been lookin' at, 38:32.620 --> 38:37.100 so the guys, they're really bright individuals 38:37.100 --> 38:41.380 that are the cybergeeks from applied physics lab, 38:41.380 --> 38:43.040 Johns Hopkins Applied Physics Lab 38:43.040 --> 38:46.780 and Carnegie Mellon's Software Engineering Institute. 38:46.780 --> 38:48.330 I always get that one mixed up, 38:49.420 --> 38:51.460 so those are the guys that are helpin' us 38:51.460 --> 38:53.450 take all of these different standards 38:53.450 --> 38:57.013 from across the world and put them into this model. 38:58.033 --> 39:00.350 Anybody else? 39:00.350 --> 39:02.289 You're frowning, don't frown! 39:02.289 --> 39:03.625 (audience chuckles) 39:03.625 --> 39:05.067 You need more coffee! 39:05.067 --> 39:08.567 (audience member talking) 39:18.394 --> 39:20.630 So one of the things that you'll see, 39:20.630 --> 39:21.720 so yeah you're right, 39:21.720 --> 39:24.300 they're supposed to be flowin' it down, 39:24.300 --> 39:29.300 and so the DCMA and the DCSA audits 39:30.310 --> 39:32.770 that are goin' on now or they're startin' out, 39:32.770 --> 39:35.020 so they've just completed the summer, 39:35.020 --> 39:38.000 and I think they did most of the big companies, 39:38.000 --> 39:40.110 and now they're goin' to the next tier 39:40.110 --> 39:42.100 group of companies and performing this, 39:42.100 --> 39:44.020 and they're lookin' to make sure that they have 39:44.020 --> 39:46.480 the documentation and they're flowin' it down. 
39:46.480 --> 39:49.130 When CMMC comes into play, 39:49.130 --> 39:53.570 and you give me your proposal, 39:53.570 --> 39:57.070 you're gonna have to talk to, here are my suppliers 39:57.070 --> 39:59.240 and here are their certification levels. 39:59.240 --> 40:01.480 Now, there's one thing we haven't quite worked through 40:01.480 --> 40:05.307 'cause some of the suppliers are like "I'm not tellin' you", 40:05.307 --> 40:09.200 so okay, how are we gonna de-conflict that? 40:09.200 --> 40:12.127 Because you as a prime are not gonna wanna have 40:12.127 --> 40:13.430 "okay here are my suppliers", 40:13.430 --> 40:16.078 and the federal government can go in and look 40:16.078 --> 40:18.327 and go "sorry for your luck, but Tom, he's not there, 40:18.327 --> 40:20.622 "so we're gonna throw your proposal out", 40:20.622 --> 40:22.495 that's not fair, all right, 40:22.495 --> 40:24.320 so you guys are gonna have to work with your suppliers, 40:24.320 --> 40:26.200 and I think it's probably gonna be 40:26.200 --> 40:30.200 a peer-pressure kind of issue, right? 40:30.200 --> 40:32.030 Because I'm not gonna use you unless you tell me 40:32.030 --> 40:34.230 you're certified and show me your documentation 40:34.230 --> 40:36.400 so I can put it in my proposal. 40:36.400 --> 40:39.270 So it will become a forcing factor. 40:39.270 --> 40:41.060 Does that make sense? 40:41.060 --> 40:42.590 All right, sir! 40:42.590 --> 40:45.800 - I know that you kind of alluded to 40:45.800 --> 40:48.173 the F-35 and probably some other issues, 40:49.426 --> 40:50.693 but it may be up there, I just can't see it, 40:53.087 --> 40:55.737 is there any interweaving or overlapping with (mumbling) 40:57.350 --> 41:00.970 - I think so, but I can't tell you that definitively. 41:00.970 --> 41:02.017 - Okay. 41:02.017 --> 41:04.333 - I mean, the guys that we've got workin' with us 41:04.333 --> 41:08.580 are pretty good about spanning the whole thing. 
