Episode #10 | Everything CMMC

  • we@designindc.com
  • October 21, 2020


Kevin Long: Broadcasting from Fairfax, Virginia. You are now tuned in to the Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Welcome to the Highlight Cast again. I am joined as usual by Kevin Long. Hi, Kevin. How’s it going, Adam? Good. And also by Mary Padberg who leads our internal operations. Hi, Mary. So today we’re going to talk about CMMC. Uh, this is the Cybersecurity month and it is also we have a lot of things coming to head, uh, from the perspective of CMMC. This is the DoD, Department of Defense, cyber maturity model that they have created and unleashed on the world. Absolutely. And they gave, they gave some heads up and some notice. I think this has been a long time in being developed. Uh, there’s certainly a lot of content to it. It is much more complex than your standard IT compliance model. Most of the things that we see that are compliance related, whether it’s Department of Labor or security clearance, most of the times it’s a lot of policy stuff and a little bit of things you really have to do. Right. Um, this is not that way. And so the, it’s being enacted. I completely understand why it’s being enacted. Um, you know, we, we all work in environments where we have customers and we have systems that are not air gapped from each other. So you can be inside of an environment and have protected information and have somebody email it to your, to your home network. Um, you can have people working with company equipment, accessing customer data, and you can tell everybody not to download things to the laptop, but that’s how information spills happen and people just do things. So, um, I mean, it, it seems like it makes sense, right? It does.

Kevin Long: And, and this was being enacted way before everybody started working from home. But I mean, even still now, it’s less and less work is being done on, on government site itself, which means there’s more and more risk being, being put out into the world for, for IT systems that the government has. So it’s very apropos of the moment and, you know, came out in a great time. Yeah. Yeah. Yeah.

Mary Padberg: And I think with the bring your own device environment, um, that we have and all these cloud systems, you know, we have email on our phone and we have, you know, Teams chat on our phone and, you know, being able to define in scope, um, you know, how the data secured where it is. And yeah, it makes a lot of sense.

Um, but 

Kevin Long: yeah, if it was just a tick box for yes, we’re secure, it would have been a lot like, you know, uh, other government policies, but wouldn’t have actually actually helped demonstrate data. Which is, I mean, so it’s more painful to, to, to, to actually do, which I’m sure Mary can wax poetic on for, for hours, but it, uh, actually has an opportunity, I think, to do some real good.

Adam McNair: It’s an interesting scenario for us as well, because so we’ve been having conversations in our IT meetings for in literally the last three or four years where we would talk about risk posture and risk profile and we implemented ISO 27000 which put a little bit more rigor around, you know, and think well we, it was kind of under the assumption that it, you know, as long as things work, we’re okay. And we don’t really have a lot of data. And you know, the IT team was really not really a team at one point. And so as we grew to have an actual IT team and an infrastructure and more and more, uh, company owned devices and more contracts, we’ve had conversations at least monthly and and done a real threat landscape kind of analysis once a year about what’s the landscape look like to us and what should we be worried about? And frankly, from a corporate perspective, phishing, we see a lot more of that than we have seen concern about information leaks, because again, most of our people are working on government furnished equipment and working in government environments. And so the overall threat, you just assume that that it probably is not that high, but we certainly had policies around it and told everybody don’t save these things on these systems. But as we recently won a new contract that, you know, in normal work times, everybody would be in the customer environment on GFE. And it would be an air gap network that doesn’t have Internet connectivity, where we’re looking at how do we make sure that these people are going to be supporting this environment that, you know, we are, um, you know, that we are as stringent as we can be. And luckily, we had started that whole process and had more rigorous conversations around it, uh, as we started down the CMMC certification self assessment process.
We actually were, supposedly, according to our, our assessor, uh, the partner that we, that we worked with, uh, Michael West and his team, and, um, some of the folks from BroadSword, we were theoretically the first company in America to do a self assessment. Um, which, as you can imagine, was very much kind of both process building and assessing at the same time. Um, but it feels very assessors. Yeah, but it feels very much like a real live in depth audit. I mean, Mary, you want to talk a little bit about what it took to actually do the, the appraisal, the, the, the self assessment.

