If your organization is in the DIB, CMMC compliance is a big deal.
It’s probably the biggest thing to happen to information security in history.
And you need to prepare. Your business could depend on it.
That’s why for this episode, I sat down with Chris Lank, Founder and CEO at Ivis, a company offering a solution for monitoring any compliance, not just CMMC, year-round.
Chris goes over the ins-and-outs of the changes CMMC will bring for your business — especially for smaller DIB organizations — and how to prepare.
What we talked about:
- Why CMMC is necessary
- What your organization needs to start doing right now to prepare
- How tools like Ivis’ can make the compliance process a whole lot easier
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
Speaker 1 (00:06):
You’re listening to the virtual CSO podcast, a frank discussion providing the best information security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:26):
Hey there, and welcome to another episode of the virtual CSO podcast. As always, I’m your host, John Verry, and with me, unfortunately as always, the share to my sunny, Jeremy Sporn. Hey Jeremy.
Jeremy Sporn (00:37):
See John, I always knew we had this special relationship. I don’t care how many times you say unfortunately as always, it’s just, I know how you really feel about me.
John Verry (00:46):
Yeah. Thanks for that. I’ll have the, I got you babe running through my brain the rest of the day.
Jeremy Sporn (00:53):
You’re welcome.
John Verry (00:56):
And the only reason you probably know about that is through a Groundhog day, right? That’s the song that came on every morning. Right?
Jeremy Sporn (00:59):
I actually do know that movie. See, you know me so well.
John Verry (01:04):
And so what do you think of my conversation with Chris.
Jeremy Sporn (01:06):
So Chris is just really sharp guy. What I like about Chris is he is so checked in with the challenges that small and medium suppliers in the DIB are facing. As a guy who has started a business, runs a business and needs to keep his own business secure, he just really gets those challenges small to medium sized businesses in the DIB are facing.
John Verry (01:30):
Yeah. I mean, I think it’s that exposure and the fact that he’s so plugged into the DIB that helps him really understand both the security and the compliance challenges they’re in.
Jeremy Sporn (01:40):
Exactly. And the episode’s focus was geared around the benefits of leveraging a tool to hit CMMC certification. Chris certainly has a bias there as a CMMC vendor [crosstalk 00:01:53]. Yeah. But he really does a great job of explaining the realistic benefits without saying, do this or else, as a career marketer. I really am impressed about how genuine he is. He’s someone who just wants to help people succeed.
John Verry (02:07):
And many of the organs in the DIB don’t necessarily have a super well developed information security program. So I do think that the idea of using a tool will be both appealing and helpful for a lot of them.
Jeremy Sporn (02:18):
So if the CMMC is an acronym you have heard of before, this is a critical lesson for you. The decision to leverage a tool or not to reach CMMC certification is an important one for you and your business. And I think Chris does a great job of helping make that decision.
John Verry (02:33):
Agreed. So with no further ado, let’s get to the show. Chris, how are you, sir?
Chris (02:44):
Good, John. How are you?
John Verry (02:46):
Thanks for coming on. Good to catch up again.
Chris (02:48):
Yeah. Good to be… We made it to another Friday.
John Verry (02:53):
Yeah, we did. In COVID world that’s about all you can hope for.
Chris (02:56):
That’s right.
John Verry (02:58):
So let’s super simple. Tell us a little bit about who you are and what it is that you do.
Chris (03:04):
Yeah. Again, my name is Christopher [Lank 00:03:06]. I’m the CEO and founder of a company called Ivis technologies. What Ivis does is we help organizations in the aerospace and defense industry manage their risk and compliance programs. This is something we’ve been doing for quite some time. We work closely with a couple of the very large primes out there. Our main partner in this is a company called Huntington Ingles industries, that is one of the top 10 primes out there, our nation’s biggest ship builder for the Navy. This was a partnership that we developed with them back in 2015, when the organization was actually looking around how they could look at risk around their compliance programs. And it has been a very successful partnership with us that’s also been very successful going forward with the products and services that has come out of it.
John Verry (04:04):
And most importantly, relative to those products and services and why we wanted to chat with you of course, is some of the stuff that you guys are doing around helping organizations conform with and prove so, things like CMMC level one, level three and in this SBA-171, correct?
Chris (04:21):
Correct. Correct. And we look at compliance from a very holistic point of view, understanding that it’s not a one size fits all, and that organizations out there even a very small mom and pop type shops that do business within the defensive industrial base, have to have these programs in place in order to continue to doing business with the government. And now we’re starting to see some of those mandates trickle over to the commercial side as well. So I think we’re very well positioned to help any size of organization to get these processes and these procedures and these compliance programs up and going and help them out.
John Verry (05:03):
Got you. So before we get down to business, I always have a very critical question we need to ask, what’s your drink of choice?
Chris (05:09):
So I actually, over the last few years have become quite the bourbon connoisseur, that is something that I-
John Verry (05:18):
I’m going to gauge whether you’re a connoisseur or not, because I like to fancy myself as a connoisseur.
Chris (05:23):
So I would say probably my favorite bourbon right now, and I kind of belong to a club of gents where we are out there trying to find the best bottles under $50. So it’s kind of a little bit of a challenge.
John Verry (05:39):
I used to be getting something under 50 that was really remarkable, it used to be pretty easy before bourbon became hot again, four or five years ago, now it’s pretty hard. And now you got to get into that even 60, $70. So I’ll be interested to hear what you found for under 50.
Chris (05:54):
So the one that I like and it kind of depends on where you might catch it, if it’s on sale or not, a lot of times people just don’t have it anymore. I’ve always liked Basil Hayden. I was always a big Basil Hayden fan, Angel’s envy, some of the more contemporary ones, but if you’re out and about then you’re in a liquor store or a wine shop or whatever, and [inaudible 00:06:17] there’s a special Basil Hayden that is matured in cognac barrels and you’ll know it because it has a different look to it. It doesn’t have that sort of light amber color to it, it almost looks like a very light wine almost, so to speak. But is vast to becoming one of my favorite bourbons, is something that I enjoy drinking, especially if you’re just kind of sitting outside and whether you’re a cigar person or just after a nice meal, it’s just probably one of my favorite bourbons right now.
