1
00:00:00,000 --> 00:00:16,320
Welcome to the Quick 10 podcast brought to you by Quick Track, focusing on all things FedCon and cyber defense from different perspectives and different personalities, all in 10 ish minutes. Here's your host, Derek White.

2
00:00:16,320 --> 00:00:38,440
All right, everybody. Welcome back to another episode of the Quick 10 podcast. I am your host, Derek White with Quick Track. And today I have a very special guest, Vince Scott, CEO and founder of Defense Cybersecurity Group joining me. Thank you, Vince, for being on.

3
00:00:39,400 --> 00:00:41,520
Derek, thanks for inviting me. Really enjoyed being here.

4
00:00:41,520 --> 00:01:11,520
Yeah, this is going to be a, it's going to be a good topic. Big fan of the stuff that you put out in the industry. Today we're going to get into the challenge of documentation specific to cyber regulations like CMMC and some others. But more importantly, I would like to let people know that, you know, if you're a first time listener or watcher, links below in the comments, you can go on our website, you can go on some other areas, subscribe, like, share, comment. We've had people submit some questions for future topics, which has been really

5
00:01:11,520 --> 00:01:25,960
fun. But more importantly, take a look out for that. And then we're going to get into a brief conversation here, as brief as we can. There have been some updates from the industry that we're probably going to touch on. So we may go slightly over as we normally do.

6
00:01:26,880 --> 00:01:41,120
Yeah, so Vince, thanks for joining me. You know, we, just to kind of let the listeners and watchers know, you know, give us a little bit about you and who you are and what you do so that people don't think that I just went to the supermarket and asked somebody to join me.

7
00:01:41,120 --> 00:01:46,600
So a little bit of that so that we can get into this topic so they know that it's coming with some real world experience.

8
00:01:47,880 --> 00:02:02,880
Yeah, I'm a Naval Academy grad. I was one of the early computer science majors out of the Naval Academy, retired from the Navy in 2010. I was a U.S. Navy cryptologist.

9
00:02:02,880 --> 00:02:15,200
I actually started out as a regular old ship driver and then moved into cryptology as my career field. Think offense. I had everything to do with offense and nothing to do with defense as a Navy cryptologist.

10
00:02:16,720 --> 00:02:26,520
And then since 2010, I've had a number of different roles in academia and industry around cybersecurity, cyber defense, etc.

11
00:02:26,520 --> 00:02:40,440
I'm currently the founder and CEO of Defense Cybersecurity Group, where we help focus on helping defense companies do the cybersecurity that they need to do and be compliant.

12
00:02:40,440 --> 00:02:51,040
So I like to see the compliance requirements as a leverage point to actually do cybersecurity. So we're better protecting these companies and our national defense information.

13
00:02:51,040 --> 00:03:07,360
Yeah, well said. And thank you for your service. That's the kind of background that, you know, it goes without saying is the real world experiences, specifically maybe four or five years ago where things were, or even 10, 15 years ago where things were and where we're going really do change.

14
00:03:07,360 --> 00:03:16,320
And I appreciate the comment on compliance because we want to see this done. The good people want to see this get done. They don't want to see people continue to struggle with anything on the cyber defense side.

15
00:03:16,320 --> 00:03:29,440
As mentioned before, we have had a little bit of an update as of this recording. The CFR, 32 CFR 170 has been moved on and we expect that any day here to be.

16
00:03:29,440 --> 00:03:37,040
So maybe by the time this is out, it is out. But that's a little bit of a big milestone, big movement here on the CMMC front.

17
00:03:37,040 --> 00:03:46,640
Do you want to share just a couple seconds on what that means to the industry and those that are monitoring and hopefully working on their compliance, but what that really means to those that are listening?

18
00:03:46,640 --> 00:03:54,160
Yeah, I think it's kind of confusing because there are actually two rules in progress simultaneously, right?

19
00:03:54,160 --> 00:04:03,520
The leading edge of this is the 32 CFR 170, which is the CMMC program rule, the Cybersecurity and Maturity Model Certification.

20
00:04:03,520 --> 00:04:19,520
So that's the DOD's new audit and assessment process for companies in the defense industrial base to ensure that they are actually doing the cybersecurity that they have been signed up to for the last eight years or so.

21
00:04:19,520 --> 00:04:30,080
They have also added the requirements and expanded the scope of where those requirements apply in this new regulation.

22
00:04:30,080 --> 00:04:35,600
So a lot of times the DOD will say, hey, this is just what we've always been asking you to do.

23
00:04:35,600 --> 00:04:42,960
And I feel very strongly that that's not the case. We have expanded the requirements as a part of this regulation.