Mary Padberg: Yeah, sure. So, um, Michael’s team, they came in and, uh, we worked for months beforehand to, um, go through all of the requirements. So CMMC has five levels of maturity, um, similar to the CMMI certifications you’re going to see. Um, and so we were doing a gap analysis against level three. And so the. Do you consider that good cyber hygiene and level three is expected to be kind of the standard level that you’re going to need to bid work and be on teams on the BD side. But, um, so we went ahead and ahead of time kind of mapped out, you know, what we had, you know, what controls are in place, you know, what, uh, procedures and policies from like 000, and just the basic, you know, FedRAMP stuff we comply with as a contractor. Um, and then we sat down for several days and went through it. And so we talked through a couple of things and something that was interesting about that was, you know, the requirements that are written up in the standard right now. Um, they’re not set in stone, right? The concepts are, but there’s details about implementation and clarifications. And so, you know, it’s a conversation about, you know, what does this really mean? What are they asking for? What’s the spirit and intent of these, you know, these requirements? So that was going on while we’re simultaneously saying, okay, we, we can agree that I think this is what this means, you know, so let’s look at what’s in place. And so we basically just, you know, said, okay, either pass or fail or needs improvement and took, took record of that and then produced an action plan and, um, you know, presenting that to Adam and the team, um, to, yeah, kind of show where we’re at. And I think we did pretty well, um, you know, against the model. And so there’s always areas to improve and it was those questions about, you know, what is this really going to mean once they finalize, you know, certifying these auditors and everything. Because right now I’m.
You know, as you know, there’s people are still getting registered as an auditor, you know, so we’re kind of in a weird spot where, you know, we know we have to be compliant and the version 2 or whatever is out for CMMC. But, you know, all of the implementation pieces are kind of variable. 

Adam McNair: So I, I think that’s a really good point about kind of the, the, the strategy or the thought process or the underpinning of some of the requirements is going to stay the same, but because this is a highly technical model, this is not like any of the other ISO or even the CMMI standards, they, they look at it and say, okay, well, we say that you have to collect metrics. We’re not going to tell you what metrics you have to collect. You decide which ones are important for you and then show us how you’re doing it. CMMC is prescriptive. Now, the thing is, I do think it makes sense. All the different areas where, for example, they say, look, you should be able to have device management so that you can lock down workstations and not allow them to have removable media. Yeah. I mean, there’s, there’s no reason why that, that anyone would want to argue that that’s a thing that you shouldn’t do. So I, I agree with them. Um, I do think there is some, some challenge from the standpoint of it is a moving target. You know, they, they published this interim rule that there’s now a deadline in November where companies are going to have to log a, you know, a self assessment essentially to say whether they have at least looked at themselves at some level. They’re already dropping contracts that have

Kevin Long: it as a requirement. So, 

Adam McNair: yeah, is it something that you’ve heard? Customers on your side talk about at all? 

Kevin Long: So from my side, not by CMMC, but by NIST 800-171. And like, like the, the pieces that are underneath, uh, that, that sort of build up the, the actual implementation of, of CMMC? Absolutely. Um, like, uh, across all, all of the contracts that, that I have that are DOD that operate, uh, in, in an environment where we have to be cyber aware, uh, that we’re not just using their GFE in, in, in their, in their spaces where there’s a whole other team or contractor group of folks that that are worrying about it. Absolutely. I mean, when we were working with Kessel Run, I mean, we had to absolutely put in network and device security to those standards and report up to them on it. And as seems. CMMC extraction. More and more questions were coming to us about, hey, show us how you’re compliant with these different things.

Mary Padberg: Right. Right. 

Kevin Long: Yeah. Yeah. 

Mary Padberg: That’s a good, 

Kevin Long: I’m sorry. Good. Right. 

Mary Padberg: Yeah. So that’s a good point. Um, CMMC is one of the foundational, you know, NIST, you know, standards is 800-171, but, um, there’s also a lot of other things that go into it and something that, you know, we were looking at was, you know, well, NIST 800-171 has been out for years, you know, and this, this model is really a way for, um, for companies to have a stepped approach to compliance and meeting those controls, but, um, you actually don’t reach like level 100% compliance with this data and I wanted to hit level 3 on the model. And even then there’s non federal org controls that you have to meet. Usually, if you’re 27000, you’re going to meet them. But there’s additional things. And so it’s kind of interesting to see the relationship between, you know, NIST 800-171, which won’t go away, and then CMMC and how those meet up and where the gaps are there as well. Um, I think it’s easy to just kind of like, oh, we’re CMMC compliant, you know, we’re good. Well, no, there’s other things that back that up.

