1
00:00:00,000 --> 00:00:14,000
Welcome to the Quick 10 Podcast brought to you by QuickTrack, focusing on all things FedCon and cyber defense from different perspectives and different personalities, all in 10-ish minutes.

2
00:00:14,000 --> 00:00:17,000
Here's your host, Derek White.

3
00:00:17,000 --> 00:00:42,000
All right, welcome back to another episode of the Quick 10 Podcast. I'm your host, Derek White, Chief Product Officer at QuickTrack. Today, we have a very special guest who, in my opinion, doesn't need much of an introduction. But this is none other than Ryan Bonner, founder of DefCert. Ryan, thanks for joining me today.

4
00:00:42,000 --> 00:00:44,000
Glad to be here.

5
00:00:44,000 --> 00:01:11,000
Well, good. We get to do the fun thing of talking about identifying CUI and why that matters to your applicability. So we're going to spend a few minutes getting into some of the, we'll call it the trenches, if you will, and some of the areas of what you guys see over at DefCert and why this matters. And this is probably the hot button topic and has been for quite some time, but really, really getting turned up here recently.

6
00:01:11,000 --> 00:01:39,000
So, so one of the first questions I wanted to just throw out there right away, and really just as a conversation roller, I think a lot of people understand the controlled unclassified, or covered defense information, CUI, CDI, and applicability and how that impacts scope. And, you know, a lot of advice might come from those out there that says just assume it is and expand your scope. It's just easier that way.

7
00:01:39,000 --> 00:02:02,000
I would like to hear your opinion and your experiences on the opposite of that, like the over scope. You get your meat hooks in there and you start talking to this customer and you turn out, yeah, maybe it's not. And now it's not. Here's why it's not. Can you talk a little bit about that so that gives the people who might be, you know, listening to this or watching this that are in cold sweats right now feel a little bit better?

8
00:02:02,000 --> 00:02:16,000
Sure. Yeah, I think that one of the biggest things you have to identify when it comes to CUI is that if someone gives you like a really simplistic answer, like, just this contract generates CUI or just think of it all as CUI.

9
00:02:16,000 --> 00:02:43,000
That's a short term fix to a long term problem. And there's a saying we like to go by around here, which is easy decision, hard life, hard decision, easy life. And I think that sometimes working on a good definition of CUI for your organization based on the contracts that you get and the data that you both receive and generate on contracts is a difficult set of steps to go through.

10
00:02:43,000 --> 00:03:03,000
But once you have that, it brings clarity to so much of the other things in your 800-171 implementation. And that's where there's even more cost and complexity. So we see it as a real force multiplier to be able to positively impact both cost and overall scope and complexity for your safeguarding burden.

11
00:03:03,000 --> 00:03:22,000
So when we have organizations who are told something like, you know, everything on this contract is CUI. Well, on some level, we know that can't be true. I mean, think about it. You've got federal contract information as a category of information, which is information generated on federal contracts.

12
00:03:22,000 --> 00:03:36,000
So we know that on some level, not everything can be CUI. If we've got these other categories, you know, we also know that, you know, over in academia, there's other categories like, you know, fundamental research and things like that. So that can't be universally true.

13
00:03:36,000 --> 00:04:05,000
So when we really get into the weeds, you know, we want to have better ways to interpret things like what we're being asked to generate on a contract and also, you know, sort of how we could interpret markings on documents when they come in the front door and, you know, really put ourselves in a position where we can define some of those things for ourselves without being completely, you know, at the mercy of our customers, whether it's Prime or, you know, the company.

14
00:04:05,000 --> 00:04:08,000
Whether it's Primes or agencies.

15
00:04:08,000 --> 00:04:24,000
Well, and that, you know, to expand on that a little bit too. So we often hear, and I know you guys do on a regular basis, the argument of, well, I can't get an answer.

16
00:04:24,000 --> 00:04:41,000
I'm trying to figure this out. A lot of, specifically the smaller, the medium size, maybe those that are not fully invested in the DoD side for now. This is a part of their business. It's a big enough part where they don't want it to go away, but they, you know, they want to expand it.

17
00:04:41,000 --> 00:05:04,000
That makes it very difficult to make decisions, right, on how to, how do I take on more business if I can't tell? And when it's not clear, you know, it should be, but, you know, if it's not clear or they can't get the answers that makes them confident, you know, through that, where, where do you start? Where do you become a, a small, medium, large?

18
00:05:04,000 --> 00:05:21,000
Medium, large doesn't matter, but this is a, this is a huge, huge initiative for, for a customer if you need to be compliant with the requirements. You know, where, where do you start with the unknowns, determinations, therefore impacting directly the applicability of now what do I do?

