If you’ve taken the time to look through the DFARS Interim Rule…
All 80+ (potentially) confusing pages of it…
You might have some questions about how it applies to your business.
Luckily, Scott Armstrong, Sr. Director, Cyber Risk, Analytics, and Insights at Exostar, has answers.
In this episode, he and I discuss everything DIB firms need to know about the CMMC Interim Rule.
What we talked about:
- “Legalese to English” translations of the three new regulations
- Best practices on how to score your self-assessment
- How and when the DoD will start adding “CMMC language” to contracts
- How the interim rule will impact new contracts and contract modifications/extensions
- Why the interim rule will accelerate CMMC Level 3 compliance across the DIB
- How Exostar can help your organization prepare for compliance
To hear this episode and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool's accuracy is 99%, you may find some small discrepancies between the written content and the native audio file.
Narrator (00:06):
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no-B.S. answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:24):
Hey there, and welcome to another episode of The Virtual CISO Podcast. I’m your host John Verry, and with me, as always, the Dale Doback to my Brennan Huff, Jeremy Sporn. Hey Jeremy.
Jeremy Sporn (00:37):
Hey, I’m feeling like I’m in a good mood today. I feel like our show is kind of like a fucking Catalina wine mixer. You ever had one of those?
John Verry (00:47):
Yeah. You don’t get many chances to work a Step Brothers reference into everyday conversation in the business world. So, I’ll give you a few points here for making that one work.
Jeremy Sporn (00:58):
I’ll take whatever points I can get John. What’s up?
John Verry (01:01):
So on the more important side, what did you think of my conversation with Scott?
Jeremy Sporn (01:04):
I’ll be honest. It was a bit humbling for anyone who spent the time, like I did, to grind through the 80-plus pages of the DFARS Interim Rule and came out on the other end not too confident in what was actually said. Like me, listening to you and Scott talk about it with such confidence knocked me down a peg or two. It was cool to listen to you guys riff on that stuff.
John Verry (01:27):
Maybe not the best time to point this out, but as they say, in the kingdom of the blind, the one-eyed man rules. So, I’m not so sure we knew it quite as well as you think we did, but if we got away with it, that’s a pretty good sign.
Jeremy Sporn (01:39):
It was just cool. As we were talking about before, clauses 19, 20, 21 were things I did not quite understand too well. And really, whether you’re already managing DoD contracts through Exostar, where Scott’s from, or not, you will walk away with a great understanding of the DFARS Interim Rule, especially those clauses and what they mean to you. You’ll also get a lot of what I would call real-world glimpses into what it’s like to leverage Exostar’s new Certification Assistant tool, which is super cool, to help you achieve and manage CMMC compliance. Anyone concerned with CMMC compliance will find this conversation extremely helpful. I know I did.
John Verry (02:20):
Agreed. That was definitely the idea of having Scott on the show. Anyone who’s got experience working with, what, 135,000 of the DIB members is probably going to know a little bit about this stuff, so with no further ado, let’s get to the show. Scott, thank you for joining us today. How are you?
Scott Armstrong (02:39):
I’m doing well.
John Verry (02:41):
So I always like to start easy. Tell us a little bit about who you are and what is it that you do?
Scott Armstrong (02:46):
Sure. Scott Armstrong, senior director for the risk products here at Exostar, where I run the product management team for our solutions, both for large government contractors and for many of the suppliers and contractors in the DIB.
John Verry (03:02):
So obviously now that makes sense as to why we invited you here to talk about the new interim rule, because obviously that’s going to impact an awful lot of your client base and I’m sure some of the products that you develop have something to do with your being here today. So before we get down to business, we always like to ask, what’s your drink of choice?
Scott Armstrong (03:21):
My drink of choice is typically a single malt scotch. I like a peaty one; one of my favorites is Laphroaig. I’m probably mispronouncing it, I always have, always will. But it’s probably definitely one of my favorites.
John Verry (03:34):
So first of all, I’m tempted to end the podcast now because there’s no better way to ruin a good whiskey than to add peat, but I’m going to allow you that mistake. But you’re warned. That’s your first mistake. Second thing, on the Laphroaig side. So it is funny you say that; a good friend of mine is a scotch drinker. And I bought him rece…not recently, probably a year or two ago now, but as a gift, a bottle of Laphroaig and it’s apparently… and I probably mispronounced it as well. Apparently that’s absolutely one of the best bottles out there. So at least you have good taste in your bad taste, if that makes any sense.
Scott Armstrong (04:10):
Sure sure.
John Verry (04:11):
All right. So September 29th was the day we were all waiting for, even if we didn’t know that was going to be the exact date. And as expected, we got a new DFARS regulation that specifically calls for CMMC, but I don’t know if you were expecting, I wasn’t sure what to expect, but we also got two additional regulations. So just to add to the confusion, we have three, not one. So let’s kind of help people suss this out and understand what the difference is. So let’s start with 7019. How would you summarize 7019?
