February 20, 2020


As CISO for Acquisition and Sustainment at the United States Department of Defense, she’s well beyond needing analogies to understand cyber security news and trends.

Yet, she had the best analogy on hand to explain Cybersecurity Maturity Model Certification (CMMC, for short).

“At the end of the day, the CMMC is your cyber driver’s license to participate in the DoD supply chain.”

Katie is the very first guest of the Virtual CISO podcast. She joined John Verry to discuss recent changes to verifying contractors’ ability to protect unclassified information.

We also chat about:

  • How the Department of Defense CMMC program will ensure the supply chain is properly protecting unclassified sensitive information
  • When RFP’s will begin requiring CMMC certification
  • How and when CMMC audits will begin
  • What companies should do now to remain viable and competitive

You can find this interview (and many more to come) by subscribing to The Virtual CISO Podcast on Apple Podcasts or Spotify.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (00:00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:00:26):

Hello there and welcome to the very first official episode of the Virtual CISO Podcast. I’m your host John Verry and with me as always the Donkey to my Shrek, Jeremy Sporn. Hey Jeremy.

Jeremy Sporn (00:00:38):

Hello everyone. How are you doing today Shrek?

John Verry (00:00:41):

I’m doing pretty good. Pretty amazing. I mean, you and I have been chatting about a podcast for gosh, the better part of a year and a half or two years?

Jeremy Sporn (00:00:48):

Yeah, it’s got to be that long and it’s got to be at least two years now that I really think about it. It was a just a spark in your eye at one point and here we are.

John Verry (00:00:56):

Yeah, it’s kind of exciting. So I’m looking forward to this and I’m personally pretty excited about this first podcast. Did you have a chance to listen to my conversation with Katie?

Jeremy Sporn (00:01:06):

I did. It is just absolutely staggering what a threat exfiltration of data is to our national security. You know, someone who is a little less technical in the information security space, I just had no idea. I mean the number is staggering. $600 billion a year lost in exfiltration of data. I mean this has to put CMMC the cybersecurity maturity model certification, that’s a mouthful, as one of the most important initiatives the DOD is currently pushing.

John Verry (00:01:36):

Yeah. Well you know, if you go back, and I had heard this through the grapevine, it was very interesting because Katie acknowledged the exact same issue, the F-35 jet, I think I’ve talked with you about that before. I forget what the number was, a trillion dollars in 15 years and two years later they’re flying something down to the screw diameter and color of the wingtips that’s virtually identical.

Jeremy Sporn (00:01:59):

Yeah. It’s so sad that that’s a story that we have to live. You know, fortunately we have people like Katie in this world who are trying to make a difference, which is really cool. And if you’re someone who listens to a lot of podcasts and especially has a, I call them like podcast heroes, people that you really enjoy listening to because you appreciate their intelligence and how they carry themselves. Katie falls into that world for me and there’s this commonality I find between all of them, is that they have this sense of gratitude in their life and she is so gracious towards the people in the industry that she calls. There are people who are in the DOD supply chain who are supporting her and supporting the initiative. She just thinks that if you’re one of those people, pat yourself on the back, you’ve done a great job supporting a phenomenal initiative to date.

John Verry (00:02:45):

Yeah, I think grateful is a great word for her. She was also, I think, equally grateful to the support that she has had from the rest of the folks there at the DOD on her team upstream and downstream. So, yeah, I would say grateful and gracious is a good word for her because I mean they’ve done a really good job over there.

Jeremy Sporn (00:03:02):

Agreed. 100%. So if you’ve made it this far, do not stop now because the conversation between Katie and John is quite remarkable. To give you guys a bit of an intro into Katie, she is the Chief Information Security Officer for Acquisition and Sustainment at the Department of Defense.

John Verry (00:03:18):

Do you think they pay her by the length of her title. Because if they do that’s a, well done.

Jeremy Sporn (00:03:26):

Smart and move on her part, yeah. And she’s the one leading the way at the DOD for creating the CMMC amongst other things. She’ll explain this a little further, which I think is really cool. But her background is absolutely perfect for her role there and she’s one of those people that really make you proud of your government. When you hear her talk you think, hey, you know what, I’m happy my tax dollars are going towards someone so competent and so aggressive in going after a really important goal. So it’s just, I couldn’t say enough about how proud I am.

John Verry (00:03:58):

Happy might be a little bit strong. How about we go less unhappy about the tax dollars.

Jeremy Sporn (00:04:05):

I’m more glass half full kind of guy, John. So I’m just going to go-

John Verry (00:04:08):

All right, so you’re in the gracious bucket with her.

Jeremy Sporn (00:04:10):

Yes.

John Verry (00:04:11):

Anything else you want to cover before we roll to the show?

Jeremy Sporn (00:04:14):

I would. Just some expectations for you to walk away with. There’s the big questions that you always want answered. The why, what, when, who, how. And they’re in that order because that’s how we answered them throughout the show. Why the DOD is pushing so hard on the CMMC rollout, what the CMMC will look like for organizations in the DOD supply chain or, and there’s a bit of a spoiler but stick with me, any organization that holds a federal contract in general. So definitely want to hear that part. When you can expect to see CMMC referenced in RFIs and RFPs, who you can turn to for help, and then the last one is how to leverage the CMMC to benefit you, the DOD, and really the whole nation. Some cool win-win-win scenarios there.

John Verry (00:04:59):

Sounds great. So with no further ado, let’s get to the show. Katie, thanks for joining us today. And just for the record for everyone listening, I screwed up and Katie was nice enough to rerecord the first 15 minutes of this. So I’m so sorry.

Katie Arrington (00:05:15):

No. Please don’t worry about it. I am honored and pleased to be here. It is my privilege and I didn’t say it on the first run, but I’ll say it on this one. I work for the US taxpayer, I assume that you’re one of those, so I’m kind of your employee and I’m kind of okay with having re-tape it, so we’re good.

John Verry (00:05:33):

All right, so, I like to start super simple. Tell me a little bit about who you are and what is it that you do.