Kevin Long: Yeah. So since it is such a technical thing with, with cyber being such a moving target, do you expect CMMC to have to get updated more frequently than say, uh, you know, CMMI are the types of things that are similar with it, because when I was first seeing this, I was looking at it going like, wow, I mean, this is a big framework around something that that literally changes every day.

Mary Padberg: Yeah, yeah, that’s a good point. And, um, yeah, I think the way that it’s written, I think it will need to be updated in some areas, but it’s prescriptive, but not overly so. And so I think they’ve really tried to hit on both the requirements for security controls on an on prem environment and in a cloud environment. And so because of there’s that ambiguity there, um, and that discrepancy, it leaves enough room for the auditor to make a decision based on the landscape at that time. And so, you know, we could be sort of, if we had two assessments or two appraisals in one year, you know, and something huge happens in the cybersecurity landscape, a new encryption algorithm comes out, or, you know, there’s a new threat, that same auditor might come back six months after our initial one and say, Hey, actually, I think, according to this requirement, which may be, you know, authentication standards or the way that we’re encrypting right now. It’s 140-2. They might say, once 140-3 comes out, you need to meet that. I think they’re going to leave that up to the auditors. Um, and so they’ve tried to be careful not to make it too, too prescriptive, but, yeah, I do think it will. The implementation and the spirit and intent of it, you know, will adjust as things move forward.

Adam McNair: Yeah, I think also there will be more and more parts of this. There will be a lot of companies that are able to automate a lot of these things. Uh, there are tools in the marketplace now that you can do log aggregation and start to do a lot of the checks and searching and things that you need to be doing automatically. I, I think there’s going to be evolution of how they do the appraisal and the skills of the auditors, because in order to be able to come in, you know, if they’re saying, how are you checking the logs to know that there’s no inaccurate or malicious activity? The old answer was, well, here’s my IT person. This IT person sits down every Tuesday and looks over the logs and then fills out a Word document that says, I looked at the logs, everything looked okay, and signs their name, or says this was suspicious and copies it in there. Now you’ve got real time AI looking at all of this on a regular basis, and there are real time alerts that would come out. And so, it is a different level of understanding of what’s going on to be able to look at system generated notes and say, okay, this is, this is the result of log aggregation and analysis that was happening from a machine. I’m not going to see a process written up necessarily because there’s a tool that does this. And in a lot of ways, some of those tools, their process and their algorithm are proprietary for their risk modeling. So you can’t show them. Well, how are you predicting? No, I bought this from a company that does this. So that’s the tool that I’m using. Um, yeah. And I think also, you know, something that is from the interim rules perspective, it’s easy enough to fill out a self assessment and send that in and log it into the system by the time that you have to. I think, um, I think that’s not that hard.

Kevin Long: For us. They’re getting plenty of companies out there. Yeah. That that find this to be completely onerous. I just just I predict much gnashing of teeth. 

Adam McNair: Well, I think there’s two areas where you’re gonna have major issues for companies. I think the first issue is if you are in a in a reactive mode and you have been waiting for your customers to tell you things that you need to do. And I, I see this all the time, and I’m sure you guys do too, where the work quality in a given area of a contract is a little bit subpar, but you hear somebody say, well, the customer doesn’t care that much. It’s okay. Or I’m waiting for the customer to decide if we need to do something about that. If you’re at a responsive stance and you are waiting for your customer to say, I just got the chief acquisition officer for our agency who sent it to the contracting officer who told me that I need to tell you that you need to do this. You’re at zero time. Um, the other thing. This has been, I don’t want to call it easy, it was a tremendous amount of work. And Mary has spent an inordinate amount of time learning and working through all of this and the whole IT team and we had a, you know, multiple appraisers that were in working with us to audit this and, but we are starting from a framework. First off, our IT is process driven, so the IT organization is ISO 20000 certified, and so we have documentation for how we create an account, how we off board someone. You need that as a foundational input to doing this. If you don’t have any of that, this is a monumental process. The other thing when we started doing 27, we started with comprehensive risk analysis across the organization. So that’s not just, oh, here’s some high level risks. That’s okay. The recruiting organization. What are the risks there? Do we have plans around that? And in it, Bust conversation because there are things like capabilities of the systems that we have. When do our, our software platforms come up for renewal? Because here’s the really hard part. And this kind of gets into what a companies need to do to prepare for this.
A lot of the capabilities that are necessary here are not policy. They are not process. They are not abilities of people. You need actual IT tools that will allow you to do things. And that comes with number one cost that the amount of time to identify the tool, negotiate it, buy it, and implement it, and then sustain it. Now you’ve got this whole project. You might have a dozen of those that you have to do in order to be able to be compliant with this. The other thing is, certainly at our size, I, I think you might, maybe when you get to be the, you know, one of the top 10 government contracting companies, they may have enough scale that it’s a little bit different, but I imagine they have some of the same challenges. Oh, but the