41:08.580 --> 41:10.670 I'm trying to think if I, I know I've talked 41:10.670 --> 41:12.250 to some of the anti-tamper guys, 41:12.250 --> 41:16.063 so I think, I think, I think, but don't quote me on that. 41:17.320 --> 41:20.550 - So I know that a big part of the CMMC 41:20.550 --> 41:24.420 is going to be independence of the audit. 41:24.420 --> 41:26.370 That you cannot self-attest anymore, 41:26.370 --> 41:28.220 now you have to have a third party coming in. 41:28.220 --> 41:29.708 - Yes ma'am. 41:29.708 --> 41:31.560 - Have y'all clearly defined what independence 41:32.974 --> 41:33.953 means as far as just a large number of contractors 41:35.250 --> 41:37.170 that have multiple divisions. 41:37.170 --> 41:39.190 They'll have an IT support division, 41:39.190 --> 41:40.530 they'll have a cyber division, 41:40.530 --> 41:41.990 they'll have this, 41:41.990 --> 41:45.270 are they allowed to participate? 41:46.520 --> 41:51.016 - Oh, like can I have my west wing come audit my east wing? 41:51.016 --> 41:51.849 - Exactly. 41:51.849 --> 41:54.081 - Yeah so - define that yet? 41:54.081 --> 41:55.393 - No we have not, 41:55.393 --> 41:57.478 but I would imagine we're not gonna go there, 41:57.478 --> 41:59.130 and the consortium that we've got 41:59.130 --> 42:02.440 with the individuals that have put some of these 42:02.440 --> 42:05.980 things together before that we're workin' with 42:05.980 --> 42:08.642 are gonna help us get through that, 42:08.642 --> 42:13.642 and no, well, I'd say no, but, go ahead. 42:14.079 --> 42:17.698 - Before, a gentleman said, is there gonna be 42:17.698 --> 42:21.772 a sort of a clearinghouse where we can look to see 42:21.772 --> 42:26.283 what companies are certified rather than just 42:26.283 --> 42:29.480 - So we're workin' through how that works. 42:29.480 --> 42:31.110 We've looked at some of the tools 42:31.110 --> 42:35.813 like ComplyUp and Exostar, is anybody familiar with Exostar? 
42:37.140 --> 42:39.470 So there are some different tools 42:39.470 --> 42:41.670 out there that we've been lookin' at. 42:41.670 --> 42:43.760 I'm trying to set up, 42:43.760 --> 42:46.040 but you know how it is in that puzzle palace there 42:46.040 --> 42:47.540 trying to get the right person to help me 42:47.540 --> 42:50.163 'cause they're like "oh no, you can't do it yourself". 42:50.163 --> 42:52.262 And see, I used to be a contracting officer, 42:52.262 --> 42:54.270 so I know how to do it, so I'm a little frustrated. 42:54.270 --> 42:57.250 What we wanna do is do an industry demo day 42:57.250 --> 43:00.001 for companies that have these kinds of tools 43:00.001 --> 43:02.970 that can all come in and give us 43:02.970 --> 43:05.740 because they're really startin' to pop up a lot, 43:05.740 --> 43:09.520 so we're talkin' about "trying" 43:09.520 --> 43:12.810 to have a tool that would have those levels, 43:12.810 --> 43:15.490 but it'll depend on the company's willingness 43:15.490 --> 43:19.160 to participate and put their certification level in there 43:19.160 --> 43:21.760 because I don't think, we've gotta 43:21.760 --> 43:24.753 work with the lawyers to see where we are on that. 43:25.727 --> 43:27.140 Can we publish that? 43:27.140 --> 43:28.970 Can we not publish that? 43:28.970 --> 43:32.780 Is that proprietary or information? 43:32.780 --> 43:34.033 That kind of thing. 43:34.033 --> 43:37.000 I would think, at the end of the day, 43:37.000 --> 43:39.874 it would make sense for companies to wanna step up 43:39.874 --> 43:41.870 and put their certification out there, 43:41.870 --> 43:43.920 and it'd be somethin' they'd be proud of. 43:44.813 --> 43:47.320 (audience member talking) 43:47.320 --> 43:48.460 Yes, sir, that's why we're gonna have 43:48.460 --> 43:50.320 the Stacy Bostjanick ISO, right? 43:51.544 --> 43:52.677 Yes, sir. 43:52.677 --> 43:57.677 (audience member talking) Right, right, right. 
44:12.660 --> 44:14.330 So our consortium is gonna, 44:14.330 --> 44:17.460 we will have an adjudication process. 44:17.460 --> 44:20.010 We haven't defined exactly what body 44:20.010 --> 44:21.910 would do that adjudication. 44:21.910 --> 44:24.074 Most probably it'll go back to 44:24.074 --> 44:25.550 a government entity to do that, 44:25.550 --> 44:27.110 but we haven't defined that. 44:27.110 --> 44:30.440 But the hope is that when we put this model out 44:30.440 --> 44:32.949 they are preparing desk guides 44:32.949 --> 44:36.570 for both the certifiers and the companies 44:36.570 --> 44:38.650 that kinda explain these are the kinda things 44:38.650 --> 44:40.600 we're lookin' for, this is what we expect to see, 44:40.600 --> 44:45.150 so hopefully, go back to my nun story earlier, 44:45.150 --> 44:47.410 we won't have those issues. 44:47.410 --> 44:49.310 I'm sure there will be, one or two, 44:49.310 --> 44:51.573 but I'm hopin' that it'll be minimal at best. 44:52.570 --> 44:53.959 Yes, sir. 44:53.959 --> 44:57.950 (audience member talking) 44:57.950 --> 45:02.070 We have been trying to accumulate that data, 45:02.070 --> 45:06.760 and I will tell you, it ranges all across the span. 45:06.760 --> 45:09.960 To a thousand dollars, like fifty dollars 45:09.960 --> 45:13.113 to a thousand dollars an employee depending. 45:14.190 --> 45:17.710 So yes, we definitely understand 45:17.710 --> 45:19.923 that there's a cost impact. 45:19.923 --> 45:24.410 Like I said earlier with the NIST 800-171, 45:24.410 --> 45:25.990 it's already anticipated that you're 45:25.990 --> 45:28.976 accumulating this cost in your rates, right? 