Scott Armstrong (04:45):
7019 is really reinforcing the 171 requirements and how it gets used for acquisitions, so that the offeror’s got to verify the summary level scores based upon the DoD assessment methodology for all their covered contractor information systems that manage controlled unclassified information. So it really ties that into the procurement process tightly, more than just reps and certs, but where they actually need to provide scores that are auditable and traceable, which is used as part of the acquisition process.
John Verry (05:23):
Yeah. So a question for you. So if I’m not mistaken, they use a term that will be in all solicitations and contracts. Do you interpret that as being that, like, if you’ve got a 20 or 21 requirement, the 19 requirement comes along for the ride? Or was that just my interpretation of what I read? I might’ve misinterpreted that.
Scott Armstrong (05:42):
In my interpretation, it’s in all the contracts no matter what, and-
John Verry (05:46):
[inaudible 00:05:46] too, which I thought was odd.
Scott Armstrong (05:49):
And it’s also I believe for any contract extensions or enhancements and things like that. So it could affect legacy contracts as well.
John Verry (05:56):
Okay. So in short, right. So we’re going to see a 7019 in virtually all of the contracts, or all of the contracts that are coming out. And that obligates the organization to conduct this DoD assessment?
Scott Armstrong (06:11):
Yes.
John Verry (06:12):
And then once they conduct that DoD assessment, what are their obligations beyond that?
Scott Armstrong (06:18):
They’re going to have to submit it into what’s called the SPRS system, which is the government contracting system where the acquisition folks can verify the contractor’s performance, to include the assessment score, as part of that acquisition decision.
John Verry (06:36):
Got you. And that’s the Supplier Performance Risk System, I think that’s what that means?
Scott Armstrong (06:42):
Yes it is.
John Verry (06:44):
Okay. And who sponsors that? I mean like is that the DoD that actually is responsible for maintaining that registry?
Scott Armstrong (06:52):
It’s DoD. I believe it might be sponsored by the Navy, but it’s a DoD registry. So it’s open to all DoD staff, acquisition-wise, to be able to review. Each company will be able to view their own ratings within it, though.
John Verry (07:06):
Okay. So I’ll upload my ratings there, I’ll have the ability to see my ratings. So the DoD agencies will have access to it. Will the primes have access to that as well, if they’re forming, like, a pursuit team? Is that how they would know where you stand, or would you have to grant them access? Do we have any idea yet how that part is going to work?
Scott Armstrong (07:23):
The most clarity that I’ve gotten right now is that each company will only see their own scores. So a prime contractor is not going to be able to go and see everybody else’s score. So you’re going to have to… If you’re building a team, you’re going to have to be asking those scores directly from your teammates.
John Verry (07:41):
I got you. All right. So that’s 7019 which will end up as a great summary. Let’s talk about 7020. What is 7020, and how does that compare to 7019?
Scott Armstrong (07:53):
So 7020, as I understand it, and again applies to the contractor’s covered information systems that manage controlled unclassified information. The delta is they’ve got to provide the government access to those systems in case they want to do either a medium or what’s called a high assessment. So when you do your own self-assessment, they consider that a basic assessment, it’s self-attestation, so it hasn’t been verified. So when you do this, it requires you to submit that to the SPRS. If there’s already another score there, however, you’ve got to now allow the government to come in and do their audits if required. And you’ve also got to insert the clause in all subcontracts that you have before awarding those subcontracts as a prime contractor. So that’s key. So that’s where they really want the flow down of this capability to really follow the controlled unclassified information with all your subcontractors.
John Verry (08:54):
Got you. So in terms of… the government reserves the right to audit. If you see a 7020 clause, that doesn’t mean they’re going to come in. That means that you’ve got to file your self-assessment. And then based on those answers, I’m assuming, or based on the criticality of the information in that particular contract, is how they’ll decide whether or not they’re going to come and audit you?
Scott Armstrong (09:15):
Yes. That makes sense. And the medium audit is less invasive than the high audit. It’s basically looking at your system security plan and a few other items. The high audit is where they’re going to be onsite for a period of time. And they’ve published some cost estimates where the number of medium and high audits are in the hundreds. So they’re not going to be in the thousands on an annual basis.
John Verry (09:39):
Yeah, I thought I saw something like that. A few, like 200 and something there maybe on the medium and like a hundred and something on the high, or something crazy like that.
Scott Armstrong (09:48):
Yeah, that’s about right.
John Verry (09:50):
200 medium, 110 high. Yeah, I actually took a note when I read it, because I thought it was interesting. So it’s not going to be a ton of people that are going to get hit by that. But that being said, depending upon where they see that score, I imagine that they might… As John Ellis from DCMA says, “We reserve the right to audit anyone based on our…” I forget what the word is, our prerogative, or something of that nature.
Scott Armstrong (10:16):
That’s true. It could be due to a cyber incident that he decided to go on it, or spillage, or something else with a-
John Verry (10:22):
Whistleblower [crosstalk 00:10:24].
Scott Armstrong (10:24):
Whistleblower? Could be another one?