Kevin Long: number of business units and the, and the mergers and acquisitions that they do, they’re always bringing on new companies and stuff. Like, I mean, if you’re Lockheed or CACI or Northrop, I mean, they’re the work for them to be able to integrate and do this across their entire enterprise. Yeah, so fair.

Adam McNair: So I’m glad 

Kevin Long: that we’re doing it at our size and being able to scale up from it as opposed to having to lock it down from a, you know, a 20,000 person company.

Adam McNair: Yeah, and the one thing that I think at larger scale, there are enterprise class tools that cover some of these. But it’s interesting when you get down into, like, just for device management, when we started looking at MDM solutions, you go, well, here’s the CMMC requirements. Oh, here are the top five most popular MDMs. They must all do this. They don’t. And so, you then have these conversations about, like, how many tools are we really going to have in this environment? And a conversation that Mary and I had just the other day was, as we do this, it’s increasing the complexity of the IT architecture, and we’re gonna come to a point where we’re gonna need a sysadmin or two just to maintain the tools that are necessary for compliance.

Mary Padberg: Right. 

Adam McNair: And the, that, that’s if you didn’t have anything installed, if, if you did have something installed, do, do you turn it off? Do you set up a parallel environment? I mean, the licensing on things like this, if you signed a four or five year deal for storage, for backup, for, um, for MDM. What if it’s not compliant?

Kevin Long: Yeah. 

Mary Padberg: You’re in a bad situation. 

Adam McNair: Yeah, 

Kevin Long: government contracting is not MDM’s major market. Right. Right. Right. That is. 

Mary Padberg: Yeah. That’s why you think bombs are so long. 

Kevin Long: Right. And they’ve only published, I mean, when was the CMMC, you know, first announced? I mean, we’re looking at, at stuff just now, if they, if a company put it on their product roadmap the day that it was dropped, I mean, we’re probably starting to see versions that have CMMC right from back in the day, you know, starting to come on to it if they really want to go after the federal market.

Mary Padberg: Right? Well, and something interesting is that, you know, um, I’ve had people call me, right? Because it accounts they’ll call and say, Hey, you know, we have this product and, you know, we’re CMMC, you know, they have a word for it. It’s not certified, but we’re CMMC ready or something like that. Right. And you talk to them and it’s like, well, no, you’re not CMMC ready because you can’t argue that that meets all those control requirements. And so it’s really, um, it’s an art of piecing together, especially in a colorful cloud environment. So piecing together these tools and, you know, not only do you have to have the data has to be, meet these requirements at rest and in transit and during crossing. And so if you have an API that connects to systems that has to be meeting FIPS 140-2, it has to have all these requirements for authentication. And so back to what we’re talking about with the actual audits that go on and, you know, does the auditor need to have a technical expert next to him? Because I can sit here as an IT person, and if they don’t know what’s going on, I can show them an audit log that’s not even relevant, right? Um, and so that’s why they focus so much on the, the SSP, the system security plan and having your system architecture laid out so that when, you know, you might have a different auditor come back for your, your renewal. Right. And so, so that plan is there and established and they can reference that and they’re not starting from scratch, um, and make sure that as the threat landscape evolves and as these tools evolve that, you know, they still meet all of these requirements.

Adam McNair: And I think the biggest, probably one of the biggest sources of gaps in, in the capabilities of these tools that are available is that because they are commercial products, they are trying to cover what is most commonly cared about and any kind of security cyber. It’s true as well is a balance between the user experience and functionality and locking it down. You know that the most secure network that you can operate on is unplugged. Is unplugged. And so, but that doesn’t work. In the same way, encrypting every file, requiring a PKI key to be able to send anything to anybody, uh, dual factor authentication, you know, and so App timeout at 70 seconds. Absolutely. All of those things. And so, we have baby stepped over the last four years from the perspective of what’s, what’s the next logical step,

Mary Padberg: right? 