John Verry (06:52):
Yeah. It’s funny. I’ve had a few that are like Sherry cask or something of that nature. I actually have a bottle. I’m not typically a rye drinker, but someone gave me a very, very good bottle of Crown Royal that was aged in equivalent cast years. And it is, it does take on a distinct characteristic flavor, which I think is really good.
Chris (07:09):
It is. I would say anybody that is just now starting to get into it, one of the piece of advice that I would give them is if they’re at like Costco or any of these other places where you… because they sometimes get these really good deals, look for the single barrel stuff because the single barrel means that they let it sit in there probably an extra couple years, but there was no transfer around, so you don’t get an uneven flavor.
John Verry (07:36):
Right. Although the other one, which is interesting, I don’t know if you’ve seen any of the, where they call it solarium aged or solely aged. What they do is it’s an intentional mixing of barrels. It’s an old school style where in the Rick house, what they do is they rotate a little bit from the bottom barrel, into the next bottle up and they refill the bottom barrel. So by the time it hits the top of the bottle, what you end up with is let’s say if it’s a nine year old bourbon where you’ve got some nine year, you’ve got some eight year, you’ve got some seven year. So it’s an interesting way of doing it, it’s sort of… they’re not blending different producers of bourbon, which someone like bourbon barrel, I don’t know if you’ve ever had any barrel select. A guy’s famous for what he does, what he does each year as he sources his own bourbons and then blends them to create these unique characteristics.
And he’s usually in the top 20 bourbons every year, if not winning it. He’s got some really good stuff. I got a couple of his bottles that are real special. My favorite, I might go to like reasonably priced bourbon is Knob Creek. And if you ever get a chance, Knob Creek has a 25th anniversary blend that’s out there right now. That is, it’s expensive but it’s [inaudible 00:08:41]. I mean, just super. And then that same price point, I agree with the Angel’s Envy is great. I don’t think you can go wrong with some of the standards like the makers marks of the world. It’s a very solid bourbon. Jack is a very solid bourbon. I don’t know if you have ever had a… I’ll advocate for non Tennessee, non Kentucky stuff. I don’t know if you’ve ever had anything from Widow Jane out of Brooklyn. That really good. Jefferson’s reserve is a fun bourbon. There’s so many now, it’s crazy.
Chris (09:11):
There is. I think it’s kind of funny. I’m a kid of the 80s and so you always had these Jack Daniel parties or things like that. And there’s a couple of bourbon channels on YouTube that I like to follow these guys and-
John Verry (09:27):
I know the guys you’re talking about [crosstalk 00:09:29] 10,000 bottles in that one.
Chris (09:31):
Yeah. Exactly. Yeah, yeah. And they’re talking about some of their go to bourbon. Sort of like the day in, day out, I can go to, doesn’t really break the bank, and these guys are drinking things like Michter and a few others, but the one that they kind of turned me on to is when you ever hear the word Wild Turkey, you’re thinking, oh, that’s just junk, but the Wild Turkey 101 is-
John Verry (09:57):
It’s actually very good.
Chris (09:59):
Oh, it is amazing. And that’s about a $20 bottle of bourbon. It’s fantastic.
John Verry (10:04):
Yeah. And listen Jim Beam Black is an underrated bourbon as well. I mean, I think it’s eight years but it’s a really good bourbon at the price point. I mean, and it’s funny, like my next door neighbor across the street, and we’re spending way too much time on bourbon, but my next door neighbor across the street-
Chris (10:21):
It’s Friday.
John Verry (10:22):
… has literally has 115 different bourbons in his bourbon collection. So I know what you’re talking about with those guys. And again, it’s amazing, after a while you start going back into re tasting some of these old ones that are kind of the less pristine, because he’s got every version of Vanwinkle that you can have. He’s got an Eagle Rare 17, which is really a unique bourbon. He’s got George Stag, not just the Stag jr., George Stag. He’s got all the legendary stuff. And you go back and taste some of this stuff that you’re talking about and then you realize, you know what, there’s a lot of great bourbon at a very reasonable price point.
Chris (10:58):
There is. I actually had my first taste about a month ago, Pappy Van Winkle, and this is not one of the real, real expensive bottles, but it was close to 200 bucks and it was worth every dime. It was absolutely amazing.
John Verry (11:14):
Yeah. You know what’s funny though is that with the Van Winkles, and I’ll screw up the years here, there’s an 18 to 21 and a 15 and a 10, I think. But anyway, we did literally, did a tasting of like… I thought the 15 was the best and I thought some of the bourbons, like I’ve got some bourbons that are, Elijah Craig, 23 year old, I’ve done some of the old, the Orphan Barrels. I don’t know if you’ve ever done any of the Orphan Barrels that are like really old. These barrels became orphans and they’re 23 years, 24 years, 26 years. I got to be honest with you, after 15, I don’t know that it gets better in most cases.
Chris (11:51):
Yeah. I think that’s more of a wine thing, to be honest with you. I think wine is one of those that just as the older it gets, it just gets better. But I would agree with you. I mean, I’ve had some pretty stout stuff past the 25 year mark, and I think I would agree with you. But the other thing that I’ve been drinking a little bit more lately is some of the Scottish whiskeys and some of those like Glenlivet and the other one with the deer, I can see the label.
John Verry (12:20):
[inaudible 00:12:20]?
Chris (12:20):
No, it’s a… Oh, I can’t remember the name [inaudible 00:12:25] but yeah, some of these single malt whiskeys come out of the Scottish whiskeys are just amazing too.
John Verry (12:32):
Yeah. And as long as they’re not peated I could drink them. Like Jameson’s does a cask, If you’ve ever had Jameson’s Caskmates, that’s really special.
Chris (12:39):
Yes. Yeah.
John Verry (12:40):
All right. So enough alcohol, Jeremy-
Chris (12:43):
We could just stay on this all day.
John Verry (12:45):
Yeah. I was just going to… I mean, we’re going to have to make sure we put a warning and fast forward five minutes if you actually want to hear about CMMC. All right. So let’s get to the important thing. So many of the organizations that are in the DIB, the Defense Industrial Base are small and or they have relatively informal information security programs. So really what I wanted to chat with you about, because you’re the maker of a tool that provides… that they can leverage as they’re moving towards full 871 provable full conformance or CMMC level three, or even CMMC level one, I want to talk to you about how much value a tool brings in helping them get from where they are to where they need to be.