24
00:04:42,960 --> 00:04:51,280
And so the 32 CFR rule is sort of like everything CMMC, how it works, how it's put together, what the ecosystem looks like, et cetera.

25
00:04:51,280 --> 00:04:56,560
And then trailing that, you've got the 48 CFR rule, which is currently proposed.

26
00:04:56,560 --> 00:05:01,040
So it's draft and it's out for comment right now. Comments close on October 15th.

27
00:05:01,040 --> 00:05:05,520
And we expect to see that in the new year. What does this mean?

28
00:05:05,520 --> 00:05:13,840
It means CMMC is real. The DOD is going to be checking your cybersecurity homework.

29
00:05:13,840 --> 00:05:18,080
I think that's the biggest message for companies out there.

30
00:05:18,080 --> 00:05:28,720
And the vast majority of companies, I would argue over 75 percent of the companies in the defense industrial base today really haven't done this.

31
00:05:28,720 --> 00:05:33,520
They really haven't implemented the required security controls.

32
00:05:33,520 --> 00:05:38,360
They really don't have programs to protect the DOD's information.

33
00:05:38,360 --> 00:05:46,760
Yeah, sure. It's been another one of the stack of contract clauses that's included by reference in every contract that honestly,

34
00:05:46,760 --> 00:05:55,160
in federal government contracting, it's very typical for contractors to not pay attention to all the clauses.

35
00:05:55,160 --> 00:06:06,440
If you printed them all out, you would fill a room with regulation, and it's just this huge volume of stuff that's thrown on the contracts.

36
00:06:06,440 --> 00:06:15,000
Right. So it's not just cybersecurity that companies don't necessarily pay attention to all those clauses.

37
00:06:15,000 --> 00:06:18,000
But now the DOD is saying, hey, we're going to come check your homework.

38
00:06:18,000 --> 00:06:27,560
We're going to come look to see if you're actually doing this, or we're going to have a commercial assessment organization, a C3PAO, come and look.

39
00:06:27,560 --> 00:06:32,440
And we want them to certify that you are doing this.

40
00:06:32,440 --> 00:06:41,360
That means that you need to be doing it. And so the biggest impact of 32 CFR is that, no, CMMC is real.

41
00:06:41,360 --> 00:06:47,680
We expect that rule to be final, as you said, Derek, in the next few days, if not few weeks.

42
00:06:47,680 --> 00:06:56,080
Right. So when that'll really get released out of the Pentagon into the federal register is always kind of opaque to the rest of us out here in the real world.

43
00:06:56,080 --> 00:07:06,760
But it's definitely done. And they're putting the final polishing points on the public affairs release and all that stuff before it comes out.

44
00:07:06,760 --> 00:07:18,240
So we will see this very soon. And I expect that we will also see 48 CFR probably final in the first quarter of next year.

45
00:07:18,240 --> 00:07:23,720
Maybe it'll go into the second quarter. I honestly would be surprised if it went any further than that.

46
00:07:23,720 --> 00:07:30,720
I fully expect that sort of March, April next year, we're going to see a final 48 CFR rule.

47
00:07:30,720 --> 00:07:35,760
And with both those rules together, man, CMMC is live. It's in contract. It's going.

48
00:07:35,760 --> 00:07:48,440
So this is another major step forward for the program and for companies that have been sitting on the fence and saying, oh, I'll wait until the rule is final to do this.

49
00:07:48,440 --> 00:07:53,400
Now is the time to get serious. It's past time.

50
00:07:53,400 --> 00:08:04,480
We often recommend that it's probably a year or 18 months to go from zero to fully implemented on this and CMMC assessment ready.

51
00:08:04,480 --> 00:08:07,400
The timeline I just talked about was six to nine months.

52
00:08:07,400 --> 00:08:14,120
So you're already inside the window of a cold start as we see it.

53
00:08:14,120 --> 00:08:25,320
So please, I encourage every company to be looking at this and be serious about, hey, we're going to have to have an assessor come in.

54
00:08:25,320 --> 00:08:28,200
And those assessments are going to be pretty demanding. Yeah.

55
00:08:28,200 --> 00:08:38,360
And you're right. And there's obviously there's a difference between people who have had these requirements and said we are versus those that are trying to figure out how this plays into it.

56
00:08:38,360 --> 00:08:42,960
Because maybe they don't have the contracts yet. And that's a conversation we can go on and on about.

57
00:08:42,960 --> 00:08:48,000
But, you know, that's almost sounded like a rehearsed transition into what we're going to get into,

58
00:08:48,000 --> 00:08:56,240
because there is a difference between having things and buying stuff and looking at it and dusting it off later.

