Episode #9 | Teleworking 

Announcement: [00:00:00] Broadcasting from Fairfax, Virginia. You are now tuned in to The Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Welcome to The Highlight Cast. This is Adam McNair joined by Kevin Long. Hi, Kevin.

Kevin Long: How’s it going, Adam? Good to hear your voice. See your face.

Adam McNair: Absolutely, yeah. So, uh, this has been, uh, several months since we’ve done one of these, and the world ended in between. A, a, absolutely, yeah. It’s, it’s been very, very different, obviously, as I think it has been for everybody. Uh, we, for, for transparency’s sake, we closed down our main office in March. And as we sit here today, it is now September. So we’ve all been remote. Um, I guess my, you know, my, my overall business perspective, there’s a lot of things about and all of that. I will tell you from the personal angle of it. I started out thinking that maybe this would be a month or something and set up temporarily and in the kitchen and then moved to the kind of the next stage was, well, this might be a while and set up in the basement. And the third phase for me has been this might really, really be a while, and I have now established an upstairs room as an office. Out of the dungeon. Yeah, absolutely. So that’s kind of how it has gone here. How has your just personal logistics worked out?

 

Kevin Long: Seriously, yeah. I mean, it’s been, it’s been crazy. Uh, I felt exactly the same way. I started with Okay, well, I mean, I’ve got a laptop so I can work from home and, you know, uh, my wife works from home too. So she has the work from home space normally set up. And so I was working other places so as to not disturb her. [00:02:00] So I’d have my laptop on my lap and I did that for a while. And then I was like, you know, this is, this is, this is not going to end super soon. I’m going to get me a keyboard and I’m going to get set up with a desk and some place to work. Right. And so, uh, uh, and ironically, I just also migrated to a second floor room myself with a desk. And so it’s, uh, more comfortable. So thumbs up there. 


Adam McNair: Yeah, I would tell you the little logistical challenges that I have had to overcome, uh, the, the inability to have cell service in the basement was the first one.


Kevin Long: Wow. 


Adam McNair: Um, and so I had to get some Wi-Fi extenders and figure that out. Um, I have, have turned back on a home phone so that I can have a, a, another line in the event that I am going to be on a longer call that’s not [00:03:00] some digital platform. Um, and, and the, the echo factor, the microphone, headset, so forth, um, you know, what I’ve found is that a lot of these calls, some of them do better than others, depending on the, depending on what platform you’re on of absolutely using whatever algorithm they used to separate out the voice track. And some of them don’t do it very well at all. And, um, so I’ve, I think I’m now set up and able to communicate without echo and all of those things, but it’s just interesting. Those are the kinds of things that you just, when you, when you have a meeting here or there remotely, you just don’t have that big a problem with


Kevin Long: right?

Yeah, it was, uh, I literally had to get set up with, with the microphone and everything as well. I mean, I never realized, like, I, I would walk around the office, I mean, MBWA, management by walking around, right, and hear about what’s going on, things like that. Now you’re jumping on to Zoom or Skype or [00:04:00] Teams or Google Hangouts or, or a cell phone call, um, to do the same stuff. And if I couldn’t just walk in there or I was out and about, I’d essentially be in my car on Bluetooth, right? And so I found out that my cell phone and computer microphone speakers sucked for everybody else that I was talking to, right? They’re like, Kevin, you’re talking through a tunnel and we don’t think you are, we see you on the camera, you know, please fix. And so, yeah, it was, uh, it’s a totally different, different set of must haves for, for being able to communicate well to a group and, and around. It’s, it’s been really, yeah, and honestly, headphones that are comfortable to wear for four straight hours, right?


Adam McNair: Yeah, and I, I, that, that interaction from walking around was a big thing [00:05:00] for me to figure out how to replace. I mean, different people work differently. And I think, um, the layout of our, uh, Our physical office as best I recall it from six months ago. What? Everything that I would do when we have kind of two floors in our building, and I’d go from one to the other, and you pretty much walk through most of the the areas of the office going from one to the other, and I would just catch up with people on things and and trying to find structured ways to do that where you’re not just, you know, running into people.


Kevin Long: Yeah. Solving problems before they become problems because you heard or overheard a conversation of people trying to solve something. In the common room, right? It is. Oh, it is such a challenge for me because it, it is, it is absolutely the way, the way I prefer to operate that, you know, now when I walk around, all I do is have, you know, my wife looking at me saying, you know, I’m working too. And my dog saying, does this mean we’re taking a walk 


Adam McNair: now? Yeah. Yeah, it’s, um, it’s very, very different and it’s, it is, it feels strange to me to be so excited about collaboration tools. Like, I, the only one that I can really say that I felt that way about from a, technical perspective at any point was when, when the first time that I went from developing a proposal with the old check in, check out the document method and everyone could be in the document at one current


Kevin Long: collaboration as this is amazing, 


Adam McNair: right? And now that we have gone, um, we had Microsoft Teams on our backlog of things to accomplish. But it was still, it still felt like kind of a, um, evolving tool. [00:07:00] Yeah, and we were going to get to it and we had been on Skype for Business and it’s okay for going back to the creating a dial in bridge so that everybody can dial into something from their phones. It works just fine for that. Um, but there’s a reason it’s an end of life tool now and Microsoft Teams. It’s so cool. It’s so much better and I actually feel like its chat functionality because it allows us to have almost like digital informal conversations that are themed and separated and it’s not just, you know, by person, um, you know, that’s like random history


Kevin Long: and timestamp.


Adam McNair: Exactly. I mean, cause one of the things that I had had to evolve to a long time ago was there’s so much email come again. That, I mean, you know this, I tell everybody, [00:08:00] if you need something, you need to text me because I’m going to get 500 emails a day. 


Kevin Long: I will get to your email eventually. If it’s time sensitive, don’t put it in email unless there’s a text that accompanies it that says, check your email.


Adam McNair: Yeah. And, um, And so there’s, there’s just so much of that and, and text was okay, but then when you’re in the basement, it doesn’t get signal. So I solved that problem. That was the first, the first piece was not now my texts don’t work, but then once they did, because it was becoming a communication platform, now all of a sudden I’m getting so many texts. I can’t, I’m losing track of texts. 


Kevin Long: Oh no. 


Adam McNair: But Teams has really handled that. I mean, it really, um, the integration on mobile, the, the ability to work, uh, collaboratively to work in documents, to have conversations, to have team based conversations. I mean, it’s been, um, yeah, 


Kevin Long: it’s great. I mean, last night I was, you know, Stan needed a, uh, Stan and Raj needed a quick catch up on a proposal that they were working on. So Stan texts me and says, Hey, do you have a quick second for a Teams call? And I replied back, sure. Only this via cell phone, though, because I wasn’t at my computer. I could put it on, on speaker and I could keep making dinner and get them the information that they needed. Right. It was, it was great. And I’m still learning everything that Teams can do. Well, I mean, I just got out of a meeting with a partner that, that has been using Teams for years and the stuff that he’s talking through on that. I mean, I was already excited. I’m super excited to figure out all of that stuff.


Adam McNair: Yeah, it’s, it’s amazing. Um, yeah. Yeah, so I, I think that that was, is the biggest change that, you know, that we’ve made, um, as we’ve been, um, remote here, remote extensively. Um, and, [00:10:00] yeah, um, since we’ve, we’ve closed the office, uh, I’ve been in there three or four times where something needed to be done in paper or, you know, signed with ink, cause that’s still a thing or, or something like that. Um, but. Yeah, one thing for a second. So yeah, we did get to have that happen. And I mean, luckily, if you’re going to pick a time to have an office flood, it’s good to have it flood when no one is using it. But yeah, the storm drain for the building backed up in one of the major rainstorms we had, and they got to, you know, replace all the carpet and the bottom 14 inches of drywall on the entire, it wasn’t just our suite, it was the entire first floor of the building. So it was, uh, pretty extensive. Yeah. Uh, well, you know, it’s interesting. We just, um, kind of settled up all the back and forth. And, and of course, when that happens, there was some wiring that had to be done after the fact and whatever. So that’s, um, that’s getting, you know, getting closed up and we, we did, we use Microsoft Teams to share our COVID reopening plan, uh, which what we are trying to do is figure out just the minimum number of people that really have, um, physical requirements for space and it ends up being contracts and procurement and finance. There are some things that, um, they still have to handle in paper for one reason or another. Right? Um, so we’re trying to do HR


Kevin Long: probably too. 


Adam McNair: Yeah, a little bit. You know, a lot of the things that we’ve, we’ve digitized the offer letter process. All of the signature is, uh, is, is digital. Um, the I-9 verification is all digital. So a lot of that stuff we’ve been able to, um, to streamline and [00:12:00] minimize that, um, you know, the other thing that we have is that we have added some, uh, support organization staff during, during this period. And so we, we, frankly, we wouldn’t have an office for everybody under old space guidelines, let alone, uh, trying to keep people distanced and yeah, you know, and regardless of what the, the recommendations for square footage and everything are, it’s just important that I don’t want people to sit there and be uncomfortable. I mean, even when it gets to a point where, um, you know, whether the state tells you you can or you can’t or whatever, um, I don’t want to go tell two people.