Katie Arrington (00:05:41):

So I’m Katie Arrington. I am the Chief Information Security Officer for Acquisition and Sustainment here at the lovely Department of Defense. I am a definitely different breed of government employee right now. I’m an HQE, a highly qualified expert. I am only given a certain amount of time to work in the Department of Defense in this capacity. And the reason I was chosen to come and do this is because of my past career. I’ve owned my own small business, I worked in the defense industrial base at a large business, a service disabled veteran-owned small business, I worked at a non traditional. Then I became a legislator to write, one of my big passions was fiber policy and understanding how all that worked together. So I firmly believe that the road of my career led me to this moment where timing is everything. I do not believe in coincidences. I really believe that the time is now, the need is so urgent that it was just an opportunity that was laid out for me over a career to get to this point.

John Verry (00:06:53):

All right, so before I dig in, right, into why you’re here, to talk about CMMC, I have to ask one simple question. Are you absolutely exhausted? Because I’ve seen your face and your photo more in the last six months than I’ve seen Kim Kardashians.

Katie Arrington (00:07:09):

And you know, I will say again, that is huge right? Because she is everywhere. She is a social media mogul. But I am-

John Verry (00:07:16):

I think you are as well at this point.

Katie Arrington (00:07:18):

I am really, right now it’s after, it’s 4:30 on a Friday that this podcast is being recorded on a long weekend, here in the Pentagon is like a ghost town. And just being able to talk to you has re-energized me. Every time I’m able to communicate to people about why this is important and why I’m so passionate, I get energized. Everybody has a superpower, mine is the ability to convey excitement and why we should want to work together as a collaborative body to solve big problems. So no, I’m tired but I’m energized.

John Verry (00:07:59):

Okay. So you mentioned big problem and you definitely have been assigned the task of solving a big problem.

Katie Arrington (00:08:04):

It’s a huge problem.

John Verry (00:08:04):

So I want to ask your question. Yeah. So I wanted to ask you this question. So in the old days, as of last week or actually January 30th right? We had NIST SPA 171 and that was a way that you would self attest to implementing an appropriate level of controls to secure CUI. We’re now moving from that to the CMMC, which requires third party certification or a third party audit of these controls. Was there a particular straw that broke the proverbial camel’s back that created this effect, this change?

Katie Arrington (00:08:37):

Sure. So the NIST is actually referenced in something called the DFAR, the Defense Federal Acquisition Regulation 252.204.7012, and that’s how the NIST 171 was put into defense contracts. And the self-attestation, when President Obama actually signed us in an executive order and it became the DFAR clause I just mentioned, we just said that a company had to self-attest. And self-attestation is never a great idea when it’s an issue that we have to assume risk with each other. And I say this and I half-heartedly, because I always like to poke fun at myself, but every morning when I get up I think I look perfect. It’s only when I walk outside and someone else sees me that I realize I only have half of my face put on. I’m missing an eyebrow. Self-attestation, it’s really hard to be critical about oneself because we’re doing the absolute best we know how to do. I don’t think anybody ever has woken up in the history of all time and said, today I want to be unsuccessful and I want to fail. We all go out with the greatest of intent and I really believe that industry tried. And the NIST, the National Institute of Science and Technology, they really worked hard on creating this model of what we needed to do. The problem was it got lost in translation, right?

John Verry (00:10:06):

Mm-hmm (affirmative).

Katie Arrington (00:10:07):

It was, yeah, I see I’ve got to do that and I have a plan of action to get better at doing that and I have a plan to implement that control and I’ll do it within three years. The problem is our adversary isn’t sitting at the local coffee shops saying, all right, I’ll wait until you’re ready. They have used that and exploited it against us. And how do we know that? There was a plane flying around very similar to the F-35 in China. That is not a joke, folks. That is literally, they stole that from you. They stole it from a US taxpayer, that’s what they did. And we’re losing $600 billion a year in data exfil, cyber espionage. There’s no way to say that there, I mean, look at it, what they’re doing. So we needed, we saw clearly in the department the need, the urgency. Congress saw the need and the urgency and it’s not like we don’t know that commonly out there, the financial sector sees it, the healthcare sector, it’s just got to become commonplace. So there was an urgent need, why it was so important and time-sensitive to get this done.

John Verry (00:11:18):

Yeah, you know, I think it’s ridiculously important. I’m a big fan of what you guys have accomplished and I’m amazed that you’ve accomplished it in such a short timeframe. You know, I love the idea that you’re really going from a trust to a trust but verify, right?

Katie Arrington (00:11:35):

Amen. Yes. Yes. That’s actually Miss Lord, the under Secretary of Acquisition for Sustainment as well. That was actually her statement in 2018, she actually came out and said that we needed to have a unified cyber security standard, that we needed to trust but verify, that companies were doing what we needed them to do to protect controlled unclassified information. We clearly saw this. There were several reports out at the same time. If any of your listeners haven’t read Deliver Uncompromised by MITRE, they should read it. The Navy Cyber Readiness Review came out at about the same time, and we also have something called the DOD, the Department of Defense, IG Inspector General Report on contractor networks. And what everybody was saying in those reports, and what Miss Lord saw, and my boss Mr. Fahey, the Assistant Secretary of Defense for Acquisition, all saw clearly that there were fundamental basics about critical thinking around cybersecurity that we weren’t doing as a community of interest, we were not updating our passwords, we were not doing two factor authentication, and we weren’t marking the data appropriately.

Katie Arrington (00:12:48):

So there was a confluence of A, we could clearly see how our adversaries exfilled our data, there were flying it around, they are flying it around. We saw that loss and I believe there are no coincidences in life. I think that everything happened in 2018 and 2019 to bring us to where we are right now. And timing was of the essence. I mean, you look at the acquisition cycle, it’s a pretty robust, long cycle. It takes anywhere from seven, five to seven years to get a program through the RFI process, the RFP process, get the contract award and give it to the end. And you have to think, 2025 is around the corner, we had a ticking time bomb on our hands where we needed to get something in place for the industry, for those small businesses most especially, to be prepared for what we see as this confluence of technology along with capability that are burgeoning. And that would be quantum computing become commercially available capability 2025 timeframe and 5G becoming commercially available in the same timeframe.

