1
00:00:00,000 --> 00:00:07,040
Welcome to the Quick 10 Podcast brought to you by Cuick Trac, focusing on all things

2
00:00:07,040 --> 00:00:12,880
FedCon and cyber defense from different perspectives and different personalities, all in 10 ish

3
00:00:12,880 --> 00:00:21,920
minutes. Here's your host, Derek White.

4
00:00:21,920 --> 00:00:27,560
All right. Welcome back to another episode of the Quick 10 Podcast. I am your host, Derek

5
00:00:27,560 --> 00:00:34,200
White, Chief Product Officer here at Cuick Trac in Beryllium. My guest today is none

6
00:00:34,200 --> 00:00:42,360
other than Regan Edens, who is the, we'll see the Chairman of the CMMC Industry Standards

7
00:00:42,360 --> 00:00:48,520
Council and Key Compliance Officer at DTC Global. And Regan, how are you doing today?

8
00:00:48,520 --> 00:00:51,320
I'm doing great, Derek. Thanks for having me.

9
00:00:51,320 --> 00:00:58,040
Yeah, you bet. You know, it's been many, many years since we first originally met and the

10
00:00:58,040 --> 00:01:02,680
previous episodes we've had here, you know, it's been kind of fun to go through some of

11
00:01:02,680 --> 00:01:08,560
these relationships and conversations that sadly haven't really gone on for a long time. But

12
00:01:08,560 --> 00:01:13,120
to see where things are at now and to see where things are going, thank you for being

13
00:01:13,120 --> 00:01:17,700
on and touching on what's going to be a pretty sensitive topic, I think, to a lot of those

14
00:01:17,700 --> 00:01:23,460
that are listening or watching. And we're going to talk about what it means currently

15
00:01:23,460 --> 00:01:31,120
here as we hit the midway point of 2024 on starting or restarting your CMMC program.

16
00:01:31,120 --> 00:01:36,280
So we know some things happen at the end of the year. We've had some things happen this

17
00:01:36,280 --> 00:01:39,620
year. We've got things that we're speculating that will happen as the rest of the year goes

18
00:01:39,620 --> 00:01:45,960
on before CMMC is something that can be in a requirement in a contract.

19
00:01:45,960 --> 00:01:54,240
So the question to get right into it today is the scenario of we're talking to an organization

20
00:01:54,240 --> 00:02:01,260
right now. Okay. I'll say our audience is in a scenario where CMMC has been prioritized

21
00:02:01,260 --> 00:02:08,840
off and on. Sure. This organization has DFAR 7012. So this is not a new thing to them.

22
00:02:08,840 --> 00:02:15,920
This is something they have to be doing. They are required to be doing. But maybe the organization

23
00:02:15,920 --> 00:02:20,880
lost somebody, they left, and now somebody is there to pick up the pieces. And maybe

24
00:02:20,880 --> 00:02:26,680
that organization hasn't been left in the best scenario. Or maybe leadership has put

25
00:02:26,680 --> 00:02:31,960
it back on the radar after having it sit still waiting for things to be more formalized.

26
00:02:31,960 --> 00:02:42,000
So it's back on the radar. Where are you advising and telling this organization to start today?

27
00:02:42,000 --> 00:02:53,800
Well, that's actually pretty common. And let's start at the beginning. Right? So the organization

28
00:02:53,800 --> 00:03:00,500
has current requirements right now. So we know that the DFAR 252.204-7012 clause is

29
00:03:00,500 --> 00:03:06,880
in their contract. That means that there are related clauses, the 7019 and 7020. So

30
00:03:06,880 --> 00:03:11,560
likely they have to meet the 7012 requirements. They have to testify to those requirements

31
00:03:11,560 --> 00:03:18,520
and have an updated SPRS score and have that score for them to be eligible for either the

32
00:03:18,520 --> 00:03:24,280
current prime contracts or their current subcontracts. So laying that foundation is really important

33
00:03:24,280 --> 00:03:28,560
because what that does is that says, yeah, we've got a sense of urgency and priority

34
00:03:28,560 --> 00:03:34,520
for CMMC. But reality is that we've sort of been juggling or maybe dropped the ball with

35
00:03:34,520 --> 00:03:40,680
the DFAR 7012 requirements right now. Right? So now we've got really equal footing, which

36
00:03:40,680 --> 00:03:47,680
is we got to own our current liabilities and risks, and we've got to really get position

37
00:03:47,680 --> 00:03:53,560
and focus to be able to meet this impending timeline and deadline that we're going to

38
00:03:53,560 --> 00:04:00,680
see emerge underneath in 2025. So let's take a very close look at what are our requirements

39
00:04:00,680 --> 00:04:04,680
as they are right now, not CMMC, just the DFAR requirements right now.

