1
00:00:00,000 --> 00:00:07,040
Welcome to the Quick 10 Podcast, brought to you by Quick Track, focusing on all things

2
00:00:07,040 --> 00:00:12,920
FedCon and cyber defense from different perspectives and different personalities, all in 10-ish

3
00:00:12,920 --> 00:00:13,920
minutes.

4
00:00:13,920 --> 00:00:22,240
Here's your host, Derek White.

5
00:00:22,240 --> 00:00:23,240
All right, everybody.

6
00:00:23,240 --> 00:00:26,040
Welcome back to another episode of the Quick 10 Podcast.

7
00:00:26,040 --> 00:00:27,820
I'm your host, Derek White.

8
00:00:27,820 --> 00:00:32,920
With me today, I've got Wayne Bolin, cyber compliance community contributor.

9
00:00:32,920 --> 00:00:35,360
Wayne, thanks for being here, man.

10
00:00:35,360 --> 00:00:36,760
Great to be here.

11
00:00:36,760 --> 00:00:38,440
I look forward to it.

12
00:00:38,440 --> 00:00:45,400
Today, we are going to talk about all things SPRS, at least as much as we can in the abbreviated

13
00:00:45,400 --> 00:00:48,440
time that we do for these podcasts.

14
00:00:48,440 --> 00:00:54,280
Very much a topic that I know personally for you is a huge deal.

15
00:00:54,280 --> 00:00:55,520
You present on this a lot.

16
00:00:55,520 --> 00:01:00,680
I really wanted to just have you on, have you talk about SPRS here and now kind of stuff

17
00:01:00,680 --> 00:01:06,240
and separate maybe the conversations that these podcasts have covered over the last

18
00:01:06,240 --> 00:01:11,560
couple of months regarding things like CMMC, but the here, the now, the what's going on.

19
00:01:11,560 --> 00:01:15,320
A lot of people are going to have a lot of questions and navigate.

20
00:01:15,320 --> 00:01:18,440
You see this firsthand, we see this firsthand, but you really have that experience

21
00:01:18,440 --> 00:01:20,640
here to walk through it.

22
00:01:20,640 --> 00:01:25,600
Floor is kind of yours here, Wayne, just to kind of tell us a little bit about what you

23
00:01:25,600 --> 00:01:29,640
do when it comes to this topic and what points you hit on.

24
00:01:29,640 --> 00:01:33,160
Then from there, we'll just talk through a few different things that might be relevant

25
00:01:33,160 --> 00:01:34,160
for people that are listening.

26
00:01:34,160 --> 00:01:35,160
Yeah.

27
00:01:35,160 --> 00:01:42,160
To be honest, I really have no idea how I became so attached to SPRS in this 7019/7020

28
00:01:42,160 --> 00:01:48,440
rule, because prior to this, I have a background in incident response and things.

29
00:01:48,440 --> 00:01:53,200
My boss at one point, I think in 2019, asked me to lead a compliance team and I'm like,

30
00:01:53,200 --> 00:01:55,360
compliance, who wants to do that?

31
00:01:55,360 --> 00:02:00,080
I did that for a while and just when this rule came out, I just dove in.

32
00:02:00,080 --> 00:02:03,760
I have no idea why, but I've become really versed in it.

33
00:02:03,760 --> 00:02:10,400
It's probably the only rule I've read front to back, printed, beat up, yellow, highlighted.

34
00:02:10,400 --> 00:02:12,320
It's just crazy, but here we are.

35
00:02:12,320 --> 00:02:15,080
So I've become an expert on it.

36
00:02:15,080 --> 00:02:21,160
For those who don't know, SPRS stands for Supplier Performance Risk System.

37
00:02:21,160 --> 00:02:26,840
One of the things I cover in the very beginning of the presentation I speak to is SPRS has

38
00:02:26,840 --> 00:02:34,640
been around for a long time and is much more broad than us Johnny-come-lately cyber self-assessment

39
00:02:34,640 --> 00:02:35,640
sort of thing.

40
00:02:35,640 --> 00:02:40,360
There's a lot of other things that supply chain type folks on the government and industry

41
00:02:40,360 --> 00:02:45,200
side have been using this for way before we come in.

42
00:02:45,200 --> 00:02:50,400
Our little carve out for posting these cyber self-assessments is a very small part of the

43
00:02:50,400 --> 00:02:56,480
overall supplier risk part of this government.

44
00:02:56,480 --> 00:03:01,760
So they're very good about providing documentation.

45
00:03:01,760 --> 00:03:06,520
If you're a user of this, make use of the documentation.