Kevin Long: Hey, hey, here, here you go. You can sit on either side of this plastic screen. Yeah. I mean, and if work can be done someplace where someone’s more comfortable doing it, right? I mean, we’re an IT company,


Adam McNair: right? Let’s eat our own dog food. Yeah. Yeah. And, and one of the things that I [00:13:00] have found interesting is so many of those, um, you know, support recs as we open them, it’s like, well, location is in Fairfax, Virginia, and then you pause for a second. You’re like, but I guess it doesn’t really need to be 


Kevin Long: never going to walk in here. Unless something unusual happens. So yeah, how about Topeka? 


Adam McNair: Yeah, I’ve the last several interviews that, that I’ve been conducting, um, California, Florida, and then frankly, a couple of people, I’m not even sure where they are, I know they weren’t local, but they were someplace else. And it’s just not. It’s not a, uh, a factor to weigh into, you know, this, the staffing decision. Uh, yeah. 


Kevin Long: Yeah. I mean, if, if you’re not, if the intention is to have them be a hundred percent remote, I mean, right. I mean, wherever that’s, I mean, that’s exciting. 


Adam McNair: Yeah. The one thing that I did have is a, is an interesting thought.[00:14:00] Um, one of these interviews that I was conducting recently was there is now a whole technical stress layer on top of it that for the, for the applicant, you know, ordinarily they’re coming in to get interviewed and, uh, What happens if there’s traffic? What happens if I can’t find the building? There’s those kinds of things that has been alleviated, but that has been replaced by 


Kevin Long: what happens if my internet goes out, 


Adam McNair: internet goes out, I can’t get my camera to work, um, you know, and it’s, it, I find it to be interesting because you’ll send out a Skype, Teams, whatever invite, and if the person just calls in by phone, it does, it gives, gives me the, the momentary thought of like, well, how’s this remote work work for you? Are you kind of comfortable with that? Um, yeah,


Kevin Long: absolutely. 


Adam McNair: Yeah. Cause I, I did an interview where the person was like, you know, they couldn’t get the camera to work. Uh, hey, I can’t get, um, the speakers to work. Um, then I had one where we ended up, they left their camera on and had to dial in from cell phone for the audio part. And, um, you know, it’s like, where’s that, where’s that line between IT coaching on how to get this to work? And just, we’re supposed to be talking about a job, right?


Kevin Long: Oh, absolutely. And, and how tech, I mean, it’s, it’s nice. Cause at least for partially technical roles, you know, welcome to, welcome to an informal skills test,


Adam McNair: right? I mean, essentially, and if you think about, you know, all the things that we do, if you’re not proficient in Teams, general online collaboration tools, those kinds of things, it would be hard [00:16:00] to support what we’re doing right now, if you couldn’t use those things.


Kevin Long: Yeah, I mean, For the foreseeable future. I mean, cause I mean, I, I read that plan and to, for reoccupancy and it’s, I mean, uh, at least in the meetings that we’ve been having, it was always, you know, it started in March. I mean, I, I flew back from Boston, St. Louis Friday, the 13th in March. And you texted me and said, we’re shutting down the office work from home. And then we’re like, we’ll reassess in June. Came to June, we’re going to reassess in July, July came, we’re going to reassess in September, September came, we’re right now it’s November. We’re looking at for a few people going back in and so, yeah, I mean, if you can’t do, uh, which awesome reassessment, great decisions, uh, I think, especially with how successful it has been in, in making sure that people can continue to work, um, I mean, I, they’ve resolved the two IT tickets for me today with random things. So huzzah, but, uh, yeah, it’s, if you, if you’re going to have people that aren’t comfortable with the new normal, right. Yeah. That, that answers a lot of your questions already. 


Adam McNair: Yeah. And you know, the, so it’s, it’s a, that’s a point to bring up is, you know, the way that we established a date for reopening of an office. So when all this happened, you know, it was kind of to be determined. The state of Virginia had mandated that things closed down there for a while. And, um, so we, we were closing and the schools closed. Uh, so we closed on, Essentially, the same time schools closed, we made the call a week before schools closed that we were going to close in a week. And so that that Monday that schools closed, we were had closed the office as well. Um, but the all the different factors that. Into the decision, we [00:18:00] got a note from our health care provider that offered from a best practice. It basically said, if you are knowledge workers, if you are in an industry that where you can do things remote. They believed that in their guidance that to protect the, um, health and welfare of your employees that, or I want to say it was something like 22nd or 27th or something like that, seemed to be a good date to which to extend the, uh, the remote work. And so certainly there’s, The health and welfare aspect. So that was one angle and underlying it. I mean, certainly far secondary, but certainly when you’re looking at the overall span of things that could play into the decision, uh, the cost associated with. I don’t want anybody to get sick ever, but also coupled with that, the potential cost exposure of if you had a bunch of people that got, um, that got very sick, I mean, a COVID outbreak in a company, um, if you think about that, all tracing up to the company’s health plan, uh, there’s a lot of costs that goes, goes in there and your renewal every year is big, Based on what you experienced last year. And so there’s, there’s financial risk exposure. 


Kevin Long: Double whammy. Cause people are too sick to work and we’re, we’re still pretty small, right? So goes through HQ. And so you don’t have HR proposal and. And half of ops management, they’re laid out sick and they’re laid out sick. So then now, now work’s not getting done and your, your insurance premiums quintuple because seven people are hospitalized.


Adam McNair: Yeah, 


Kevin Long: absolutely. 


Adam McNair: Yeah. The, the operational risk to the company was [00:20:00] also something that, um, you know, okay, yeah, I want to make sure that nobody, you know, gets, gets sick. We don’t expose people to things. I also, I mean, hey, all our life is stressful enough and jobs are stressful enough and enough things happen. You don’t have to, if you can avoid having somebody sit there and worry about, you know, getting sick or, or taking it home, um, you, you do that. But as you say, we’re, we’re in 30. To this point, but our nerve center, if you will, is, uh, 6,000 square feet of office space, right? And, and shared break rooms and all of that kind of thing. And so, um, we, we have a lot of it redundancy and a lot of cross training and all of that. But if about 25 people were out of commission for a couple of weeks, assuming best case, I better, uh, you know, even if it was the flu, whatever it was, if something [00:21:00] happened and it took, uh, several of our, of our folks offline for a couple of weeks, be a really bad, um, impact to the, to the business, um, I don’t want to have


Kevin Long: to learn how to run payroll.


Adam McNair: No, no. And nobody wants me doing that. Trust me, uh, yeah, and, and then the other thing, I think, um, everybody, you know, the logistics of, of life and how to do things, accomplish things, uh, people whose kids are in school, out of school. online only two days a week and that is changing. And again, I, you know, dynamic changing landscape, things change. So I get that, but it’s also hard to plan. And it’s, it’s hard to tell somebody that they have to show up every day when they don’t even know if their kids are going to be in school. 


Kevin Long: Absolutely. I mean, as I interview people for new jobs, I’ll tell you, like there are a couple of questions that I always get. And one of them is, Always, I have kids, when are things going to require me to no longer be at, at home? Like, when will I have to start showing up on a site? And I have, I mean, some customers know that answer, some customers don’t. Uh, HQ people, you know, we definitely know that answer. But, yeah, I mean, it is. It is a question everybody asks. I mean, if you have kids and, you know, uh, a huge number of folks that I know are, are doing partial, I mean, I don’t know, let me rephrase that. I don’t know any school system. That I have people that I know in that has a hundred percent on site students that we’re doing. And so it is, you know, the, the, how do I continue to provide value for the company and continue to do what is necessary for my family is [00:23:00] always the question.


Adam McNair: Right. And you know, there are some things that I do think this will, this will kind of permanently impact the remote versus in person. Um, yeah. Not only do people want the flexibility, I think a lot of people, I mean, not everybody, everybody’s different. A lot of people want the flexibility to be able to work from home and fit things into their schedule and so forth. Um, but I think that the, the collaboration tools and the familiarity with them and kind of that personal barrier to entry for, for doing this has been out of necessity pushed through and kind of fought through as we’ve done, as we all had to work from home. And I think there were, there was a lot of just, um, kind of, uh, Stasis around these things have to be done in person, 


Kevin Long: right? And they’ve had to be [00:24:00] done in person because they were always done in person. Not and not because there was technology that would allow you to not do it. And, you know, it’s it’s staggering how many things. People have have decided cannot be done in person, like Intel community customers working remote, except for, you know, very specific things. Uh, you have, uh, customers doing, you know, major banking, uh, support and loan support. like FSA, all remote. I mean, just, you know, scattered to the wind. I mean, and we’ve had, I mean, we’ve had people literally be able to be like, well, I mean, I can work from anywhere. So I’m going to head to the country with a hotspot. And cause I know that they have 5G and so I can do what I need to do from there. 


