Jason Pufahl 00:44
So I threw out a couple of acronyms right out of the gates. And I think some of the listeners probably know, but do you mind spending a minute on CMMC? I know that FutureFeed is really closely linked with sort of the CMMC-AB, so I’d love to know a little bit from your perspective.
Jim Goepel 01:00
Sure, so CMMC is the Cybersecurity Maturity Model Certification, which is a giant mouthful, which is why everybody goes with the acronym. What it is, is a DoD initiative. They realized several years ago that they need to get their arms around their supply chain security, and some of the earlier steps that they took really weren’t working that well. So they created this new thing in 2019 called CMMC. It’s basically a regulatory requirement that says that you have to get a third-party certification of your environment if you’re going to be handling any controlled unclassified information. There’s some asterisks associated with that, but basically that’s the high-level overview of it. I was on the CMMC Accreditation Body, the nonprofit that’s there to help manage the CMMC ecosystem. I was one of the founding members there, I helped create it. And actually, ironically, they just recently changed their name to the Cyber Accreditation Body. But that was all the same group, we helped stand everything up. Actually, the owner of FutureFeed, Mark Berman, was also on the board with me, we helped set everything up. It’s really neat, CMMC is a great foundation for many organizations. It’s based on NIST’s 800-171, that’s the National Institute of Standards and Technology. They publish a guide for any government contractor that’s handling government information that’s controlled unclassified information, and it basically sets out the security requirements that you have to have in place. CMMC basically copies 800-171, adds the third-party assessment and certification requirements to it, and makes it so now everybody’s got a little more skin in the game, and that kind of ups the ante as far as what the government contractors need to do.
Steven Maresca 02:52
So from, you know, our customer base, we work a fair amount with the DoD contracting end of the spectrum. But we also work a lot with higher ed; they share similar requirements for controlled unclassified information with the same standard. I’m interested to know, in a practical sense, if you don’t mind, what it means to both of those at both ends of that spectrum. You know, if higher ed needs to deal with the federal government from the perspective of research, they also have to participate to ensure that they receive federal financial aid. Where does all that fit together?
Jim Goepel 03:32
So when you stop and look at what the government calls controlled unclassified information, all it really means is sensitive information. It’s stuff like social security numbers, which every company has, and information about students or about different types of people, or other kinds of sensitive information. At the end of the day, it’s the kinds of things that everybody should be putting in place. Drilling down a little bit deeper, when it comes to the government contractors, the government is saying, look, if we’re going to give you this information and you’re going to process it, or if we’re going to ask you to collect this information and you’re going to be the one actually storing it, we expect you to take really good care of that information, because it is sensitive. And same thing when it comes to higher ed: even though you may not be in that government supply chain role and may not be doing research for the government, you’re still expected to, because you are collecting student information and you’ve got, again, social security numbers, grades and other sensitive information about the students. The government is saying, look, because we’re going to give you funding, we’re going to add some additional strings, because we know that you are collecting this kind of information, and we need to make sure you’re protecting it properly. So that’s really fundamentally what this is all about. Both 800-171 and CMMC are, again, two sides of the same coin. The only additional complexity really that CMMC brings into it is that you have to have a third party come in and do a formal certification of your environment, but the requirements, the fundamental requirements, are all the same.
Jason Pufahl 05:06
So I really like the way you describe that, right? Because you left out a lot of technical jargon, and at its root, 800-171 has got a fair amount of technical qualities to it, but ultimately, it’s understanding the data that you have, and doing the best to protect it. And in many ways, I think Vancord is really good at that assessment side, right, understanding the data that’s in scope, understanding all the controls that are in place. But we’ve always managed those assessments via sort of your more traditional Excel spreadsheets and things like that. And when we were looking to mature our practice, we were looking for a partner that I think had a lot of expertise, and I’d say you demonstrated that right out of the gates with your involvement with the CMMC-AB. But I think you’ve also really developed an application or toolkit that really aids in the sort of initial assessment and the ongoing, and I think this is an important part, the ongoing tracking and reporting around 800-171, right?