46
00:03:06,520 --> 00:03:12,400
SPRS is accessed through what's called PIEE, P-I-E-E, which is basically a government platform

47
00:03:12,400 --> 00:03:18,260
that hosts a whole lot of different applications the government uses.

48
00:03:18,260 --> 00:03:23,760
So you get to PIEE and then SPRS is one of the options.

49
00:03:23,760 --> 00:03:33,560
So generally I start with the very basic route of what drives you to having to post a SPRS

50
00:03:33,560 --> 00:03:34,560
self-assessment.

51
00:03:34,560 --> 00:03:39,240
And at the base is something we know and love and that's DFARS 7012.

52
00:03:39,240 --> 00:03:48,080
DFARS 7012, I'm not going to regurgitate it, but basically says covered contractor system,

53
00:03:48,080 --> 00:03:54,120
adequate security, blah, blah, blah, basically boils down to being compliant with NIST 800-171.

54
00:03:54,120 --> 00:04:02,240
However, 18 months or so ago when I was first building this presentation, I tried to figure

55
00:04:02,240 --> 00:04:06,920
out what is there that actually says you have to be compliant?

56
00:04:06,920 --> 00:04:09,360
Because I've always foot stomped 7012 isn't enough.

57
00:04:09,360 --> 00:04:14,960
7012 goes in all the contracts and a lot of people would tell you if you have 7012 in your

58
00:04:14,960 --> 00:04:17,960
contract, you must be NIST 800-171 compliant.

59
00:04:17,960 --> 00:04:19,960
And that is not true.

60
00:04:19,960 --> 00:04:26,160
And that's when I came across the DoD Procurement Toolbox FAQ, revision three.

61
00:04:26,160 --> 00:04:30,120
And I think we're going to put, you're going to post that link in the notes.

62
00:04:30,120 --> 00:04:31,120
For sure.

63
00:04:31,120 --> 00:04:32,120
Yep.

64
00:04:32,120 --> 00:04:38,160
So, 7012, question 6 has an extract, which is basically a get-out-of-jail-free card, and it says

65
00:04:38,160 --> 00:04:43,760
you only have to implement the security requirements of 800-171 if your contract includes the DFARS

66
00:04:43,760 --> 00:04:50,320
clause, and you are provided covered defense information by the DOD and you are processing,

67
00:04:50,320 --> 00:04:55,000
storing, or transmitting that covered defense information on your information system slash

68
00:04:55,000 --> 00:04:56,600
network.

69
00:04:56,600 --> 00:05:02,040
So you can have DFARS 7012 in your contract all day long, but if you're not getting any

70
00:05:02,040 --> 00:05:05,200
CUI, it does not apply.

71
00:05:05,200 --> 00:05:10,160
Now I've used the phrase, and to the chagrin of certain people in the community,

72
00:05:10,160 --> 00:05:13,200
I like to call this a self-deleting clause.

73
00:05:13,200 --> 00:05:18,600
What that means is there's a whole cookie-cutter list of clauses that go in the government

74
00:05:18,600 --> 00:05:21,320
contracts that we receive.

75
00:05:21,320 --> 00:05:25,280
If you don't get CUI, it just kind of self-deletes and you can ignore it.

76
00:05:25,280 --> 00:05:26,760
It does not apply.

77
00:05:26,760 --> 00:05:33,280
And I'm so glad I found this FAQ question 6 that validates my thinking.

78
00:05:33,280 --> 00:05:36,200
Prior to that, I really had nothing to stand on.

79
00:05:36,200 --> 00:05:42,040
So people need to check that out and grab that if they need to.

80
00:05:42,040 --> 00:05:45,960
Well, not to mention the 7012 questionnaires and stuff, right?

81
00:05:45,960 --> 00:05:49,040
They just get thrown in these boilerplate questions and that causes a lot of confusion

82
00:05:49,040 --> 00:05:53,560
for those that haven't seen CUI and haven't had it detailed in their terms and conditions

83
00:05:53,560 --> 00:05:57,840
and say, well, what does everybody do when there's a million contract clauses?

84
00:05:57,840 --> 00:06:01,680
They go through it, they reach out for resources and start putting stuff into place.

85
00:06:01,680 --> 00:06:02,680
And to your point, yes.

86
00:06:02,680 --> 00:06:06,200
Then all of a sudden it's like, oh, maybe I don't need that.

87
00:06:06,200 --> 00:06:07,200
Who's telling them that?

88
00:06:07,200 --> 00:06:08,200
Yes, you're right.

89
00:06:08,200 --> 00:06:12,600
That is a really good Q&A definition of that for sure.