59
00:08:56,240 --> 00:08:59,720
But there's also something more to be said about the compliance side.

60
00:08:59,720 --> 00:09:03,920
What are they going to be looking for, to what depths and what responsibilities?

61
00:09:03,920 --> 00:09:10,360
And this topic is all over the board because this is the reason that we have guests on like you is your opinion.

62
00:09:10,360 --> 00:09:14,480
Vince might be different than someone else's opinion on how to do it and what it means in the depth.

63
00:09:14,480 --> 00:09:20,880
And some things have to be very agreed upon when it comes to third party attestation and assessment certifications.

64
00:09:20,880 --> 00:09:24,200
But this is unprescribed and you can do things different ways.

65
00:09:24,200 --> 00:09:29,880
But a lot of people focus on documentation first without having everything in place, which makes it very difficult.

66
00:09:29,880 --> 00:09:35,560
And we've got people over here, you know, starting with tools and things and they don't document deep enough.

67
00:09:35,560 --> 00:09:38,000
So today we're going to get into the challenge of documentation.

68
00:09:38,000 --> 00:09:41,760
I got a couple of questions for you.

69
00:09:41,760 --> 00:09:45,200
Real quick, Derek, before you jump into questions, let me say one thing.

70
00:09:45,200 --> 00:09:51,160
So I am a huge believer. When I was a plebe at the Naval Academy,

71
00:09:51,160 --> 00:09:56,320
they made us memorize quotes from famous naval leaders.

72
00:09:56,320 --> 00:10:08,760
And there was one from John Paul Jones that is a standard part of plebe rates that has grown more and more and more true as I've gotten older in my career.

73
00:10:08,760 --> 00:10:10,440
You know, when you're a plebe, you just memorize them.

74
00:10:10,440 --> 00:10:14,000
But now you look back and go, man, they really had something there.

75
00:10:14,000 --> 00:10:23,280
So in the Revolutionary War, John Paul Jones said, men mean more than guns in the rating of a ship.

76
00:10:23,280 --> 00:10:31,560
And for all that it's not PC for today, what he was really talking about was people are more important than my hardware,

77
00:10:31,560 --> 00:10:39,120
more important than the tools that I have on deck or the people that I have manning and using those tools.

78
00:10:39,120 --> 00:10:52,080
And so I think that absolutely every cybersecurity and compliance program should start with not what technology I have or how have I documented that,

79
00:10:52,080 --> 00:10:56,840
but should start with who do I have doing this work?

80
00:10:56,840 --> 00:10:58,880
Do I have the right people?

81
00:10:58,880 --> 00:11:03,640
Have I assigned the right people to the job?

82
00:11:03,640 --> 00:11:09,640
People mean more than hardware is something that's often lost in the cybersecurity space.

83
00:11:09,640 --> 00:11:13,600
We tend to look at the CEO, senior executives, look at this and say, yep, I see.

84
00:11:13,600 --> 00:11:15,960
I see. What is that? Oh, it's a cybersecurity thing.

85
00:11:15,960 --> 00:11:19,240
That means I.T. I.T., go take care of this.

86
00:11:19,240 --> 00:11:22,680
That is not necessarily the right answer.

87
00:11:22,680 --> 00:11:24,360
I don't think it ever is.

88
00:11:24,360 --> 00:11:28,760
This is really a business problem for which I.T. cannot solve all the equation.

89
00:11:28,760 --> 00:11:31,280
They're a big part of it, but they're not totally.

90
00:11:31,280 --> 00:11:32,920
People are more important than hardware.

91
00:11:32,920 --> 00:11:34,600
Yeah. No, that's a great quote.

92
00:11:34,600 --> 00:11:36,320
And no, that's awesome.

93
00:11:36,320 --> 00:11:37,560
Then totally agree.

94
00:11:37,560 --> 00:11:43,920
And as we go through right now, it's the defense industrial base, but across FedCon,

95
00:11:43,920 --> 00:11:47,880
the last small businesses, a lot of disadvantaged, a lot of resource constraints.

96
00:11:47,880 --> 00:11:51,120
And you're right that cybersecurity is one part of the requirement.

97
00:11:51,120 --> 00:11:55,800
There's a lot of other requirements that they have to do within contracting that have nothing to do with cybersecurity.

98
00:11:55,800 --> 00:11:58,800
And that's probably the same same quote, right?

99
00:11:58,800 --> 00:12:01,520
Yeah. Who and what is not the same thing.

100
00:12:01,520 --> 00:12:03,720
So who do I have doing this work? Yeah.