40
00:04:04,680 --> 00:04:05,680
Yeah.

41
00:04:05,680 --> 00:04:09,520
So we have to have an updated system security plan. And that system security plan has to

42
00:04:09,520 --> 00:04:16,120
be updated annually. That's DOD policy. Right? We have to have conducted our risk assessments

43
00:04:16,120 --> 00:04:23,320
and our security assessments as prerequisites to updating that plan. Okay? And documented

44
00:04:23,320 --> 00:04:27,120
that by the way, even though the NIST standard 171 says, you know, you don't necessarily

45
00:04:27,120 --> 00:04:33,640
have to document it, but we know that for the SPRS score, it requires adequate and sufficient

46
00:04:33,640 --> 00:04:40,280
evidence to justify the score. Right? So for every point value that we have, assuming that

47
00:04:40,280 --> 00:04:43,840
folks in the audience, probably a mixed audience, some of them may know what SPRS is and some

48
00:04:43,840 --> 00:04:50,720
of them may not. But SPRS is a point-based system used to evaluate your current readiness

49
00:04:50,720 --> 00:04:57,840
and compliance with the DFAR 7012. For every single point value, that has to be justified

50
00:04:57,840 --> 00:05:02,720
with adequate and sufficient evidence. If we don't have the evidence and it's not adequate

51
00:05:02,720 --> 00:05:08,800
and sufficient, then we shouldn't be giving ourselves credit for that score.

52
00:05:08,800 --> 00:05:14,560
So now we understand that not only do we have to meet these current requirements, but

53
00:05:14,560 --> 00:05:20,440
we have to have the appropriate documentation in place, very detailed, in order to sustain

54
00:05:20,440 --> 00:05:27,160
and support the current eligibility requirements. So, you know, oftentimes, the very first questions

55
00:05:27,160 --> 00:05:31,920
that I ask is, all right, when was the last time that whoever's in charge now took a look

56
00:05:31,920 --> 00:05:36,600
at the system security plan? When was the last time that they conducted their risk assessment

57
00:05:36,600 --> 00:05:42,840
or their security assessment? DTC Global will call them RSA, right? You know, combined together.

58
00:05:42,840 --> 00:05:47,360
So when did we do that last? And, you know, many people call that a gap analysis, but

59
00:05:47,360 --> 00:05:52,360
in my humble opinion, that's not enough because we're looking at gaps, we're looking at non-conformities,

60
00:05:52,360 --> 00:05:56,440
and we're also looking at areas of conformity, right? So we don't just want to understand

61
00:05:56,440 --> 00:06:00,840
where our gaps are. We have to understand where we're not compliant and we thought we

62
00:06:00,840 --> 00:06:09,520
were compliant. And we also have to understand the areas that we really need to address in

63
00:06:09,520 --> 00:06:15,360
order to have adequate and sufficient evidence to sustain the score we give ourselves. So,

64
00:06:15,360 --> 00:06:21,200
that foundation, that foundation sort of lays the groundwork for where are we now? Who's

65
00:06:21,200 --> 00:06:27,080
been involved? Who's in charge, right? Do we have advocacy at the senior executive level?

66
00:06:27,080 --> 00:06:34,600
Do we have participation led by the IT team? Do we have participation led by our CUI stakeholders?