90
00:06:12,600 --> 00:06:17,840
So then operating from that assumption that you get CUI and you have the 7012 clause,

91
00:06:17,840 --> 00:06:23,520
then in order to actually do the SPRS self-assessment and enter that in SPRS, you need to have

92
00:06:23,520 --> 00:06:26,800
the 7019 and 7020, which came out together.

93
00:06:26,800 --> 00:06:34,160
And I have a heck of a time keeping those straight as far as which one requires you

94
00:06:34,160 --> 00:06:40,200
to make yourself available for DIBCAC assessments and all that stuff versus what makes you load

95
00:06:40,200 --> 00:06:43,280
the score into SPRS.

96
00:06:43,280 --> 00:06:47,360
But everybody can read 7019 and 7020.

97
00:06:47,360 --> 00:06:49,840
Generally they're put out together.

98
00:06:49,840 --> 00:06:56,000
And then those clauses require you to then perform that self-assessment and post it.

99
00:06:56,000 --> 00:07:02,000
I have a few minutes later that I'll kind of touch on that so I won't get ahead of myself.

100
00:07:02,000 --> 00:07:04,480
Yeah, you're right.

101
00:07:04,480 --> 00:07:10,800
For those that this is new to, 7019, 7020, we've been around since way before that.

102
00:07:10,800 --> 00:07:16,400
So it was a big shift to all of a sudden say, hey, you're going to enter this score into

103
00:07:16,400 --> 00:07:19,480
a system that the government manages.

104
00:07:19,480 --> 00:07:24,600
And be available for when they say we want to show up, which unfortunately had to, I

105
00:07:24,600 --> 00:07:28,320
guess, kind of be labeled as a clause because I guess technically some people could have

106
00:07:28,320 --> 00:07:30,160
said, nah, we're not going to do that.

107
00:07:30,160 --> 00:07:32,840
So it's an accountability push on our side.

108
00:07:32,840 --> 00:07:37,440
That's how I would kind of explain it is, I mean, if you are required to do these things

109
00:07:37,440 --> 00:07:42,120
because you handle that type of data, then you should be ready for that and you should

110
00:07:42,120 --> 00:07:43,120
be doing this stuff.

111
00:07:43,120 --> 00:07:47,760
And if there's not a mechanism for finding out if that's true or not, or at least hold

112
00:07:47,760 --> 00:07:52,400
somebody's feet to the fire to make sure that it's accurate, then we know how that looks.

113
00:07:52,400 --> 00:07:53,400
That's how it used to be.

114
00:07:53,400 --> 00:07:54,400
Yeah.

115
00:07:54,400 --> 00:07:58,800
Now I'm going to make a statement with no definitive evidence whatsoever, but my thinking

116
00:07:58,800 --> 00:08:06,440
is these two clauses were created to be a bridge between 7012 and 7021, CMMC, because,

117
00:08:06,440 --> 00:08:13,040
you know, when they were pitching CMMC, they said CMMC is driven because people were signing

118
00:08:13,040 --> 00:08:20,520
7012 and just ignoring it, where, you know, the SPRS requirement to do the self-assessment

119
00:08:20,520 --> 00:08:27,800
and load it is a step higher than 7012 where you just signed the contract and that says

120
00:08:27,800 --> 00:08:34,240
you're compliant by a simple signature versus 7021, which is a third party assessment.

121
00:08:34,240 --> 00:08:36,160
This is kind of the bridge in the middle.

122
00:08:36,160 --> 00:08:44,520
And me being really big on conspiracy theories, it also adds additional evidence for a False

123
00:08:44,520 --> 00:08:50,280
Claims Act because, you know, just signing a 7012, that's kind of weak if you want to

124
00:08:50,280 --> 00:08:52,760
prosecute a company for false claims.

125
00:08:52,760 --> 00:08:58,400
If you have a self assessment and you enter the score in a government database, that's

126
00:08:58,400 --> 00:09:04,280
a little more ammunition to use for a False Claims Act.

127
00:09:04,280 --> 00:09:07,360
Yeah, and then go ahead.

128
00:09:07,360 --> 00:09:08,360
Yep.

129
00:09:08,360 --> 00:09:13,120
This self-assessment is based on the DoDAM, the DoD Assessment Methodology, probably should

130
00:09:13,120 --> 00:09:14,120
include that link too.

131
00:09:14,120 --> 00:09:15,120
For sure.

132
00:09:15,120 --> 00:09:16,120
Yep.

133
00:09:16,120 --> 00:09:20,360
I want to assume everybody knows where that is, but the DOD assessment methodology has

134
00:09:20,360 --> 00:09:28,120
a background and purpose, a lot of information about what's behind the methodology.