Jim Goepel 06:13
That’s really, I think, the key. So from a legal perspective, when a breach happens, that’s what all this is really about, right? It’s not so much that you’re protecting your stuff, in part, because, well, especially when it comes to the regulatory pieces, what you’re really worried about when a breach happens is, how do I show the government that I was doing all the stuff that they told me I was supposed to be doing, and in many cases that I promised them that I was doing? Well, that’s that evidence piece, that ongoing maintenance and the ability to prove it anytime. Our tagline is attain, meaning attain your cybersecurity certification, maintain it, which means, you know, keep the environment actually running, and then prove it anytime you want. You need to be ready for that last piece, because the breach can happen at any time. And now the DoD’s DIBCAC team is saying that they are going to start doing random assessments of government contractors. They’re already doing some, but they’ve been focusing on the bigger contractors and the ones that are handling some of the really sensitive unclassified information. They’ve now come up with a new structure where they’re going to be doing even more, less intense but much more frequent, reviews of contractors. So if you don’t have all of your paperwork in a row, they literally will be contacting you on Monday, and they expect you to have the entire package together by Friday. So if you don’t have your ducks in a row, you’re up the creek. So that’s where something like FutureFeed can be really beneficial, because the whole idea is you maintain that information right in FutureFeed, you’re actually using it to maintain your environment. And because you’re maintaining your environment in FutureFeed, we can spit out all the artifacts that you need to be able to demonstrate to DIBCAC, or any other assessor, that you’re doing the things that need to be done.
Steven Maresca 07:54
So certainly, beyond DIBCAC, we’re seeing the same type of behavior from the Department of Education, the same types of requests to make attestations about actual maturity and process and so on. I’m interested to hear, in particular, how typically, in your opinion, organizations have struggled to meet their self-policing, their self-attestation goals over time, because these are not new requirements, right? And we’re talking about years’ worth of notice from the federal government to invest time and effort into meeting some of the controls and improving process. Some have tried, some have done quite well, some have started and stopped and never completed anything. Where were the biggest struggles and, you know, what in particular does a platform like yours help to make easier?
Jim Goepel 08:47
So I think that there are two levels of struggles. The first one is understanding what the actual requirements are. So many organizations today know that they need to comply with 800-171. They read the requirements, and they stop there; they say yes, we meet everything. If you actually look, there is a whole other document, 800-171A, or in the CMMC vernacular, there’s the CMMC model, and then there’s the CMMC assessment guide. 800-171A and the CMMC assessment guide are basically the same thing. What those are, are additional details. So 800-171 has 110 requirements. Any one of those is just basically a single sentence; it’s not that hard to understand at first. And then when you start to actually try to understand what they’re really asking, you realize that it is much more complex than you think. The assessment guides add additional color to it, and it goes from 110 requirements up to 320 individual things that you need to evaluate yourself against. So right off the bat, there’s a relative immaturity on a lot of clients’ parts, because they just don’t understand what they were supposed to do: the more detailed, more rigorous assessment against all 320 individual, what they call, outcomes. So that’s a big deal. The organizations that have gotten beyond that and have actually started to look at that more granular information, many times they treat this like an audit, that is, it’s a once-a-year requirement, and they just kind of burn through it. They say yes or no, they’ve done each of those individual requirements, and then they stop. And the results get put in a drawer, and, because of the way the law is written, that’s actually all you technically have to do for the majority of the controls. They don’t actually start to address the shortcomings, and they don’t follow through, and they don’t treat the stuff the way it really should be treated.
So FutureFeed helps you with most of those. We take all the information from 800-171A, we actually have additional clarifications and additional guidance from different sources in there too, to really help clients understand what they need to be doing. Now, an organization like Vancord coming in and providing that expert level of additional review is really helpful, and we think it’s a smart way for most of our clients to go. But many times, you know, the client is still going to be looking at those requirements; they’re the ones who are going to have to make the final attestation to the government that yes, we are doing these things. So there is a certain level of understanding and knowledge that’s necessary on their part. We try to make that a little bit easier, give them the tools and resources that they need to be able to understand it too. And then that next part, the follow-through piece: again, we give you project management tools, we give you other things to give you that visibility to really manage the environment properly, so that you can prove it at any time. A lot of companies will do that self-assessment, and they’ll realize that out of 110 controls, they’re missing 70/80 of them. That is not uncommon at all, at least at this time. And so what you need to do then is create a project plan and actually start to close all of those open items. That’s what DoD is looking for. They’re not necessarily looking for you to be perfect, although that would be wonderful. They realize that most contractors aren’t. So how are we going to get there? And if you have a breach in that interim period, if you have some other security incident in that interim period, what they’re looking for is, have you been following through? Did you create a plan of action and milestones? And milestones for each of those actions?