Chris (13:27):
Sure. Sure. So let’s kind of rewind a little bit and go back to right now, the [inaudible 00:13:35] point out near state R171. Okay?
John Verry (13:27):
Mm-hmm (affirmative).
Chris (13:40):
And technically, in any location that has to have that in place can be compliant if they have an SSP, so a System Security Plan and a POEM, a Plan Of Action and Milestones in place. So for all intensive purposes, you could, within a matter of a day, fill out your SSP, do your POEM and say, I’m going to get to this in six to nine months, and technically by the government standards, you would be compliant. That is the reason why CMMC has come into existence. The government talks about, in fiscal year 2018 that we lost over 600 billion in IP through hacks and intrusions from our adversaries, whether it’s Russia and China or whomever, it may be. And realistically, no one’s going to really come out and say this, but people were just phoning it in, they really didn’t have these things in place.
John Verry (14:34):
They sent Crayon a piece of construction paper, a big red crayon, an X, and they sent that upstream to the prime and said, yeah.
Chris (14:47):
Yeah, we’re good.
John Verry (14:48):
And he said “Good, we got the paperwork to put in the file.”
Chris (14:50):
Exactly.
John Verry (14:51):
Yeah.
Chris (14:51):
And what was happening is now with CMMC, they’ve gone to what they’re saying trust but verify. And this is why with CMMC, it’s no longer that I have to do these things, but now I’m going to have to present these findings and what I have done and put in place in front of what they’re calling the three PAOs, so a third party assessment organization to actually assess what they have done and completed, and then give them a certification on top of it. That’s what the radical changes here. It really, CMMC is a way of taking 871 and giving it some teeth.
John Verry (15:32):
Right. Right. And just to be clear, you’re referring to CMMC level three, which is a slight lift from 800-171 versus CMMC level one, which would be a logical subset of [inaudible 00:15:45] 171, which only applies to a federal contract information. Correct? FCI?
Chris (15:50):
Yeah. Correct. So if you look at 800-171, there’s 14 families, 110 controls. CMMC level one only has the bare minimum, what the government calls poor hygiene, and there’s only 17 controls. But in CMMC, those controls are now called practices. And so those are just the bare bone minimum, and I think most of the primes out there, if you do any type of business with them in any way, shape or form will have to be level one certified. And that can be as anybody who is a janitorial service who comes on site or someone who brings food onsite. What the government points out is the target hack that happened a few years back and the hackers didn’t attack target directly, they attacked an HVAC company there doing service at one of their retail locations.
So the government’s attitude is, is that if I had a catering company and I got a van with my name and my URL plaster on the side and they see me there delivering food, I’m low hanging fruit to a hacker, I’m a lot easier of a hack than let’s say if I was delivering to Boeing. So you’re going to start seeing the government really push the primes, and I think the primes have gotten this message already that we have to make sure if you do business with us, if we exchange money with you for any types of goods or services, whether you handle CUI so covered on classified information or not, you’ve got to at least have this bare minimum level one in place.
John Verry (17:26):
Yeah. So you said something interesting there. So you said that the government is going to push the primes. It’s interesting. I think that was what we all thought, but I don’t know if you’re seeing the same thing I am, but it seems like the primes are now pushing downstream even faster and harder than the government’s talking about it. Right? You know what I mean? I mean, because if you look at the CMMC roadmap, realistically it phases in over about a five year period, to a 2025, 2026, I can’t remember from chatting with Katie Arrington about this. But what we’re seeing is that a lot of these primes now in order for orange to be part of a pursuit or captured team, we’re starting to hear whispers that they’re going to push them to CMMC level three sooner than that even if some of the bids don’t require it, are you hearing the same thing?
Chris (18:12):
We are. We are, because here’s something that’s a bit different. So let’s go back to [inaudible 00:18:18] 800-171. I am a supplier for Lockheed Martin, let’s say and I make a widget. And I have said to Lockheed that I have my 800-171 in place, and I end up finding out that I have been breached. [inaudible 00:18:33] I have 72 hours to go ahead and let the DOD CIO’s office know that I’ve had a breach, and if I report to the prime directly or to a first year underneath the prime, I need to let them know immediately. That would… and again, if I had been hacked in CYA or CDI had been compromised, then you’re going to get a visit from DCMA, which is pretty much the carnitine arm.
John Verry (18:59):
Right. Quick question. Define CDI for people who might not know what it is, and please define DCMA as well, please.
Chris (19:05):
So, and you’re asking me these things. So DCMA-
John Verry (19:10):
I mean, you used an acronym [crosstalk 00:19:11] reasonable Chris, to would know what an acronym stands for?
Chris (19:17):
You would think that was the case. So and by the way, I’m just buying a second here when I look it up. Okay. So DCMA is Defense Contract Management Agency. I’m completely blank-
John Verry (19:27):
And that’s the guys that employ, like with the [DIBCAC 00:19:29] below that, which is the guys that do the actual auditing. Is that right?
Chris (19:33):
Correct. So if DCMA comes in, they’re going to audit you, you always hear about they follow what’s called 800-171 alpha. Alpha stands for the assessment. So that is their guide, So that’s what they always tell people. It’s like, listen, we’ve publicized this guy And so you know that if we have to ever come in here, you know what we’re going to be looking for. Okay.
John Verry (19:55):
Quick question for you there. So that’s something I am not familiar with. So is that guide… I’m familiar with 871, R1, R2B, is there actually a document out there called the A for the guy?
Chris (20:08):
Oh, absolutely.
John Verry (20:09):
Oh, I haven’t seen that. Thank you.
Chris (20:11):
Yeah. So that’s just it. And again, if we kind of have a little bit of a sidebar here, this is when you’re looking at right now, the CMMC accreditation body that is formed. And I think they’re finally kind of jelling together and they’re moving in the right direction, but you’re going to… I believe you’re still going to see direction coming from DCMA to the accreditation body to train these third party assessors out there on what they should be looking for within, let’s say, if they’re going for CMMC level three, because if somebody has CMMC level three and they have a breach, they’re still going to have the same reporting structure as before. I don’t think that’s going to change. And if they’re the same structure, DCMA is probably going to, like I said, going to start off because CMMC encompasses… level three, encompasses all of 800-171. It’s there. Plus 20 additional practices, plus 49 additional processes that come from the non-federal organization controls and appendix E or D or something like that. Okay?
