Transcript
Opening
Hello everybody and welcome to What's the Problem, the podcast where we dive into the most pressing issues facing cyber or data security leaders today. In each episode, we're joined by a guest expert. They share their insights, their experiences on the challenges and the goings-on of what's happening in the world of security. So whether you're a seasoned veteran or a new leader to our field, this podcast provides valuable info and strategies to get organizations to the next level. Join us as we explore the landscape of cyber and data security, and discover new ways to tackle problems in the industry. This is What's the Problem and I'm your host, Mike Krass. Let's get started.
Conversation
Mike Krass: Today we are joined by Chase Richardson. Chase, say hello to our listeners.
Chase Richardson: Hi, nice to be here today.
Mike Krass: Chase, can you tell our listeners why you are qualified to talk about security? Tell us about your background.
Chase Richardson: Absolutely. So I have been a cybersecurity analyst, associate director, and now principal for the better part of a decade. Out of business school, I started a cybersecurity consulting firm with a few others. There were about five of us. We grew that firm, over five years, to a little over 60 with a whole suite of cybersecurity services. I exited that and started the US side of where I currently am at Bridewell, another cybersecurity consulting firm that hosts a number of different cybersecurity solutions from consulting to security operations to offensive testing and data privacy. So I lead the US side of the firm, in that regard. I have a handful of certifications: security plus, CISSP, CIPP. So data privacy as well as advanced cybersecurity certifications. And I've worked with hundreds of different businesses in various industries with their cybersecurity, compliance with their security operations, policies, procedures, you name it for this last decade or so. So I'm happy to share with the audience the things that I've learned along the way. Especially in the last few years, as compliance has really been a big topic of conversation here in the US.
Mike Krass: That's a great segue Chase. I'm hearing this rumor around the old internet pipes about the CMMC. Charlie, Mike, Mike, Charlie, because I know those letters all sound very together when you say them. It's the CMMC: Cybersecurity Maturity Model Compliance. We’re talking about compliance, which you just touched on. I'm hearing something about the government, the United States government to be clear, requiring that DOD contractors follow that model, both as a prime as well as a sub or a JV. Is this just all watercooler nonsense? Or is there any truth to what I'm hearing around the way?
Chase Richardson: Yeah, absolutely. No, you're absolutely correct. This compliance has been, it's been in development for some time. So the requirement that the DOD supply chain prime contractors and subcontractors follow some level of cybersecurity compliance is nothing new. It's been around for over a decade in various forms. Now, the Cybersecurity Maturity Model of compliance. The first announcement of it was about four years ago in 2019. And it took it up a notch. So before that, and actually how it currently is. Just to be clear, this is not in contracts, as of right now, to have this level of compliance. Before that, it was really the contractors and subcontractors attesting to their level of compliance. Saying, you know, I'm following a cybersecurity protocol. Or what we call it in the space: cybersecurity hygiene. I'm following all these things so you can send me over sensitive materials or even not so sensitive materials, but private materials. And I'm safe. I am following everything, so don't worry about it. But with CMMC, it's taking it a notch further because of the increase in cyber attacks that we read in the news every day. We need to be even more careful with that sensitive data. So for the prime contractors… there are a couple of levels, and we can get into that later. But for a majority of these prime contractors and subcontractors, there will need to be not just an attestation anymore, but an independent third party that can come in and give you that stamp of approval that says, yes, I've checked their policies. I've checked their controls. And they are doing what they attest that they have been doing for a while. And so that is, in a nutshell, this compliance that's been in development for the last several years. Hopefully it's in what they call the rulemaking phase. So it should be coming down the pipe in the next couple of years.
Mike Krass: So you said something about primes and how there's multiple levels to that. What did you mean by that?