And then did you actually start to meet those milestones on your path to getting fully compliant? As long as you can prove that, you’re going to be in really good shape. You’re not going to be perfect, and DoD may not be thrilled with you, but at least you are on the right track, and they won’t beat you up quite as bad.
Jason Pufahl 12:41
Right, so you certainly never want to show, or you never want to indicate, that you’ve been negligent, right, that you haven’t done anything. And certainly a big part of this is, where are you on your journey towards compliance? Have you sort of taken those initial steps? Can you demonstrate you’ve taken those initial steps? And do you have a plan to address all of the outstanding gaps that are identified through this assessment process? So I have a number in my head, I’m going to put you on the spot. A company that hasn’t done any assessment and frankly, right, a lot of the ones that we work with may not even have a security program really in place at all. What does this take from, say, start of assessment to, say, end of assessment? I certainly don’t mean the end of having everything implemented, but the assessment process itself, to get documentation in place to the best of your ability, sort of clarity of where you are in this journey. What do you normally tell people?
Jim Goepel 13:44
So, it depends. It depends on the complexity of the environment. So for simple, for smaller clients in the like one to 20/50 person range, depending on whether we’re talking about one facility, multiple facilities, and all that kind of stuff, the complexity can vary. To come in and just do a basic, what I would call a gap analysis, so it’s not really collecting evidence, it’s just understanding where you are in this spectrum, it can vary. I’ve seen published estimates of between $5,000 and $15,000 to do that work, to do the gap analysis. With something like FutureFeed, we can actually streamline that process significantly and help you get more information in there. So we’re probably going to be closer to the lower, maybe the mid, range of that range instead of closer to that $15,000 range.
Steven Maresca 13:44
So I’m curious to sort of piggyback off of that. Many of the smaller customers that have started on this journey have engaged with manufacturing extension partners in general. They have perhaps gone through a guided assessment through CSET, which, for those who don’t know, is the cybersecurity evaluation tool. You know, they’ve started something, but there’s a gulf between that place and where they need to be. Can you speak a little bit about that? Because they’re worlds apart, in my opinion.
Jim Goepel 15:20
They are worlds apart. And honestly, what happens when you go through CSET, or you go through any of these gap analyses, the end result is a really long list of stuff that is, quite frankly, for most clients really intimidating. Even when you do the 800-171A base assessment of your organization, as I mentioned, there’s about 320 requirements in there. By the time you’re done, many organizations have 200/250 gaps that they’ve identified. And I’m laughing, but it’s like, that’s normal for many companies. When they get that, that’s really intimidating. They don’t understand how to address those, or how to prioritize closing any of the gaps. And quite frankly, that’s why a lot of times that list just goes in the drawer, and nobody ever does anything with it. If you take the time to understand a couple of different key aspects, so there are some controls that are defined as foundational controls, knocking those out early can make a big difference in your overall cyber posture. There are some controls that build on those that are really easy, kind of low-hanging fruit. So there’s foundational controls, and then there’s this stuff that’s dependent on them. You can create basic plans that really help you address and clean up all of those gaps in a structured manner. There are actually third parties, so I run a nonprofit organization too, and we publish a suggested list of implementation orders. We break it down into five groups, and we say, okay, just do it kind of in this order, and that’ll help you get stuff done. Again, in a prioritized way, we looked at potential impact, we looked at the relationship, we looked at a bunch of different things and created that list to try to make everybody’s life a little bit easier. Did that answer your question, Steve?
Steven Maresca 17:17
Yeah, I think so. It helps with clarity, I think, for organizations who have started there but, to your point, don’t know where to go next. From a prioritization standpoint, it’s a very common reaction. For example, where that actually gets applied is, hey, you know, we have to plan for budgeting next year, where do we spend? Maybe there’s reticence to spend, maybe there’s tightening of belts for other reasons, you know, there needs to be careful allocation of effort and funds to close gaps. And I think that many, many organizations struggle mightily with that particular problem. So I appreciate that response.
Jason Pufahl 17:54
And they want to tackle the biggest items they can first, right? If it’s implemented technology, and that technology will help them close 10% of the open issues, that’s really compelling. And being able to describe that in a way that, Jim, to your point, makes sense, right? Because that laundry list of 200 open items, not mapped back to a solution, is really overwhelming. And I think oftentimes gets the thing thrown into a drawer. And, you know, they have this hope that nobody will ever ask them to demonstrate where they are in this journey.
Steven Maresca 18:29
And there’s ambiguity about when they’ll be required to meet your requirements as well.