Adam McNair: Yeah. Right. Yeah. So have you, [00:25:00] have you seen any functions that you’ve had to, Accomplish where you felt like remote was just really that if we had the option to get everybody back in a room that that particular thing that you did was would have really benefited from from in person.


Kevin Long: Yeah, 


Adam McNair: one. 


Kevin Long: Uh, solution sessions 100 percent when you’re trying to figure out how to approach a complicated problem, how to put up a solution diagram, how to put together a complicated workflow, things like that. It is, there are tools out there that you can do whiteboarding and things like that online, but they are, at least for me, and you know, uh, core competency of mine is looking around the and figuring out who thinks what we’re doing is crazy. Right. That is just, it is not the same because some people turn off their cameras, some people dial in some people. And [00:26:00] so being able to, to, to focus on that, um, is you can do it, but it is, it is a slower process. 


Adam McNair: That was actually my answer, too, frankly. Um, that was what was stuck in my head because I’ve been on two or three different sets of solutioning calls that, like you say, I think if, if everybody was really focused and video on and took it as a collaboration session.


Kevin Long: And everybody had a white board where they were working. Right. I 


Adam McNair: think you’d have more of a likelihood of having it really work. Yeah. Um, I’ve been on a lot, most of the ones I’ve been on. Um, and again, it’s multiple companies coming together around specific opportunities, you’ve got people with different platform, uh, comfort. And so some of them aren’t familiar with the tool that you’re using and how to, how to interact. And then you’ve got 30 percent of them are only dialed in and you only see their kind of icon. Um, There’s clearly a couple of people that dialed in and never said anything. And I think that’s kind of the, uh, 


Kevin Long: never come off mute.


Adam McNair: And it’s like, it’s like going to a class in college and putting your coat on a chair and leaving and coming back and getting it at the end. So somebody thought you were there kind of thing. You know, I, 


Kevin Long: yeah, 


Adam McNair: uh, so that happens. Um, but yeah, I think the solution session piece and I, um, maybe we’ll figure it out.

You know, I, I think, um, you know, there’s a lot of commercial businesses and multinational corporations and all of that, that have teams around the globe and have, have figured this out. And I think we’re, um, you know, still probably though, some of those aspects are still stuck a little bit further back in the get everybody in a [00:28:00] room and nobody leaves until the picture’s drawn kind of right.


Kevin Long: And just being able to, to hand someone a whiteboard marker and say, what do you write? And it’s just, uh, then, yeah, I mean, the, not everybody’s on a touchscreen tablet and I mean, in drawing with a mouse is not the same thing as, as drawing with your hand, it’s, you know, the, the dexterity and physical limitations around some of that are, are, uh, are still frustrating. And I, I expect that if there aren’t major innovations already coming or stuff already out there that we don’t know about, which I’m sure is the case, at least some point there’s, there’s going to be new stuff to, to address all, all of that, you know, live collaboration that isn’t just talking back and forth having a meeting, things like that, [00:29:00] um, where you’re collaborating on, on a to be determined diagram workflow, something like that.


Adam McNair: Yeah. Yeah. And I, um, I also wonder how much like as we were talking about just kind of personal, um, you know, evolution of our work space and in logistics and all of that, how much is, is other people catching up to that? And, um, what, what comes down to individual, you know, circumstances, um, all of those things that are kind of real life stuff about, well, I only have wifi in this part of my house and I don’t have good coverage over there, or I’m trying to work and somebody else is trying to do online classes in another area of the house, or, you know, Dogs, construction, um, Ambulances, [00:30:00] ambulances, all 


Kevin Long: of those kinds of things. Um, I live under the flight path of Dulles. We have a guy who lives under the flight path of Dulles. Um, so, right. I mean, yeah, it’s, it’s an absolute thing, but I mean, I’ll tell you, uh, before I got the keyboard to be able to make my life easier, I absolutely had to go out and get a new wireless router because it was, um, I had great internet, but an older router and it was stripping 50 percent of my throughput, which was fine when, when only one of us was working from home, but when both of us are working from home and, uh, all doing stuff online and, you know, streaming video and streaming audio and streaming television and streaming all that stuff. Yeah, no, it, it, it, we absolutely had to figure out how we could expand coverage to parts of the house that would allow folks to [00:31:00] work independently and not step on each other’s toes. Yeah. So, yeah. Yeah,


Adam McNair: the one thing that I haven’t figured out just quite yet is from a corporate culture standpoint, it feels to me like it’s important to get everybody to be on camera and be able to see people.

Um, I mean, I think in these times where I’m not really going anywhere for the most part. I’m not, um, you know, I’m, I’m, we’re probably not just up for the fact that we’re busy with, with work and everything, but we’re probably erring on the side of stay in a phase or so behind wherever the, um, kind of reopening is, but, um, seeing everybody from that perspective, maintaining a team morale and interaction, but then just the, from the speaker interaction side, when [00:32:00] somebody wants to say something and you can tell nonverbally that they’re getting ready to want to say something to avoid that 19 people talking over top of each other, and then everybody is real quiet for a minute or two. And then they try it again. And, um, but also from the participant side that I’m not saying we have any of these kind of folks in our company, certainly, but somebody that kind of like that jacket on the chair type that has simply dialed in is not really engaged


Kevin Long: with, without, without a camera. Turned on, you could absolutely connect to a meeting, put it on mute, and walk away. Yes. Absolutely. Yeah. Without a doubt, you really, you really could. Uh, I mean, it’s, get the cardboard cut out, you know, for, to turn on and just sit there and with your, with a smile on your face, sitting in a chair. Yeah. 


Adam McNair: So I think trying to encourage that. Now, is that something, how are you handling that with teams and [00:33:00] the meetings that you run? Are you? Um. Absolutely. Trying to keep everybody online or on camera? 


Kevin Long: So meetings that I control, I mean, even if I look like crazy and I need a haircut and I haven’t shaved in four days, my camera’s on, right? I mean, the digital backgrounds that you can get are awesome so that you can’t necessarily see that, you know, I need to, I need to put some stuff away in the room behind me. Right. I mean, it’s great, but I’ll turn the camera on. Cool. And that, I mean, is it, it’s not, it’s, it’s a nonspecific cue, but it says, Hey, I’m here. You can look at me. Let’s, let’s do that. And people will do the same by and large meetings that my customers do that I’m not running that I don’t control, um, 0 percent of them use cameras. They are all still treating it like dialing. [00:34:00] 


Adam McNair: Yeah, I would say that, um, like I just, I had a customer meeting today and everybody is, it’s just their icon. There’s nobody is using a camera. Nobody’s nobody’s visible. Yeah. 


Kevin Long: Yeah. So, uh, the meetings that I run, you know, with, you know, industry and teammates and things like that. And I mean, again, you know, if I can’t see, I mean, that, that someone thinks what I’m saying is crazy, then I’ll just assume they think I’m great and keep going. Uh, you know, that’s the egocentricity of, uh, that I have there, but. But yeah, it’s being able to see, be able to say something like, Hey, you know, Milner looks like you disagree with me. Let’s, let’s work this out. Right. Um, absolutely. It is, uh, it’s, it’s great. And honestly, it’s sort of democratizing because I have several teams that are geographically distributed. [00:35:00] Anyway, right. So, you know, I’m not always even, even beforehand, I couldn’t always be in Boston, couldn’t always be in St. Louis. Right. So now even the folks that are, you know, in Montgomery County that, or downtown DC that I would normally get into a car and drive to, you know, it’s all, all the same. And I think that as it goes on and depending on how long this continues, I think that we’ll, we’ll likely see, uh, more customers using cameras as well.


Adam McNair: Yeah. I, and there’s also the supply chain of, you know, a lot, a lot of organizations didn’t have cameras integrated because they, they either 


Kevin Long: didn’t need some of their Hardware needs to be able to go into secure rooms, and so they explicitly deactivate cameras. 


Adam McNair: Yeah, and, and in a lot of buildings, I know the collaborative [00:36:00] rooms, building out video teleconferencing rooms, um, a lot of money, a lot of space has gone into that.

And the, the setup for, okay, everybody has their own mic, their own camera pointed at them, we’re going to do this. It’s going to be this big collaborative little, little nerve center inside of a, of a, of our building. We know if you, if you want people to use those, you don’t put cameras on their desks, because if you put cameras on everybody’s desk, nobody ever leaves their desk and they just VTC from each, um, you know, each of their locations. But I think they’ll get a little bit catch up on that on the hardware side. 


Kevin Long: Yeah, I think you’re right. Yeah, I mean, it’s the difference between, like, how public schools work. Like, our IT is set up to provide a robust IT learning experience from these particular buildings slash rooms. Yeah. And now it’s, now we’re needing to transition to providing a robust IT, uh, uh, presence wherever there’s a piece of IT [00:37:00] hardware.