135
00:09:28,120 --> 00:09:32,640
Then it has a step by step for each control and the score.

136
00:09:32,640 --> 00:09:37,520
And that's the calculus you use to perform the self assessment and come up with that

137
00:09:37,520 --> 00:09:38,520
score.

138
00:09:38,520 --> 00:09:41,000
However, I foot stomp this big time.

139
00:09:41,000 --> 00:09:47,960
If you're not using this 800-171A to help with that, you could end up with a big swing

140
00:09:47,960 --> 00:09:57,400
in the mix because the scoring matrix or whatever you want to call it, it's very weak on content.

141
00:09:57,400 --> 00:10:02,240
It basically names the control and then tells you what score you get or how much you would

142
00:10:02,240 --> 00:10:03,240
lose.

143
00:10:03,240 --> 00:10:10,480
And then I have an assessment guidance from that, that I talk about to show people that

144
00:10:10,480 --> 00:10:15,880
shows the level of detail you can get when you're using 171 to help you.

145
00:10:15,880 --> 00:10:18,160
And then it typically has discussions in there.

146
00:10:18,160 --> 00:10:22,600
So if you're somebody trying to do it yourself without IT support and you really kind of

147
00:10:22,600 --> 00:10:27,720
lost that narrative and that 171 may be very helpful.

148
00:10:27,720 --> 00:10:30,640
Yeah, for sure.

149
00:10:30,640 --> 00:10:33,880
And obviously we should probably disclaim too that everything that we're talking about

150
00:10:33,880 --> 00:10:38,200
is personal opinion here, not the organization's opinion.

151
00:10:38,200 --> 00:10:44,640
So yeah, no, but yes, that's right.

152
00:10:44,640 --> 00:10:45,640
Yes.

153
00:10:45,640 --> 00:10:49,080
It's like, that's how, you know, sporting fans should be thinking about their teams

154
00:10:49,080 --> 00:10:50,080
and stuff too.

155
00:10:50,080 --> 00:10:54,640
So that's all I'm going to say about the actual self assessment process, because that's not

156
00:10:54,640 --> 00:11:00,840
what I think is the most important part of my presentation.

157
00:11:00,840 --> 00:11:06,280
And that is you can have the best process for self-assessing, the best self-assessment

158
00:11:06,280 --> 00:11:08,160
score in the world.

159
00:11:08,160 --> 00:11:15,240
But if you don't do and address the logistics of SPRS and its relationship with SAM.gov,

160
00:11:15,240 --> 00:11:17,160
you're never going to get that in there.

161
00:11:17,160 --> 00:11:23,520
And what that is, is for those not familiar, SAM.gov is the government database where if

162
00:11:23,520 --> 00:11:28,800
you are a new company and you want to get a CAGE code, which is necessary to do contracting

163
00:11:28,800 --> 00:11:32,640
work with the DOD, each contractor will have a CAGE code in it.

164
00:11:32,640 --> 00:11:38,480
And everything about assessments, cyber assessments, whether it's a DIBCAC or a SPRS self-assessment

165
00:11:38,480 --> 00:11:40,680
revolves around that CAGE code.

166
00:11:40,680 --> 00:11:43,000
That CAGE code starts in SAM.gov.

167
00:11:43,000 --> 00:11:48,120
That's where you enter financial information, tax information, you identify contracts POC,

168
00:11:48,120 --> 00:11:51,840
electronic business, POC, all that.

169
00:11:51,840 --> 00:11:56,240
And that is a POC mess at times.

170
00:11:56,240 --> 00:12:02,600
So there are two key fields in there that are critical to get the CAGE code that your

171
00:12:02,600 --> 00:12:09,720
company or codes that your company is identified as over to the SPRS database.

172
00:12:09,720 --> 00:12:13,960
There's an immediate owner and highest-level owner field.

173
00:12:13,960 --> 00:12:21,040
And if those fields are not populated, your CAGE code will never populate over to SPRS.

174
00:12:21,040 --> 00:12:24,840
And you can never do it in your hierarchy and you can never make an entry.

175
00:12:24,840 --> 00:12:31,440
So it's critical that you have somebody identified to keep that up to date.

176
00:12:31,440 --> 00:12:36,280
And you need to keep it up to date on a regular basis because in about the last 18 months,

177
00:12:36,280 --> 00:12:41,760
the government's made it a lot more difficult to make modifications to SAM.gov.

178
00:12:41,760 --> 00:12:48,880
And again, another unfounded thought on why that's true, it feels like maybe there were

179
00:12:48,880 --> 00:12:54,720
some of our adversaries making shell companies and doing some nefarious activity.