John Verry (21:23):
Mm-hmm (affirmative).
Chris (21:24):
So they’re going to be looking for that continuity across the board. So that’s that. So you asked for CUI and CDI. CUI is Covered Unclassified Information. CDI is Covered Defensive Information. CUI is, kind of a layman’s way to look at this is if I have a small piece of the pie of, let’s say built in the F35, that would be considered a CUI. CDI has a little bit more of a higher, if I remember correctly, we don’t hear about CDI that much, because I believe it’s mostly with the primes, but that’s really sort of a higher classification of like secrecy. I could be mistaken on that one, but I believe that is the case. We just never really run into it that much.
John Verry (22:11):
Yeah, I know. I don’t see it very often either. So, and it’s actually interesting, and I guess in a weird way, it makes sense because if you think about it this way, if you’ve already been D47024 required prior, you’ve asserted that you’re 800-171. So a prime committee even saying you might as well get CMMC level three, make sense because it’s only adding 20, right? You’re already 85% of the way there, adding 20 controls on top of the 110. So from their perspective, it makes sense to push you because they’re saying, hey, this shouldn’t be a lot of work for you because you’ve already told us you’re almost all the way there.
Chris (22:48):
Correct. I think what is happening, and whenever we’ve done these events with like Katie Arrington or Kevin Fahy or some of the others, people are pushing back on, well, this is an expense, this is an expense. And the response from the DOD has been, wait a minute, you’ve been telling us you’ve been doing this already.
John Verry (23:09):
Exactly.
Chris (23:10):
And I think we kind of need to drop the pretenses here and just assume that a vast majority of people have just founded in. And what a lot of people don’t realize is when you tick that box and you say to a prime, I have done this, but you’ve not done this, that’s not a good position for you to be in because you’re essentially saying to them, I’m not lying to you here, but if you’ve not done it, you are lying to them and that’s not a good place for you to be. And I think that’s why CMMC again, came into existence. It was, we’ve got to now verify that are doing these things because obviously they’re not doing it, 600 billion is a lot of IP.
John Verry (23:51):
Right. Right. And on top of that, I mean, and to your point about not doing it, I mean, that’s the genesis of the false claims acts that we’re seeing. Right?
Chris (23:59):
Correct. And by the way, in the past, and I may be off a little bit on my timing here, but I was told that in the past 18 months, there has been more fines against the false claims accident than in its entire existence.
John Verry (24:13):
I heard the same thing.
Chris (24:14):
And I think that this is only going to get worse. And this is why we’re talking to small suppliers out there who may make a, like I said, widget for Northrop Grumman. And they say, yeah, we’ve got to get up and get the CMNC in place. We remind them that last year DCMA did 20 audits and it was 20 audits of the largest folks out there who will remain nameless, but you can guess who they are. Out of those 20, only two we’re ready for 800-171, and those two still had POEMs in place. So now we’re talking about organizations that have probably unlimited resources, unlimited cash to throw at this and they still can’t get 800-171 in place. Now we’re saying to a small supplier, you not only now have to do this 110 controls of 800-171 to get to level three, but there’s 20 additional controls on top of that plus 49 processes you have to manage.
John Verry (25:15):
Right. Yeah, I know. Yeah.
Chris (25:15):
We’re telling people to get started now, don’t wait.
John Verry (25:20):
Listen, I couldn’t agree with you more. And the good news is that I think the vast majority of people are, and I guess it’s because so many of the people that service the DIB, very often a large percentage of the revenue comes through the DIB. I mean, we have a couple of clients who we’re chatting with now that 10 or 15 or 20%, they’re like, ah, maybe we won’t do this. But the vast majority of our clients that we’re chatting with now about this, who are starting already engaged in projects on are saying like 90% of our revenue comes through DIB, if we don’t get certified, we’re out of business. All right. So let’s talk about [crosstalk 00:25:50]-
Chris (25:49):
Well, and it’s also… by the way, it’s already starting to cross over outside the DIB. A few weeks ago, Katie was on a webinar for the guys at [inaudible 00:25:59]. And she essentially said that it’s now going to come out that if you are a publicly traded company and you have to be Sarbanes-Oxley, I believe it’s 404 compliant that you’re going to start, it’ll be probably in 2021, you’ll have to start being probably up to at least level, I would say level one or two, for sure, but possibly at the level three certified and CMC. We knew that this standard was going to start migrating outside of the DIB to all the parts of the federal government, and that’s already starting to happen.
John Verry (26:36):
Just for the record, we’ve already seen it. I reviewed a contract for a eDiscovery client of ours. That’s ISO 27001 certified, and it had 800-171 CMMC language, where they’re saying, hey, this is where we expect you to be. And so that’s even ahead of the real [inaudible 00:26:52].
Chris (26:52):
Yeah. And then eventually it’ll start migrating down, so it’ll be federal and then it’ll hit state and then it’ll hit local. So if you, let’s say you’re a small supplier out there right now, and let’s say you just do something for the state of New Jersey or the state of Arizona, right now you may not be required to do this, but odds are within 24 months, you will be required to do it in order to get on those state contracts.
John Verry (27:17):
Yeah, this is just a insanely inflection, an insane inflection point in information security if this goes the way that folks like you and I are thinking about it. I mean, in a sense, it becomes a US standard for information security, and then beyond that, and I’ve already talked with people in Canada, the UK, Australia, Singapore, about, because we’re hearing the fact that other countries are looking at what we’re doing and saying, hey, how do we piggyback on this? Or how do we leverage this? Or how do we interact with this? Right?
Chris (27:55):
Correct. Well, and it’s funny you bring that up because most of last year I was on the road, when the DOD were doing their presentations I was at a many of them. And one of the things they talked about was ISO 9001, and how it came into being. Originally, it was a-
John Verry (28:15):
It was an AS 9100. It wasn’t from the aerospace industry. Was it?
Chris (28:21):
No, no. It came out of, there was a NATO standard and then there was another standard that escapes me at this point, but they essentially brought those two standards together to create the ISO standard. And so as you look at CMMC, you see it’s not just 800-171 in there, you see inputs from all different standards, from different parts of the world. You see things coming in from, and again, I don’t know the exact ones, but from Australia-
John Verry (28:50):
Yeah, the UK essentials is in there, the cyber essentials out of Australia in there.