Adam McNair: Yeah, I think, you know, from a hardware standpoint, that’s not too different to me from when they finally had the, um, HSPD 12 PIV cards that they wanted you to actually use those and plug them into a laptop and have a card reader. And when that first happened, I remember having a lot of conversations about, well, we don’t have any of those readers. And now our standard corporate image laptop has one in it. Yep. And everybody has them. I mean, we buy from Dell and Dell offers it as a standard. Standard plug in. Yep. Standard plug in. Um, So I, I think there’ll be some, some catch up there, um, certainly. 


Kevin Long: Yeah, well, certainly as, as I mean, cause some of our customers, like I’ve been reached out to, I have a GFE laptop for one of our customers and they pay me saying, Hey, your laptop’s old. You can get a new one if you want. I mean, I don’t want to drive into the middle of the city to do it, and so [00:38:00] it’s fine. Like, I can do my job with it, and so I let them know that that was fine. But there, as, as hardware cycles through their, uh, their processes, I’d be surprised if they didn’t start issuing more things that were more capable of that. Yeah, I would think that sort of robust, uh, uh, VTC collaboration suites. 


Adam McNair: Yeah, so last question for you is, have you done any conference industry event type, um, you know, whether it was conferences or little seminars or anything like that. Have you done any of those kinds of things? Yeah. Remotely. 


Kevin Long: Yeah, I attended a lunchtime, uh, speaking, uh, thing on, you know, about, uh, COVID and its impact on, on some of the IT industry a few months ago that was, um, Oracle put it on. Um, [00:39:00] it was, it was pretty well done, honestly. Um, You know, with these, those types of, I mean, you lose the looking around the room and seeing who’s there handing out business cards, hearing conversations and talking with folks about, about what they’re doing. You lose that, but you definitely get more attention on here’s the topic, you know, and here’s what’s going on with that. So, uh, I think it’ll be interesting to figure out how we can replace. The networking portion of it, not just the learning portion, because yeah, I have not seen or heard of any really successful versions of seminars like that, where you can have. You know, the, the, the standard half hour before you stand up and FCA does the pledge and you, and you get, you have your, your [00:40:00] coffee and your, and your, and your Danish and 75 people in suits walking around talking about what they’re all working on and, and, you know, putting teams together and figuring that stuff out. Um, and yeah, not seen anybody successfully do that yet or heard of, uh, uh, a way to, to replace that yet. 


Adam McNair: Yeah, so I’m, I’m going to sign up for, uh, the ACT-IAC ELC, Imagine Nation, that, that big of the kind of, that’s always been their big capstone annual event. And I’m going to go ahead and sign up for that. And that’s a day or two, and they’re still going to have speakers and all the tracks and all of that. And they’re, yeah, that’s a nice month, right? It’s normally October, right? Yeah. I think they might be doing the beginning of November this year. Um, but it, you know, the benefits, I think, um, I didn’t go the last year or two because it was several [00:41:00] days and I’d look at them like, wow, I have to go to either Williamsburg or Philadelphia.

Yeah. I’m going to burn three days or four out of the office. And that’s tough. And, um, yeah, and then you have, you know, the cost of hotel and all the rest of that that goes into it that makes you decide how many people you want to send and all that. But then plus, the sign up for different tracks, go to this event, go to that event. There’s been a lot of times that, um, there was some topic I’d be interested in and I’d stick my head in and I realized, like, this room is, is jam packed. Right. I’m interested, but not interested enough to stand in the back for an hour and a half for an hour and a half. So, you know, nevermind. Um, and as much as you shouldn’t multitask, take phone calls, do all those things, sometimes stuff comes up and that whole step out and then you don’t want to interrupt the speaker. Am I going to go back in and all that? I think, [00:42:00] um, that’s going to make it a lot easier, but I, I do. Networking interaction piece will be interesting to see, I mean, ACT-IAC does a good job on, um, on a lot of their events and it’s going to be interesting to see if they figure out a, you know, technology angle. Uh, that that bridges that gap. Um, I know we similarly in an area where I think, um, it can be a little challenging is we, we recently have been doing, um, we did a CMMI appraisal. And we also, uh, we did the first CMMC, which we’ll talk about in a future podcast here, but there, we, we did the first CMMC, uh, assessment gap analysis, uh, that was done in the country and, um, both of those are very important. Intensive activities [00:43:00] and generally benefit from a lot of discussion and interaction and all of that. They are also full eight hour days focused on that. And


Kevin Long: the auditors really like to be in person to make sure that people aren’t, you know. Blowing sunshine and going, you know, texting people to get answers for them to get the right stuff. So 


Adam McNair: yeah, so they required for these, we had to, uh, we had to video record them. And so on the CMMI side, CMMI reserved the right to go in and Um, essentially audit the video to check in at any points to make sure that we were really doing what we were supposed to be doing and, um, that it was being conducted in accordance with all of the rules and so [00:44:00] forth. So, um, you know, I think that’s, it, it’s, it’s interesting to see the, the technology challenges. And again, this is probably Where we’re talking about the ACT IAC conference, there’s probably a tool out there that either isn’t intended for the networking angle or is used for it in some other industry or something that, that will come to the forefront. And, you know, I think between niche players like that and enhancements of big provider, like Microsoft Teams, you know, the, The what are they going to do to to counter that, you know, engage in that market? Um, some of these event companies, you know, we have a contract that involves events and event hosting and strategy and marketing and all of that and working through how that’s gonna operate. I think [00:45:00] those tool those sets of tool of analysis of tools. Um, I think that’s now a, A growing niche market that there’s probably somebody that has a small niche company that has some tool that, uh, you know, six months from now is going to get acquired by Microsoft and, and, and, and, and bolted into one of these platforms and, um, probably make a lot of money out of that process.

It’s usually. Works. 


Kevin Long: right? And if it can solve that problem worth every penny. 


Adam McNair: Yeah, absolutely. Well, so I think so for the for the next highlight cast, we’ll we’ll first get to see the experiment here of the Microsoft teams recorded podcast translated to audio file and then we’ll We can dig into CMMC. And I think there’s a lot to talk about there, uh, that it’s just, it’s just an interesting, uh, [00:46:00] paradigm of, of change in the government around that new certification around cybersecurity. Uh, and it’s a very, very different, much more detailed way to become compliance. We’ll talk about that. But, uh, until then, we’ll go work on our technical work and see if we can’t make this a podcast.


Kevin Long: Outstanding. 


Adam McNair: All right. Thanks, Kevin.

Kevin Long: Thanks, Adam.

 

Episode #10 | Everything CMMC

Kevin Long: Broadcasting from Fairfax, Virginia. You are now tuned in to the Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Welcome to the Highlight Cast again. I am joined as usual by Kevin Long. Hi, Kevin. How’s it going, Adam? Good. And also by Mary Padberg who leads our internal operations. Hi, Mary. So today we’re going to talk about CMMC. Uh, this is the cybersecurity month, and it is also, we have a lot of things coming to head, uh, from the perspective of CMMC. This is the DoD, Department of Defense, cyber maturity model that they have created and unleashed on the world. Absolutely. And they gave, they gave some heads up and some notice. I think this has been a long time in being developed. Uh, there’s certainly a lot of content to it. It is much more complex than your standard IT compliance model. Most of the things that we see that are compliance related, whether it’s Department of Labor or security clearance, most of the times it’s a lot of policy stuff and a little bit of things you really have to do. Right. Um, this is not that way. And so the, it’s being enacted. I completely understand why it’s being enacted. Um, you know, we, we all work in environments where we have customers and we have systems that are not air gapped from each other. So you can be inside of an environment and have protected information and have somebody email it to your, to your home network. Um, you can have people working with company equipment, accessing customer data, and you can tell everybody not to download things to the laptop, but that’s how information spills happen and people just do things. So, um, I mean, it, it seems like it makes sense, right? It does.

Kevin Long: And, and this was being enacted way before everybody started working from home. But I mean, even still now, it’s less and less work is being done on, on government site itself, which means there’s more and more risk being, being put out into the world for, for IT systems that the government has. So it’s, Very apropos of the moment and, you know, came out in a great time. Yeah. Yeah. Yeah.

Mary Padberg: And I think with the bring your own device environment, um, that we have and all these cloud systems, you know, we have email on our phone and we have, you know, Teams chat on our phone and, you know, being able to define in scope, um, you know, how the data secured where it is. And yeah, it makes a lot of sense.

Um, but 

Kevin Long: yeah, if it was just a tick box for yes, we’re secure, it would have been a lot like, you know, uh, other government policies, but wouldn’t have actually actually helped demonstrate data. Which is, I mean, so it’s more painful to, to, to, to actually do, which I’m sure Mary can wax poetic on for, for hours, but it, uh, actually has an opportunity, I think, to do some real good.