101
00:12:03,720 --> 00:12:07,840
But in the now, what we see here is we've got the technology piece of this right.

102
00:12:07,840 --> 00:12:16,000
And Derek and I, talking for the audience, decided that, hey, let's talk about the documentation side of this.

103
00:12:16,000 --> 00:12:19,280
And that's a much more tactical question.

104
00:12:19,280 --> 00:12:23,360
But what does that look like for CMMC?

105
00:12:23,360 --> 00:12:30,920
Yeah. So the question that always comes up, because there's a lot of focus on policies and procedures

106
00:12:30,920 --> 00:12:38,360
and documentation and all this other stuff. So, you know, how much documentation is needed?

107
00:12:38,360 --> 00:12:43,800
I know it's a little bit of a relative answer here, but specifically, you know, how much work goes into that?

108
00:12:43,800 --> 00:12:46,120
And I have a little follow up question, depending on how you answer this.

109
00:12:46,120 --> 00:12:53,840
But, you know, how much documentation is needed for this to pass the assessment, you know, to show your compliance?

110
00:12:53,840 --> 00:13:03,160
I normally say that we need 300 to 500 pages of documentation specific to your company.

111
00:13:03,160 --> 00:13:09,480
This is not I went out and bought templates and I said, well, I'm doing those templates.

112
00:13:09,480 --> 00:13:14,080
Every template has to be tailored for your company and the way you do things.

113
00:13:14,080 --> 00:13:20,480
There is no getting around that. In fact, my company, we don't even sell templates.

114
00:13:20,480 --> 00:13:29,480
I sell tech writer time with access to our templates so they can bring those to the table to help you in your company.

115
00:13:29,480 --> 00:13:38,880
But it's such a matter of tailorization that I don't even try to push blank templates out for people to use and try to fill in themselves.

116
00:13:38,880 --> 00:13:41,680
I don't find that a good approach.

117
00:13:41,680 --> 00:13:56,720
I also say that of that 300 to 500 pages of documentation, there's really very little in the CMMC specification that tells you how to formulate that.

118
00:13:56,720 --> 00:14:04,560
I like to say you could probably have, you know, one hundred three-page documents or three hundred-page documents.

119
00:14:04,560 --> 00:14:10,800
I don't really care as an assessor, but everything that needs to be documented needs to be documented.

120
00:14:10,800 --> 00:14:16,600
And there's a lot of requirements to document things in CMMC.

121
00:14:16,600 --> 00:14:20,080
So it could, you know, so then answer.

122
00:14:20,080 --> 00:14:26,400
So let's, here's my next question. So there's probably not something

123
00:14:26,400 --> 00:14:30,680
about too much documentation as it might be more confusing in how it's documented.

124
00:14:30,680 --> 00:14:37,880
Right. So that's one of the big things we see is, you know, you hear people here, 300, 500, and, you know, OK, well, if you have it, it's tailored,

125
00:14:37,880 --> 00:14:44,000
which it absolutely should be specific to the company and not just everybody can buy whatever you want.

126
00:14:44,000 --> 00:14:51,360
But we also see if it's not documented correctly or it's all over the place that an assessor might say, hey, I can see it.

127
00:14:51,360 --> 00:14:53,680
I just don't know where to find it. You know, who's going to pull it.

128
00:14:53,680 --> 00:15:05,640
So you talk a little bit about not so much the too much, but the too confusing, and some of the things that you see that really help the assessor and the organization make it more efficient.

129
00:15:05,640 --> 00:15:12,440
Yeah, I have seen DIBCAC turn down a joint surveillance assessment because they found the documentation too confusing,

130
00:15:12,440 --> 00:15:18,240
not because they didn't think it was right; it was because they couldn't figure out whether it was right or not.

131
00:15:18,240 --> 00:15:25,080
So there is something to be said about making sure that we've got this organized and focused.

132
00:15:25,080 --> 00:15:31,120
I also like to keep the total number of documents constrained.

133
00:15:31,120 --> 00:15:39,520
So there are template stacks out there that you can buy that will give you a hundred different documents that need to be filled in.

134
00:15:39,520 --> 00:15:49,880
I think that's too many. There are some, you know, there's some tactical pieces of how I divide up documentation.

135
00:15:49,880 --> 00:15:54,520
Sometimes it's based on the organization and politics inside your company.

136
00:15:54,520 --> 00:16:01,120
Hey, Fred's in charge of this stuff. So let's make a document that's the stuff that Fred's in charge of.

137
00:16:01,120 --> 00:16:04,880
And that covers these areas. That's OK. Right.