Chris (28:55):
Correct. And then that’s an-
John Verry (28:57):
There’s ISO in there as well.
Chris (28:59):
The idea is that eventually this will be the worldwide standard.
John Verry (29:04):
Interesting. Well, we are at a fun point. All right. So I think we’ve explained what it is, right? So let’s talk about some of the key or critical requirements that you think that in your experience, that the companies that might be moving towards this stumble on.
Chris (29:20):
So I think one of the premier areas that people are going to have to start focusing on that they haven’t before is what we’ve been calling… we kind of stole this from the DOD. It is basic IT hygiene. And what we mean by that is a lot of folks don’t realize how wide open their organizations and their infrastructures are. And really, when you start going through… so the CMMC, they’re called practices, not controls, but you start going through these practices, even in level one, the basic 17 practices it really sort of kind of gives you that two by four upside the head moment of, I haven’t even been looking at some of this stuff.
Have I been looking at a continuity, let’s say, of all of the antivirus software within my organization? Have I been looking at if we’ve got WiFi, what is our policy for changing up the passwords on that? What is our policy if somebody gets fired? Or we move them out or what do we do? It really calls into question is what are you doing here? And there’s all these different questions. And people are like, wow, I never thought about it, because a lot of the small vendors they’ll call up to dell.com and order a computer. And in some of the some of the meetings I’ve been in with the aerospace industry association, Admiral Lewis used to talk about you get some guy who’s got his nephew who comes in on the weekends and does his IT for him.
John Verry (30:59):
Cotton, my son who’s a junior in college. Who’s taken… he’s taken a couple IT courses does my IT for me.
Chris (31:07):
Correct. And there’s a big problem with that because you don’t know, it’s like, are they just doing the bare minimum, getting that new laptop or a new computer you just got from Dell hooked up to your network, right? Have they trained the person is going to be using this thing, hey, listen, you should really have a policy in place where you change your password every 30 days and make sure it’s not anything goofy like password. It’s things like that. I think that’s where you’re going to see a lot of the smaller players, it’s kind of this brand new, I wasn’t even looking at it like this.
John Verry (31:44):
Right.
Chris (31:44):
The medium to large players, they have formal IT groups, they have formal compliance groups and security and they have like a CSO in place who is waking up at midnight worried about stuff. And so they go to work every day making sure policies, procedures, trainings are all occurring within the organization. That’s what’s really missing for the vast majority of the DIB that is 50 people or less within their organization.
John Verry (32:12):
Yeah. And if you look at it, I don’t know what the numbers are, but you mentioned the CSO, most organizations aren’t getting to a CSO till they hit 1,000 people, right? Or 750 people or something of that nature. And even then a lot of them don’t have it, especially if it’s like a manufacturing concern. So when you really think about it, what percentage of the DIB is an org that’s that mature from a security practices? Is it 20%? Yeah. It’s not a large percentage of them.
Chris (32:37):
It’s not a large percentage. I don’t know how to gauge it, I would say it’s less than 10%.
John Verry (32:45):
Yeah. That would be my guess as well. And the vast majority of people we’re talking to right now, they’re in that anywhere from five sales guys that are selling, that Raytheon’s pushing down on through 300 or 500 person manufacturing companies with manufacturing facilities in three or four States. But again when you look at the fact that they’ve got three to 500 people, 150 of those are people that are on a shop floor that really are not PC users anyway. So I mean, technically they’re pretty small companies.
Chris (33:16):
Correct. Correct. Well, and you have… let’s use that example. One of the things that’s happening is one of the areas that we worked with with Huntington Ingles on, one of the… I would call it methodologies is what’s called the fraud triangle, it looks at rationalization pressure and opportunity. And let’s just zero in on pressure. A lot of these organizations are always under pressure. They’re under pressure to get the contract, which a lot of times their margins are extremely thin, getting any of these contracts in the first place, then as soon as they get the contract, they’re pressuring them to get through it as quickly as possible to get it out the door so they can get paid.
And it’s usually if it’s a prime, it’s 60, 90 days before they even get paid. So there is all this pressure within these small firms, and a lot of times cyber security is something that’s sort of pushed off to the side, it’s not thought of as like it’s an immediate need. But the problem with that is it’s so shortsighted because it’s sort of like driving down the road without insurance and your seatbelt. You might get away with it for a while, but eventually something’s going to happen.
John Verry (34:29):
Right. Right. So let’s shift gears a little bit. Right? So from your perspective, when I asked you that question, I wasn’t sure where you were going to go with your answer and I suspected you were going to go more towards specific practices. Oh, most stores don’t have this SIM or most stores don’t have the NSSP or most orgs don’t do risk assessment, which is probably true for all those. But I actually liked the way you took it, where I think most orgs are not yet formal in the way that they manage their information security requirements, including all of these practices below that. So if we’re talking about that, how hard would you say it would be for a midsize organization to get fully conforming, and from your opinion, and I know this a loaded question because you’re a tool manufacturer, if you will, right? You develop this wonderful software. Tell me from your perspective, does using a tool like the one that you guys have help do that?
Chris (35:23):
So let me take your second question first. The reason why I think our solution right now is getting the traction it’s getting is, like I said, with 800-171, I could very quickly put together an SSP and a POEM. I can do those things on just internal documentation spreadsheets, and I’ve got it. CMMC is going to require that you have to provide evidence that you’ve done these practices, you’ve done these processes. Anybody that’s done any type of auditing knows that, they’re just not going to accept a spreadsheet from you. You’re going to have to know the who, what, when, where and why. Now a little side note, these three PAOs are also going to be under a bit of a microscope as well, meaning if it was let’s say John3PAO, and let’s say all of a sudden you’ve done a CMMC certification level three for 10 clients, right?
And within, let’s say a course of… and I don’t know what the timeframe this is, I believe they’re still working on this framework. Let’s say within the course of a year, four out of year 10 have a breach, but you’re going to get a question like, John, how are you getting these people through? You’ve got a 40% fail rate here, so to speak, how are you doing this? So these three PAOs are not going to be taking this stuff at face value. If I say I’ve done this practice, or I’ve done this process, I had better be able to show the documentation that goes along with it. I’d better be able to show the people that were involved in doing this. I have to show the training that we instituted, and that’s all I got to be backed up with more than a spreadsheet saying, yeah, I ticked the box on that one.