Katie Arrington (00:14:04):

And the analogy that I’m going down here is if you look at a home that you live in, you live on blah blah blah Maple Street, and you go home at night and you lock your doors and your windows and you turn on your security alarm. And you do that for security, you buy down the risk of somebody breaking in and you buy down the risk of the elements coming into your environment by building walls, and putting doors, and windows, and a roof. And if you look at encryption as your locks on your doors and your window and you look at the network, the 4G or LTE network as your house in 2025 imagine there are no, if you use basic encryption, quantum computing breaks it, now it breaks basic level, so you’ve lost your doors and your windows, and because 4G will be usurped by 5G, there’s nothing controlling the element from coming in.

John Verry (00:15:08):

Yep. Yeah. We are definitely, look, your timing is ridiculously good because you’re right. If you blend in stuff we’re not even talking about then there’s privacy frameworks and things of that nature. We blend in the IOT, the internet of bodies, all these things, even blockchain and the implications it’s going to have, the time was right. You guys did, I think personally, a great job with the standard. I’m a longtime information security practitioner and what I like is that you A, you unified a lot of standards when you did it. B, I thought you guys did a great job of taking a super sound fundamental approach, right? It’s begin with scoping and understanding the CUI and the information you need to protect, then it’s understand the risk associated with that information, and then it’s implement the controls in accordance with that risk and in accordance with the government’s requirement, DOD’s requirement. So, job well done.

Katie Arrington (00:15:58):

Thank you. And I will give the credit. I was the forcing function. My nickname was-

John Verry (00:16:09):

Wait, wait, wait. This is a PG-13 show, are you sure?

Katie Arrington (00:16:12):

Oh no, no ,no. When I was a legislator in South Carolina, the nickname they gave me was Pit bull and I really appreciated, it’s because when I see something that needs to be done, I am a pit bull. I’m, going to, the other one was LD, a Little Dynamite, but I loved my pit bull analogy that you know, I am fiercely loyal, I am extraordinarily dedicated to the mission in front of me. I would be remiss if I took onerous for the work that was done from and with my team and I need to give props to the work force that did this.

Katie Arrington (00:16:54):

There’s a gentleman by the name of Mr. Buddy Dees, Dr. John Choi, Stacy Bostjanick, Ms. Bostjanick. They were really the forcing function in working with APL, Johns Hopkin, and Carnegie Mellon SCI. The other two people that really need a kudos is my boss, Mr. Kevin Fahey, the Assistant Secretary of Defense for Acquisition. He is one of the most remarkable human beings in the fact that he really loves this country. He really loves the Department of Defense. And he saw from a vast career, I think he had retired at 34 years and then came back to serve, saw where all the pain points were and really was one of those people that who said, I will give you top cover, go get it done. And then Miss Ellen Lord, the honorable Ellen Lord, who is the Under Secretary of Defense for Acquisition and Sustainment, being a thought leader and saying we needed to get a unified standard.

Katie Arrington (00:17:52):

The other entity that I need to thank is industry, right? Because I came from industry, I knew very clearly that if I opened the doors to the Pentagon, and I said, because anything we develop that the industry has to implement, they have to be in the collaborative process of creating it. So when I said, can you help me? Would you? Industry, as they always have done, has supported the Department of Defense, rallied around, and we couldn’t have done this without the collaboration between industry, academia, and the Department and using great solid work that had been led, the charge was led by NIST, the National Institute of Science and Technology. ISO, the international standards organization, they had 27001. We had great foundational tools we could reference from our international Five Eye partners like the UK, Australia. They both had cybersecurity standards, the EU has them, and we took all those great standards and actually put them into a critical thinking methodology about what it was we wanted to do, how to take critical thinking to cybersecurity, and creating a maturity model that would take people from absolutely no cyber hygiene, all the way up to a level five, from one to five and five being the absolute exquisite.

Katie Arrington (00:19:15):

But it couldn’t have been in the timeline. I mean, it was crazy aggressive when I started this. You know, everybody told me you’re nuts, there’s no way you’re going to be able to meet that schedule. And I’ve said when there’s a will and there’s a way to get it done. And when we clearly say in the department we need something, I mean, look how fast we did the MRAP, look how fast we did something called Chapter 33 the 9/11 Bill where we needed to be able to produce a product that those honorable men and women who served after 9/11 when they wanted to be able to turn over their GI bill or their benefits to their children or their loved ones, we had to create a system to do it. And when we go to industry and we say, solve our problems, help us. Industry has always answered the call. And this was no different. It was just done in a more aggressive timeline than most.

John Verry (00:20:07):

Yeah. And listen, I mean, the timeline was pretty remarkable. And from my perspective, the government works in dog years, like seven to one the wrong way. So if you guys get this done in a year it was pretty remarkable. But I do think that you had, and I’ll discuss a little dramatic, but a national urgency, right?

Katie Arrington (00:20:26):

Oh, amen. Totally.

John Verry (00:20:29):

I mean, you have huge economic impacts, but you also have potential loss of life and limb for our people. Correct?

Katie Arrington (00:20:36):

Well, absolutely. So you think about what’s been going on since the Iran issue of a few months ago, right? Have you been paying attention to how much ransomware has been going on, right?

John Verry (00:20:47):

Yeah, yeah.

Katie Arrington (00:20:47):

Ransomware attacks.

John Verry (00:20:49):

Yeah, oh yeah.

Katie Arrington (00:20:50):

So I literally, there’s a gentleman who works in the department here with me, he is the Director of Defense Digital Services, name is Brett Goldstein. He literally starts, and it is refreshing to.

PART 1 OF 3 ENDS [00:21:04]

Katie Arrington (00:21:03):

… 15. He literally starts… It is refreshing to have people because everybody in this building… I have to say, it’s amazing the people that come here every day because they love this nation. They want to make a difference. So everybody that works on in the building and out, we all want to solve the problems. But you have people who come across your path and they remind you every day. Brett starts every day off. People are dying out there. People are dying out there. And it really is. It’s about the US economy. It’s about the global economy. But there’s also more importantly, young men and women have volunteered to serve this nation, to defend our freedoms. They sign on the dotted line. My first husband did it. He’s one of the main reasons that I’m here today. My daughter, my son in law, all serve.