45:28.976 --> 45:32.180 We also recognize that levels four and five 45:32.180 --> 45:37.180 with the NIST 800-171b is gonna be extremely expensive, 45:38.020 --> 45:41.890 and there's probably gonna have 45:41.890 --> 45:44.010 to be some consideration otherwise, 45:44.010 --> 45:46.147 but we haven't thought through 45:46.147 --> 45:47.683 exactly how that's gonna work yet. 45:48.740 --> 45:51.096 - [Audience Member] So you're 45:51.096 --> 45:53.363 saying that level one is gonna be 45:53.363 --> 45:54.196 not that expensive to get that audit, right? 45:56.097 --> 45:58.210 Level five, and I'm just talking about the audit 45:58.210 --> 45:59.710 - So, how much you would have to pay 45:59.710 --> 46:03.907 a company to come in, so hopefully 46:03.907 --> 46:07.407 (audience member talking) 46:22.317 --> 46:25.067 You probably have to speak louder 46:27.770 --> 46:28.860 - Oh, thank you. 46:28.860 --> 46:31.410 So for anyone that's gone through a FedRAMP assessment, 46:31.410 --> 46:33.630 the 800-171 or an equivalent feels 46:33.630 --> 46:35.420 like almost like target practice, 46:35.420 --> 46:38.470 and the price tag is very similar to that, 46:38.470 --> 46:40.434 so I would say this is probably 46:40.434 --> 46:42.468 one of the cheapest assessments that we do 46:42.468 --> 46:45.312 is the 800-171 security assessments. 46:45.312 --> 46:49.562 (drowned out by noise without mic) 46:58.360 --> 47:00.930 - And hopefully we'll have so many certifiers out there 47:00.930 --> 47:03.823 that the market, competition, right? 47:05.108 --> 47:06.700 Yes, sir! 47:06.700 --> 47:08.300 - Maybe you lost me a little bit 47:09.487 --> 47:11.000 or you have to rewind on the 47:11.000 --> 47:12.665 who can be a certifier? 47:12.665 --> 47:14.970 I mean, you do plan to, as a government entity, 47:14.970 --> 47:17.676 make a list of certifiers, like 47:17.676 --> 47:20.657 how are you gonna determine they're qualified 47:20.657 --> 47:21.997 to do that? 
- So 47:21.997 --> 47:23.880 what we're gonna do is we're in the process 47:23.880 --> 47:26.690 of putting together a "consortium" of companies 47:26.690 --> 47:30.730 because we recognize, are you familiar with CMMI? 47:30.730 --> 47:35.730 Okay, so CMMI had ISACA as their governing body. 47:36.020 --> 47:37.110 When we started talkin' about this 47:37.110 --> 47:39.280 with 300 thousand companies, 47:39.280 --> 47:41.060 we all quickly recognized that 47:41.060 --> 47:46.040 one body, one company, one isn't big enough. 47:46.040 --> 47:48.330 So we're accumulating a consortium 47:48.330 --> 47:50.270 of different companies to help us. 47:50.270 --> 47:53.740 That consortium will be the oversight body for this. 47:53.740 --> 47:56.242 They're gonna be the ones who accredit 47:56.242 --> 48:00.389 the certifiers, train the certifiers, 48:00.389 --> 48:04.500 make sure that they communicate with the certifiers, 48:04.500 --> 48:06.700 and they're gonna be the ones who are gonna make sure 48:06.700 --> 48:09.270 that you as a certifier have 48:09.270 --> 48:11.170 the credentials, have the capabilities, 48:11.170 --> 48:12.290 and then they're gonna come out 48:12.290 --> 48:16.120 and audit you as a certifier to make sure that you guys, 48:16.120 --> 48:17.660 'cause one of the things I kept hearing 48:17.660 --> 48:19.400 is that they ran into with some of 48:20.510 --> 48:21.850 the earlier things they did with CMMI 48:21.850 --> 48:24.890 were certifiers just copyin' and pastin', 48:24.890 --> 48:26.120 and they don't want that, 48:26.120 --> 48:28.990 so they're already, the groups that we've 48:28.990 --> 48:30.484 talked to that are gonna help us, 48:30.484 --> 48:33.839 have already seen some of the issues 48:33.839 --> 48:38.610 and so we're hopefully preparing for that to make sure, 48:38.610 --> 48:41.410 and like I said, I want everybody certified the same, 48:41.410 --> 48:43.820 I want consistent practices across the board, 48:43.820 --> 48:46.730 so if you 