John Verry (10:25):
Yep. And that’s an important thing, I think, if anyone that is listening. I just went through that RP training from the CMMC RP. And I was not aware of that on the False Claims Act, that there’s a whistleblower component to that, and whistleblowers can get somewhere between 20 and 30% of the settlement?
Scott Armstrong (10:45):
Yes.
John Verry (10:47):
Some of these settlements run into the millions. I mean, you can make a career just blowing whistles and going and laying on a beach somewhere. Me and you work way too hard.
Scott Armstrong (11:01):
That shows you the importance of when you’re submitting these scores into that database, though, you better be sure of what you’re doing.
John Verry (11:08):
I think that-
Scott Armstrong (11:08):
If you do get audited, the False Claims Act is definitely a hammer they’re looking at using.
John Verry (11:13):
That’s actually an interesting question for you. So really what we’re getting to is that prior to CMMC, before you have to get to a full CMMC, if you have to stay in the 171 world, you’re going to need to submit this assessment to SPRS. Do you think most organizations are going to self-assess? Do you think most organizations are going to use a third party? How do you think people are going to attack that?
Scott Armstrong (11:32):
I think it’s going to be a combination. I think people are going to start off with a self-assessment if they understand their gaps well enough. If you’re really being risk-averse, you should probably be reaching out to have a third party help do that gap analysis to make sure your interpretation is correct, especially when you get into the scoring methodology, which we might get into a little bit.
John Verry (11:52):
Yeah, let’s go there now, because I think it’s more logical to kind of fit that into this part of the conversation. So let’s talk about that. So this assessment is done using the “DoD assessment methodology,” correct?
Scott Armstrong (12:06):
Yes.
John Verry (12:06):
What is that?
Scott Armstrong (12:07):
So it’s a methodology that’s been developed by DCMA, the Defense Contract Management Agency. And they’ve got the audit teams that have stood up, and they started doing 171 audits over the last year, and they were charged to come up with a scoring methodology to help manage risks and to score it appropriately, at least from a DoD perspective. And some of the common problems that they found with some of the control areas is where they did penalties of different sorts, if you were partially implemented in a control or not. But if you have a perfect score, since there’s 110 controls, you would score 110. But with the way they’ve done the weightings you can actually get penalized for not having a control by greater than a one point score, could be five points for instance. So you can actually potentially go negative.
John Verry (12:57):
I was going to ask you that. [inaudible 00:13:01] Yeah, there’s one point, three point and five point. You can think about it logically, you could end up with like a minus 220 or something like that perhaps. Which I guarantee, if you’re going to be one of those [inaudible 00:13:11] a minus 220, I think they’re knocking on your door.
Scott Armstrong (13:14):
They’re probably not going to be awarding you any new contract that’s for sure.
John Verry (13:20):
So folks that are interested can do a search on DoD assessment methodology. That’ll get them to that particular document, which defines the process and the scoring and things of that nature. And then the methodology calls out another document, NIST SP 800-171A. Want to touch on that?
Scott Armstrong (13:39):
That’s really the assessment guidance that NIST has published. So what assessors should be looking at when they go do an audit to say, “Have you met these controls or not?” And it includes, for testing a control objective, it might be asking for particular types of evidence or testing the control and things of that nature. It’s probably, along with the DoD assessment scoring methodology, kind of the authoritative guidance that’s out there from a government perspective of how to do those assessments, and what they would be looking for when they do those.
John Verry (14:15):
Okay. So somebody who’s listening that says, “Oh crap, this applies to me probably.” First thing is they download a copy of this DoD assessment methodology and read through it. It’s probably about, I remember, like a 12-page document, and really most of it is about the scoring and just setting some of the rules and guidelines, and refers to 171. They download a copy of 171A and they would actually try to conduct an audit against themselves using 171A as the criteria on a control-by-control basis. Correct?
Scott Armstrong (14:43):
In theory. Now that assumes that you are skilled in the art of reading this special puzzle. Well, I-
John Verry (14:54):
Everybody is. Well, I will say this, is that I think 171A is, they did as good a job as they can. And I would encourage, I don’t know if you’re familiar with NIST HB, which is weird because everything’s usually SP. HB 162 or 162B, but it’s 162, is a handbook that’s associated with 800-171. I think that’s another good document that you can use to augment the 171A, if you’ve got any questions. Because that also gives you an idea of what you should be looking for when you’re implementing the controls. I think you could use it in the same way from an assessment perspective. So I think that’s another great document to augment 171A, and then they’ll be responsible for scoring per the assessment methodology.
John Verry (15:36):
So they’re either going to give themselves a zero deduction for that. Basically, I guess it works on a deduction basis. You look at every control, you start at zero because if you can achieve the control you get a point. If you don’t achieve the control you get minus one, minus three, or minus five. And then you move to the next control, and you submit that. And then do you know how it works with, I’m assuming that anywhere where you don’t achieve the control, that you’ll probably have to submit a POA&M associated with that?