Katie Arrington (00:21:55):

Those young men and women and those people put their lives in our hands, in the industrial base hands to do the right thing, to have the right technology at the right time so that they can thwart our adversary. When I go and speak, I can’t help but be who I am. And I love my country. I love democracy. I love what she offers. And I do say she, because I’m a girl and you always do that. He, she, but our democracy is something that countries like China, that’s not part of how they’re culturally… It’s a communist country. They do not believe in your freedom. They believe in a different ideology all together. And their objective,…they very clearly said we want to be the world’s economic dominator.

Katie Arrington (00:22:43):

Well, the only problem with that is A, I want to be, but more importantly is we are about the individual freedom, right? We want people to have the right to make a choice. They don’t. We have to see that as that is… Lives are on the line. A global economy is on the line, on us getting this right. The pressure is huge. The timeline… The one thing that secretary Esper has said, and I really do appreciate his leadership and the department, is we need to be more okay with taking risk because this was risky, right?

Katie Arrington (00:23:22):

I went out early on and I clearly said these are the dates that we’re going to meet. We’re going to do it. This is a collaborative. We’re not going to shut the doors of the Pentagon. We’re going to bust them wide open. We’re going to be completely transparent. We’re going to let industry talk to us every chance we can possibly get to craft this the right way. Taking that with a known risk, right? We’re not going to be perfect right out of the gate. I pray we’re not. I don’t want this to become a checklist. I don’t want us to become complacent because this model, the way it lives today is the threat that we know today. In a year from now, two years from now, five years from now, that threat will change. And if this model, the CMMC, becomes a checklist we have all failed. It needs to be critical thinking about cyber.

John Verry (00:24:16):

It was interesting. Yeah, you did take a big risk, but I think you had a bigger risk not to take your risk, if that makes sense.

Katie Arrington (00:24:21):

Amen, yeah.

John Verry (00:24:23):

So well said. I think we’ve done a great job to this point of I think explaining how we got to where we are and why it’s so damn important for all of us. So thank you. Let me bounce into some questions that I think a lot of people, at least that I’m talking to every day are asking. From your perspective, when do you think RFPs and RFI will actually start referencing CMMC levels? I know you originally said in June-ish, but has that changed?

Katie Arrington (00:24:51):

Nope.

John Verry (00:24:51):

Because I know that the audit program… Okay. So you still expect it to be around that time. Okay, cool. I understand that a couple of days before you released version one, which was January 31st, you established the audit program. You put a gentleman up that may be from Darton in charge of that program?

Katie Arrington (00:25:08):

No, no, no. They self formed. So the accreditation body was self formed by… We asked industry, we said we in the government-

John Verry (00:25:16):

Ah, I misunderstood that.

Katie Arrington (00:25:17):

Oh yeah, no we did not do that. We put out a request for information to give everyone that we were going to with professional service council, PSC. We did an industry day per se where we came and we said, “This is what we need. What we think would be the right thing to do.” We would love industry to self form an accreditation body and nonprofit that could take the model and take it away from the government to train and certify the C3POs, the cyber third party auditing organizations, to train and certify the auditors.

Katie Arrington (00:26:02):

There was a group, about 250 people were in person to that meeting. They did a live stream. There were over 1,000 attendees. So for government, that’s huge, right? To come in and say we need a coalition of the willing. They self formed, they stood up, they are doing everything they can possibly do to do the right thing. And the fact that they’re a nonprofit, that needed to happen because we really need that. So they stood up and we worked the MOU, the memorandum of understanding, of what the department and the accreditation body would do. And that was what we turned… On the 31st when I was able to turn something over, it was to them only because industry had taken care of the need.

John Verry (00:26:50):

Excellent. Excellent. So question for you. You may not be able to answer this, because like you said it’s an independent body, but I’m sure you some insight. What do you expect the next three months, six months, whatever is, where do you think it will take before we know what the program looks exactly like, we know how a audit firms will be accredited, how individual orders may or may not be accredited and there’ll be entities authorized to conduct one? What’s the timeline look like right now?

Katie Arrington (00:27:19):

What we gave the accreditation body is the training materials for the certification classes, the curriculum. We created user guides. We created training and curriculum to give to them because ultimately we appreciate them standing it up, but they needed to have a baseline. The AB works with us. They’re working with something called DCMA, the DIB CAC, the Defense Industrial Base Cyber Audit Committee or Council. I can’t… But that’s what DCMA has been doing to audit companies on cyber security. And DAU to create this training right now so we can get that done. They’re looking to start certifying C3PAOs and individuals to want to become small businesses. Individuals who want to become auditors, they’ll be launching… They have their website up. They’ll have a marketplace up in the next few weeks where you can start to register to go to the training classes.

John Verry (00:28:23):

Wow.

Katie Arrington (00:28:23):

Yeah, I mean, when I say that-

John Verry (00:28:25):

Yeah, you guys rocked and rolled. To be honest with you, I thought it would take longer than. You mentioned a website, do you offhand know that or would you be able to send it to me [inaudible 00:28:33].

Katie Arrington (00:28:33):

Of course I do. Sure. It’s the CMMCAB.org. Really complicated.

John Verry (00:28:41):

Yeah, I would have never guessed that.

Katie Arrington (00:28:44):

CMMCAB.org. They have a website right now you. If you’re interested in becoming an auditor, they actually have a portal. You can put your information in and as soon as the classes are ready to go, which will be starting in late April. In May, we’ll actually have auditors going through the courses with the intent as we roll RFIs out in June, that we’ll have our first round of certified auditors to be able to go out and start doing assessments.

Katie Arrington (00:29:16):

So know that all of this hinges on a few really important things. First, we are going through a DFR rule change. At the start of this podcast I gave you all the DFR rule. We’re going through a rule change. This will cost money. It will impact the US economy, so we’re working with OMB and OIRA who are being phenomenal with us on what the cost is to industry and to the government and to the economy for this to happen. We’re into that process. There will be a public comment. There will be a date in late April, early May where everybody will be able to come and actually discuss the financial impact. And then we’ll go to rule change in October, 2020. I picked those dates when the very beginning very judiciously because I understood what would need to be done between the rule change. So the reason why I’ve said you’re not going to see it in RFPs until October is because the rule change needs to happen before I can put into RFPs.

John Verry (00:30:22):

That makes sense.