go to one guy and get a level three, 48:46.730 --> 48:48.860 if he comes in to give you a level four, 48:48.860 --> 48:50.270 he can pick up that level three 48:50.270 --> 48:52.863 and be confident that it was done correctly. 48:53.949 --> 48:57.170 Okay, anybody else? 48:57.170 --> 48:58.177 We good? 48:58.177 --> 48:59.920 - Stacy, can I add one more thing? 48:59.920 --> 49:00.753 - Sure! 49:02.539 --> 49:05.010 - For instance, under FedRAMP, oh thank you. 49:05.010 --> 49:06.290 HLA is the governing body, 49:06.290 --> 49:08.710 so as one of the three PALs, we do go through 49:08.710 --> 49:11.210 we're certified under an ISO standard 17020, 49:11.210 --> 49:12.710 we go through an annual audit, 49:13.759 --> 49:15.419 every assessor is expected to maintain 49:15.419 --> 49:16.420 a level certifications as well. 49:16.420 --> 49:18.800 Same thing where as a certification for (mumbles). 49:20.984 --> 49:23.180 Auditing the auditors is never fun. 49:23.180 --> 49:24.013 I've done it. 49:24.013 --> 49:25.706 When we go through that audit, 49:25.706 --> 49:27.640 it's more of a pain than what we cause to our clients, 49:27.640 --> 49:29.830 so I'm assuming it'll be a similar model 49:29.830 --> 49:32.190 where there is a set of requirements, 49:32.190 --> 49:34.080 most of them probably pretty stringent. 49:34.080 --> 49:36.000 Again if you compare them to FedRAMP. 49:36.000 --> 49:38.158 I'm anticipating something similar. 49:38.158 --> 49:41.145 - And we are stealing from FedRAMP. 49:41.145 --> 49:43.312 We are stealing from CMMI. 49:45.594 --> 49:48.460 They say stealing. 
49:48.460 --> 49:50.600 I tried to get a copy of their MOU the other day, 49:50.600 --> 49:51.657 and it was funny 'cause they were like 49:51.657 --> 49:53.130 "no we can't give it to you", 49:53.130 --> 49:56.747 so I had to go through my point of contact at FedRAMP, 49:56.747 --> 49:59.150 and then he was like "oh great, I'll send it to you today" 49:59.150 --> 50:00.652 it's like, what happened, right? 50:00.652 --> 50:02.046 (audience chuckles) 50:02.046 --> 50:04.780 But we've got our eye on the fact 50:04.780 --> 50:07.030 that it's a burden on companies. 50:07.030 --> 50:09.750 We've got an eye on the fact that we want to be consistent. 50:09.750 --> 50:11.830 We're not tryin' to have you go through 50:11.830 --> 50:14.101 a whole system for FedRAMP certification 50:14.101 --> 50:15.593 and then you go through something 50:15.593 --> 50:16.940 totally different for CMMC. 50:16.940 --> 50:19.610 Where we can leverage the certifications 50:19.610 --> 50:21.945 of other groups, we're lookin' at that. 50:21.945 --> 50:25.403 But we also have an end state that we're trying to achieve. 50:26.270 --> 50:30.767 And that's more of the culture and mindset of security 50:30.767 --> 50:35.767 protecting our information so we don't have airplanes, 50:36.420 --> 50:38.670 that we put our blood, sweat, and tears in 50:38.670 --> 50:41.710 to develop the technology and capability for, 50:41.710 --> 50:43.890 showin' up in somebody else's country 50:43.890 --> 50:47.050 where they didn't have to do the same hard work, right? 50:47.050 --> 50:48.000 It's just not fair. 50:49.017 --> 50:51.440 All right, barring any other questions, 50:51.440 --> 50:54.050 I'm Stacy Bostjanick, you can reach out to me. 50:54.050 --> 50:56.853 You can put questions on the website. 50:58.612 --> 50:59.445 And like I said, 50:59.445 --> 51:01.600 if you're gonna take a picture of a slide, 51:01.600 --> 51:03.020 this is the one, right? 51:03.020 --> 51:04.940 And please, communicate with us. 
51:04.940 --> 51:08.593 We wanna hear from you, okay? 51:11.660 --> 51:13.885 Thank you so much for your time. 51:13.885 --> 51:16.885 (audience clapping)