138
00:16:04,880 --> 00:16:13,520
There's, there, maybe that's a good fit, because now Fred has a piece of work and he's doing it, back to the people being more important.

139
00:16:13,520 --> 00:16:26,120
But in general, I like to keep this below 25 documents, you know, sort of 18 to 25 somewhere in there is generally where we land.

140
00:16:26,120 --> 00:16:35,600
I like to put it so there's one document that you have to have to pass the CMMC certification assessment, and that's a system security plan.

141
00:16:35,600 --> 00:16:38,400
It is mandated in the standard.

142
00:16:38,400 --> 00:16:45,640
There is a standard NIST template for that that's posted to the NIST 800-171 Revision 2 web page.

143
00:16:45,640 --> 00:16:55,680
Most people start with that, although you should start with that understanding that it doesn't actually cover everything that needs to be covered in your SSP.

144
00:16:55,680 --> 00:16:59,360
So it's a beef I've got with the template that NIST did.

145
00:16:59,360 --> 00:17:04,160
I think they should have put a spot, a placeholder in for everything that had to be in there.

146
00:17:04,160 --> 00:17:07,600
And that isn't the case, in my view. But.

147
00:17:07,600 --> 00:17:12,600
Better than. Yeah, no, it's a great, it's an 80 or 90 percent starting point, right?

148
00:17:12,600 --> 00:17:16,480
It is the place to start with and you're not going far wrong.

149
00:17:16,480 --> 00:17:21,080
But at the final tweaking and making sure that every I is dotted and T is crossed,

150
00:17:21,080 --> 00:17:29,000
there are some things that we always add to that SSP template in order to make sure that our clients are good.

151
00:17:29,000 --> 00:17:32,680
So you've got to have an SSP. You've got to have one.

152
00:17:32,680 --> 00:17:36,080
You can reference other documentation in there.

153
00:17:36,080 --> 00:17:42,080
So I've seen this question a lot. Hey, do I have to put it all in there or can I reference something else?

154
00:17:42,080 --> 00:17:45,840
Highly encourage you to reference other things.

155
00:17:45,840 --> 00:17:47,760
So a great one for that.

156
00:17:47,760 --> 00:17:54,360
And I think one of the first other documents that I like to see is an incident response plan.

157
00:17:54,360 --> 00:17:58,520
This is a very industry standard document.

158
00:17:58,520 --> 00:18:07,480
There's a NIST SP on how to write one that actually follows the control set in 171 that's required of you.

159
00:18:07,480 --> 00:18:11,720
Those things match pretty closely, which is great.

160
00:18:11,720 --> 00:18:17,000
But I think companies should have an incident response plan and that should probably be a separate document.

161
00:18:17,000 --> 00:18:22,320
So when you get to the incident response section of your SSP, a lot of times it's "see my incident response plan."

162
00:18:22,320 --> 00:18:28,440
No problem with that whatsoever. Yeah. Well, not to mention, you mentioned one of the things I was going to bring up earlier when you mentioned people is

163
00:18:28,440 --> 00:18:35,920
getting into the details of incident response, for example, is a single point of failure and these other things that just enormously drive the risk up.

164
00:18:35,920 --> 00:18:45,640
Right. And for a leadership team or maybe companies that are less expertise driven internally, that's a big thing for C-level.

165
00:18:45,640 --> 00:18:53,320
We see this, you know, owners and general managers of companies and stuff when they start to see, well, yeah, I guess, you know, Ron is doing that.

166
00:18:53,320 --> 00:19:01,800
But if Ron disappears, then what happens? And are there ways to keep our compliance in place, or do we have the right people in place to back up?

167
00:19:01,800 --> 00:19:05,560
Documentation helps with that traceability. All that stuff helps a lot.

168
00:19:05,560 --> 00:19:10,120
So you made a comment there when it comes down to referencing other things.

169
00:19:10,120 --> 00:19:16,440
So question, is it policies for each control, each domain?

170
00:19:16,440 --> 00:19:22,720
You walk through that a little bit to kind of tie that up a little bit more on what that means from a documentation standpoint?

171
00:19:22,720 --> 00:19:30,440
Sure. There are 110 controls. I think a policy per control is a little bit much.

172
00:19:30,440 --> 00:19:38,960
I started off when I did this four or five years ago, kind of did my initial implementation where I'm the chief.

173
00:19:38,960 --> 00:19:45,160
I continue actually to be the chief security officer part time at a medium sized defense contractor.

174
00:19:45,160 --> 00:19:54,640
We did a policy per domain, but over time, I'm actually shrinking even that.