67
00:06:34,600 --> 00:06:40,640
That's what I call those folks who send and receive and develop CUI in performance of

68
00:06:40,640 --> 00:06:46,880
their contract, right? Do they even know that they develop CUI or likely, very likely in

69
00:06:46,880 --> 00:06:52,400
a manufacturing environment, that they develop CUI in performance of their contract? So,

70
00:06:52,400 --> 00:06:58,040
do we have folks like Quality involved? Do we have folks, do we currently produce or

71
00:06:58,040 --> 00:07:04,720
handle export controlled information? So, the next real step on that process is who

72
00:07:04,720 --> 00:07:11,080
are our stakeholders and then begin that CUI discovery process? Are they aware of the types

73
00:07:11,080 --> 00:07:19,440
and categories of CUI that they actually receive and develop in performance of their contracts?

74
00:07:19,440 --> 00:07:23,320
So, very likely, it's going to be controlled technical information and export controlled

75
00:07:23,320 --> 00:07:29,080
information. And do we have any in-house expertise about those two different types of information?

76
00:07:29,080 --> 00:07:33,000
Because yes, they are very similar, but they're very, very important differences according

77
00:07:33,000 --> 00:07:39,120
to DOD policy. So, now we establish the fact that we need some stakeholders on the business

78
00:07:39,120 --> 00:07:43,240
side. This isn't an IT project. And if we leave it to the IT folks, we're absolutely

79
00:07:43,240 --> 00:07:51,360
going to fail. So, there's no way to survive a US government audit or an audit by a prime

80
00:07:51,360 --> 00:07:54,840
contractor if we leave it to the IT people, right?

81
00:07:54,840 --> 00:08:01,600
Yeah. And that's not a knock on the IT side either. It's that this is an IT and security

82
00:08:01,600 --> 00:08:06,200
working together problem, right? That's what the requirements say. And I think the scenario

83
00:08:06,200 --> 00:08:10,200
that we're talking about here, and then I'll let you obviously finish here, is you've seen

84
00:08:10,200 --> 00:08:17,120
a lot of this in the last two years where it was an IT project and that person or people

85
00:08:17,120 --> 00:08:21,600
don't work there anymore. And it's not necessarily because they were told to leave. They were,

86
00:08:21,600 --> 00:08:25,720
I think, personally, I think we see this, like they can see that this is going to be

87
00:08:25,720 --> 00:08:30,040
a tough to not get buy-in from leadership and try to have a successful outcome here.

88
00:08:30,040 --> 00:08:34,440
And they've gone somewhere else, right? And now because they put it on one person, that

89
00:08:34,440 --> 00:08:38,000
person's not there anymore. The new person who comes in is looking at a mess. Like, how

90
00:08:38,000 --> 00:08:42,960
do I make something of this? So, yes, I think that's a huge point when it comes to passing

91
00:08:42,960 --> 00:08:48,520
an assessment is a totally different scenario than getting something put together to then

92
00:08:48,520 --> 00:08:50,520
run an assessment. So, sorry, keep going.

93
00:08:50,520 --> 00:08:57,680
No, no, no. I mean, you're spot on, Derek. Remember that my responsibilities as an IT

94
00:08:57,680 --> 00:09:03,040
person are to provide the infrastructure and the resources for a business to run on the

95
00:09:03,040 --> 00:09:09,400
IT side, right? And to provide security for those requirements and provide compliance

96
00:09:09,400 --> 00:09:15,680
for the things that I'm responsible for. And if I switch hats, who's responsible for the

97
00:09:15,680 --> 00:09:23,400
actual information? Because as the IT guy, I'm not responsible for the information. I'll

98
00:09:23,400 --> 00:09:28,880
defend or I will make compliant whatever the information is, but I don't know where the

99
00:09:28,880 --> 00:09:34,640
information is. I don't develop the information. I don't receive the information. So, the IT

100
00:09:34,640 --> 00:09:39,200
stakeholders have, in my mind, actually the greatest responsibility because they're a

101
00:09:39,200 --> 00:09:45,040
living breathing thing that's taking place during the performance of the contract. And

102
00:09:45,040 --> 00:09:49,000
oftentimes the IT teams don't know that much about the actual contract performance and

103
00:09:49,000 --> 00:09:50,200
what's taking place.

104
00:09:50,200 --> 00:09:51,200
Yeah.