Adam McNair: It’s an interesting scenario for us as well, because so we’ve been having conversations in our IT meetings for in literally the last three or four years where we would talk about risk posture and risk profile and we implemented ISO 27000 which put a little bit more rigor around, you know, and think well we It was kind of under the assumption that it, you know, as long as things work, we’re okay. And we don’t really have a lot of data. And you know, the IT team was really not really a team at one point. And so as we grew to have an actual IT team and an infrastructure and more and more, uh, company owned devices and more contracts, we’ve had conversations at least monthly and, and done a real threat landscape kind of analysis once a year about what’s the landscape look like to us and what should we be worried about? And frankly, from a corporate perspective, phishing, we see a lot more of that than we have seen concern about information leaks, because again, most of our people are working on government furnished equipment and working in government environments. And so the overall threat, you just assume that that it probably is not that high, but we certainly had policies around it and told everybody don’t save these things on these systems. But as we recently won a new contract that, you know, in normal work times, everybody would be in the customer environment on GFE. And it would be an air gap network that doesn’t have Internet connectivity, where we’re looking at how do we make sure that these people are going to be supporting this environment that, you know, we are, um, you know, that we are as stringent as we can be. And luckily, we had started that whole process and had more rigorous conversations around it, uh, as we started down the CMMC certification self assessment process.
We actually were, supposedly, according to our, our assessor, uh, the partner that we, that we worked with, uh, Michael West and his team, and, um, some of the folks from BroadSword, we were theoretically the first company in America to do a self assessment. Um, Which, as you can imagine, was very much kind of both process building and assessing at the same time. Um, but it feels very assessors. Yeah, but it feels very much like a real live in depth audit. I mean, Mary, you want to talk a little bit about. What it took to actually do the, the appraisal, the, the, the self assessment.

Mary Padberg: Yeah, sure. So, um, Michael’s team, they came in and, uh, we worked for months beforehand to, um, go through all of the requirements. So CMMC has five levels of maturity, um, similar to the CMMI certifications you’re going to see. Um, and so we were doing a gap analysis against level three. And so the. Do you consider that good cyber hygiene and level three is expected to be kind of the standard level that you’re going to need to bid work and be on teams on the BD side. But, um, so we went ahead and ahead of time kind of mapped out, you know, what we had, you know, what controls are in place, you know, what, uh, procedures and policies from like 000, and just the basic, you know, FedRAMP stuff we comply with as a contractor. Um, and then we sat down for several days and went through it. And so we talked through a couple of things and something that was interesting about that was, you know, the requirements that are written up in the standard right now. Um, they’re not set in stone, right? The concepts are, but there’s details about implementation and clarifications. And so, you know, it’s a conversation about, you know, what does this really mean? What are they asking for? What’s the spirit and intent of these, you know, these requirements? So that was going on while we’re simultaneously saying, okay, we, we can agree that I think this is what this means, you know, so let’s look at what’s in place. And so we basically just, you know, said, okay, either pass or fail or needs improvement and took, took record of that and then produced an action plan and, um, you know, presenting that to Adam and the team, um, to, yeah, kind of show where we’re at. And I think we did pretty well, um, you know, against the model. And so there’s always areas to improve and it was those questions about, you know, what is this really going to mean once they finalize, you know, certifying these auditors and everything. Because right now I’m.
You know, as you know, there’s people are still getting registered as an auditor, you know, so we’re kind of in a weird spot where, you know, we know we have to be compliant and the version 2 or whatever is out for CMMC. But, you know, all of the implementation pieces are kind of variable. 

Adam McNair: So I, I think that’s a really good point about kind of the, the, the strategy or the thought process or the underpinning of some of the requirements is going to stay the same, but because this is a highly technical model, this is not like any of the other ISO or even the CMMI standards, they, they look at it and say, okay, well, we say that you have to collect metrics. We’re not going to tell you what metrics you have to collect. You decide which ones are important for you and then show us how you’re doing it. CMMC is prescriptive. Now, the thing is, I do think it makes sense. All the different areas where, for example, they say, look, you should be able to have device management so that you can lock down workstations and not allow them to have removable media. Yeah. I mean, there’s, There’s no reason why that, that anyone would want to argue that that’s a thing that you shouldn’t do. So I, I agree with them. Um, I do think there is some, some challenge from the standpoint of it is a moving target. You know, they, they published this. Interim rule that there’s now a deadline in November where companies are going to have to log a, you know, a self assessment essentially to say whether they have at least looked at themselves at some level. They’re already dropping contracts that have 

Kevin Long: it as a requirement. So, 

Adam McNair: yeah, is it something that you’ve heard? Customers on your side talk about at all? 

Kevin Long: So from my side, not by CMMC, but by NIST 800-171. And like, like the, the pieces that are underneath, uh, that, that sort of build up the, the actual implementation of, of CMMC? Absolutely. Um, like, uh, across all, all of the contracts that, that I have that are DOD that operate, uh, in, in an environment where we have to be cyber aware, uh, that we’re not just using their GFE in, in, in their, in their spaces where there’s a whole other team or contractor group of folks that that are worrying about it. Absolutely. I mean, when we were working with Kessel Run, I mean, we had to absolutely put in network and device security to those standards and report up to them on it. And as seems. CMMC extraction. More and more questions were coming to us about, hey, show us how you’re compliant with these different things.

Mary Padberg: Right. Right. 

Kevin Long: Yeah. Yeah. 

Mary Padberg: That’s a good, 

Kevin Long: I’m sorry. Good. Right. 

Mary Padberg: Yeah. So that’s a good point. Um, CMMC is one of the foundational, you know, NIST, you know, standards is 800-171, but, um, there’s also a lot of other things that go into it and something that, you know, we were looking at was, you know, well, NIST 800-171 has been out for years, you know, and this, this model is really a way for, um, for companies to have a stepped approach to compliance and meeting those controls, but, um, you actually don’t reach like level 100% Compliance with this data and I wanted to hit level 3 on the model. And even then there’s non federal org controls that you have to meet. Usually, if you’re 27000, you’re going to meet them. But there’s additional things. And so it’s kind of interesting to see the relationship between, you know, NIST 800-171, which won’t go away, and then CMMC and how those meet up and where the gaps are there as well. Um, I think it’s easy to just kind of like, oh, we’re CMMC compliant, you know, we’re good. Well, no, there’s other things that back that up.

Kevin Long: Yeah. So since it is such a technical thing with, with cyber being such a moving target, do you expect CMMC to have to get updated more frequently than say, uh, You know, CMMI are the types of things that are similar with it, because when I was first seeing this, I was looking at it going like, wow, I mean, this is a big framework around something that that literally changes every day.

Mary Padberg: Yeah, yeah, that’s a good point. And, um. Yeah, I think the way that it’s written, I think it will need to be updated in some areas, but it’s prescriptive, but not overly so. And so I think they’ve really tried to hit on both the requirements for security controls on an on prem environment and in a cloud environment. And so because of there’s that ambiguity there, um, and that discrepancy, it leaves enough room for the auditor to make a decision based on the landscape at that time. And so, you know, we could be sort of, if we had two assessments or two appraisals in one year, you know, and something huge happens in the cybersecurity landscape, a new encryption algorithm comes out, or, you know, there’s a new threat, that same auditor might come back six months after our initial one and say, Hey, actually, I think, according to this requirement, which may be, you know, authentication standards or the way that we’re encrypting right now. It’s 140-2. They might say, once 140-3 comes out, you need to meet that. I think they’re going to leave that up to the auditors. Um, and so they’ve tried to be careful not to make it too, too prescriptive, but, yeah, I do think it will. The implementation and the spirit and intent of it, you know, will adjust as things move forward.

Adam McNair: Yeah, I think also there will be more and more parts of this. There will be a lot of companies that are able to automate a lot of these things. Uh, there are tools in the marketplace now that you can do log aggregation and start to do a lot of the checks and searching and things that you need to be doing automatically. I, I think there’s going to be evolution of how they do the appraisal and the skills of the auditors, because in order to be able to come in, you know, if they’re saying, how are you checking the logs to know that there’s no inaccurate or malicious activity? The old answer was. Well, here’s my IT person. This IT person sits down every Tuesday and looks over the logs and then fills out a Word document that says, I looked at the logs, everything looked okay, and signs their name, or says this was suspicious and copies it in there. Now you’ve got real time AI looking at all of this on a regular basis, and there are real time alerts that would come out. And so, It is a different level of understanding of what’s going on to be able to look at system generated notes and say, okay, this is, this is the result of log aggregation and analysis that was happening from a machine. I’m not going to see a process written up necessarily because there’s a tool that does this. And in a lot of ways, some of those tools, their process and their algorithm are proprietary for their risk modeling. So you can’t show them. Well, how are you predicting? No, I bought this from a company that does this. So that’s the tool that I’m using. Um, Yeah. And I think also, you know, something that is from the interim rules perspective, it’s easy enough to fill out a self assessment and send that in and log it into the system by the time that you have to. I think, um, I think that’s not that hard. 