180
00:12:54,720 --> 00:12:59,840
And they just decided rightfully so that they need to make it a little more rigid and difficult

181
00:12:59,840 --> 00:13:07,920
to make changes to those records in there because so many things that cascade down are directly

182
00:13:07,920 --> 00:13:09,640
related to that.

183
00:13:09,640 --> 00:13:15,960
So step one is you got to be on top of your SAM.gov CAGE registration presence and keep

184
00:13:15,960 --> 00:13:16,960
that current.

185
00:13:16,960 --> 00:13:22,520
Yeah, and this is why we want everyone to be more foundational because it's just got

186
00:13:22,520 --> 00:13:24,280
to be from the top down in an organization.

187
00:13:24,280 --> 00:13:25,600
That's all organizational stuff.

188
00:13:25,600 --> 00:13:28,120
That's all things that are important anyway.

189
00:13:28,120 --> 00:13:30,560
Let's get to the myth side.

190
00:13:30,560 --> 00:13:32,000
Some of the things that you've been talking about.

191
00:13:32,000 --> 00:13:39,320
I got one more list of best practices that I like to tell people about.

192
00:13:39,320 --> 00:13:40,320
Yeah, please do.

193
00:13:40,320 --> 00:13:46,840
One of those is controlling access to SPRS because those scores that are in SPRS are

194
00:13:46,840 --> 00:13:52,560
attestation from your company and the DIBCAC can get in there and poke around and say,

195
00:13:52,560 --> 00:13:55,040
you know, this score sounds a little high or something.

196
00:13:55,040 --> 00:13:58,320
Maybe we need to go check out company X.

197
00:13:58,320 --> 00:14:03,240
You need to be really careful about maintaining access.

198
00:14:03,240 --> 00:14:06,440
Now this is more applicable to medium and large organizations that have a lot of CAGE

199
00:14:06,440 --> 00:14:12,280
codes, a lot of people involved than a small company that may have a handful of CAGE codes

200
00:14:12,280 --> 00:14:14,200
and a single individual.

201
00:14:14,200 --> 00:14:20,800
But I like to maintain control to the minimum amount of people possible.

202
00:14:20,800 --> 00:14:25,800
Consider building an offline database with the information from SPRS.

203
00:14:25,800 --> 00:14:32,040
It's easy to export, put it in a Tableau database, then allow your company contracting, legal,

204
00:14:32,040 --> 00:14:36,440
cyber people, if they want to know what your score is for any given CAGE code, to use that

205
00:14:36,440 --> 00:14:43,200
offline database and look that up and just keep the fingers out of the kitchen in the

206
00:14:43,200 --> 00:14:46,760
master database so that you won't run into problems.

207
00:14:46,760 --> 00:14:51,200
You need to carefully document the score and select the appropriate individual to enter

208
00:14:51,200 --> 00:14:52,520
the score.

209
00:14:52,520 --> 00:14:57,440
And then most importantly, you need to create a process for data review that ensures accuracy

210
00:14:57,440 --> 00:15:00,400
and currency of that entry.

211
00:15:00,400 --> 00:15:07,360
And that process needs to have senior level leadership knowledgeable of that and aware

212
00:15:07,360 --> 00:15:13,520
what that score is given the implications of a false score.

213
00:15:13,520 --> 00:15:15,760
But we'll jump ahead now to...

214
00:15:15,760 --> 00:15:16,760
Yeah.

215
00:15:16,760 --> 00:15:21,080
Well, then I know a couple of things that you're gonna say here.

216
00:15:21,080 --> 00:15:25,840
Some of these are a little bit dated because they're from 18 months ago and people become

217
00:15:25,840 --> 00:15:27,920
more familiar with SPRS and everything.

218
00:15:27,920 --> 00:15:30,560
But when I first...

219
00:15:30,560 --> 00:15:34,360
This is the kind of information that caused me to create this in the first place because

220
00:15:34,360 --> 00:15:38,080
there was just so much misinformation floating around after.

221
00:15:38,080 --> 00:15:44,720
And at the time, one of the big myths was you're required to have a SPRS score now.

222
00:15:44,720 --> 00:15:48,800
When it first came out, there were people shrieking to the top of the mountain that

223
00:15:48,800 --> 00:15:52,960
you gotta go get your SPRS score done and entered in the database right now.

224
00:15:52,960 --> 00:15:53,960
Well, no, you don't.

225
00:15:53,960 --> 00:15:57,760
You didn't have to until you got the clause in a contract.

226
00:15:57,760 --> 00:16:00,120
Which is 7019 and 7020.