John Verry (37:12):
So that’s interesting to me. And again, you surprised me with your answer. So from your perspective, the primary value proposition is that this creates those auditable artifacts, if you will, that are going to be necessary to demonstrate conformance of 800-171 to someone or in the event that you go for CMMC level three, that you’re going to be able to sit in front of the system or give the auditor actual access to the system if thy were like a CA3 auditor from the CMMC level three. They’ll actually, you’ll give them access to the system to allow them to do that. Right?
Chris (37:46):
Correct. Correct.
John Verry (37:47):
Thank you. Sorry, Chris, I’m sorry. Refreshing my refreshments. And remember, just for the record, I was on vacation. Anyone watching this or listening to this, I was on vacation so [crosstalk 00:38:01].
Chris (38:00):
If I’d had known that I would have started this on vacation too. So-
John Verry (38:07):
Go grab a bourbon, I’ll wait.
Chris (38:09):
So you’re absolutely correct. And I will do that in a second, but the other thing too is as a solution provider with our system is compliance and doing these things should never be a one and done proposition for folks. They need to be looking at this as a cultural change within their organization, in which these are good best practices. You want to do these things. Think of it as I buy a car, but I never tune it up, eventually something’s going to go wrong. So we’re always going to be in that process of always keeping our cartoon to make sure that we’re checking the oil, making sure it’s not getting overheated, that sort of thing.
It’s the same thing, let’s say, for cyber security. We’re going to work hard to get everything we need in place, but then after we have our level three certification, I can hang the plaque up on the wall, whatever they end up producing for that. It’s not like we’re going to stop doing these things for the next two years or till the next time we have to be certified again. They’re talking about the ongoing, the monitoring that’s going to take place.
John Verry (39:19):
That’s con mon, continuous monitoring.
Chris (39:22):
Continuous monitoring. And that’s where a system like where, what we’ve done says, okay, congratulations, you got there, but now we’re going to keep you in shape. We’re going to make it so the next time you go for this, it’s not as painful. It’s not as hard.
John Verry (39:36):
Right. It’s funny you should say it, because one of the things it’s like, so as you know we do an awful lot of work with the ISO 27001 framework and [inaudible 00:39:45] help people get certified. And it’s always this fantastic celebration that we got our certificate, and I always like to remind them, this is when the hard work starts, because now everything we documented that we said we’re doing, we actually have to do. So what you’re suggesting is that by using a tool, you can schedule the activities and efforts that are necessary to ensure that everything you document, that actually occurs and keep the evidence of that in the system in such a way that the next year is going to be a lot easier when you go through that revalidation.
Chris (40:17):
Correct. Correct. And I think the other part of this too, is to think about for a lot of these folks that are going to be doing this, let’s be honest, some of them are going to be doing this with the very first time.
John Verry (40:29):
Yeah.
Chris (40:29):
And it’s going to be a very daunting, overwhelming, like hill, a mountain to climb here, but the idea is having a system that’s going to help get you through this process, but then once you are over that hill, just like you said, with ISO 27001, that’s when the real work begins. This is like, okay, now, instead of you put it on cruise control, a good system, a good GRC system out there is going to say, Oh listen, did you know? Did you know it’s three months since the last time you’ve done this? You’ve got to go do this. Did you know? Oh yeah, by the way, we have a training that we have to do. And if you remember on the quality assurance side, we’re talking about CMMC, so cybersecurity, maturity model certification, right?
John Verry (41:17):
Mm-hmm (affirmative).
Chris (41:17):
A lot of this team from the original CMMI certification. So the Capability and Maturity Model Index, I believe was what I stood for. And that was for the manufacturers out there, and you would hear them say, yeah, we got to level five, but we were only able to maintain it for 30 days. And then we had some type of deficiency or something where we had to Institute a corrective action. And that brought us back down to level two or level three or whatever that is. Now we don’t know for sure with CMMC, let’s say on level three and I have a breach and there’s obviously going to be some type of investigation of what happened to that breach. We still don’t yet know if I would lose my level three certification or what type of remediation plan has to go in place yet.
John Verry (42:04):
Right.
Chris (42:04):
Okay?
John Verry (42:05):
Right. The other thing too is like… Oh, sorry.
Chris (42:07):
No, no, no. But a good system is going to… it just is to keep you above the water line and keep you moving in the right direction.
John Verry (42:15):
Right. Yeah. The other thing I was just going to point out is that if, as an auditor, spend a lot of my life doing that. If I come in and you haven’t had problems in your information security program, if nothing has gone wrong and you don’t have POEMs that are intended to correct what went wrong and ensure that, minimize the chance of happening again, then I know you’re really not exercising your information security program. So I do think that that would be another great value prop to using a tool, is that all of this information is centralized in such a way that it just simplifies that ongoing process of… and from a manager’s perspective, having a single pane of glass, a single view and just say, “Oh, we okay,” whereas my business can go off the cliff because we failed to do something.
Chris (43:00):
Correct.
John Verry (43:03):
Yeah, [inaudible 00:43:03].
Chris (43:03):
Absolutely.
John Verry (43:03):
Yeah. I had a question. If a company is using outside consultants and assume the consultants are people like Pivot Point Security who have some expertise in this, and have done this a number of times, does the tool still provide value?
Chris (43:13):
Absolutely.
John Verry (43:13):
Okay.
Chris (43:14):
Yeah, absolutely. Because one of the things that we built into it was guidance. A lot of people just don’t know where to start. So let’s go back to originally 80053, which was just a monster. 800-171 became more of the abridged version of 80053, and then the government came out with 800-171 alpha as the assessment guide, saying, this is how we’re going to come and assess you so you should learn this. And so for each control, there was sort of some basic explanations. To be honest with you, there were still some head scratchers. Then there was a document that came out called MEP 162, which the DOD called sort of cyber for dummies.
John Verry (44:00):
Yeah. So it’s funny. I was about to… brilliant minds think alike, Chris. I literally just pulled up on my screen 162 because I was wondering with 162, how that… because I’ve used that document before, how does that… that’s called the NIST MEP cybersecurity services fan book for accessing 800-171. How does that differ from the one… So the 171A? Because that sounds like it would be the same concept there.