Chase Richardson: So not every contractor is going to have to pass the same level of assurance that the Boeings of the world or the Lockheed Martins are going to have to. If you think about that, being at the highest level, with the sensitivity of the data that they had access to, they're going to have to pass. There are three levels in the newest flavor of CMMC, what they call CMMC 2.0. And of the three levels, those prime contractors are the biggest contractors. Those are going to be the Level 3s. They are going to have to pass the most rigorous of audits in that level three, in order to get that certification. For the subcontractors that have access to some of that data, what we call and I'll reference this throughout the conversation, but CUI or Controlled Unclassified Information. They might have some level of access to that information in some drawings, or what have you. And they still have access to them. It still passes through their email or shared folder or what have you. So they still need to pass some level and that would be a level two audit. The majority of subcontractors will have to be at that level two, or so the DOD states. And then finally, you've got the level ones that need to have… They might have physical access. Think about the third parties. Maybe it's a managed service that comes in and does some maintenance to servers. It doesn't actually have access to the data itself, but maybe has physical access or limited access. They’re not actually touching that controlled unclassified information. Or it's never going to their inbox or what have you. And so those are going to be the level ones. And then it's a lighter touch. And actually in this newest CMMC 2.0 rolling out, that's not even a third party coming in and doing that audit. That's still remaining as a self-attestation.
Mike Krass: Exactly. Tell me, just so I understand. So level two, you do have access to the data. Correct?
Chase Richardson: Correct.
Mike Krass: Yep. Okay. So that’s level two. And level three, the Boeings, Lockheed, those folks. They actually have access to data. Level one, self-attestation. You don't have to have a third party come in and conduct any kind of auditing work. And so those are organizations that are doing server maintenance, I think was the example you just gave. They're not actually accessing and have no accessibility to the data itself. But they're just helping the gears of the DOD machine run, right? They're kind of lubricating the pump.
Chase Richardson: Exactly. They might make a certain custom widget or screw that eventually goes into who knows what at Boeing or Lockheed at these level three prime contractors. But at their level, all they know is that they just got an order for this widget that they're really good at making. So it gets there eventually. They're part of the supply chain, but they don't have access to any of the real sensitive data.
Mike Krass: Now, let's talk about who would realistically be performing these audits. If I'm talking about a level three, and I'm looking for you to correct me if I'm off base here, Chase. I'm thinking of level three, I'm thinking Boeing, Lockheed, something like that. This screams Big Four firm. Just some sort of monstrosity of a consulting firm that has some sort of CMMC auditing process that needs a level three criteria. Is that accurate? Or do you think that… You know, some of our listeners actually do work at or own businesses that could be this third party auditing. This seems like level threes are not really accessible to everybody. And they're also not the majority, as you pointed out. Level two is the majority by company population, or by contractor population. So is that accurate? Level three auditing work is probably going to be done by a very large multinational type Big Four firm.
Chase Richardson: Yeah. There are a few firms. The first couple firms that got approved to be assessors to come in and do these assessments. There have been…the Big Four are definitely in the mix. But a couple of the larger firms that have gone through this just have that focus. That's all that they do. Not only is cybersecurity auditing, maybe they have experience with ISO audits. 27001 or something like that. They're qualified auditors and that's all they do. And maybe their target market is just the DOD supply chain anyway, so they were naturally in the space to provide that level of service. And they have that experience, they might be able to do that. As for the level threes. Again, a change with this most recent CMMC 2.0. Them coming out with this new flavor of CMMC. The level threes have actually been indicated that they're going to be government-led audits. So they're going to be alongside that, maybe it's a Big Four. And there may be kind of a public-private partnership that happens here. But it'll be the DIBCAC, or the Defense Industrial Base Cybersecurity Assessment Center. I know it's a handful. It's part of the Defense Contract Management Agency. And they're the ones that are front and center on this. They're the ones that have been doing some level of audit. Again, not at this level, but some level of audit, as I mentioned before. These contract assurances have been in place for a very long time, for years. They've gone through and done spot checks and different audits through this agency in the past. And that same agency is going to be leading the level three audits. However, for the level twos… Level ones, we said they're self-assessments. The level two audits are going to be organizations that have gone through a process to be a C3PAO, which sounds like it's from Star Wars. This is a Certified Third Party Assessment Association. Those are the companies that have gone through the process of becoming this assessment org. They have the wherewithal and the understanding to come in and do the audit for those level twos.