Scott Armstrong (16:06):
Well, my understanding with the submittal of the summary score, you’ve got to submit the date of the final POA&M that gets implemented, that clears out. So when you would be fully a hundred percent compliant with all 110 controls. So you might have five POA&Ms, but you go with the date of the latest one.
John Verry (16:24):
You’re only going to submit one?
Scott Armstrong (16:25):
That’s my understanding. So you’re not saying what the POA&Ms are, but you’re just giving that completion date.
John Verry (16:30):
Okay, cool. And just for the record, this is October 14th that we are recording this. I think it’s November 30th of 2020 this will go into effect. And we’re in a… What do you refer to it as, a comment period? So anything we’re saying right now is subject to comments, interpretations, clarifications that I’m sure are going to happen between now and then.
Scott Armstrong (16:54):
Yes. And the interesting thing with the interim rule, because this is published as an interim rule and those comments are allowed, but it goes into effect while the comments are being submitted. So the changes might not occur for two, three, four months, if there are changes based on those comments, for when this becomes a final rule. So it could stay as is, or could be modified by the time it comes to final rule, but it’s effective November 30th.
John Verry (17:22):
Okay, cool. So either way, what we have is going to go into effect and then they may or may not change it. And they may or may not change it on November 30th, or December 15th, or January 23rd.
Scott Armstrong (17:33):
Whenever they decide to.
John Verry (17:34):
Okay, cool. So my guess would be, and I didn’t see this, but it was 83 pages so I may have dozed off a couple of times. I’m assuming that DCMA and DIBCAC would be the entities that are conducting the audits, being they’ve been doing 800-171 auditing to this point?
Scott Armstrong (17:56):
Yes. Certainly for the highs they’d be doing. I’m assuming they are for the mediums, but I’m not sure if there could be other agencies involved for the mediums.
John Verry (18:03):
Okay. That makes sense. So 7019 sets us up for a new requirement to do these DoD assessments, 7020 adds on the idea that you’re signing on for the government potentially conducting an audit. And it also establishes flow down. So there’s no flow down in 7019 I guess.
Scott Armstrong (18:24):
Not in 7019 that’s correct.
John Verry (18:27):
All right. So the big things to move from 7019 to 7020 are flow down, and the potential DoD audit, call it the DCMA, DIBCAC audit.
Scott Armstrong (18:39):
Yeah. So with the flow down, you’ve got to make sure your suppliers have their scores in SPRS before you can subcontract with them.
John Verry (18:48):
Got you. All right. Makes total sense. All right, so we covered 19, we covered 20. 21 was the one I was looking for, because we had all of this [inaudible 00:18:59] CMMC, but there was no contractual obligation that could be made to it. So 7021 will go down in history, I think, as one of the single most important DFARS clauses. So let’s talk about 7021. Tell me about that.
Scott Armstrong (19:17):
So this is finally where we’ve got CMMC language in the DFARS, that it can start being used from an RFI and RFP perspective, which has been key. Based on my understanding of what Ellen Lord has published, they’re going to be hand-selecting the contracts for year one, and expanding it every year through the next five years until they get full coverage. So this enables CMMC to be selectively used and rolled out to the industry, both getting accreditations done, certifications as well, all those sorts of things. So this has been instrumental. Right now I think we’ve had a few RFIs, like some GWACs, government-wide acquisition vehicles, where they put in that CMMC requirements may be used in that vehicle. And they haven’t been used in any true acquisitions to date, and this language really enables that.
John Verry (20:11):
Got you. So we see a 21 clause, you’re on the hook for CMMC, the level to be established by the RFI or contract, correct?
Scott Armstrong (20:22):
Yes. And that would probably outline, for that contract, different levels for different parts of it, potentially for teammates. Because you might have some level one requirements versus, say, some level three requirements. But then it would all be spelled out.
John Verry (20:37):
Just give me an example of how that would work, like where a contract might specify, would that be for different components someone might be providing, or what would be an example of where a contract would have two requirements, let’s say a level one and a level three?
Scott Armstrong (20:51):
Let’s say there’s a requirement for controlled unclassified information, for a design thing that we all know is controlled unclassified information. And it’s known that’s going to be probably pieced out to a subcontractor that specializes in it. That’s the type of thing where they would wrap language around it. So from a task order or subcontract perspective it could be traced down there. But there could be support functions, more labor staff type support functions, that might be subcontracted that really you’re not going to have access to controlled unclassified information. You could be doing a help desk-
John Verry (21:26):
It was interesting when… Again, I’ll refer back to the RP training. The RP training, by the way, was difficult but had some really interesting things that I learned from it. Like one which was really interesting is that there’s the concept, and this might be another great example of what you’re saying, which is why it came to mind, is that they showed an example where the contract holder for a contract that included both FCI and CUI was only a level one, only authorized for FCI. But yet they actually could control a contract that had CUI. And what they were doing is that the FCI would flow back and forth to that. But the CUI would flow back and forth to their subcontractor without them having any access to it.
Scott Armstrong (22:08):
In a separate enclave, in a private manner that way.