Kevin Long: For us. They’re getting plenty of companies out there. Yeah. That that find this to be completely onerous. I just just I predict much gnashing of teeth. 

Adam McNair: Well, I think there’s two areas where you’re gonna have major issues for companies. I think the first issue is if you are in a in a reactive mode and you have been waiting for your customers to tell you things that you need to do. And I, I see this all the time, and I’m sure you guys do too, where the work quality in a given area of a contract is a little bit subpar, but you hear somebody say, well, the customer doesn’t care that much. It’s okay. Or I’m waiting for the customer to decide if we need to do something about that. If you’re at a responsive stance and you are waiting for your customer to say, I just got the chief acquisition officer for our agency who sent it to the contracting officer who told me that I need to tell you that you need to do this. You’re at zero time. Um, the other thing. This has been, I don’t want to call it easy, it was a tremendous amount of work. And Mary has spent an inordinate amount of time learning and working through all of this and the whole IT team and we had a, you know, multiple appraisers that were in working with us to audit this and, but we are starting from a framework. First off, our I. T. is process driven, so the I. T. organization is ISO 20000 certified, and so we have documentation for how we create an account, how we off board someone. You need that as a foundational input to doing this. If you don’t have any of that, this is a monumental process. The other thing when we started doing 27, we started with comprehensive risk analysis across the organization. So that’s not just, oh, here’s some high level risks. That’s okay. The recruiting organization. What are the risks there? Do we have plans around that? And in it, Bust conversation because there are things like capabilities of the systems that we have. When do our, our software platforms come up for renewal? Because here’s the really hard part. And this kind of gets into what a companies need to do to prepare for this. 
A lot of the capabilities that are necessary here are Are not policy. They are not process. They are not abilities of people. You need actual I T tools that will allow you to do things. And that comes with number one cost that the amount of time. to identify the tool, negotiate it, buy it, and implement it, and then sustain it. Now you’ve got this whole project. You might have a dozen of those that you have to do in order to be able to be compliant with this. The other thing is, certainly at our size, I, I think you might, maybe when you get to be the, you know, one of the top 10 government contracting companies, they may have enough scale that it’s a little bit different, but I imagine they have some of the same challenges. Oh, but the 

Kevin Long: number of business units and the, and the mergers and acquisitions that they do, they’re always bringing on new companies and stuff. Like, I mean, if you’re Lockheed or CACI or Northrop, I mean, they’re the work for them to be able to integrate and do this across their entire enterprise. Yeah, so fair.

Adam McNair: So I’m glad 

Kevin Long: that we’re doing it at our size and being able to scale up from it as opposed to having to lock it down from a, you know, a 20, 000 person company. 

Adam McNair: Yeah, and the one thing that I think at larger scale, there are enterprise class tools that cover some of these. But it’s interesting when you get down into, like, just for device management, when we started looking at MDM solutions, you go, well, here’s the CMMC requirements. Oh, here are the top five most popular MDMs. They must all do this. They don’t. And so, you then have these conversations about, like, how many tools are we really going to have in this environment? And a conversation that Mary and I had just the other day was, as we do this, it’s increasing the complexity of the IT architecture, and we’re gonna come to a point where we’re gonna need a sys admin or two just to maintain the tools that are necessary for compliance.

Mary Padberg: Right. 

Adam McNair: And the, that, that’s if you didn’t have anything installed, if, if you did have something installed, do, do you turn it off? Do you set up a parallel environment? I mean, the licensing on things like this, if you signed a four or five year deal for storage, for backup, for, um, for MDM. What if it’s not compliant?

Kevin Long: Yeah. 

Mary Padberg: You’re in a bad situation. 

Adam McNair: Yeah, 

Kevin Long: government contracting is not MDM’s major market. Right. Right. Right. That is. 

Mary Padberg: Yeah. That’s why you think bombs are so long. 

Kevin Long: Right. And they’ve only published, I mean, when was the CMMC, you know, first announced? I mean, we’re looking at, at stuff just now, if they, if a company put it on their product roadmap the day that it was dropped, I mean, we’re probably starting to see versions that That have CMMC right from back in the day, you know, starting to come on to it if they really want to go after the federal market.

Mary Padberg: Right? Well, and something interesting is that, you know, um, I’ve had people call me, right? Because it accounts they’ll call and say, Hey, you know, we have this product and, you know, we’re CMMC, you know, they have a word for it. It’s not certified, but we’re CMMC ready or something like that. Right. And you talk to them and it’s like, well, no, you’re not CMMC ready because you can’t argue that that meets all those control requirements. And so it’s really, um, it’s an art of piecing together, especially in a colorful cloud environment. So piecing together these tools and, you know, not only do you have to have the data has to be, meet these requirements at rest and in transit and during crossing. And so if you have an API that connects to systems that has to be meeting FIPS 140-2, it has to have all these requirements for authentication. And so back to what we’re talking about with the actual audits that go on and, you know, does the auditor need to have a technical expert next to him? Because I can sit here as an IT person, and if they don’t know what’s going on, I can show them an audit log that’s not even relevant, right? Um, and so that’s why they focus so much on the, the SSP, the system security plan and having your system architecture laid out so that when, you know, you might have a different auditor come back for your, your renewal. Right. And so, so that plan is there and established and they can reference that and they’re not starting from scratch, um, and make sure that as the threat landscape evolves and as these tools evolve that, you know, they still meet all of these requirements.

Adam McNair: And I think the biggest, probably one of the biggest sources of gaps in, in the capabilities of these tools that are available is that because they are commercial products, they are trying to cover. What is most commonly cared about and any kind of security cyber. It’s true as well is a balance between the user experience and functionality and locking it down. You know that the most secure network that you can operate on is unplugged. Is unplugged. And so, but that doesn’t work. In the same way, encrypting every file, requiring a PKI key to be able to send anything to anybody, uh, dual factor authentication, you know, and so App timeout at 70 seconds. Absolutely. All of those things. And so, we have baby stepped over the last four years from the perspective of What’s what’s the next logical step, 

Mary Padberg: right? 

Adam McNair: What’s the just noticeable difference where we can be a little bit more secure without ruining the computing experience of the users and you know things like we’re going to require you to have a password on your machine. OK, we’re going to require you to have one. OK, we’re going to require it to be a little bit stronger. We’re going to require Tell you to not save to your to your hard drive now by policy. We’re going to not let you save to your hard drive. And the thing is when those policies started to come out. I mean, I remember when people first said you should save it to the network drive. Pre cloud not to your local machine. Yeah, well, but sometimes I can’t connect to that now that they have all of the ability to synchronize data. I mean, my one drive, I hardly ever notice if it is connected or not connected because it is. It synchronizes so so frequently that. If something drops if something wasn’t connected, it really is not that big a deal. Um, you know, we started to push the idea of your password needs to be 97 characters and have special, you know, special symbols and everything else in it. Now we have password managers that help sort that the integration is pretty good. There are. They’re just a little slow to catch up. Always. They’re like one stage or two stages behind, uh, where the commonly adopted cyber methods are. Um, you know, when dual factor authentication was a thing, you’re like, you’re really going to make me now check a code on, uh, On my phone, and we’ve rolled that out across the entire company at this point, and I don’t hear anybody ever say anything about it, and I bet if we had done that three years ago, there would have been massive hand wringing over, why are you making us do this?

Mary Padberg: Right, right. One part of that’s also, I think, the, you know, we’ve evolved from only a text code available to having an app read top approved. Right. And, you know, CMMC, for example, um, they do require multi factor authentication and in reality they do. And so, you know, it doesn’t say that I need to have a 60 hour timeout, right. It says that I need to have a timeout. And so that’s a business decision and a usability decision of, well, what is the risk of, can we, can we have it at seven or 14 days versus, you know, a day. And then, you know, because we can, you know, make a decision to make that a longer session token, then people aren’t having to as frequently open their phone and approve things. And so, it’s the, the little details of how you implement this and how you interpret the standards and, um, don’t over prescript yourself based on your assumptions of the model, I think is important.

Adam McNair: Yeah, and, you know, I, um, I, I always thought for a lot of years, you know, I just, you know, I work for this little government contractor, who’s really going to come look at this stuff? Like, the, the, the information that I have access to I can’t envision anybody really caring, right? And I’ve read in past months that someplace where both Kevin and I, you know, worked for a while got hit with ransomware and they had a whole bunch of user salary, payroll data leak. It ended up on the internet. It published for everybody. It was a black eye. 

Kevin Long: Stolen shortly thereafter again. 

Adam McNair: Yeah, black eye for them, black eye for their, um, you know, for their customer. And so it, it is rapidly approaching the amount of cyber attack that happens anymore. I think we really firmly are in a space where it’s like, uh, we just really don’t want something bad to, to happen. You know, to, to happen, uh, 

Kevin Long: got two phishing attempts today, right? 