Adam McNair: What’s the just noticeable difference where we can be a little bit more secure without ruining the computing experience of the users and you know things like we’re going to require you to have a password on your machine. OK, we’re going to require you to have one. OK, we’re going to require it to be a little bit stronger. We’re going to require Tell you to not save to your to your hard drive now by policy. We’re going to not let you save to your hard drive. And the thing is when those policies started to come out. I mean, I remember when people first said you should save it to the network drive. Pre cloud not to your local machine. Yeah, well, but sometimes I can’t connect to that now that they have all of the ability to synchronize data. I mean, my OneDrive, I hardly ever notice if it is connected or not connected because it is. It synchronizes so so frequently that if something drops, if something wasn’t connected, it really is not that big a deal. Um, you know, we started to push the idea of your password needs to be 97 characters and have special, you know, special symbols and everything else in it. Now we have password managers that help sort that the integration is pretty good. There are. They’re just a little slow to catch up. Always. They’re like one stage or two stages behind, uh, where the commonly adopted cyber methods are. Um, you know, when dual factor authentication was a thing, you’re like, you’re really going to make me now check a code on, uh, on my phone, and we’ve rolled that out across the entire company at this point, and I don’t hear anybody ever say anything about it, and I bet if we had done that three years ago, there would have been massive hand wringing over, why are you making us do this?

Mary Padberg: Right, right. One part of that’s also, I think, the, you know, we’ve evolved from only a text code available to having an app read top approved. Right. And, you know, CMMC, for example, um, they do require multi factor authentication and in reality they do. And so, you know, it doesn’t say that I need to have a 60 hour timeout, right. It says that I need to have a timeout. And so that’s a business decision and a usability decision of, well, what is the risk of, can we, can we have it at seven or 14 days versus, you know, a day. And then, you know, because we can, you know, make a decision to make that a longer session token, then people aren’t having to as frequently open their phone and approve things. And so, it’s the, the little details of how you implement this and how you interpret the standards and, um, don’t over prescript yourself based on your assumptions of the model, I think is important.

Adam McNair: Yeah, and, you know, I, um, I, I always thought for a lot of years, you know, I just, you know, I work for this little government contractor, who’s really going to come look at this stuff? Like, the, the, the information that I have access to I can’t envision anybody really caring, right? And I’ve read in past months that someplace where both Kevin and I, you know, worked for a while got hit with ransomware and they had a whole bunch of user salary, payroll data leak. It ended up on the internet. It published for everybody. It was a black eye. 

Kevin Long: Stolen shortly thereafter again. 

Adam McNair: Yeah, black eye for them, black eye for their, um, you know, for their customer. And so it, it is rapidly approaching the amount of cyber attack that happens anymore. I think we really firmly are in a space where it’s like, uh, we just really don’t want something bad to, to happen. You know, to, to happen, uh, 

Kevin Long: got two phishing attempts today, right? 

Mary Padberg: And that’s not right. They’re not, they’re not, you know, misspelling on, on the test. I mean, they’re, they’re very sophisticated. They’re getting 

Kevin Long: more and more sophisticated too. 

Mary Padberg: Right. And, and this is what happens. And so, yeah, absolutely. It’s a business requirement. I think it’s no different than having a lock on your office door, you know, with some of these controls and, um, you know, yeah, you have to be really progressive about about your your policies, whether that’s technical or internal and training is huge. You know, the CMMC all focuses on training a lot. We see the ISO standards increasingly focusing on that as well because your users are your best asset and your biggest risk, right? So that’s interesting.

Adam McNair: And it’s, it’s a, and this is something that I’ve, it’s a, a lesson that I’m continuing to carry forward from, uh, from Jeff Dalton, who is, is, works for BroadSword from his process side is that, um, processes are, are only one thing. Behaviors are what are actually important. And so you can have a process, but if nobody follows it, it doesn’t make any difference. And so that training aspect, you know, I, I won’t speak for everybody, but I’ll at least say for me, I, I don’t know how many years I had the same slide deck that I had to sign off on for the annual security training. That was just, Yep. Yep. I know if I’m going to travel overseas, you know, yes, I please don’t misuse government equipment. Yep. I got it. Understand. Sign my name and I’m good. The, the, the, what we’ve gone to the, um, the vendor that we, we implemented for, for

Mary Padberg: phishing and, training, it’s in real time. So we basically, you know, set up phishing campaigns and we’ll target our own people. So if we know that, you know, it’s, um, it’s tax season, we’re going to target people with, you know, very highlight specific tax fraud emails, and then we can run through the statistics on who clicked on what, how far they went.