105
00:09:51,200 --> 00:09:58,300
You've got this harmonious relationship between the IT infrastructure and what happens, Derek,

106
00:09:58,300 --> 00:10:05,160
if we outsource part of that, right? Do they know what responsibilities are on their plate?

107
00:10:05,160 --> 00:10:09,080
Do they know what the expectations are? Do they know that compliance is coming for those

108
00:10:09,080 --> 00:10:14,960
outside services that we may external service providers that we may outsource? What happens

109
00:10:14,960 --> 00:10:20,300
if we, you know, we may be a medium or small size ship, but what happens if we have a mothership?

110
00:10:20,300 --> 00:10:27,040
Does the mothership know that they might be involved, depending upon the shared services,

111
00:10:27,040 --> 00:10:31,120
involved in actually being compliant, being required to be compliant? So, we've got these

112
00:10:31,120 --> 00:10:37,560
real challenges about, that are happening on both sides of the fence. The most important

113
00:10:37,560 --> 00:10:45,160
control of all the controls is 3.1.3, which is, how do we control the flow of CUI? At

114
00:10:45,160 --> 00:10:50,120
the end of the day, every single one of the controls and safeguarding requirements is

115
00:10:50,120 --> 00:10:55,960
about the protection and the confidentiality of CUI. So, where does that CUI flow, wherever

116
00:10:55,960 --> 00:11:00,360
it goes, inside of our business process and wherever it goes, inside the IT infrastructure

117
00:11:00,360 --> 00:11:04,280
that supports that business process, in order to deliver the products and services that

118
00:11:04,280 --> 00:11:10,120
we're contracted to do. So, we have to be able to have a situation, awareness and knowledge

119
00:11:10,120 --> 00:11:15,440
that controlling the flow of CUI is a bifurcated process. You've got one side of the fence,

120
00:11:15,440 --> 00:11:19,640
you've got the business process stakeholders. The other side of the fence, you've got your

121
00:11:19,640 --> 00:11:24,920
folks out there who are providing the IT infrastructure or coordinating those services, right?

122
00:11:24,920 --> 00:11:30,720
So, now that we laid that foundation, that I'm not just the IT person sitting inside

123
00:11:30,720 --> 00:11:36,480
of my cube, wondering, how am I going to possibly get all this done, when I'm frustrated or

124
00:11:36,480 --> 00:11:41,480
that I don't really understand the requirements very well and I don't understand what CUI

125
00:11:41,480 --> 00:11:46,480
is and I really don't understand how these requirements really apply, in terms of the

126
00:11:46,480 --> 00:11:51,760
management, operational and maybe some of the technical controls, yes, but the management

127
00:11:51,760 --> 00:11:56,160
and operational controls that are going to take place, again, beyond my area of responsibility,

128
00:11:56,160 --> 00:11:59,800
beyond my area of accountability. Now, I can't hold, you know, I don't have the power to

129
00:11:59,800 --> 00:12:05,720
hold people accountable. And so, I need that senior executive buy-in. So, that sort of

130
00:12:05,720 --> 00:12:13,760
foundational reset is really, really important, in order to make progress. Because what's

131
00:12:13,760 --> 00:12:20,700
going to end up happening is, if I'm the IT person and I open up the good book, NIST 800-171

132
00:12:20,700 --> 00:12:25,560
and I started Access Control, I'm going to realize that I'm going to get three-fourths

133
00:12:25,560 --> 00:12:30,640
the way through the controls, I'm going to get into configuration management. I'm going

134
00:12:30,640 --> 00:12:38,040
to get into controls like 3.4.6, 3.4.7, 3.13.1. And I'm going to realize that there are parts

135
00:12:38,040 --> 00:12:41,760
of the company that I thought were going to be in scope, that are not allowed to be in

136
00:12:41,760 --> 00:12:48,600
scope because they're not essential capabilities. And we've got the split environment that we

137
00:12:48,600 --> 00:12:54,040
do. We don't do all military stuff. We do about 20 or 30% of our stuff is military or

138
00:12:54,040 --> 00:13:00,400
DoD stuff. So, we've got 70% of our work is not even, is not, has no relationship to the

139
00:13:00,400 --> 00:13:09,600
DoD work at all. So, now, how do I manage those resources and that IT flow and the challenges