Mary Padberg: And that’s not right. They’re not, they’re not, you know, misspelling on, on the test. I mean, they’re, they’re very sophisticated. They’re getting 

Kevin Long: more and more sophisticated too. 

Mary Padberg: Right. And, and this is what happens. And so, yeah, absolutely. It’s a business requirement. I think it’s no different than having a lock on your office door, you know, with some of these controls and, um, you know, Yeah, you have to be really progressive about about your your policies, whether that’s technical or internal and training is huge. You know, the CMMC all focuses on training a lot. We see the ISO standards increasingly focusing on that as well because your users are your best asset and your biggest risk, right? So that’s interesting. 

Adam McNair: And it’s, it’s a, and this is something that I’ve, it’s a, a lesson that I’m continuing to carry forward from, uh, from Jeff Dalton, who is, is, works for Broadsword from his process side is that, um, processes are, are only one thing. Behaviors are what are actually important. And so you can have a process, but if nobody follows it, it doesn’t make any difference. And so that training aspect, you know, I, I won’t speak for everybody, but I’ll at least say for me, I, I don’t know how many years I had the same slide deck that I had to sign off on for the annual security training. That was just, yep, yep. I know if I’m going to travel overseas, you know, yes, I please don’t misuse government equipment. Yep. I got it. Understand. Sign my name and I’m good. The, the, the, what we’ve gone to the, um, the vendor that we, we implemented for, for

Mary Padberg: phishing and, training, it’s in real time. So we basically, you know, set up phishing campaigns and we’ll target our own people. So if we know that, you know, it’s, um, it’s tax season, we’re going to target people with, you know, very Highlight-specific tax fraud emails, and then we can run through the statistics on who clicked on what, how far they went.

Kevin Long: The fact that I got phished with a free doughnuts, uh,

Mary Padberg: That’s awesome. No, I mean, we have fun with it too. I think we have some interns and I almost flipped on that one 

Kevin Long: too. I mean, it was a, it was a really good one and free doughnuts. 

Mary Padberg: It pulls on your emotions. You’re like, I really want that doughnut. It’s an excuse to drive out of the house with COVID, right? Um, yeah, absolutely. But yeah, so we do those trainings and instead of just having, you know, we have our annual security training and all the standard stuff we do for everybody, but we can target the most vulnerable people, right? We can identify who is most likely to click on something and then make them take additional training versus having my IT manager have to take a bunch of compliance training for no reason when he’s creating, you know, creating all of that. And, you know, we still train our IT, our IT people and our more sophisticated people in finance and all of that. But

Kevin Long: I get called, I’ve literally gotten a call from a new hire, which is, is good. Cause he, He, he, he was looking at his email on his cell phone where it’s harder to see the, the metadata and things like that on it, and, and he fell into the phishing trap. He was like, oh my God. And he, he, he hung up the phone and he or, or he closed out the email. Then he, he picked up the phone and called me and was like, I clicked on this. It’s like, okay. So did you learn something? It’s like, well, yes. It’s like, so what’s going to happen? It’s like, well, you’re going to have to go to training. You’re going to be more careful about what comes through on your cell phone now and you’ll check. He’s like, yeah. I mean, it’s, it’s the type of lesson that, I mean, it’s great when people. Make the mistake when we’re 

Mary Padberg: hitting them. Right, right. And that’s the key. That’s the key, right? Well, you know, um, you know, it goes back to the Paul, you know, if you have a policy, nobody follows, it doesn’t matter. Well, you know, how do you get by it’s organizational psychology. How do you get buy in from users? How do you make them see how important something is? And, you know, when somebody clicks on a, yeah. Right. When somebody clicks on a phishing email and put their social security number into a phone number. Fraudulent link because I think it’s paycom, you know, that gets their attention. Um, and so, you know, I think it’s, it’s effective in all ways. 

Kevin Long: I haven’t seen that one yet. 

Mary Padberg: No, I don’t want to do that. 

Adam McNair: We’ll see. And I have reverted back. I, uh, I am now moving to a typewriter, so I will be sending out emails by actual just mail. Um, the response time will be shorter, but I don’t think that there’s any way to have anybody phish that.

Kevin Long: Maybe I like the little mini cassette recorder. And just dictate everything. I just, I snail mail small cassettes to everybody. 

Mary Padberg: I fully support both of those efforts, but they’re not in our service catalog, so your turnaround time on tickets is going to be really long. 

Adam McNair: Right, right. Please tell Kevin to stop emailing the help desk for more tiny little cassettes.

Kevin Long: I need more tiny cassettes. 

Adam McNair: You’re awesome. I love it. So to wrap up the CMMC conversation, um, I guess, you know, Kevin, do you think we’re going to end up seeing companies that specifically decide, I mean, likely on the small business side, that it’s just too much work and that they’re just not going to support DoD? I mean, you think that’s a thing many companies are going to decide? 

Kevin Long: Not without failing first. I mean, I mean, if you’re a government contractor, that’s where the I mean, uh, I mean, a lot of it. So, um, I mean, if you’re a government contractor and you don’t have a facility clearance and you’re, and you’re focused on an agency, like if you’re, if you’re an FAA company and you’re going deep into transportation, maybe, but honestly, this fully implements in five years, in 10 years, Civilian agencies. are going to have the same flipping requirements. 

Adam McNair: Yep. GSA STARS III already listed the ability to insert CMMC. I mean, how do you not? How do you go in and say, hey, if you’d like us to put this clause in, we can make sure your vendors have good cyber security. Who’s going to say, no, I don’t think we need that.

Speaker 4: Yeah. 

Kevin Long: I mean, unless all you do is OTAs or things that don’t comply with the FAR. Yeah. Um, could you do that? And then the best case scenario is you’re a small that develops something really cool, a niche, and then gets bought by a company that has the processes that, that they can, can umbrella you under it. But yeah, no, I, this, I think that it’s going to be painful and I think boon for, for certification companies, but yeah, it is, it is at, at a company’s peril to not, to not do this.

Adam McNair: Yeah, I do wonder if there’s the ability. I mean, when FedRAMP came out, FedRAMP was hard. I did one of those and it it costs. We were well north of two and a half or 3 million to build out a FedRAMP private cloud instance and. It’s really, really hard, but there’s a lot of FedRAMP, you know, the process has gotten better, more, there’s more people that know how to do it, etc. So it’s, it’s much more achievable than it was, you know, five years ago or six years ago, whenever that was. Um, I wonder if there’s the ability for, for FedRAMP CMMC. You, you buy your IT service already hardened like this. Um, It’d be expensive. I mean. It would be. That’s, that’s the hard part is. 

Kevin Long: CMMC AAS. 

Adam McNair: Yep. 

Kevin Long: Yeah. 

Adam McNair: CMMC is a service and I, I think, I think you could, uh, the investment on the front end would be pretty steep. Yeah. Um, the complexity of being able to have multiple instances that are, that are all compliant would be pretty hard. And I think it would be expensive to buy, but I think maybe from a, you know, if I, if I’m a 50 person, 100 person company, Yep. I don’t know, I don’t know how you, I don’t know how you do this, 

Mary Padberg: to be honest with you. Um, Yeah. Yeah, it’s hard. It’s hard. Um, yeah. 

Adam McNair: But I guess we’ll see, you know, as, as time goes forward here, we’ll see how that evolves. We’re certainly, you know, based on our self assessment, we’re pretty well compliant and we’re going to line up some of the capabilities that, that we have known some of our tools we wanted to upgrade anyway, uh, over time. And so we’re gonna upgrade those. And so we’re, um, you know, we’re on track for it. It, it has been certainly effort and work, but I think way less disruptive than where I would envision it to be for, um, you know, for organizations that hadn’t already started with a built real framework of process driven approach and, and risk management to, to a lot of these things. Um, so that’s CMMC. I guess, you know, one thing that we are gonna start talking about, uh, as we, as we wrap these podcasts up is, so we’re all still working from home and quote unquote home. Um, you know, some of us have worked from different locations throughout this. Now, Kevin, have you been at home the entire time? Have you done any, like, have you guys gone on trips? Have you been in some Airbnb trying to work remotely? Or have you just been home, home?

Kevin Long: Uh, I took a long weekend for our anniversary in early June, but didn’t bring my laptop. So if I, if I’ve been, I mean, I had my cell phone with me and I can do, I can do like 80 percent of my job from my cell phone, which is amazing.

Mary Padberg: Right. 

Kevin Long: Yeah. Um, I mean, it just takes a long time to, to type with these meat paws that I have. Um, but no, I mean, if I’ve been working, I’ve been in one of, Two rooms in my house this whole time. Um, yeah, it’s, uh, when you have, we’ve got three cats and we had a puppy and that, that is not Airbnb travel, 

Adam McNair: uh, friendly at all. So, so what’s the most challenging thing that’s happened to you since you’ve been trying to work from home? 