Mike Krass: Chase, here's the last question. I think we've been building up to this. So before I ask the question, here’s context for folks like yourself and others who are very plugged into this space and into this topic. I think that what we've talked about so far has been a helpful refresher for them. So I want to ask this last question not with that specific segment of our listening audience in mind. And the question is, for folks who didn't start living and breathing this four years ago… they've got the date marked on their calendar two years from today. For folks who are not in that audience, what could be some unintended consequences in your professional opinion that could come out of this? And I guess I want to say unintended consequences or benefits. It doesn't always have to be negative. But for folks who aren't living and breathing this, could you just tell those listeners a little bit about like, here's how this might actually affect you.
Chase Richardson: Sure. Yeah, absolutely. I'll start with the negative and move into the positive. The negative would be this is a large undertaking. To follow all these controls, if you haven't done an assessment in a while. If you haven't ever done one or you’re a level two organization you don't know what you don't know. Undergoing a project where you do a gap analysis and you implement things that you're not following in order to be compliant and then you get the assessment organization. Not only does it cost a lot of resources, it’s time and money. So even if you had a lot in the bank to go as fast as possible, it just takes time. It takes a lot of time. So if you're not ready for this…
Mike Krass: How much time?
Chase Richardson: It depends. You know, a consultant’s favorite answer. It depends on what level you're already following. It could take three months or it could take a year depending on what you already have in place. And so when this comes through, and it does eventually hit contracts that maybe are the lifeblood of your organization, you may not be able to bid for those same contracts that are the lifeblood of your organization. So it could have a serious negative consequence. And again, it may be this has been in development for a long time. It may be too late to get certified. So that's the worst. But the best, if you get a head start on it, would be it could be a differentiator. It could be a competitive advantage. Even before these contracts. It's not in contracts yet, right? You don't need to have it right now. But you could say we're taking this seriously, especially in your bid. You can say we've already done an assessment, we're already working on a plan of action and milestones that we're… Maybe we're not perfect yet, but we're actively moving on this. And we're taking this seriously. That could be a differentiator in your next bid, even now, before this comes into effect. Because that's a big conversation with all companies, even outside the DOD, is on supply chain, assurances. So that could be a differentiator in a positive light.
Mike Krass: Yeah, as we come to the conclusion of this episode, I can see that differentiator being a real positive. And I'm always…I'm a naturally curious person, by nature. And I'm always thinking about expanding and doing different things, and kind of like growing, you know, both personally and professionally. And I could even see it as… you come in, for example. Say you are a level two. You meet the level two criteria, but you could actually, as an organization, if you know that you could mop the floor with level three criteria type work, you could bid on that, and then kind of expand your opportunity from there. You could say, hey, just as an FYI, we can do this all day, this level three type stuff. And I know that this… we’re not trying to bid on two projects at once. But I am just trying to tell you we do have all of these certifications up to the level two requirements. So you know, if your needs ever expand past this, we would be able to bid on that. You used a word that I think's important, this reassurance. It's reassuring to say we can do this great work at a level three compliance level. But we're here for you at level two, if and when you ever need us. As folks know who have contracted with the government, once you get into a governmental agency, like the DOD, there's a lot of opportunity for you to help them in other areas, and to be a valued player past that first contract.
Chase Richardson: Yep.
Outro
Mike Krass: Well, Chase, thank you so much. I really appreciate you joining the show. And for our listeners, that is a wrap for this episode of What's the Problem. I hope that you found our conversation with Chase Richardson to be insightful, to be informative. I hope you took something away. Remember to tune in next time for more discussions on challenges and happenings in the world of security. Also, I want to give a quick shout out to our host MKG Marketing. MKG is focused on helping cybersecurity businesses get found, drive leads, and close deals. So if your cybersecurity firm is struggling to generate leads or close deals, let us help you. To learn more, you can visit our website at mkgmarketinginc.com. Thanks for listening. Don't forget to subscribe and leave a rating for this podcast. Chase personally told me that he's expecting 10-star ratings on the five-star scale, so don't let Chase down. We appreciate your support. Until next time, Chase, say goodbye to the listeners.
Chase Richardson: Goodbye, thanks for having me.
Chase Richardson
Chase Richardson is a subject matter expert in both Cybersecurity and Data Privacy. He is the Lead Principal of US Operations at Bridewell.