227
00:16:00,120 --> 00:16:01,120
Yeah.

228
00:16:01,120 --> 00:16:02,120
Yep.

229
00:16:02,120 --> 00:16:06,840
And it's good to have it calculated and ready to go, but do you really want to enter it

230
00:16:06,840 --> 00:16:08,320
in there before it's required?

231
00:16:08,320 --> 00:16:11,040
I say not.

232
00:16:11,040 --> 00:16:15,400
There's nothing to gain except exposing yourself.

233
00:16:15,400 --> 00:16:21,640
So my guidance was you wait until it's required by contract.

234
00:16:21,640 --> 00:16:23,840
SPRS score is required even if you have zero CUI.

235
00:16:23,840 --> 00:16:25,840
I think we covered that pretty well in the beginning.

236
00:16:25,840 --> 00:16:26,840
That's not true.

237
00:16:26,840 --> 00:16:30,840
Although there were people telling me if you've got 7012, you gotta have a SPRS score.

238
00:16:30,840 --> 00:16:31,840
No, no.

239
00:16:31,840 --> 00:16:34,200
There is a failing SPRS score.

240
00:16:34,200 --> 00:16:35,200
Not true.

241
00:16:35,200 --> 00:16:39,800
The rule, the spirit of the rule says you have to have a score.

242
00:16:39,800 --> 00:16:40,800
Doesn't matter what it is.

243
00:16:40,800 --> 00:16:47,200
And to the best of our knowledge, the contracting officers are not using that score as a competitive

244
00:16:47,200 --> 00:16:52,440
aspect of evaluating contract bids.

245
00:16:52,440 --> 00:16:55,240
Hopefully that's true and there's no unbeknown bias or anything.

246
00:16:55,240 --> 00:16:59,920
But the only failing score is no score.

247
00:16:59,920 --> 00:17:04,600
Early on there was a lot of kerfuffle around you have to load your SSP and POAMs along

248
00:17:04,600 --> 00:17:05,600
with your SPRS score.

249
00:17:05,600 --> 00:17:06,600
Well, no, you don't.

250
00:17:06,600 --> 00:17:08,640
There is no capability to even do that.

251
00:17:08,640 --> 00:17:11,640
So that is never possible.

252
00:17:11,640 --> 00:17:18,400
Even saw an article that said you had to have an ECA or CAC card to access PIEE and get into

253
00:17:18,400 --> 00:17:19,400
SPRS.

254
00:17:19,400 --> 00:17:22,640
While that's a capability, that's not a requirement.

255
00:17:22,640 --> 00:17:27,640
And then there's this concept that I saw people saying you must have a SPRS score to do any

256
00:17:27,640 --> 00:17:29,640
work with the DOD, which is not correct.

257
00:17:29,640 --> 00:17:35,360
We covered that back when you said you had that CUI for that clause to apply.

258
00:17:35,360 --> 00:17:38,800
Another good one is does your company have a SPRS score loaded?

259
00:17:38,800 --> 00:17:41,720
Well, I have a whole lot of SPRS loaded.

260
00:17:41,720 --> 00:17:48,200
You need to specify what CAGE code is associated with this. All SPRS scores have got to be associated

261
00:17:48,200 --> 00:17:49,200
with a CAGE.

262
00:17:49,200 --> 00:17:53,560
And then the final one was somebody was really confused.

263
00:17:53,560 --> 00:17:58,200
Your Exostar score is not your SPRS score and that's not going to work.

264
00:17:58,200 --> 00:18:01,240
So the two are not the same.

265
00:18:01,240 --> 00:18:07,920
And a biggie that I speak to as a standalone, there are people who say if you have no SSP,

266
00:18:07,920 --> 00:18:12,120
it's like an immediate negative 200 change.

267
00:18:12,120 --> 00:18:13,120
Not true.

268
00:18:13,120 --> 00:18:20,360
If you look at 3.12.4 in the DOD assessment methodology, it clearly states if you have

269
00:18:20,360 --> 00:18:24,120
no SSP, you cannot do an assessment full stop.

270
00:18:24,120 --> 00:18:31,440
You do not have a score because a maximum negative score would still meet the DFARS requirement

271
00:18:31,440 --> 00:18:35,480
and you could be awarded the contract, whereas no score prevents a contract.

272
00:18:35,480 --> 00:18:44,160
So no SSP, no score, do not pass Go.

273
00:18:44,160 --> 00:18:49,760
And then just breaking this week, for people who are new to SPRS, version 4.0 came out

274
00:18:49,760 --> 00:18:51,680
on Monday morning.