Kevin Long: Oh, um, my wife buys the puppy, uh, uh, squeaker toys and, uh, just, I mean, I’ve literally last week had, had Pixel, you know, the, the border collie, come into our room where I’m working and just start squeaking the Jesus out of, out of her, out of her toys. So, yeah, I mean, I’m trying to have a, a, have a meeting and you just hear something like again and again. Yeah. And there’s, it is, she’s a, she’s, she’s a musical prodigy. Um, but, but yeah, she’s also really entertained by it for a really long time. And you can only go on mute and say go away, Pixel, for so long because as soon as you say her name, you’re playing with her. So, yeah, um, so what I’ve learned now is, is, uh, only work in a room that has doors that can separate you from the dog. Um, and, and make sure you throw the frisbee for the dog for, you know, seven minutes of no joke sprinting tires her out. So you, when you have a must have meeting, you start seven minutes early, you throw the frisbee for her, and then she’s just panting in the corner and happy. And none of the squeaky, so, but yeah, so my fails are all so are recently dog related.

Adam McNair: Gotcha. Now, now, Mary, every time we see you on video, you are frequently at a different location. I have thought at times that they might be just different Teams backgrounds that you decided to download, but yeah,

Kevin Long: the itinerant ops manager is, is, yeah, 

Adam McNair: So of the various adventures you’ve had in teleworking as we’ve, from March to now, does any, do any of them stick out in your head?

Mary Padberg: Yeah, yeah, working anywhere from home. Anywhere but from home, I guess. Yeah. Yeah. Yeah, so, I mean, I was living on the lake for four months, so that was pretty cool. Um, working from the boat, the hammock, the porch, the down from a

Kevin Long: kayak. Nice. 

Mary Padberg: Yeah. Yeah. I was in the car for a while. That was exciting. Um, on a hotspot. So, you know, in a parking lot because the lake has no, no signal on the phone or internet. So, um, you know, it’s my biggest challenge has been internet really satellite internet hotspot. The hotspot wouldn’t work. So I installed a LTE antenna, like a booster system on a PVC pipe. Um, that was, that was interesting, and there’s all kinds of relay issues with that. Um, but yeah, I’ve been in a lot of places, and now I’m working out of an office that’s not our office, but an office, so more normal. Nice. 

Adam McNair: Yeah, I, I think the, so the most entertaining one to me as, as, as we have, um, as we’ve been working like this is, um, so my, my parents built a small cabin up in West Virginia, like, I don’t know, 30 some years ago, right? And it is, it was built before the internet. So those kinds of things weren’t a consideration. And it happens to be in the National Radio Quiet Zone. This is a 

Kevin Long: It’s by the telescope? Yes, it is about 

Adam McNair: a hundred square mile area located primarily around Green Bank, West Virginia, where they do not allow cell service. They do not allow. Depending on how far away from you, from it, you are, you’re not allowed to have a microwave in your home. They have a little van with a sniffer. They drive around and they knock on your door and say, you know, maybe we can get you a toaster oven, but the microwave’s not going to work. And up until recently, they did not allow any Wi Fi, but the spectrum of Wi Fi is we have now gone to five gigahertz Wi Fi. It does not interfere with their. So I, uh, I called the local telco provider and, um, and asked them if they could, you know, if, if they could turn the, you know, what the wifi speed was and if it’d be, because I asked my father, you have wifi internet up there. He says, Oh, absolutely. We, we have internet and, um, 

Kevin Long: 56 K modem.

Adam McNair: They, that’s exactly what it was. There was a telephone line that you could, the laptop, and I, as I was there, I was like, well, no, I’m, I’m here and I, I need to work. So I, I called down and, uh, very nice folks talked to me and said, well, yeah, we can, um, you know, we can, we can turn the internet on. And I said, okay, but, um, I have a router and everything. I brought one just in case. Can I just get you to turn it on? And they said, well, not until you bring us the cable box back. I said, well, yeah. You won’t turn it on. Could you please turn it on? No, because once you do this, you know, it, it kind of, you don’t need the cable anymore because there’s only one wire coming in. They said we would have to run a new wire, but we can piggyback off of that wire. And you can go out into the box and move it in the box outside. That’ll be the Internet circuit. Now. I said, okay, but when you do that, it’s going to unhook the cable. And I said, that’s fine. So, okay, but what, we won’t turn it on until you bring the cable box back. Because if you don’t, we think you won’t ever bring it back. So I had to, uh, I, I had to at that point, cause again, I have no way to tell anybody cause there’s no cell service. So I, I had to get up early one morning and drive the thing over the mountain and return the box and come back to get the internet lit up so that I could then hurriedly go back and jump on my zoom calls.

Kevin Long: That’s amazing. Yeah. Only a cable company would do it that way instead of just saying, We’re going to continue to charge you rent for the cable box. 

Adam McNair: Yeah, it’s like, I’ll pay, we can pay, we’ll pay for an extra month, that’s okay. No, no, no internet until you bring the cable box back. That’s amazing. And again, it’s like 35 miles over a mountain. It’s not like you just run down the street to the red light because they don’t have red lights, so. You hear that? That is the, uh, probably the most interesting part that and crawling around trying to find the phone box and plug the wires in and all of that. So, uh, so that was entertaining, but wild and wonderful. Absolutely. Well, great. Well, thanks guys for getting together so we could talk about CMMC. It’s a big thing in the, uh, in the market. Um, and we will continue so that we’ve, we’ve. Had some blog posts out. We’ll have this out with some articles out on our LinkedIn talking about some of the aspects of this, and then we’ll have some new guests. The next podcast planning is we actually do event planning. As part of one of our contracts and as both industry events and in kind of all events have gone virtual, uh, we have some interesting experiences there and we are supporting a couple of our customers to do virtual events. And so we will be talking about that, but we will talk about that next time. Thank you guys very much. 

Mary Padberg: Thanks, guys.

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and/or any agency of the U.S. government.

6 Tips To Turn Your Internship Into A Job Offer

As the end of winter internship season quickly approaches, a looming sense of uncertainty exists—will the internship you snagged turn into full-time employment or will the job search resume in the spring?

Much like those contemplating this time of year, I logically had to ask myself this question and examine the possibilities of stable employment. My own metaphorical internship clock quickly began to tick closer and closer to an expiration date just as my time at college was reaching its conclusion. To offer some perspective, this August I graduated with an official COVID-stamped degree from George Mason University. I had, however, begun my internship with Highlight Technologies in January 2020 while using the remainder of the year to complete my courses.

I utilized those seven months interning not only to fulfill my basic duties, but to learn new programs, dip my hand in various projects, and invest my professional self into the company. The extra time and effort I spent during my internship certainly helped me develop my professional experience along the way and subsequently, I was given the opportunity to transition from an internship-level position into the Marketing and Communications Specialist position at Highlight the same month I graduated. I discovered that even during our nation’s current post-graduation period of uncertainty there are ways to utilize your internship experience and turn an unpredictable position into secure employment.

Here are some ways I broke out of the internship box and stepped into a stable position at Highlight:

· Rejecting an internship mindset and investing in permanent thinking not only makes you a useful asset, but a valuable resource for the company as you become more dependable and less disposable. As an intern, I exhibited this by having long-lasting goals at Highlight, expanding my skillset to benefit not only myself but the company, and by approaching the internship with a leadership mindset.

· Learn the ins and outs of the business. Demonstrate interest in how the company functions and how other departments depend on one another to operate efficiently.

· Be proactive with your manager. Continuous communication and responsiveness with your superior are essential to clearly complete required tasks and bridge a way to take on more serious, memorable, and relevant projects.

· Network within the company. Building connections is not only important when looking for a job, but for securing a job post-internship. Utilizing your internship to develop strong relationships helps establish trust between you and other employees and makes you more desirable to keep within the company long-term.

· Teach yourself new skills. Going beyond the list of task requirements and taking on additional courses and/or certifications solidifies that you are willing and able to take on new challenges as well as responsibilities. Do not be afraid to utilize the training opportunities offered inside and outside of your company. This could range from Google Analytics courses to HubSpot Academy SEO certifications to training programs offered at your place of work.

· Do not be afraid to ask about opportunities within the company. You will most likely not be handed a position, regardless of your work ethic or strengths. Taking the initiative to ask about available positions and/or potential openings shows how much you genuinely want to progress within the company.

Internships are a significant way to gain real-world experience; some argue college degrees cannot realistically provide such experiences when students are constrained to a controlled classroom environment. The impact of an internship as opposed to a classroom environment can be invaluable to your professional development, as my internship at Highlight was to mine.

I have learned that an internship is an investment. The more you invest, generally the higher your return will be. Consequently, it is not only about the amount you are investing (time, effort, energy, etc.), it is about how you invest. The number one way to invest yourself into a company and take advantage of potential opportunities is by turning away from short-term thinking and investing in long-term thinking.

How you invest your time and yourself during your internship is key to landing a future position within your company.


Author: Emily Ruffa | Marketing and Communications Specialist