John Verry (22:10):
Yep. That’s exactly it. So that would be a great example where you might have these different requirements. And it is a really cool concept that somebody who’s level one certified could have a contract that’s got a level three requirement in it, if they structure the enclaves and access to the enclaves optimally.
Scott Armstrong (22:29):
Yes. And that goes back to how the prime contractor would probably be structuring their team, and the technologies and [inaudible 00:22:36], for managing the CUI.
John Verry (22:38):
Cool. And then the 21 keeps the 20 requirement to flow down?
Scott Armstrong (22:44):
Yep.
John Verry (22:45):
Okay. Except in this case we’re not flowing down 7020, we’re flowing down 7021 or CMMC.
Scott Armstrong (22:52):
Correct.
John Verry (22:53):
Okay. And it has that same requirement that prior to an award to a subcontractor, you have an obligation to confirm their active and appropriate CMMC certification level.
Scott Armstrong (23:05):
And that’s my understanding as well.
John Verry (23:07):
All right, cool. So I think those are the key three things about… Did we? We did a pretty damn good job there, sir. We’re 22 minutes into a podcast, it’s 88 pages and we’re done? We must’ve missed something, but shhh, maybe no one will realize it. We sounded authoritative. So I mean, we must be right.
Scott Armstrong (23:32):
We must be right. There’s still going to be more detail that evolves on this as we go through the comment period, I’m sure.
John Verry (23:39):
All right. So let’s talk about what do you think, or do you know exactly, what if I’ve got an existing 7012 contract? Does my 7012 contract suddenly become a 7019? Will that only happen through some type of contract extension, contract update? And this might be a question I should know the answer to and I don’t. Does the government have the right to update a contract? I mean, because if you think about it logically, 7012 said you need to be at [inaudible 00:24:09] anyway. So if you suddenly start barking and saying, “Wait a second, you can’t push a new contract requirement on me to be 7019.” Because that would be not have to be [inaudible 00:24:17] 171 compliant which… Oh yes, right, I was already that. So what’s going to happen with 7012 contracts that exist, do we know?
Scott Armstrong (24:24):
My understanding is that they probably won’t be touched unless there’s a contract mod or extension or something that’s going to drive the contract to be modified. I’m not certain if the government would have the right just to retroactively do it without having a business need to do a contract mod or extension. But if there is a new contract action against that existing contract, that’s where the new clause will definitely apply.
John Verry (24:47):
Got you. So if you’ve got a 7012, maybe you don’t have to… So you don’t think the existing 7012s, if they don’t get modified, we’ll have to put anything into SPRS?
Scott Armstrong (24:56):
Probably not for that contract. But if they’re going to bid on any new work, they’re going to have to.
John Verry (25:01):
Exactly. So let’s talk about the implication here. So I looked at 7019, 7020, and 7021 probably a little bit differently than end user clients will. Because I look at the three of them as saying, oh okay, I have two different things that might happen. I either have to conduct a DoD assessment and upload it to SPRS, or I need to get CMMC level three. But logically, if you are going to go to the effort of truly confirming your compliance with 171, that puts you roughly 85% of the way to level three.
Scott Armstrong (25:41):
Yes.
John Verry (25:42):
So logically, like I look at this and I don’t know if the government did this intentionally. I think the net effect of this is going to be that this is going to drive more people to level three faster. Because if I’ve already got to go to this level to have a formal assessment done, why wouldn’t I just go the next step and now have the CMMC level three and differentiate myself and be ready for any contract?
Scott Armstrong (26:05):
That’s the logical extension. As soon as you’re either looking at that contract or you’ve got the availability of C3POs to give you a certification, that’s a logical next step, because from a marketing perspective that’s how these groups should want to be positioning themselves.
John Verry (26:20):
Got you. So I mean, I looked at all three of them and I was like, okay, this is interesting. I just think every conversation with a client is going to be like… I think you’re going to have some clients that are going to say… You know what, I think the more sophisticated clients that have a strong information security team, I think 7019, 7020 probably makes sense for them, because they’re going to be able to do it themselves. They’re not going to have to go through that. But I think if you’re looking at a 250-person manufacturing organization with outsourced IT, I think doing the assessment yourself is going to be challenging, at least challenging to be comfortable that you’re not going to file something that’s not accurate and end up at risk. So I think they’re going to end up, of course, using third parties. And if they are, I think, why not go the extra 20% of the way or 15% of the way and be done with it, and be CMMC level three.
Scott Armstrong (27:13):
I mean, most people, if you’re going to go through that process, especially engaging with a third party, the most cost effective way would be to do it both at the same time.
John Verry (27:21):
Yeah, I think so too. So I thought it was very interesting you read the tea leaves the same way I did. I got the impression that they were trying to lessen the pressure into the CMMC program, because the government is absolutely worried that we’re not going to have enough consulting resources, there’s not going to be enough RPOs out there, there’s not going to be enough C3POs out there to get, let’s say, 40,000 companies through the pipeline in 2021. Which is why they put… What do they have? It’s 150 contracts and 1500, I think, was the number that they were taking for 2021?