140
00:13:09,600 --> 00:13:14,040
regarding scoping and regarding isolation and regarding essential capabilities and central

141
00:13:14,040 --> 00:13:18,040
programs and essential services? How do I manage that when I'm three-fourths the way

142
00:13:18,040 --> 00:13:22,720
through the book and then I discover that I've got to, and I don't know anything about

143
00:13:22,720 --> 00:13:26,600
the essential capabilities, what does it take to execute the contract? Well, I mean, I've

144
00:13:26,600 --> 00:13:31,640
got some idea, but I don't know everything. So, now, I have to three-fourths the way through

145
00:13:31,640 --> 00:13:37,000
the book. I've got to stop if I realize where I've gone wrong. Then, I've got to find my

146
00:13:37,000 --> 00:13:41,160
IT stakeholder, my CUI stakeholder, and find out what is it that they need to do their

147
00:13:41,160 --> 00:13:47,920
job. And now, I have to undo all the previous work that I just did because now, I realize

148
00:13:47,920 --> 00:13:51,880
that there's these other responsibilities that we have to incorporate of people I don't

149
00:13:51,880 --> 00:13:58,280
control. So, having that reset and understanding the fact that the requirements, number one,

150
00:13:58,280 --> 00:14:04,040
should not be implemented. This is not a romance novel. We're not starting at page one of this

151
00:14:04,040 --> 00:14:07,480
800-171 and reading it from front cover to back cover, right?

152
00:14:07,480 --> 00:14:10,440
Yep. Spoiler alert, the good stuff is the middle

153
00:14:10,440 --> 00:14:15,480
towards the back, right? That's the stuff that the IT people should be aware about because

154
00:14:15,480 --> 00:14:18,960
that sets the boundary of the environment along with the scoping guide.

155
00:14:18,960 --> 00:14:22,120
Yeah. Scoping guide, Regan, what's that, right?

156
00:14:22,120 --> 00:14:28,600
What are these other resources that I need? So, now, I have to realize as an IT person

157
00:14:28,600 --> 00:14:35,320
that not only do I need the NIST 800-171, revision two, as a primary resource, but

158
00:14:35,320 --> 00:14:42,440
I also need these additional resources that I may have, if I was there previously, in

159
00:14:42,440 --> 00:14:47,120
the previous years, I may have thought that the CMMC assessment guide or something like

160
00:14:47,120 --> 00:14:52,400
that was the Bible and that I was going to use that as my primary reference. And of course,

161
00:14:52,400 --> 00:14:58,120
we know, you and I both know that that was never true, but we're thankful that the rule

162
00:14:58,120 --> 00:15:00,280
actually caught up with it, right? Yeah.

163
00:15:00,280 --> 00:15:04,200
And so, we know that those changes are important and we got to be aware of those changes.

164
00:15:04,200 --> 00:15:09,680
Yeah. And we're going to have to wrap up here because that's all. So, first off, yes, thank

165
00:15:09,680 --> 00:15:14,320
you for walking through that because we've seen way more conversations as I'm sure you

166
00:15:14,320 --> 00:15:19,000
have to in the last six months of I need help. I got to figure out where to start. And I

167
00:15:19,000 --> 00:15:25,240
will say from our lens and what we've seen because you can't be required to be CMMC certified

168
00:15:25,240 --> 00:15:30,440
yet. So, what seems to be working really well is for these individuals or these teams who

169
00:15:30,440 --> 00:15:35,280
are trying to clean up a mess is that when they develop a really strong plan of how they're

170
00:15:35,280 --> 00:15:39,040
going to do it, that gets accepted, builds a lot of confidence with their mothership,

171
00:15:39,040 --> 00:15:43,800
if you will, or somebody, right? To buy in leadership is, hey, you know what? I wasn't

172
00:15:43,800 --> 00:15:48,280
here. To your point on responsibility, this is where we're at. This is a moment in time

173
00:15:48,280 --> 00:15:52,360
assessment which they're required to do. This is where we are short, but here is what we

174
00:15:52,360 --> 00:15:56,280
are capable of doing and here is what we're not. So, we're going to allocate these resources

175
00:15:56,280 --> 00:16:00,160
to these, right? And like build an actual plan, like you said, rather than read the