Kevin Long: The fact that I got phished with a free doughnuts, uh,

Mary Padberg: That’s awesome. No, I mean, we have fun with it too. I think we have some interns and I almost flipped on that one 

Kevin Long: too. I mean, it was a, it was a really good one and free doughnuts. 

Mary Padberg: It pulls on your emotions. You’re like, I really want that doughnut. It’s an excuse to drive out of the house with COVID, right? Um, yeah, absolutely. But yeah, so we do those trainings and instead of just having, you know, we have our annual security training and all the standard stuff we do for everybody, but we can target the most vulnerable people, right? We can identify who is most likely to click on something and then make them take additional training versus having my IT manager have to take a bunch of compliance training for no reason when he’s creating, you know, creating all of that. And, you know, we still train our IT, our IT people and our more sophisticated people in finance and all of that. But

Kevin Long: I get called, I’ve literally gotten a call from a new hire, which is, is good. Cause he, he, he, he was looking at his email on his cell phone where it’s harder to see the, the metadata and things like that on it, and, and he fell into the phishing trap. He was like, oh my God. And he, he, he hung up the phone and he or, or he closed out the email. Then he, he picked up the phone and called me and was like, I clicked on this. It’s like, okay. So did you learn something? It’s like, well, yes. It’s like, so what’s going to happen? It’s like, well, you’re going to have to go to training. You’re going to be more careful about what comes through on your cell phone now and you’ll check. He’s like, yeah. I mean, it’s, it’s the type of lesson that, I mean, it’s great when people make the mistake when we’re

Mary Padberg: hitting them. Right, right. And that’s the key. That’s the key, right? Well, you know, um, you know, it goes back to the Paul, you know, if you have a policy, nobody follows, it doesn’t matter. Well, you know, how do you get by it’s organizational psychology. How do you get buy in from users? How do you make them see how important something is? And, you know, when somebody clicks on a, yeah. Right. When somebody clicks on a phishing email and put their social security number into a phone number. Fraudulent link because I think it’s Paycom, you know, that gets their attention. Um, and so, you know, I think it’s, it’s effective in all ways.

Kevin Long: I haven’t seen that one yet. 

Mary Padberg: No, I don’t want to do that. 

Adam McNair: We’ll see. And I have reverted back. I, uh, I am now moving to a typewriter, so I will be sending out emails by actual just mail. Um, the response time will be shorter, but I don’t think that there’s any way to have anybody phish that.

Kevin Long: Maybe I like the little mini cassette recorder. And just dictate everything. I just, I snail mail small cassettes to everybody. 

Mary Padberg: I fully support both of those efforts, but they’re not in our service catalog, so your turnaround time on tickets is going to be really long. 

Adam McNair: Right, right. Please tell Kevin to stop emailing the help desk for more tiny little cassettes.

Kevin Long: I need more tiny cassettes. 

Adam McNair: You’re awesome. I love it. So to wrap up the CMMC conversation, um, I guess, you know, Kevin, do you think we’re going to end up seeing companies that specifically decide, I mean, likely on the small business side, that it’s just too much work and that they’re just not going to support DoD? I mean, you think that’s a thing many companies are going to decide? 

Kevin Long: Not without failing first. I mean, I mean, if you’re a government contractor, that’s where the I mean, uh, I mean, a lot of it. So, um, I mean, if you’re a government contractor and you don’t have a facility clearance and you’re, and you’re focused on an agency, like if you’re, if you’re an FAA company and you’re going deep into transportation, maybe, but honestly, this fully implements in five years, in 10 years, civilian agencies are going to have the same flipping requirements.

Adam McNair: Yep. GSA STARS III already listed the ability to insert CMMC. I mean, how do you not? How do you go in and say, hey, if you’d like us to put this clause in, we can make sure your vendors have good cyber security. Who’s going to say, no, I don’t think we need that.

Speaker 4: Yeah. 

Kevin Long: I mean, unless all you do is OTAs or things that don’t comply with the FAR. Yeah. Um, could you do that? And then the best case scenario is you’re a small that develops something really cool, a niche, and then gets bought by a company that has the processes that, that they can, can umbrella you under it. But yeah, no, I, this, I think that it’s going to be painful and I think boon for, for certification companies, but yeah, it is, it is at, at a company’s peril to not, to not do this.