Scott Armstrong (27:55):
I think it’s 15 contracts, expecting the prime to have about a hundred subcontractors. So roughly-
John Verry (28:01):
1500.
Scott Armstrong (28:01):
1500 yep.
John Verry (28:02):
So I think that they know that if the number gets much above that, there’s going to be a queue of people waiting to get through this. The second thing too is that, and anyone listening should really think this through, the other thing which they really specified in the RP training was that the audit process sounds like it’s going to be reasonably onerous. So they have this idea of two forms of objective evidence, from two different classes of objective evidence. And the cumulative evidence needs to show, call it integration, or that this security practice has been baked in, operationalized into the culture. Which basically means that you can’t get done standing this up, write a policy and say, okay, let’s go for the audit. So we’re going to need what we call in consulting, I call it a soak period. You’re going to need some period of time that you’re going to have to let this environment run to make sure that these controls execute and we generate the evidence. So I mean, I think you’re going to be minimally talking about three months for the soak time.
Scott Armstrong (29:03):
I’ve typically been saying three to six months, depending on the organization, how much change they have to do to do it.
John Verry (29:11):
Yeah, I agree with you about the six months. I was saying three conservatively, because if you think about it logically, periodicity of controls is usually daily, weekly, monthly, quarterly, biannual, annual. I think they're going to give you a pass on an annual control, but if you've got biannual controls, or a control that fires once every six months, you probably have to wait for that control to fire before you're going to go through the audit, at least to play it safe. It'll be interesting. Like one of the things that we might do, and one of the things I'd recommend that people do, even if you want to eventually have a control that's every six months: in your initial implementation, if you're just updating your controls now, make it every three months. That way you might be able to-
Scott Armstrong (29:54):
Good idea, because you can get the evidence trail going, because that's the key part of it from an auditor's perspective.
John Verry (29:58):
Yeah. It's going to be interesting. I'm really anxious to see the guidance that comes out on the audit programs. All right, so let's talk about, we're fans of a product that you guys offer called Certification Assistant. Tell folks what Certification Assistant is, and then let's talk about whether they're dealing with 7019, 7020, or 7021, how that product might be something that would make sense for them to think about.
Scott Armstrong (30:26):
Sure. So it's software as a service-
John Verry (30:29):
Wait, Scott, real quick for you. Just in case, can you also take a step back? Maybe some of the people listening, a lot of them you manage relationships with, like 135,000 of the 300,000-ish plus entities. But that means half the people listening or more may not know who Exostar is and what your place is in the DIB. So maybe start with who Exostar is and what the services you provide are as a whole. And then the fact that you've introduced this new set of services that are specific to this called Certification Assistant, and then talk about that.
Scott Armstrong (31:01):
Sure. That's great. So Exostar has a secure managed community on behalf of the Defense Industrial Base, working with large prime contractors like Lockheed Martin, Boeing, Rolls-Royce and others, where we connect together their supply chains. And many of the suppliers and subcontractors that work with the large prime OEMs are part of our community, where we've got secure credentials and a managed access gateway, where it's a very secure environment for handling the transactions and collaboration between these communities. And it includes things that you might call controlled and classified information as well as part of those collaboration actions.
Scott Armstrong (31:44):
So we've been around for 20 years doing that. Recently we've gone under a new ownership with a private equity firm, Thoma Bravo. We used to be a joint venture that was owned by a larger [inaudible 00:31:55]. What we're doing now for CMMC, and looking at this opportunity and challenge for the DIB, is we're trying to bring solutions out to that entire community. And they're part of our community now, where they're collaborating with their partners and [inaudible 00:32:14]. And we want to help give them kind of the guided tour and pathway of how to achieve and get ready for both CMMC as well as the challenges around 171.
Scott Armstrong (32:25):
And when I look at that, it's really an ecosystem of what's got to be brought to bear. We're bringing some software tools to bear where a supplier or contractor can do their own self-assessments. They can collect the evidence that's needed to be able to go through an audit. When we saw the DoD scoring assessment methodology, and how this regulation was coming out, we've made some recent updates so that you can view your compliance both from a CMMC-like level three perspective versus the 171, and understand your own gap analysis and do your own assessment scoring based upon the DoD assessment methodology.
Scott Armstrong (33:04):
We're even adding in a report so that when you get your score, you're going to have an audit trail: that score was generated at this time for that covered information system. Because that score could be changing over time as well, as you knock down your POA&Ms and you improve your security posture up to getting the full 110 controls implemented or achieving level three certification. And that's where, as part of that solution set, we extended to a partner program with folks like Pivot Point, where we've got the ability for consulting partners to collaborate with the community and help review their system security plans, and controls, and things of that nature. To help kind of raise the overall security posture for the companies that need assistance as well.
John Verry (33:52):
What I like about the tool is that it gives, and when we're chatting with people that we're working with on the platform right now, it gives everyone a unified, simplistic view of where we are in the process. And I think when you look at many of the DIB companies, [inaudible 00:34:10] supply chain companies make a large percentage, if not the vast majority, of their revenue through defense contracts. And if they are not successful, they're out of business. So what I like about it is, like, we're working with a client right now: procurement wants to be involved, the owner wants to know where he is, the guy who runs business development, like that's how… bidding, trying to get on these pursuit teams, he needs to know where he stands. The IT director needs to know where he stands.