Katie Arrington (00:30:25):

And I did the RFIs, the OTAs, the SBIRs, the STTRs, all of those in that timeframe so that we could start working through the Pathfinders to get to the RFP process. Like I said, this isn’t going to be perfect. There will be challenges, but I think that very clearly when we say, let’s be collaborative to solve this problem, we can solve these problems. We put a man on the moon. I think we can work through how to get a certification done in that timeframe and make sure it’s right.

Katie Arrington (00:30:58):

There’s a lot of things that are happening in coordination. We’ve got the adaptive acquisition framework, which is the rewrite of the 5,000 series. We have a new document coming out on what CUI is, new definitions. There’s a lot happening of acquisition reform and cybersecurity reform in the department that is changing the way the nation does business. I mean the DOD is the biggest buyer of many things in this country and in the world. And when we say we need something done, when we say clearly what it is we need, how we need it done, and that we have metrics and accountability for it, industry answers. And the CMMC I don’t see any differently.

John Verry (00:31:41):

Yeah, so that’s interesting. Two questions. One quickly, you said that the budgetary implications, things of that nature, this ties into this concept of allowable expense. What will or won’t be, whether or not there will be allowable expense, whether it’s just… Is that the implication of what you talked about with the dollars and cents?

Katie Arrington (00:32:04):

Absolutely. Security is an allowable cost, right? If we value it, we pay for it. Now, this is where it gets a little tricky, because industry has been self attesting that they’re doing those NIST 171 controls.

John Verry (00:32:15):

Yeah. Suddenly we need a SIM. Wait a second. The last two years you signed off on the fact you had logged management.

Katie Arrington (00:32:21):

Right? So what I clearly am work-

John Verry (00:32:25):

The plot thickens.

Katie Arrington (00:32:26):

Right? You all have been saying you’re doing it and you’re billing us for it. But what I did… We had all of these things. The DCMA had been doing these DIB CAC audits on companies. We’ve understood what it takes to ramp up to get ready for an assessment. So we had that, right? We’ve gotten the costing, we’ve done a few of these. So we understood how much it would cost a company to get ready to be assessed. Then because we’ve done these DIB CACs, we understood the time of assessment. And then the third thing is we’ve been able… Because we added 20 controls in CMMC3 to the NIST 171, we were able to price out what those controls look like. So costing, we have a really good understanding of the implication of cost, but let’s go back to level one, right? So most Department of Defense-

John Verry (00:33:21):

Yeah, that’s very small. I mean, what, 17 controls? I mean, it’s a pretty low bar, I would say.

Katie Arrington (00:33:27):

It as right now, because it’s simple things like do you have passwords, do you know how to change? There are no costs things to do except for having an antivirus software protection. So level one is just giving some critical thinking behind why you’re doing it. Doing an audit in person from an assessor saying, “Okay, you have these. Why doing the physical… Why do we have to have an auditor go to your site?” A, it buys down the risk of shell companies being stood up. That if you’re going to be a shell company, you’re going to have to go through an awful lot of pain to get ready to have an auditor, trusted agent from the government, coming to your facility. So it’s buying down risk on shell companies. It’s buying down risk on FOIA, the foreign investment. And it’s buying down the risk of [inaudible 00:34:23].

Katie Arrington (00:34:26):

We had a reason why we set it up this way. Very clearly one of the core essential missions of the CMMC was it needed to be low cost enough that a small business could be ingested. So if CMMC level one costs the company more than $3,000 we’ve missed the mark. It needed to be somewhat automated, to which it is, but it needed to do multifaceted. It can break down a lot of barriers that we have, [inaudible 00:13:57], foreign ownership, FOIA. I always get FOIC, I say it wrong, so forgive me everybody. But foreign ownership in corporations. We needed it simply.

Katie Arrington (00:35:08):

Now when you go to CMMC3, that’s when you’re instituting the current NIST 171, which you should be doing already if you have that DFAR clause in your contract, and I’m clearly paving the way to make sure that we get security as an allowable cost, the cost of the certification, the cost of the additional controls. We have cost realism so that we ensure that you have the financial resources to do what we need you to do. So we’ve really done a lot of homework on this and learning from things that we’ve done in the past, but also understanding that at the end of the day this was going to be something that was an allowable cost, which means ultimately tax payers and programs needed to be set up. So we’ve been for a good year on this, and we think we’re on really solid ground.

John Verry (00:35:57):

Listen, it sounds to me like it’s a worthwhile investment. If we’re talking five or 10 or 15 or $20,000 to do an audit, but we’re saving 600 billion, you can do a lot of audits for $600 billion a year, right? So the ROI should be huge, just dollars and cents, let alone national defense and life and limb and economics and everything else.

Katie Arrington (00:36:17):

We can’t afford not to do it. We can’t afford not to do it.

John Verry (00:36:22):

So question for you. I don’t know if this is your decision, if it’s the accreditation bodies decision, is the thought process that you’ll have to recertify each year or every other year? Will it be some type of-

Katie Arrington (00:36:32):

No. That was the MOU. It’s going to be every three years for companies.

John Verry (00:36:36):

Every three years. Okay. I missed that. Sorry about that.

Katie Arrington (00:36:39):

Oh no, no, no. Listen, there are a lot of details about this. If I wasn’t so 15 hours a day in it, I wouldn’t know it either. We were looking for a certification for a company to be once every three years. We want the certification to be good for the whole of the Department of Defense. So if you’re bidding on work for the Army, you’re bidding on work for the Air Force, the Marine Corps, the Navy, it’s the same certification. So we’re buying down the cost on that. Because right now the cyber requirements for the Navy aren’t the same as the Air Force and companies are having to invest to meet those. It’s level setting.

Katie Arrington (00:37:19):

The second thing that it does for small businesses. People have said, “This is an unfair burden for small business.” It actually level sets, and here’s why. Currently the self attestation says that you’re technically acceptable. Okay. If you self attest that you’re doing the 110 controls, you are technically acceptable. If you’re bidding on work and somebody, a competitor, is only implementing let’s say 80 of these controls and they have a plan to get better on the rest, it’s in their POA, their plan of action, their rate is going to be lower than that of a company who is actually doing all 110. They don’t have a POA. But both would be technically acceptable in the current standing of the way the DFAR rule is today. That is unfair because the the lowest price technically acceptable wins and we had to level set. So it actually helps small business.