275
00:18:51,680 --> 00:18:58,120
Has some additional capabilities, refined interfaces for searching and the entry of

276
00:18:58,120 --> 00:18:59,120
the scores and so on.

277
00:18:59,120 --> 00:19:00,120
It's just a little smoother.

278
00:19:00,120 --> 00:19:06,600
So that in a nutshell are my foot stompers.

279
00:19:06,600 --> 00:19:10,880
No, that's big time stuff and just, you know, we're in the middle of October, so

280
00:19:10,880 --> 00:19:12,520
that's the time of this recording.

281
00:19:12,520 --> 00:19:17,040
So if you're watching this down the road, then that 4.0 did come out in the early part

282
00:19:17,040 --> 00:19:18,040
of October.

283
00:19:18,040 --> 00:19:20,160
So thanks for jumping through that.

284
00:19:20,160 --> 00:19:24,080
I just want to recap then a couple of those big foot stomps.

285
00:19:24,080 --> 00:19:32,040
So if you don't have 7019, 7020 in your clauses, as a requirement in your contracts,

286
00:19:32,040 --> 00:19:35,800
then you don't need a SPRS score.

287
00:19:35,800 --> 00:19:39,920
And for the most part, similar to 7012 though, it's going to be cookie cutter.

288
00:19:39,920 --> 00:19:40,920
That's right.

289
00:19:40,920 --> 00:19:45,440
The big thing that's going to keep you from having to do it is lack of CUI.

290
00:19:45,440 --> 00:19:47,840
Yes, that's my next point.

291
00:19:47,840 --> 00:19:48,840
Yep.

292
00:19:48,840 --> 00:19:56,840
And that get-out-of-jail-free card is in that question six of that FAQ that you will provide folks

293
00:19:56,840 --> 00:19:57,840
with.

294
00:19:57,840 --> 00:20:03,280
And the CUI versus not CUI and how do I find that out is not always black and white as

295
00:20:03,280 --> 00:20:04,280
we know.

296
00:20:04,280 --> 00:20:09,880
So there are steps you can take to, I guess we'll call it ask up if you can, go through

297
00:20:09,880 --> 00:20:10,880
your contract conditions.

298
00:20:10,880 --> 00:20:11,880
Yep.

299
00:20:11,880 --> 00:20:12,880
Exactly.

300
00:20:12,880 --> 00:20:13,880
Yep.

301
00:20:13,880 --> 00:20:20,320
It can be difficult, but you really need to nail down with who's asserting the contract,

302
00:20:20,320 --> 00:20:21,320
whether or not it's CUI.

303
00:20:21,320 --> 00:20:25,320
Because, I mean, honestly, if you don't know whether or not it's CUI and you don't know

304
00:20:25,320 --> 00:20:28,320
what it is, how can you protect it?

305
00:20:28,320 --> 00:20:29,720
If you do, in fact, that's critical.

306
00:20:29,720 --> 00:20:33,680
And the default maneuver that most people do is then just try to apply these requirements

307
00:20:33,680 --> 00:20:36,420
to everything so they can say that they're ready for when they do have it.

308
00:20:36,420 --> 00:20:40,000
And then your costs, your management, all these things that go on when you do have that

309
00:20:40,000 --> 00:20:44,360
third party assessment of some sort, regardless of where it comes from, still comes back down

310
00:20:44,360 --> 00:20:47,160
to the data that you handle and what touches it and all that kind of stuff.

311
00:20:47,160 --> 00:20:49,080
So thank you for that.

312
00:20:49,080 --> 00:20:56,960
And I will say the system security plan, NIST SP 800-171A, we've referenced that in previous

313
00:20:56,960 --> 00:20:57,960
episodes.

314
00:20:57,960 --> 00:20:58,960
It will continue to come up.

315
00:20:58,960 --> 00:21:03,180
We're still having conversations with people who have focused on the 110 controls.

316
00:21:03,180 --> 00:21:05,600
So this is why we have these conversations.

317
00:21:05,600 --> 00:21:08,760
This is why you want to hear from the firsthand experience that people have been doing this

318
00:21:08,760 --> 00:21:10,720
for a long time.

319
00:21:10,720 --> 00:21:13,720
You have to know that's where you can make decisions.

320
00:21:13,720 --> 00:21:17,120
I see folks mentioning if you got a consultant out there that's going to help you become

321
00:21:17,120 --> 00:21:23,800
compliant, a question you need to ask every consultant is how familiar are you with NIST SP

322
00:21:23,800 --> 00:21:24,800
800-171A.

323
00:21:24,800 --> 00:21:29,320
And for those that say, what's that, you run away screaming.

324
00:21:29,320 --> 00:21:30,320
Yeah.