John Verry (34:38):
They know they don't have the bandwidth and expertise to fully implement the control environment. So they've given us access into their environment. We're in their environment, we're actually populating the tool. We're popping in the components of your tool that allow a system security plan to be generated automatically once it's populated. We're documenting each of the individual controls, so in their case they're going to be CMMC level three. So you've broken it down across the 17 domains, all 130 controls. For each of those 130 controls, we go in and we enter exactly how they meet that control. We attach policies, and procedures, and documentation, I'll call them design artifacts, relative to that. If a control doesn't yet meet where they need to be, we're able to put an action item, a POA&M if you will, in place right there. They're able to track where each of those is, put a date to it, know who it is assigned to.
John Verry (35:28):
So really what it does is it gives them a single unified view for not only their internal team but their extended team. And then once we go through that and we're complete, let's say, well, now the environment's fully stood up. Then we can actually assign a different person, let's say on our team, or they could assign a different person from a C3PAO if they wanted, to conduct it. So now they can grant access to an auditor who has their own view, where they can't edit or alter anything, but they can see all of the evidence for each of the controls, they can see the system security plan. So they can now conduct an audit from within there. They can generate POA&Ms on their behalf, or they can generate their own POA&Ms internally. And now once that process is complete, they can now grant access to the C3PAO and let them go through the same process. So from my perspective, this idea that you've centralized this information, and just kind of the entire process can be managed through a single web-based interface, is pretty damn well done.
Scott Armstrong (36:27):
Thank you. And that's the whole design goal we had. And when we looked at the challenge of CMMC and the challenge of scaling to the level of security across the DIB with 220,000 to 300,000 companies, unless you can really enable that collaborative environment, especially when you talk about the extended teams, or the C3PAOs, you're not going to… My belief is we wouldn't be able to achieve that scalability that the DoD desired without that collaborative capability.
John Verry (36:58):
Yeah, now I think it creates a level of efficiency that is going to be necessary if the DoD is going to get 300,000 people through the process in the next five years. It is a crap load of work that needs to be done. All right. So, it bears pointing out, you have a 171-based offering, you've got a level one-based offering, you've got a level three-based offering, and you have a level five-based offering, or will have a level five once we get the clarity that we need.
Scott Armstrong (37:33):
And for 171, that's part of either our level three offering or our level five. So once you actually get up to what we call our standard edition, we've always got that 171 capability.
John Verry (37:45):
Okay. Level three is like $3,500ish per year?
Scott Armstrong (37:51):
Correct.
John Verry (37:52):
Right. And then what I'd say about that is that you can just maintain your evidence in there year after year and just update it each year.
Scott Armstrong (37:58):
That’s right. And you’ve got to be managing your evidence as-
John Verry (38:01):
Throughout the year?
Scott Armstrong (38:01):
Throughout the year.
John Verry (38:04):
Yeah. So as an example, every time, if you've got a quarterly user account management review for your [inaudible 00:38:12], the fact that took place and that someone's… You're going to put that evidence right into the platform right away. And then the level one is like 1,200… I forgot the number for level one.
Scott Armstrong (38:28):
$199 for the annual supply.
John Verry (38:31):
That’s ridiculous. That’s an [crosstalk 00:38:34]
Scott Armstrong (38:34):
We’ve added in some other features as well just to help drive the value there.
John Verry (38:39):
Yeah. Well listen, at $199 it's a no-brainer there. You will save 10 times that just in managing the external audit, right?
Scott Armstrong (38:49):
Without a doubt.
John Verry (38:51):
So question for you. So if somebody is on your platform, they're already signing into [inaudible 00:38:58] and all that kind of fun stuff, those are the prices. What if somebody is not already on your platform? Like, does it cost them more to join the platform and then add these capabilities?
Scott Armstrong (39:06):
So there's a required cost that we need to have for the platform your organization gets access to, but then different applications require different levels of credentials. In the case of this application, we require two-factor authentication.
John Verry (39:21):
That's $26. I know we just had a new consultant and he was like, "Ah, it's $26. Is that a [inaudible 00:39:32]?" All right. So literally, if somebody is listening and says, "Wow, I'm in the DIB, I should be part of this platform," they can literally come in, they sign up. It costs them $26 to get the first part, for every person that's going to be on the system. And that's so that they end up with two-factor authentication. So like in my case, because I'm on the platform, you send me a text message every time I sign on, to make sure it's me, and I [inaudible 00:39:57] six numbers and we're good. And then once they get in there, once they're on the platform, there'll be an option to upgrade to, it's called the product, Shield Certification Assistant. They'll be able to pick the level, and whichever level they pick there'll be an associated cost. Do you know what the cost is yet on five, or are we still working on that?