19
00:05:21,000 --> 00:05:38,000
Yeah, I think that the most helpful tool, this certainly helped me the most, but is going back to the federal definition of what CUI is. Most organizations have tried to learn about CUI through secondary resources like their DFARS 7012 clause.

20
00:05:38,000 --> 00:05:55,000
And very few organizations go back to the source, which is 32 CFR part 2002. That's the center, the center, the federal CUI program. It's, it's right there in the Code of Federal Regulations. And there's a definition section. I think it's, you know, point four, 2002.4.

21
00:05:55,000 --> 00:06:17,000
That section has the overall definition of CUI and there's some really interesting mechanisms there that you won't necessarily learn about unless you go there first. So, you know, we're, we're reminded of the fact that CUI has to be subject to a law or regulation that governs its, its dissemination or requires safeguarding.

22
00:06:17,000 --> 00:06:33,000
That's not all information, right? Then we're also reminded in the very next sentence that CUI is not proprietary information that the company maintains in their own systems. And NARA has come out and clarified that. And very few people are aware of that element.

23
00:06:33,000 --> 00:06:49,000
But, you know, every private company, especially if you're working with primes on a subcontract where the government has no privity on that subcontract should come to look at the information they're generating on a contract differently when they realize that proprietary information isn't CUI.

24
00:06:49,000 --> 00:07:04,000
So those are, those are critical components that you need to glean from that federal definition from 32 CFR 2002 and then carry into all of your other determinations of what is or is not CUI.

25
00:07:04,000 --> 00:07:19,000
So when, when we get into things like the CUI registry as well, I don't think a lot of people know how to interact with that registry. And that's really difficult, right? They're, they're reading the summary for a category as if it's the definition. You can't do that.

26
00:07:19,000 --> 00:07:36,000
That's just a high level kind of generalization. You have to scroll to the bottom of the page and look at all the laws and regulations that form that, that CUI category and read each one of those because that's the actual definition that you need to be able to read and go through.

27
00:07:36,000 --> 00:07:51,000
And also I think it's super important that you look in the columns to the right of that in the bottom of each category entry where they talk about sanctions. I'm going to want to know if, if everything on a contract is CUI, what category it is.

28
00:07:51,000 --> 00:08:05,000
Some categories have absolutely no sanctions, no penalties for misuse. Some of them are a misdemeanor. Some of them involve 30 years in prison and $15 million in fines. I need to know what category I'm dealing with.

29
00:08:05,000 --> 00:08:19,000
And safe to say that a lot of what is released as reference or resource is done so in a specific way so that the answer can't be, well, I didn't know. Right?

30
00:08:19,000 --> 00:08:36,000
And that's, it's not always the easiest to navigate, but it's, it's not like, well, you guys decide, you know, we hear this all the time. I'm a nobody. I mean, how does this matter? And, you know, there's references out there. There's guides out there.

31
00:08:36,000 --> 00:09:05,000
But it's, it's not always a black and white. Like you just said, that's a perfect example, I think, of how you can, you know, get into the depths of it and make sure. Now, that's where it comes back to if you're looking for clarification on this, because it does have a sizable impact on how things are handled appropriately and where they don't, which kind of is the core of handling sensitive information correctly and in the right systems or the right people and all that kind of fun stuff.

32
00:09:05,000 --> 00:09:20,000
You should want to know where that is, because, you know, certain people shouldn't have access to certain things based on their roles and responsibilities and that's what's trying to be fixed, right? Don't just have it flow everywhere. And, and, you know, because you have a strong password, you should be okay type of thing.

33
00:09:20,000 --> 00:09:40,000
So, so when it comes to everything we just talked about here and, you know, the expertise side of it. So, DefCert, definitely Ryan Bonner and his team, this is, this is a conversation that could go on for a week if we wanted to. And you have such good, great content down there, Ryan.

34
00:09:40,000 --> 00:10:00,000
I highly recommend that people go find Ryan and his team on LinkedIn, follow along there. You know, you do a ton of, you know, and thank you for being on again, because this is super helpful. And it just, just comes off so much easier hearing it from, from somebody who's, who's living this, breathing this every single day.

35
00:10:00,000 --> 00:10:13,000
But, you know, you have a lot of good content out there. You do a lot of speaking engagements that you've done over the last, you know, year or two have been, been very useful for, I know, our customers and, you know, our friends in the, in the space.

36
00:10:13,000 --> 00:10:27,000
So, so check out DefCert again if you can. Thank you, Ryan, for joining and looking forward to the next time when we have you on. And we'll probably have some more real life examples that we can get into and, and take it from there.

37
00:10:27,000 --> 00:10:31,000
Looking forward to it. All right. Take care, sir.