Chris (44:25):
It is pretty much the same concept. In fact, if you look at the comments piece of it, where you have 171 alpha essentially trying to describe what a specific control is, MEP will have a corresponding one and it was meant to be sort of in non lawyery type English.
John Verry (44:43):
Oh okay.
Chris (44:43):
So-
John Verry (44:45):
More IT, the guy that is going to actually implementing the practice as opposed to the lawyers that wrote the practice.
Chris (44:52):
Correct. Correct. Now, one of the things that, hats off to Katie Arrington and those folks, is they wanted to give guidance with CMMC levels. They always said, we want to make it that an eighth grader could do it. And so if you go into those practices now and look at the practice or its correspondent control in 800-171, the practices, the CMMC the common section in there that talks about, look, this is what this means, or this is a question you should ask, they did a very good job on that. And in fact, I’ll take it a step further. I think with the guidance within CMMC, it is easier for a novice organization by themselves, if they want to do that, to get from point A to point B than it would be if they picked up 171 and said, I’m going to do this.
John Verry (45:45):
Yeah, no question, no question. I find CMMC much more consumable than 171.
Chris (45:53):
But by the way, I’m sitting on a ball. So if you see this, this is what I’m doing. This is not me just being weird. I’ll be on conference calls where people are like, dude, what’s wrong with you? It’s like well, I’m sitting on a ball.
John Verry (46:05):
I just assumed that you were a little ADHD like a lot of us in this industry are. I mean, yeah. I am a little bit, I think so. I think everyone is. Cool. So let me ask you, so briefly describe who Exostar is for someone who doesn’t know. And then tell me a little bit about how you guys are working with Exostar.
Chris (46:27):
Absolutely. So Exostar is one of the predominant names in the Defense of Industrial Base aerospace industry. This is an organization that is all about trust. It is all about having organizations that want to communicate, and I’m probably butchering this, so Exostar guys will call me after [crosstalk 00:46:47]-
John Verry (46:47):
Well, I mean, I… I think I have an easy way to describe it, right? Exostar is a critical player in the DIB in that they act as a platform for primes to exchange information with subs, right?
Chris (47:05):
Correct.
John Verry (47:06):
It’s RFPs, it’s RFID, it’s evidence of 800-171 conformance and things of that nature.
Chris (47:12):
Correct. Correct. So our relationship with them is we have… they are OEM in our technology, specifically for the DIB. It is branded as a product call certification assistant, and it is designed to help organizations get from that point A to point B, B to B, and we are certified up to level five, if they were to need it. The system was designed for simplicity and as a full functioning GRC system that will help a supplier not only do what’s mandated for CMMC, but also manage all of their policies, procedures, any of their documentation. Another piece is the risk assessment part of this. A lot of folks don’t understand that part of 800-171 that is now part of CMMC, is you have to do a risk assessment against your IT infrastructure.
And a lot of people don’t even know that that’s a whole nother level of confusion of, I don’t even know what the heck that is. So this system is going to hold their hand and walk them through on an IT. I think the four main things that 800-30, which is the guide doc to do that type of risk assessment, I think the four main things are hacking, phishing, email, and I forgot the fourth. But our system gets you through those and then actually allows you to use it as your own risk assessment tool, if you want to do other risk assessments as well.
John Verry (48:45):
Yeah. And just for the record, we’ll make sure that our clients go far beyond those four particular threats, because the reality is, and don’t get me wrong, they’re four important threats. But the reality is there’s a lot more things that they’re going to want to make that account for.
Chris (49:01):
Absolutely. Exostar gives it a really nice platform for the dev. I mean, they have 150,000 customers that have access to their platform and they are really solid when it comes to their authentication and communication and documentation, things like that if you’re doing business within the DIB.
John Verry (49:22):
So it sounds like Ivis has got [inaudible 00:49:24] in a good spot, right? You’ve got 150,000 people that might end up using your platform through Exostar and then anyone that doesn’t, has access to your platform independent of Exostar.
Chris (49:34):
Correct. And one of the things that’s then kind of drilled into our heads for the last few years working with a few of the primes, is we’re doing this podcast right now talking about cyber. But cyber is only one area of compliance that a lot of these folks have to deal with. If we make a widget and we have to buy raw materials, we have to make sure that we’re compliant with a firm called Conflict Minerals. We need to make sure import, export, ITAR, there’s all these different areas where people have to make sure of that they have these compliance programs in place, because if they run into an issue, people just don’t understand if you breach it or you have a breach or you do something wrong, I guess some of these compliance programs, it’s the old ignorance of the law’s not an excuse.
You’re going to end up paying somehow. There’s a story that uses as an example for conflict minerals. Well, the story goes that this company decided to get on a couple of commercial contracts and they ended up winning a contract and it was for a couple of buildings and they had gone through one of the buildings. And as the government will often do is they’ll do just a quick independent audit. And it came to find out that he had bought one piece of his materials that he used to mix the cocky material from sort of a no go place. And the remediation was not only a fine, but they had to go through the building and tear it all out.
John Verry (51:12):
Oh, boy.
Chris (51:16):
And so, like I said, this is where folks just need to kind of come to an understanding. It’s like it’s sort of like if I speed down the road, I know I’m speeding, if I get caught, I’m going to have a consequence. It’s the same thing in the compliance world, working with the government. If you don’t have these things in place, if you’re not following the rules, you may get away with it for a little while, but at some point something’s going to happen. You may have a rogue employee, you may end up having a breach. You may have some instance of fraud or misconduct that occurs and you’d have to by law report that. That’s not something you cannot not report. And when you do report, I really hope you have your ducks in a row, because if you don’t, it’s going to be painful.
John Verry (51:58):
Got you. Long story short, I’m assuming that you’ve got some mechanism within your software if people want to add something like this ITAR and this materials conformance, you can add that into your software as wee?
Chris (52:11):
Absolutely. Our system is very agnostic. So we have a one to many thought process. You have one company but you may have many different compliance programs and risk factors you need to look at, and the system manages that.
John Verry (52:25):
Cool. To go over my list of things I want to chat about, I think we hit them all. Anything else you want to chat about?
Chris (52:33):
Yeah, no, I just thank you for the time and-
John Verry (52:34):
Wait, wait, wait. You’re not getting off that easy.
Chris (52:35):
Oh, sorry. I was [inaudible 00:52:40] to go get the bourbon, but that’s okay.