175
00:19:54,640 --> 00:20:02,160
I'm combining some because there's a lot of overlap, for example, between IA and access control.

176
00:20:02,160 --> 00:20:06,400
There's a ton of overlap between what's in those two domains.

177
00:20:06,400 --> 00:20:12,880
OK, let's put those two things together. So I have one document that I have to manage and I don't have to manage it separately.

178
00:20:12,880 --> 00:20:21,200
I also I think it's really important for companies to think about what is a policy?

179
00:20:21,200 --> 00:20:33,000
Who signs it? Where does it fit into my grand scheme of things or what's a procedure or what's a manual or what's a plan or what's a standard law?

180
00:20:33,000 --> 00:20:41,000
Right. Sometimes this is called the policy to have policy, which sounds kind of silly.

181
00:20:41,000 --> 00:20:52,960
But whether you document this is a separate policy or a thing, I think you need to have in your company.

182
00:20:52,960 --> 00:21:01,360
What are we going to use policy for? Who's going to sign policy or who approves policy?

183
00:21:01,360 --> 00:21:05,680
What's a standard versus a procedure versus a guideline?

184
00:21:05,680 --> 00:21:12,120
So if you go to get your master's in cybersecurity, they're going to teach you or maybe undergrad, wherever you go to academia,

185
00:21:12,120 --> 00:21:18,120
they're going to teach you policies, standards, procedures, guidelines is the standard stack.

186
00:21:18,120 --> 00:21:22,520
Not everybody follows that. You don't have to follow that.

187
00:21:22,520 --> 00:21:33,640
One of the places where I see a proliferation of documents is that I'll have a policy, a standard and a procedure as separate documents for a thing.

188
00:21:33,640 --> 00:21:38,680
I really am not a fan of a separate standard and a separate procedure.

189
00:21:38,680 --> 00:21:44,480
I tend to squish those together whenever possible.

190
00:21:44,480 --> 00:21:49,400
Maybe I can deal with a single document right now.

191
00:21:49,400 --> 00:21:56,480
My recommended approach to CMMC is to have an overarching policy that covers all the domains, kind of high level touchy feely.

192
00:21:56,480 --> 00:21:59,920
How are we going to do this? Doesn't change very much.

193
00:21:59,920 --> 00:22:07,480
Very standard corporate documentation. I can have one policy that covers all 14 domains, I think.

194
00:22:07,480 --> 00:22:16,560
Then where needed, let's have a procedure document that covers specific things out of specific domains.

195
00:22:16,560 --> 00:22:23,520
And that may not be every domain. Maybe we like I said, we combine things together.

196
00:22:23,520 --> 00:22:35,040
You know, we're grouping stuff, or we say, for example, I'm currently a fan of, the awareness and training requirements are pretty

197
00:22:35,040 --> 00:22:39,760
straightforward and just not real complex about how we do that.

198
00:22:39,760 --> 00:22:44,480
I'm getting rid of my separate procedure for that and putting it in the system security plan.

199
00:22:44,480 --> 00:22:50,400
It's the same words, essentially. I just decided I didn't need a separate document for it.

200
00:22:50,400 --> 00:22:58,160
Incident response plan, I think, oh, absolutely, I got to have a separate document. There's no way I want to put those two things together, because I want it to live on its own.

201
00:22:58,160 --> 00:23:02,880
It's used for a very specific purpose. When I have incidents, I want people pulling that out.

202
00:23:02,880 --> 00:23:12,560
No. But how I do awareness and training relative to my CMMC compliance requirements, I could probably put that all into my system security plan.

203
00:23:12,560 --> 00:23:22,800
So there's opportunities like that based on your business, et cetera, to try and reduce the number of documents that you have to manage while, you know,

204
00:23:22,800 --> 00:23:28,800
if you need a separate document or there's one that's useful, then do that.

205
00:23:28,800 --> 00:23:35,040
But there's no standard set. Got it.

206
00:23:35,040 --> 00:23:39,440
OK, so we're going over in time and it's OK because this next question.

207
00:23:39,440 --> 00:23:46,000
And then I know I've heard you, I should say I've heard you and I've seen you post about this on LinkedIn and other areas.

208
00:23:46,000 --> 00:23:54,480
But when should people start the rev three, 171 revision three,

209
00:23:54,480 --> 00:23:59,880
Sorry, I don't mean to add from here versus what's currently being pointed to is the revision two.

210
00:23:59,880 --> 00:24:04,480
At what point here we are in September, October of twenty twenty four.

211
00:24:04,480 --> 00:24:08,120
When is that the time to make the shift?