Adam McNair: Yeah, I do wonder if there’s the ability. I mean, when FedRAMP came out, FedRAMP was hard. I did one of those and it it costs. We were well north of two and a half or 3 million to build out a FedRAMP private cloud instance and. It’s really, really hard, but there’s a lot of FedRAMP, you know, the process has gotten better, more, there’s more people that know how to do it, etc. So it’s, it’s much more achievable than it was, you know, five years ago or six years ago, whenever that was. Um, I wonder if there’s the ability for, for FedRAMP CMMC. You, you buy your IT service already hardened like this. Um, It’d be expensive. I mean. It would be. That’s, that’s the hard part is. 

Kevin Long: CMMC AAS. 

Adam McNair: Yep. 

Kevin Long: Yeah. 

Adam McNair: CMMC is a service and I, I think, I think you could, uh, the investment on the front end would be pretty steep. Yeah. Um, the complexity of being able to have multiple instances that are, that are all compliant would be pretty hard. And I think it would be expensive to buy, but I think maybe from a, you know, if I, if I’m a 50 person, 100 person company, Yep. I don’t know, I don’t know how you, I don’t know how you do this, 

Mary Padberg: to be honest with you. Um, Yeah. Yeah, it’s hard. It’s hard. Um, yeah. 

Adam McNair: But I guess we’ll see, you know, as, as time goes forward here, we’ll see how that evolves. We’re certainly, you know, based on our self-assessment, we’re pretty well compliant and we’re going to line up some of the capabilities that, that we have known some of our tools we wanted to upgrade anyway, uh, over time. And so we’re gonna upgrade those. And so we’re, um, you know, we’re on track for it. It, it has been certainly effort and work, but I think way less disruptive than where I would envision it to be for, um, you know, for organizations that hadn’t already started with a built real framework of process driven approach and, and risk management to, to a lot of these things. Um, so that’s CMMC. I, I guess, you know, one thing that we are gonna start talking about, uh, as we, as we wrap these podcasts up is, so we’re all still working from home and quote unquote home. Um, you know, some of us have worked from different locations throughout this. Now, Kevin, have you been at home the entire time? Have you done any, like, have you guys gone on trips? Have you been in some Airbnb trying to work remotely? Or have you just been home, home?

Kevin Long: Uh, I took a long weekend for our anniversary in early June, but didn’t bring my laptop. So if I, if I’ve been, I mean, I had my cell phone with me and I can do, I can do like 80 percent of my job from my cell phone, which is amazing.

Mary Padberg: Right. 

Kevin Long: Yeah. Um, I mean, it just takes a long time to, to type with these meat paws that I have. Um, but no, I mean, if I’ve been working, I’ve been in one of two rooms in my house this whole time. Um, yeah, it’s, uh, when you have, we’ve got three cats and we had a puppy and that, that is not Airbnb travel,

Adam McNair: uh, friendly at all. So, so what’s the most challenging thing that’s happened to you since you’ve been trying to work from home? 

Kevin Long: Oh, um, my wife buys the puppy, uh, uh, squeaker toys and, uh, just, I mean, I’ve literally, last week, had, had Pixel, you know, the, the border collie, come into our room where I’m working and just start squeaking the Jesus out of, out of her, out of her toys. So, yeah, I mean, I’m trying to have a, a, have a meeting and you just hear something like again and again. Yeah. And there’s, it is, she’s a, she’s, she’s a musical prodigy. Um, but, but yeah, she’s also really entertained by it for a really long time. And you can only go on mute and say “go away, Pixel” for so long because as soon as you say her name, you’re playing with her. So, yeah, um, so what I’ve learned now is, is, uh, only work in a room that has doors that can separate you from the dog. Um, and, and make sure you throw the frisbee for the dog for, you know, seven minutes of no joke sprinting tires her out. So you, when you have a must have meeting, you start seven minutes early, you throw the frisbee for her, and then she’s just panting in the corner and happy. And none of the squeaky, so, but yeah, so my fails are all so are recently dog related.

Adam McNair: Gotcha. Now, now, Mary, every time we see you on video, you are frequently at a different location. I have thought at times that they might be just different Teams backgrounds that you decided to download, but yeah,

Kevin Long: the itinerant ops manager is, is, yeah, 

Adam McNair: So of the various adventures you’ve had in teleworking as we’ve, from March to now, does any, do any of them stick out in your head?