Katie Arrington (00:38:18):

Then the small businesses have come back and they said, “Well, we’re a mom and pop shop. We’re a single supplier. It’s not worth it to do it. We don’t do that much with the Department of Defense. We don’t see the value.” You’re the exact reason why I need this done. Our adversaries know that who you are. They know who that small business is. And more than likely they’re working to put you out of business. You’re the ones I need this the most for. So we’ve worked through multiple small business programs like the PTACs, the Professional Technical Assistance Centers for cyber to get them up to speed on CMMC. Things like Dreamport here are running. They have Project Spectrum, which is a launching pad for cybersecurity education for small businesses.

Katie Arrington (00:39:04):

We absolutely need those that are the weakest link in the supply chain to get secure because my supply chain is essential to national defense. Everyone in it is essential, and you’re only as good as your weakest link. If I don’t shore up that small business and give them critical thinking skills about cyber, if I don’t tell them I’m willing to pay for you to do that, then they’re always going to be a vulnerability. We’re all in this together, so I’ve got to get everybody right.

John Verry (00:39:35):

Right. And I’m always telling clients now, small companies, that you’ll be on the phone. They’re like, “Well, we don’t need Fort Knox security.” And you’re like, “Wait a second. It no longer matters how big a company you are. It matters how big the companies you work for and the value of their information that you’re processing.” Unfortunately, these little guys have to understand, this data needs to be treated properly and we have to ensure that it does. And you’re not alone in the DOD. I mean, we’re seeing this across the banking industry and every other industry as well.

Katie Arrington (00:40:03):

Oh, absolutely.

John Verry (00:40:03):

So I think you’re in good company with what you’re doing.

Katie Arrington (00:40:06):

The fact is, when I first started the speaking tour, and it’s become part of my… I say you have to say things three times for people to remember. When I go out… And because I was a politician at one time, you learn how to communicate. There’s this thing, right? I went out and I spoke and I asked you, it was in a university and I said, “Tell me something in your life that doesn’t have cyber. Tell me.” And this kid looks at me and he’s like, “An apple.” And I’m like, “Well, unless the apple magically appeared, it got there through cyber. It came through a logistics plan. When you bought it at the grocery store, you paid for it. There was a UPC bar code. There’s financing. There’s a whole bunch of cyber behind that apple.”

Katie Arrington (00:40:49):

And then one kid said to me, “Oh well love.” And I said, “Well, I met my current husband on eHarmony. So yeah, that’s out, right? The algorithm works.” We have to understand that in our environment today cyber is an everything we do. This is an analogy everybody can gather around. We as human beings have been able to understand and how to absorb technology and capability and assuming risk since the dawn of time. When the cave man first found fire, they needed to figure how to use that capability, that technology, harness it and understand the risk associated with it. They touched fire, it burned. If you put it near wood, it burned. We had to learn what the critical thinking on how to use fire to our benefit and buying down the risk. We have to do the same with cyber security. We have to learn how to harness the risk. And the CMMC is the start. I don’t think it’s nearly done. I think it’s a piece of a larger puzzle. I think continuous model-

PART 2 OF 3 ENDS [00:42:04]

Katie Arrington (00:42:03):

… piece of a larger puzzle. I think continuous monitoring needs to become a common thing. We need to have supply chain illumination so that we can see a supply chain, we can do continuous monitoring. We need to harness that and get AI and machine learning to do indicators in morning so we can thwart threat, not be reactive to threat. We got to get proactive.

Katie Arrington (00:42:27):

But the CMMC is the start of a new way of doing business. We need to make sure that security and how we communicate threat to each other is equal to how we communicate safety, right? You know clearly when you go to a shop, and I’ll use a manufacturing floor, they know how to clearly convey risk and safety by telling people, “You can’t walk on the shop floor unless you’ve got steel toed shoes, you’ve got to wear pants. You must tuck them in. You must wear a long sleeve shirts, a helmet and goggles,” because safety is something that we all understand. There’s a common language, there this expectations, a common standard, the ISO 9,000. we know how to communicate it. We have to the same about cybersecurity and the CMMC is that first start.

John Verry (00:43:21):

So quick question for you. So recently you discussed, I’ll call it a staged approach where you throw out some numbers, like 1500 entities certified in year one, 725,000. So two questions for you, one, why that specific number? Is it just a timing issue of that October 20th to the end of the year? So that’s one question. The second question is, will those 1500 be a specific 1500 based on some criteria or is those the first 1500 that are able to get through the process, and its self-requesting if you will?

Katie Arrington (00:43:54):

So we clearly understood the acquisition process. So I knew that A, any contract that you currently have with the Department of Defense today does not have the CMMC. So I knew I wasn’t going to walk in and turn on a light switch and suddenly everybody had to be certified. We had to have it rolled out with the amount of accreditors, the assessors, so we could scale it, right? It had to be scalable, and anything that we did, we understood clearly that we needed to start with a few pathfinders to work the bugs out. So why we picked a few RFIs, where they were around critical technologies, they were around what we needed to protect the most in our industrial base and for the nation, and working with those communities of interest to ensure that those few contracts that we start with RFIs, that were really working hand in hand with industry, with the accreditation body, to ensure that the communities of interest get their certifications underway before we released the RFP. 1500 was, if we were to take how many contract actions a year, I had based it on the statistics, how many contracts get let, how many of them had the critical technology. So it was all statistics that we had based in baked in. It was 1500 this year, 75 new. So you figured that 7,500 plus 1500, we’d have 9,000 new contractors in year 2021, and we would move through, so we could scale up to the amount of companies that we have in the DIB over that five year transition timeline as we went through a new acquisitions cycle. So it was a very well thought out process. We also needed to ensure that the programs that would be rolling it out had the budget to do it and ensuring that we had consistency throughout that whole process. So that’s why we did the rollout the way we did, 10 contracts in 2020 that had 150 independent contractors, vendor partners on them, that we could walk through clearly with industry, that was the number, 150 companies per contract, times 10 that’s 1,500.