John Verry (52:42):
You’re going to have to wait another two minutes. I hope you’re prepared for this question.
Chris (52:46):
Okay.
John Verry (52:47):
What fictional character or a real person do you think would make an absolutely amazing horrible, I’ll just refer as IT director in the Defense Industrial Base, and why?
Chris (52:57):
A fictional character.
John Verry (53:00):
You didn’t prepare, did you, Chris? We sent you this agenda.
Chris (53:03):
I know, you sent me the agenda.
John Verry (53:04):
You were drinking more bourbon than you should have. You should have prepared for this question. Wow.
Chris (53:10):
A fictional or real character that you would not want to have in charge of this? No, I didn’t prepare, so I’m way off on it. I’m not good at question props like this.
John Verry (53:24):
Then I’ll answer it for you. You wouldn’t want to have Chris Lank as your… because his attention to detail is lacking. He didn’t read the agenda we sent, and he was not prepared for his podcast.
Chris (53:36):
I read the agenda that I got about a month ago, but [inaudible 00:53:39] the correct, I should have read it again.
John Verry (53:41):
Well listen, I will give you a lot of props for everything up to this point has been stellar.
Chris (53:49):
All right.
John Verry (53:49):
All right. So one last question, Chris.
Chris (53:52):
Yeah.
John Verry (53:53):
You chat with people in the defense and I’m going to ask the specific to your target environment, right? Defense Industrial Base. You chat with these people on an everyday basis, any other thoughts on a topic for another episode that we should cover from a DIB, CMMC, Infosec’s perspective?
Chris (54:11):
Yeah. I would actually kind of come up a level and start talking about risk.
John Verry (54:16):
Okay.
Chris (54:17):
Because we’re kind of down on the weeds when we’re talking about cyber security, right? There is pretty black and white. Did you do this? Did you do that? But a lot of even small players out there don’t really look at risk within their infrastructure, and risk can come on all forms, shape, sizes. And it’s something that needs to be addressed, because if you’re not looking at risk around, it could be your compliance program, it could be what is your disaster recovery. I mean, with COVID-19, what’s your continuity plan?
You’re bound and determined to have these things pop up, if you’re not anticipating, you’re not doing… Sort of think of when we were kids in grade school, we used to do the fire drill, right? We did those drills because they were trying to show us the risk of if the school catches on fire, what do you do? It’s the same thing in business, especially working with the federal government. If you’re not identifying the risks within your organizations and planning for them, eventually one of them is going to capture.
John Verry (55:18):
Cool. Yeah. I couldn’t agree with you more. A part of that I think was what I was referring to earlier when I said, hey, well, we’ll broaden out that risk assessment, but I think you took it in not only down from where we were talking, but up from where we’re talking more to call it enterprise risk. Right?
Chris (55:18):
Yeah.
John Verry (55:36):
Okay. Yeah. That makes a lot of sense. And I do think you’re right, because I think the DIB has on the information security side, of course, a lot of those risks are going to be the same, but from a business risk perspective, an enterprise risk perspective, I think a lot of those are going to be different.
Chris (55:50):
Correct. Absolutely correct.
John Verry (55:53):
Cool. Last thing how many… so assuming that folks are absolutely wowed by everything you’ve said with the exception of the virtual CSO answer, so leaving [crosstalk 00:56:04]-
Chris (56:05):
I’ve got an answer for you.
John Verry (56:06):
All right. We’re going to give you a chance, and we’re not going to cut it in. They’re going to know that it became [crosstalk 00:56:11]
Chris (56:11):
That’s right. No. You wouldn’t want to have a lot of your Putin as your CSO.
John Verry (56:18):
That wasn’t fair to do that [inaudible 00:56:20] Why not Mr. Putin?
Chris (56:26):
Well, I think you’ve got to have some level of trust at that position, and that’s definitely the fox in the hen house for sure there.
John Verry (56:36):
So it’s funny, just for the record. You know that the trust but verify line that you used earlier is actually a Russian proverb and it’s [foreign 00:56:45] I can’t recall exactly what it is. And you know who made that famous, right?
Chris (56:50):
Reagan. Reagan [crosstalk 00:56:50].
John Verry (56:51):
Yeah.
Chris (56:51):
Absolutely.
John Verry (56:51):
Exactly. So that’s funny that you kind of came back to that. Well done. All right. Last question. If folks want to get in touch with you, because they think that this Ivis product sounds awesome, how do they do that?
Chris (57:03):
Sure. Yeah, they can go to our site, which is Ivis.com, I-V-I-S .com or they can just email me directly. And that’s Chris, C-H-R-I-S at Ivis, I-V-I-S .com. And if they are already working with Exostar, which a lot of them who might see this are, they can go to exostar.com and they will help you out whichever way they can.
John Verry (57:26):
Yeah. If you’re already on that platform, there’s a prominent link to… and you can… what’s actually cool about the way they’re doing it, and this will help, what, two thirds of the people, you can get the level one for free, right?
Chris (57:26):
Yeah.
John Verry (57:43):
Yeah. So you can do CMMC level one for free on the platform, and they only charge for the standard when you go up to level three. Right?
Chris (57:50):
Correct.
John Verry (57:50):
And even then, and I went through numbers out there, but in my opinion, the number that I’ve seen that they’re talking about sounds incredibly reasonable to me.
Chris (57:59):
Yeah. And I think the other piece of it too, that is in there that will help people, especially folks making that transition over from 800-171 to CMMC is there are reporting mechanisms and graphs in there the kind of show you if I’m doing this in CMMC, where does this show up in 171 and vice versa. So they have that vision. It’s not like I got to do two things, it’s designed to do it once, propagate to many places.
John Verry (58:28):
Yeah. And I also liked what you said there because… and it’s probably bears repeating that. If at some point you can have to be CMMC level one, that means you got a D47024 clause, that means you already need to be taking 800-171. So even if you just leverage that package to get to 800-171, that’s a great first start because then you’re only a short leap from there to CMMC level three when you need to get there.
Chris (58:53):
Absolutely. Absolutely correct.
John Verry (58:55):
This has been awesome, man. Thank you.
Chris (58:57):
Thank you, John. I appreciate it, man.
Narrator (58:59):
You’ve been listening to the virtual CSO podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered, or you need to know, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there (silence).