176
00:16:00,160 --> 00:16:04,320
book from the beginning and then get three quarters of the way through the book. And

177
00:16:04,320 --> 00:16:07,880
now someone says, well, show me your plan. Like, how are you actually going to get there

178
00:16:07,880 --> 00:16:11,240
by then? So, I don't really know. We're just trying to figure it out. So, I think that's

179
00:16:11,240 --> 00:16:16,640
a really good topic point. Again, we've talked about this on the previous episodes. We're

180
00:16:16,640 --> 00:16:22,560
going to revisit these topics and we'll call it six months or so once the rule is in place

181
00:16:22,560 --> 00:16:27,200
and things are starting to happen and there's more feedback from whether it's DOD or assessors

182
00:16:27,200 --> 00:16:32,520
or whoever on how it's going. I think topics like this are going to be very, very important

183
00:16:32,520 --> 00:16:36,960
for people to do something, right? Get in there and start doing what you can. So, last

184
00:16:36,960 --> 00:16:37,960
thing for you.

185
00:16:37,960 --> 00:16:44,200
Derek, I just wanted to summarize. The theme of what I just talked about over the short

186
00:16:44,200 --> 00:16:48,920
few minutes is that the IT team needs to discover what they don't know.

187
00:16:48,920 --> 00:16:49,920
Yes.

188
00:16:49,920 --> 00:16:53,960
Right? And by discovering what they don't know, they're going to find out that they

189
00:16:53,960 --> 00:16:58,880
cannot do it alone and they really need to buckle down. And it is a team effort, as you

190
00:16:58,880 --> 00:17:00,880
just said, Derek.

191
00:17:00,880 --> 00:17:08,880
Well, where can people go to talk to Regan and his team for help?

192
00:17:08,880 --> 00:17:17,240
Sure. So, you can reach out to us at DTCGlobal.us, okay? And there's another DTC Global out there,

193
00:17:17,240 --> 00:17:23,040
I guess, in Florida or whatnot, but they do IT support. You can also reach out to the

194
00:17:23,040 --> 00:17:29,560
CMMC Industry Standards Council and we established that as a mechanism for good folks out there

195
00:17:29,560 --> 00:17:34,760
who are anxious and worried about discovering what they don't know, right? You've participated

196
00:17:34,760 --> 00:17:41,280
in this for many years now, Derek, you and Eric both, along with other folks from Cuick

197
00:17:41,280 --> 00:17:47,240
Trac, Brooke, and so on and so forth. And reach out to us in the CMMC Industry Standards

198
00:17:47,240 --> 00:17:54,320
Council and submit the questions and we'll make sure that you get the answers that you

199
00:17:54,320 --> 00:17:59,520
can depend on with reliable and consistent information that's really consistent with

200
00:17:59,520 --> 00:18:02,320
the standard and give you the guidance and direction that you need.

201
00:18:02,320 --> 00:18:07,400
Perfect. Love it. Thank you, Regan. Appreciate you having time on. I know it's hard to get

202
00:18:07,400 --> 00:18:11,840
through some of these topics in 10-ish minutes, but when they're relevant topics, we need

203
00:18:11,840 --> 00:18:16,960
to get through them and give people a real good lens. So, thanks for those for listening.

204
00:18:16,960 --> 00:18:21,880
And if you want to subscribe on YouTube or go to your favorite podcast platform and follow

205
00:18:21,880 --> 00:18:26,560
along for past episodes and future episodes, you know the drill. Thank you again, Regan,

206
00:18:26,560 --> 00:18:31,560
for joining us and we'll talk to you next time. Absolutely. Look forward to it, Derek.

207
00:18:31,560 --> 00:18:36,480
Take care. Thank you for listening to this episode and

208
00:18:36,480 --> 00:18:41,680
make sure to subscribe to the Quick 10 Podcast wherever you get your podcasts and check us

209
00:18:41,680 --> 00:18:50,920
out on YouTube as well. For more information about Cuick Trac, visit our website at www.cuicktrac.com.

210
00:18:50,920 --> 00:18:54,640
That's C-U-I-C-K-T-R-A-C dot com.