212
00:24:08,120 --> 00:24:13,280
Yeah. So in my chief security officer hat at my medium-sized defense contractor,

213
00:24:13,280 --> 00:24:17,240
I had intended to do that shift in twenty twenty four.

214
00:24:17,240 --> 00:24:26,680
Hey, it's coming out. It's got approved. Hey, let's, we've got the, you know, I was even going to start on the final version and then move on.

215
00:24:26,680 --> 00:24:35,920
And then CMMC wrote into the regulation, the 32 CFR 170 regulation.

216
00:24:35,920 --> 00:24:41,320
We're going to be specific to revision two.

217
00:24:41,320 --> 00:24:50,360
Now, the DOD put out a class deviation that said, hey, you don't have to move to revision three right away

218
00:24:50,360 --> 00:24:54,440
because the current DFARS 7012 clause says current version.

219
00:24:54,440 --> 00:24:58,080
Well, the current version is rev three. But the DOD said, hold off on that.

220
00:24:58,080 --> 00:25:04,520
Stay rev two. But my, my vision, when they put it in the 32 CFR,

221
00:25:04,520 --> 00:25:12,400
that means in order to move from rev two to rev three, they're going to have to go through rulemaking, which is a multi year process.

222
00:25:12,400 --> 00:25:18,800
So I have put the brakes on moving to revision three for now.

223
00:25:18,800 --> 00:25:28,600
And because I made the decision as well that I cannot possibly chase both revision two and revision three simultaneously,

224
00:25:28,600 --> 00:25:36,240
because revision three is a complete rewrite, it's one hundred and fifty percent of the requirements.

225
00:25:36,240 --> 00:25:42,000
So it's another 50 percent more. It is rearranged.

226
00:25:42,000 --> 00:25:48,880
So if I'm tailoring my documentation to the standard, so an assessor can follow it, it's very different.

227
00:25:48,880 --> 00:25:58,120
And so I decided I didn't want to put my, you know, near term CMMC certification of revision two at risk

228
00:25:58,120 --> 00:26:05,560
for chasing the future of revision three when I didn't know that that was going to be in play.

229
00:26:05,560 --> 00:26:14,160
I feel like and, you know, the D.O.D. and others, you know, have stated various things about this.

230
00:26:14,160 --> 00:26:23,600
As long as this stays in 32 CFR 170, i.e., revision two specific,

231
00:26:23,600 --> 00:26:33,120
I won't even start to worry about revision three until they start the process to modify the 32 CFR 170 to take it out.

232
00:26:33,120 --> 00:26:39,400
Yeah. Well, thank you for commenting on that, because that, the last four months,

233
00:26:39,400 --> 00:26:42,240
six months, has been a topic that comes up frequently.

234
00:26:42,240 --> 00:26:46,120
And there are different opinions on that. And now people know why.

235
00:26:46,120 --> 00:26:50,720
And that's very, and lots of people are like, revision three is written better.

236
00:26:50,720 --> 00:26:55,240
It's a better standard, blah, blah, blah. And I don't disagree with those arguments.

237
00:26:55,240 --> 00:27:05,000
Yep. But in my capacity of having a limited number of resources as a defense contractor to go execute on this with high quality,

238
00:27:05,000 --> 00:27:09,560
because to be CMMC certified, I've got to be 110 out of 110.

239
00:27:09,560 --> 00:27:14,880
I cannot afford an 80 percent solution in my revision two implementation.

240
00:27:14,880 --> 00:27:17,760
There is zero wiggle room in that world.

241
00:27:17,760 --> 00:27:21,880
Man, I'm not going to I'm going to do it one way and I'm going to do it right.

242
00:27:21,880 --> 00:27:28,600
And I absolutely refuse to try and fail to do two different standards simultaneously.

243
00:27:28,600 --> 00:27:30,480
Now, I mean, way bigger up, right?

244
00:27:30,480 --> 00:27:37,520
I mean, the impact of not doing it, what you just said is way bigger on a business than when do I start for three?

245
00:27:37,520 --> 00:27:41,200
And when I focus on it, because, yeah, it's it's what's what's called out in front of you now.

246
00:27:41,200 --> 00:27:47,120
Perfect world. You're right. If you have done this in 171 from day one and had it attached to you,

247
00:27:47,120 --> 00:27:53,520
however you could and all these other things and then ramp up to rev three, then maybe that that path looks a little different.

248
00:27:53,520 --> 00:27:56,000
But you're right. There's still a lot of time. It's still 50 percent more.

249
00:27:56,000 --> 00:28:01,440
It's a great way to say it. It becomes a very, very big undertaking and make sure it's scheduled right.