325
00:21:30,320 --> 00:21:31,320
Yeah.

326
00:21:31,320 --> 00:21:34,240
I mean, I've had conversations this week with companies who've been working with respectable

327
00:21:34,240 --> 00:21:36,120
companies since 2018.

328
00:21:36,120 --> 00:21:37,720
And they're just starting to talk about that stuff.

329
00:21:37,720 --> 00:21:41,240
And it says, well, what have you, all these things you just covered with the conversations

330
00:21:41,240 --> 00:21:42,240
we were having as well.

331
00:21:42,240 --> 00:21:43,720
What did you enter for a score?

332
00:21:43,720 --> 00:21:45,080
Are you sure that's in there?

333
00:21:45,080 --> 00:21:46,360
And what were you basing that off of?

334
00:21:46,360 --> 00:21:48,080
And what's your documentation look like?

335
00:21:48,080 --> 00:21:53,280
And that's why we're just trying to help and get people on the right page.

336
00:21:53,280 --> 00:21:59,360
And I can't echo enough the system security plan details and having that versus just going

337
00:21:59,360 --> 00:22:00,520
and popping in a score.

338
00:22:00,520 --> 00:22:01,760
There's a lot of bad advice out there.

339
00:22:01,760 --> 00:22:03,960
And you hit that really, really hard, which I appreciate.

340
00:22:03,960 --> 00:22:06,720
It's just going through a score and worry about it later.

341
00:22:06,720 --> 00:22:09,760
That's not how that's going to end.

342
00:22:09,760 --> 00:22:11,680
No, it will not end well.

343
00:22:11,680 --> 00:22:12,680
So don't do that.

344
00:22:12,680 --> 00:22:13,680
But well, awesome.

345
00:22:13,680 --> 00:22:14,680
Well, thanks, Wayne.

346
00:22:14,680 --> 00:22:19,120
I know we went a little bit longer than normal, but that was good.

347
00:22:19,120 --> 00:22:22,200
The references, everything that you've talked about, if you're watching on YouTube, you'll

348
00:22:22,200 --> 00:22:24,400
see some of this stuff pop up on the screen.

349
00:22:24,400 --> 00:22:29,160
But if not, you're listening on your favorite podcast platform, you can check out the reference

350
00:22:29,160 --> 00:22:33,920
links and other areas that we're sending people to down there.

351
00:22:33,920 --> 00:22:37,160
And as always, subscribe, follow, do all that stuff.

352
00:22:37,160 --> 00:22:41,160
We'll have you on again in the future because things will look different in 12 months from

353
00:22:41,160 --> 00:22:42,160
now.

354
00:22:42,160 --> 00:22:43,160
We'll see where things are at.

355
00:22:43,160 --> 00:22:44,160
We'll see how that goes.

356
00:22:44,160 --> 00:22:47,960
And the next thing is CMMC SPR.

357
00:22:47,960 --> 00:22:48,960
Yeah, there.

358
00:22:48,960 --> 00:22:49,960
Yeah.

359
00:22:49,960 --> 00:22:52,360
Well, there's a lot of things that we didn't need to talk about today because

360
00:22:52,360 --> 00:22:53,840
we don't want to be here for a week.

361
00:22:53,840 --> 00:22:58,680
But yes, those are those are going to be the fun nuggets that we'll get into later.

362
00:22:58,680 --> 00:23:01,360
And again, just really appreciate you coming on spending some time.

363
00:23:01,360 --> 00:23:06,280
It's a crazy Friday here for a lot of people involved in this ecosystem and stuff.

364
00:23:06,280 --> 00:23:08,280
So thank you, Wayne.

365
00:23:08,280 --> 00:23:10,560
And we'll catch you next time.

366
00:23:10,560 --> 00:23:14,520
And I think we'll maybe spend a little bit more time than we did today on the next topic.

367
00:23:14,520 --> 00:23:16,200
Always happy to help.

368
00:23:16,200 --> 00:23:17,200
Thank you.

369
00:23:17,200 --> 00:23:18,200
All right, there.

370
00:23:18,200 --> 00:23:19,200
Thank you.

371
00:23:19,200 --> 00:23:22,200
Thank you for listening to this episode.

372
00:23:22,200 --> 00:23:27,360
And make sure to subscribe to the quick 10 podcast wherever you get your podcasts and

373
00:23:27,360 --> 00:23:30,080
check us out on YouTube as well.

374
00:23:30,080 --> 00:23:36,880
For more information about quick track, visit our website at www.quicktrack.com.

375
00:23:36,880 --> 00:24:00,760
And we'll see you next time.