John Verry (00:46:17):

That’s pretty cool. So quick question for you. So I’ve had this conversation with a bunch of people and they’re saying even if we’re not bidding on one of those RFIs, we might want to get CMMC level three certified because we think that it’ll be advantageous in the marketplace. For example, joining pursuit team. So will there be anything that would prevent, like I know this might be tricky with allowable expense, maybe it’s not allowable expense yet, but either way, like if I’m a firm that wants to get ahead of the curve, will I be able to go out and get certified?

Katie Arrington (00:46:44):

Absolutely.

John Verry (00:46:44):

Okay, good. That seems to be a common thought process.

Katie Arrington (00:46:48):

So because I actually sit on something called the Federal Acquisition Security Council. This was stood up, there was a law passed in 2018, it’s called the Secure Technologies Act. What it did is it created this federal acquisition security council that we have to create unified standards and processes to secure the federal government. So I’ve already leaned in, Chris Krebs over at CISA for DHS. I’ve talked to many other federal agencies. This framework is something that they’re all looking to adopt and support.

John Verry (00:47:26):

That’s so funny, I have that on my list of questions and I was like, “Man, should I surprise her with this?” Because the there’s word leaking around, and in fact it was funny, an e-discovery company today, a client of ours, I was looking at a contract and I won’t say what federal agency it was from, but I’ve never seen a federal agent use NIST SP 800-171, in the way they did. They actually referred to a [3POA 00:47:49] doing the audit. To me, I was looking at this going, “Yeah, this is going to be a CMMC audit in a few years from them.”

Katie Arrington (00:47:55):

Absolutely.

John Verry (00:47:56):

So that’s legit. You guys have actually talked to other agencies about potentially-

Katie Arrington (00:48:02):

Oh my gosh, yes. I literally had talked to as many agencies and it only makes sense.

John Verry (00:48:12):

It makes so much sense. Not only from the government’s perspective, but from my customer’s perspective because now you’ve got this … Think about it. If you had a sort of a national certification, that okay, “You can work with any government entity that processes data of a certain classification level using the same validation mechanism.” I mean that’s win win for everybody right?

Katie Arrington (00:48:31):

So let me give an easy way for your listeners to understand this. So back when we created the first automobiles came out, right? There were no rules. There was, you did not understand, there were no roads, there were no rules, you could drive wherever you wanted to, right? As we realized that because we would have to use the same modes of roads to get to where we had to get to, there had to be a common understanding of risk and that I understood that you were qualified with the same understanding as I was, to drive on the road. Hence we created roads, and the risk grew because you could drive into me, I mean the automobile could kill, that’s the reality. We created a way that we could all get a trust and buy down the risk, a common understanding called driver’s licenses.

Katie Arrington (00:49:28):

You had to go get a license to drive. You had to pass a test that you understood the critical thinking around driving a car. What happened then? Then, you start driving around, what was the next thing that came out? We needed a way that I could assure that you understood the risk and you were obeying the law, something called insurance came out, so we all have to have a driver’s license. We all have to be trust, but verify we know how to drive. How do we verify, is that we have insurance rates based on how well we follow the rules. Take your driver’s license in the United States of America.,You go to any country in the world and they’ll give you what? They’ll let you rent a car. Why? Because they know we understand how to assess the risk to test against it and validate it. At the end of the day, the CMMC is your cyber driver’s license.

John Verry (00:50:25):

Well, you just piqued my interest a little bit. So you might be familiar, in the privacy space, we have this concept the US has a program called privacy shield, and it’s supposed to provide some level of assurance that we’re doing the right things from a personal information perspective. So any nation might look at that and say, “Okay, we can ship our data there.” That’s kind of an interesting idea that once we get to that point, if we’re ahead of the game relative to most other countries, that’s going to make American companies that you’re sharing data with perhaps have an advantage over companies from other countries that don’t have that same level of assurance. So it’s kind of a cool idea.

Katie Arrington (00:51:00):

The UK, the EU, Australia, Canada, all have cyber standards, they’ve already have that.

John Verry (00:51:07):

Yeah. Correct me if I’m wrong, but most of those, you’ve actually baked into CMMC, right? That’s the cyber essentials, I think they’re referred to, right? In Australia, UK, I think both call the cyber essentials?

Katie Arrington (00:51:19):

Yeah. They call them cyber essentials. Canada has a volunteer program that they set up a few years ago, that they’re moving towards adopting. So most of these countries, our Five Eye partners have already leaned in. I mean, I met with Canada again today. I’ve been to Canada, I talked to the Ministry of Defense at the UK pretty regularly. How we’re going to do reciprocity because this-

John Verry (00:51:39):

[inaudible 00:09:39]-

Katie Arrington (00:51:40):

Yeah it’s really taken a global … and you go back and you think, how did we come to where we are today? So I always say there’s nothing new under the sun, right? It’s just a new way of looking at it. So you think about after World War II, the Department of Defense had something called a MIL-SPEC and the MIL-SPEC is how the Department of Defense clearly defined how they needed a quality and safety standards to be imparted into the manufacturing of product. Right?

Katie Arrington (00:52:09):

At the same time, we started doing more global and international partners. We were building tanks together. So the NATO partners stood up with something called the NATO Standard. We had a very clear language, each of us on how we thought we can convey quality and safety. Well, when we realized that we needed a common language, that’s how ISO was started. The International Standards Organization was started because the DOD led in with the MIL-SPEC, NATO responded and created an international standards. We’re doing the exact same thing with the CMMC. We are the world’s largest buyer. We’re determining how to do the buy, therefore everybody will jump onboard.

John Verry (00:52:48):

It’s funny, it’s us and BS 7799, the British Security Standard was the basis of ISO 7799, which is like the root of ISO 27001 and two. So it’s a big circle, right? Yeah. So this was awesome. You did a great job of getting all of the questions that I had answered in a way, which was fantastic. Anything else that you want to bring up?

Katie Arrington (00:53:12):

Yeah. First I want to remind everybody that in electronic warfare, and that’s what we’re in, what the threat looks like today, it will be different, and we needed the capability to be agile to that. So the CMMC shouldn’t become a checklist. It should be a tool that we can constantly tweak as threats change, we need to change our thinking around them. So know that you’re never going to be 100% secure. Anybody that sells you that is selling you a false bill of goods. But the best thing that the CMMC can do, and we can do as a nation, right? We excel as a country, as this amazing democracy, when we can buy down the risk and buy up the uncertainty and widen the delta between the two, that’s when Americans do the most good. That’s when the human spirit and everything that we stand for in this country really excel.