Scott Armstrong (40:14):
It's currently $5,000 for the subscription.
John Verry (40:17):
Okay. That's a five [inaudible 00:40:20]. And I think the number of people who are going to need that is going to be incredibly small anyway. All right. So like I said, we're damn efficient. Are there any last thoughts, anything you think we missed?
Scott Armstrong (40:30):
One thing I will make a call out for, for people that don't have policies in place to do it today: we do have another, what I kind of consider a partner solution, called PolicyPro that not only has policy templates but has the ability to evaluate your existing policies against both 171 as well as CMMC level three. So if you've already got your policies in place and they're robust, you might not need to look at it, but there are firms out there that I've talked to that are starting from ground zero. And that's another tool to help facilitate, even with extended teams and consultants sometimes, helping them customize the policies to their own organizations. Because everybody needs to customize them no matter what.
John Verry (41:13):
Cool. All right. So we always like to have a little fun as we end the call. Hopefully you did your homework and you're ready for this question, because if you're not, you're going to look silly, and you already looked silly saying you like peat in your whisky. So-
Scott Armstrong (41:24):
I'm worried now.
John Verry (41:26):
Two strikes and you're out. We're not going three here. So give me a fictional character or a real person that you think would either make an amazing or horrible CISO for a defense supply chain company, and why? Folks, he didn't prepare. Why don't you say General Laphroaig or something like that.
Scott Armstrong (41:44):
General Laphroaig, I’ll go with that one.
John Verry (41:50):
Scott, this has been incredibly disappointing. This whole meeting, I mean, it's a good thing you brought a little bit of value to the table on the 7019, 20, 21 [inaudible 00:42:00]. You really crapped the bed the rest of the interview. All right, so in fairness to Scott, and I hate to take blame, but I will take blame. I didn't send him the agenda till yesterday afternoon, so I'll take the bullet that he's got. Not for the Laphroaig, but I will take the bullet for the fictional character.
John Verry (42:25):
All right. So look, you're chatting with folks every day in the DIB defense supply chain. Anything you think would be an interesting topic for another episode?
Scott Armstrong (42:35):
I think watching how this progresses, and actually maybe having somebody from DCMA or somebody on the government side give an update on what they're seeing as this progresses as well.
John Verry (42:47):
I think that’d be a good idea.
Scott Armstrong (42:49):
Especially from an acquisitions perspective too.
John Verry (42:52):
What do you mean by from an acquisitions perspective?
Scott Armstrong (42:55):
Some of the details where we're talking about how this will impact certain contracts or not. At the end of the day, that's where it's going to make a difference to businesses. When is it going to impact their business, and how? I've talked to people where they say, "Okay, I know the effective date. But when is the contract going to be coming down to me that's going to impact me? Or when do I think they're going to modify the contract?" I told somebody last week it could be December, it could be the first quarter. I can't judge your business, and therefore how aggressive the government wants to start doing those things. And they're going to be getting very aggressive with all new contracts.
John Verry (43:35):
I actually think that they're going to figure out a way to make changes to a lot of these existing contracts, because they are hell-bent on getting people to live up to the obligations. And I know that they're going to be aggressive with the False Claims Act. I saw a number, I mean, I forget what it was. Was it like a billion dollars or something that they've made in False Claims Act recoveries in the last year? I mean, it was some number that was just nutty to me. So yeah, I think they're going to try to figure out a way to push the people that have 7012s into it quicker. So we'll see how it does.
Scott Armstrong (44:07):
If you look at contracts, many of them go out five years. If you've only got six months left on it, you might not be at risk. But if you've got any number of years left, you're going to have contract mods coming down, without a doubt.
John Verry (44:19):
No question. I think they're going to make reasons to have contract mods.
Scott Armstrong (44:22):
Right.
John Verry (44:23):
Yeah. I agree with you completely. And by the way, I think I mentioned earlier, John Ellis from DCMA had been on, and he's the guy that kind of is involved with DIBCAC and runs all that kind of fun stuff. And he was on the podcast and he offered to come back on late in the year when stuff started. So we will get him on to see if we can answer that question, because I think it's going to be fun to see where this all goes. So, awesome job. I very much appreciate you coming on. If somebody is interested in getting in touch with you, or interested in learning a little bit more about Certification Assistant, what would be the best way for them to get in touch?
Scott Armstrong (44:59):
Two ways. I always appreciate people reaching out directly over email; that would just be [email protected]. And we also have a [inaudible 00:45:08] that goes out to a broader set of speeds within Exostar; the [inaudible 00:45:14] is [email protected]. And we handle a lot of inquiries across a lot of topics with CMMC as well as the new DFARS ruling.
John Verry (45:26):
Excellent. So, great stuff. Thanks again, sir. It was fun chatting.
Scott Armstrong (45:31):
All right. Thank you. Very enjoyable.
Narrator (45:34):
You've been listening to The Virtual CISO Podcast. As you've probably figured out, we really enjoy information security. So if there's a question we haven't yet answered or you need some help, you can reach us at [email protected], and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let's be careful out there.