Mary Padberg: Yeah, yeah, working anywhere from home. Anywhere but from home, I guess. Yeah. Yeah. Yeah, so, I mean, I was living on the lake for four months, so that was pretty cool. Um, working from the boat, the hammock, the porch, the down from a

Kevin Long: kayak. Nice. 

Mary Padberg: Yeah. Yeah. I was in the car for a while. That was exciting. Um, on a hotspot. So, you know, in a parking lot because the lake has no, no signal on the phone or internet. So, um, you know, it’s my biggest challenge has been internet really satellite internet hotspot. The hotspot wouldn’t work. So I installed a LTE antenna, like a booster system on a PVC pipe. Um, that was, that was interesting, and there’s all kinds of relay issues with that. Um, but yeah, I’ve been in a lot of places, and now I’m working out of an office that’s not our office, but an office, so more normal. Nice. 

Adam McNair: Yeah, I, I think the, so the most entertaining one to me as, as, as we have, um, as we’ve been working like this is, um, so my, my parents built a small cabin up in West Virginia, like, I don’t know, 30 some years ago, right? And it is, it was built before the internet. So those kinds of things weren’t a consideration. And it happens to be in the National Radio Quiet Zone. This is a 

Kevin Long: It’s by the telescope? Yes, it is about 

Adam McNair: a hundred square mile area located primarily around Green Bank, West Virginia, where they do not allow cell service. They do not allow, depending on how far away from you, from it, you are, you’re not allowed to have a microwave in your home. They have a little van with a sniffer. They drive around and they knock on your door and say, you know, maybe we can get you a toaster oven, but the microwave’s not going to work. And up until recently, they did not allow any Wi-Fi, but the spectrum of Wi-Fi is we have now gone to five gigahertz Wi-Fi. It does not interfere with their. So I, uh, I called the local telco provider and, um, and asked them if they could, you know, if, if they could turn the, you know, what the Wi-Fi speed was and if it’d be, because I asked my father, you have Wi-Fi internet up there. He says, Oh, absolutely. We, we have internet and, um,

Kevin Long: 56K modem.

Adam McNair: They, that’s exactly what it was. There was a telephone line that you could, the laptop, and I, as I was there, I was like, well, no, I’m, I’m here and I, I need to work. So I, I called down and, uh, very nice folks talked to me and said, well, yeah, we can, um, you know, we can, we can turn the internet on. And I said, okay, but, um, I have a router and everything. I brought one just in case. Can I just get you to turn it on? And they said, well, not until you bring us the cable box back. I said, well, yeah. You won’t turn it on. Could you please turn it on? No, because once you do this, you know, it, it kind of, you don’t need the cable anymore because there’s only one wire coming in. They said we would have to run a new wire, but we can piggyback off of that wire. And you can go out into the box and move it in the box outside. That’ll be the Internet circuit. Now. I said, okay, but when you do that, it’s going to unhook the cable. And I said, that’s fine. So, okay, but what, we won’t turn it on until you bring the cable box back. Because if you don’t, we think you won’t ever bring it back. So I had to, uh, I, I had to at that point, cause again, I have no way to tell anybody cause there’s no cell service. So I, I had to get up early one morning and drive the thing over the mountain and return the box and come back to get the internet lit up so that I could then hurriedly go back and jump on my Zoom calls.

Kevin Long: That’s amazing. Yeah. Only a cable company would do it that way instead of just saying, We’re going to continue to charge you rent for the cable box. 

Adam McNair: Yeah, it’s like, I’ll pay, we can pay, we’ll pay for an extra month, that’s okay. No, no, no internet until you bring the cable box back. That’s amazing. And again, it’s like 35 miles over a mountain. It’s not like you just run down the street to the red light because they don’t have red lights, so. You hear that? That is the, uh, probably the most interesting part, that and crawling around trying to find the phone box and plug the wires in and all of that. So, uh, so that was entertaining, but wild and wonderful. Absolutely. Well, great. Well, thanks guys for getting together so we could talk about CMMC. It’s a big thing in the, uh, in the market. Um, and we will continue so that we’ve, we’ve had some blog posts out. We’ll have this out with some articles out on our LinkedIn talking about some of the aspects of this, and then we’ll have some new guests. The next podcast planning is we actually do event planning as part of one of our contracts and as both industry events and in kind of all events have gone virtual, uh, we have some interesting experiences there and we are supporting a couple of our customers to do virtual events. And so we will be talking about that, but we will talk about that next time. Thank you guys very much.

Mary Padberg: Thanks, guys.

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and/or any agency of the U.S. government.