Katie Arrington (00:54:08):

The CMMC is everything we can do to widen that, that delta. Let’s give ourselves the opportunity to excel by buying down risk, and buying up the uncertainty, making it harder for our adversaries to exfil our systems, making it harder for them to break into our critical infrastructure, to weaken our country. Do these things. Do them not because the government says it’s what they want. Really look at it as, “Why wouldn’t I do this for my own family? Why wouldn’t I put this kind of security around how I access the internet, how it is able to affect me.” So yes, the CMMC is about your business, but it’s also that level one, CMMC Level 1, those core fundamental cyber hygiene practices are what you should be doing every single day, because there are people, it’s not just China, North Korea, Iran, Russia, it’s those … it’s cyber criminals that are looking to steal your identity. They’re looking to steal your money.

Katie Arrington (00:55:13):

These are simple things that we need to do to really function as a society, in this environment that we live in. We’re not going backwards. We’re only going to greater things. Let’s get the simple down. I liken this to General Honoré will always go down as one of the key things, and Occam’s razor is the simplest solution. General Honoré said it after hurricane Katrina, “Keep it simple.” Keep it simple. If you do the simple things every day, when hard big challenges come, we’re in a much better place to deal with them.

John Verry (00:55:47):

Yeah. As you were speaking there, I couldn’t help but think of, I think it was Jerry McGuire, with, “Help me help you.” I mean literally that … I mean, look, this is win, win, win, right? It’s good for the companies, it’s good for the government, it’s good for our country. So I’m onboard. I got one last question for you. So when this audit program gets a little further established and we kind of have a better sense in the allowable expense all and stuff, might I ask you to come back if there’s something interesting?

Katie Arrington (00:56:17):

Absolutely. So listen, I do as many public engagements, I try really, because I said at the beginning of the podcast I worked for the US taxpayer. I am doing this on behalf of the US taxpayer. So anytime that I can help communicate, I am all in. This has been a wonderful conversation. I appreciate the opportunity, the Department of Defense appreciates the opportunity, and I can speak for the hundreds of thousands of people that work inside the building and outside the building is, it’s an honor and a privilege to work for the best country that has ever been on the surface of this globe. We do it all with pride every day.

Katie Arrington (00:56:59):

The last thing is that to all of those people who work on both sides, contractors and people that work in the government, direct for, thank you, thank you for what you do everyday, thank you for your passion, thank you for your dedication because look at where we are as a nation. The events of 9/11 were horrific. But think about how our country has managed to thwart cyber threat, and stay functioning, and stay open every single day. It’s only because of great people like you on the phone and those people listening to this podcast, doing the right things for the right country at the right time at the right place. So thank you.

John Verry (00:57:43):

Sounds great. So this is called the tease. I’m going to tease hopefully your next appearance and I’m going to say that you’re going to promise to … what was the term you used? Animal spirit?

Katie Arrington (00:57:54):

My animal spirit-

John Verry (00:57:55):

[crosstalk 00:57:56].

Katie Arrington (00:57:58):

Everybody has their spirit animal. I have mine.

John Verry (00:58:01):

I know, and we’re going to tell them about it in the next podcast. All right, so before-

Katie Arrington (00:58:05):

That’s awesome.

John Verry (00:58:08):

They probably won’t know, where the heck did that come from? I’ll remind them that I screwed up the original recording and you were gracious enough to let me restart it. So real quick for you, before we say farewell, what’s the right way, if somebody has a question about CMMC, how would they get that [crosstalk 00:16:25]? Who would they reach out to it at your org there?

Katie Arrington (00:58:29):

So go to the website, the CMMC website, and all you have to do, make it simple. Google, D-O-D C-M-M-C and you’ll see the OSD website for it. There’s a portal there that you can ask questions, be more than happy to go there, go to the [AB 00:00:58:46], that’s an easy way to ingest. We get about 300 questions a day. We have a team answering them. We’re doing our absolute best. Go to the website for FAQ, frequently Asked Questions. We upload those pretty frequently and so does the accreditation body.

Katie Arrington (00:59:03):

For those people that have … they really, really need me either A, to come talk to their leadership, they need help with that, or they have a very specific question. I asked you to use this judiciously because I am one individual, but I will give your listeners my email address at the DOD, and that’s K-A-T-H-E-R-I-N-E dot E dot Arrington, that’s A-R-R-I-N-G-T-O-N dot civ, C-I-V, at mail, M-A-I-L dot mil.

John Verry (00:59:44):

[crosstalk 00:59:44] We’ll throw that in the podcast notes. That way in case somebody had trouble keeping up with, they’ll have it.

Katie Arrington (00:59:50):

Yeah. Because I am a quick talker. I ask you don’t, don’t use that for a sales pitch, that’s goes to the AB. If you have a product, we need to get you over to the accreditation body to get you into the network for that because we do see cybersecurity as a service product, how people will meet the need of the CMMC, especially small businesses. But if you have a question and you need help or you’ve listened to this and you think your corporation would be beneficial, your leadership needs to hear it. I work for the US taxpayer, I work for you, reach out to me. I do my best to return those emails. How we got on this podcast today is me returning emails. So I do my very best, but try not to do them and it’s not that … I love salespeople and BD, but there’s not a lot … I’ve got to focus in on getting this done. So let me just help with the questions, the products. I’ll generate you to the accreditation body and make sure we get you over there.

John Verry (01:00:47):

Okay, so Katie, it’s 5:22 on a holiday weekend on a Friday, you’re still on the phone with me sitting alone in the Pentagon, so I just paint a nice picture. Get home, have a good time. Thank you so much for coming on the show. I really appreciate it.

Katie Arrington (01:01:00):

No problem. Thank you for the opportunity and everybody out there take care. God bless you all and thank God we live in the greatest country in the world. God bless the USA.

Narrator (01:01:11):

You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected], and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.

PART 3 OF 3 ENDS [01:01:53]