250
00:28:01,440 --> 00:28:07,440
And in your case, you're just asked on additional controls, which is what I expected them to do.

251
00:28:07,440 --> 00:28:12,960
And they just gone from 110 to 150. Yep.

252
00:28:12,960 --> 00:28:18,640
I would probably have those other controls on my list and be working toward them today.

253
00:28:18,640 --> 00:28:22,240
Yep. Because it wouldn't endanger the existing 110.

254
00:28:22,240 --> 00:28:26,240
But they rip the whole thing apart and put it back together again in different places.

255
00:28:26,240 --> 00:28:29,520
So it's kind of the same, but they exist different places.

256
00:28:29,520 --> 00:28:36,080
So in my view, my documentation stack can only ride one horse simultaneously.

257
00:28:36,080 --> 00:28:43,040
That's right. And I am just not going to risk trying to do two at once.

258
00:28:43,040 --> 00:28:47,200
I think it's we don't have a great deal of manpower.

259
00:28:47,200 --> 00:28:51,760
No medium or small defense contractor has a great deal of manpower for this.

260
00:28:51,760 --> 00:28:59,200
I need to use the people that I have very smartly in order to pursue excellence on this.

261
00:28:59,200 --> 00:29:04,640
And I just I'm I'm not going to try to do that in two different places at once,

262
00:29:04,640 --> 00:29:07,360
nor am I going to recommend that to any of my clients.

263
00:29:07,360 --> 00:29:10,080
Now, that's great feedback. That's a good, good approach.

264
00:29:10,080 --> 00:29:13,760
Well, we're we're over in the 10 ish minutes that we try to get this done.

265
00:29:13,760 --> 00:29:17,760
But this is awesome. Obviously, different things to talk about today versus if we would have done

266
00:29:17,760 --> 00:29:22,000
this a week or two ago. So thank you, Vince, for joining again.

267
00:29:22,000 --> 00:29:26,720
Where can people find you if they want more info and they want to talk to Vince at length?

268
00:29:26,720 --> 00:29:38,160
Yeah. Www cyber sec gru dot com is my website and we've got a contact information there.

269
00:29:38,160 --> 00:29:46,000
Or you can find me on LinkedIn, Vincent Scott. I'm I'm very prolific on LinkedIn.

270
00:29:46,000 --> 00:29:51,840
I type, comment, quote, post quite a bit. So it should be pretty easy to come up with me there.

271
00:29:51,840 --> 00:29:57,600
Yeah. And I will second the LinkedIn thing for sure is is your and I'm not just saying this

272
00:29:57,600 --> 00:30:02,240
because you're you're on and your friend. But I mean, this is the clarity on some of these

273
00:30:02,240 --> 00:30:06,960
topics is so important. You know, make it digestible. That's that's what people want to see.

274
00:30:06,960 --> 00:30:11,600
And you are one of the I would say one of the top LinkedIn resources where if I just want to hear

275
00:30:11,600 --> 00:30:16,000
someone else's opinion and see that I'm seeing what I've seen over here in a clear mind,

276
00:30:16,000 --> 00:30:19,120
I would say that you, Vince, are one of one of the best at that.

277
00:30:19,120 --> 00:30:23,680
So thank you again for joining. We're going to have you on again in the future for sure,

278
00:30:23,680 --> 00:30:28,400
because we're pretty much all of the events that have come up in the recent time.

279
00:30:28,400 --> 00:30:31,760
Although I guess we've had these topics are going to be very fun to look back on

280
00:30:31,760 --> 00:30:36,640
in the future and see where things are at. So thank you again for those listening or watching

281
00:30:36,640 --> 00:30:41,920
on YouTube or on your favorite podcast platform. Make sure you go find us. Watch the old ones

282
00:30:41,920 --> 00:30:45,600
that have been out so far. Make sure you pay attention to the new ones. But again,

283
00:30:45,600 --> 00:30:49,280
thank you everybody for watching and listening. And Vince, we'll chat with you next time.

284
00:30:49,920 --> 00:30:52,640
Thanks, Eric. I really appreciate the invite. Take care.

285
00:30:55,600 --> 00:31:00,400
Thank you for listening to this episode. And make sure to subscribe to the Quick Ten podcast

286
00:31:00,400 --> 00:31:04,160
wherever you get your podcasts and check us out on YouTube as well.

287
00:31:05,200 --> 00:31:11,840
For more information about Quick Track, visit our website at www.quicktrack.com.

288
00:31:11,840 --> 00:31:18,240
That's C-U-I-C-K-T-R-A-C dot com.