Jim Goepel 18:34
And that’s one of the biggest things, Steven, I completely agree. That’s what CMMC is helping to change. So we expect to see CMMC requirements showing up in government contracts, as a practical matter, probably in October of 2023. So you’ve got a little over a year to get your ducks in a row. Realistically, is DoD going to have CMMC requirements in every government contract starting in 2023? Probably not. But it’s hard to predict where they’re going to show up. The last time that they tried to do this, there were some interesting candidates that floated to the surface. And so you just really never know which contracts they’re going to choose first. So get your ducks in a row now. But even if you don’t, and this goes to the point that I made before, even if you don’t meet those requirements by October 2023, even if you can’t meet them by then, it doesn’t mean that you shouldn’t start, because what DoD is looking for is, are you in line? They’ve actually said that certain things can be postponed, you might be able to get a waiver, there’s some other wiggle room built into some of their language. But as a practical matter, if you haven’t done anything over the intervening year, good luck, you’re probably not going to get the waiver, you’re probably not going to get all the other benefits that they’re dangling in front of contractors. On the flip side, if you have actually taken the time to do this stuff, they’re going to be much more likely to, I won’t say they will, but they’re probably going to be more likely to give you the waivers and give a little more leniency.
Jason Pufahl 20:08
Yeah, I mean, I think in fairness, just the assessment alone is going to be an overwhelming task for a lot of organizations to complete. Right, which is why, I think, you know, we oftentimes get involved in that assessment space to really help people sort of identify, you know, what to do. You said something like, if you just read the question at its face, it’s reasonably easy to understand. I don’t even know that I agree with that. Like, there’s a lot of questions in there where, when you read it, you’re kind of interpreting what the intent is. And is it possible that you even meet this or not, right?
Jim Goepel 20:50
Absolutely. And that’s kind of what I was getting at. On the surface, it seems like it’s okay. But then if you take a step back, as you said, you realize that there are many different ways to interpret this, and many contractors just were reading the requirement and saying, well, if I read it this way, standing on my head and reading it backwards, then yes, it looks like it fits. But they don’t take the time to record their justification. They don’t think about why, or record anyway, how they’re actually meeting their interpretation of that requirement. When DoD walks in, if DIBCAC comes to your door tomorrow and says, hey, you know, we’re ready to do our audit of you, what proof do you have? How do you justify your saying yes to that? If you don’t have that stuff, you’re actually setting yourself up for a potential False Claims Act claim, you’re setting yourself up for a bunch of other potential problems with DoD. So it’s really important to collect that evidence, put it all in one place, maintain it properly, and really get your ducks in a row.
Jason Pufahl 21:52
And not understanding the requirements isn’t an excuse. My litmus test often is, if I have a conversation with somebody and they say, oh, yeah, we’re 90% compliant, I know they’re not. The reality is, I haven’t run across an org yet that has that level of maturity in their security, right? And they’ll say, well, we spent an afternoon, we answered these questions, and we got a 90? I say, well, you didn’t get a 90 after an afternoon of answering those questions, right. I mean, it’s a process.
Jim Goepel 22:20
So DoD has said that companies need to not only get ready for CMMC, but they also need to do that self-assessment and actually calculate a score. They give a scoring methodology for it. It’s called an SPRS score, because it needs to be submitted to the Supplier Performance Risk System. DIBCAC recently said that of the 80,000 companies that are expected to handle controlled unclassified information, DoD kind of thinks that’s about the universe of it, only 20,000 companies have thus far submitted scores to SPRS, so only about a quarter of the contractors so far.
Jason Pufahl 22:55
That’s fewer than I thought.
Jim Goepel 22:56
And of those, yeah, I was really surprised too, because the requirements had been in place for like a year and a half now, so you would think that more of the contractors would have known and submitted scores. But then of the ones who have submitted, something like 75% have given themselves a perfect 110 points. DIBCAC, over the past couple of years, has been going out and performing assessments of those contractors. And it has been their observation that less than 25% of those contractors who have said that yes, we’re doing things well or perfectly, are even close to meeting most of the requirements, was the way that they said it. So contractors tend to take a very rosy view of their cybersecurity programs. And until you have a third party coming in and challenging you and asking questions and digging deeper, it’s really hard to be confident. So that’s where, again, somebody like Vancord coming in, even if your group thinks that you’re doing well, even if your IT team thinks you’re doing a good job, having somebody independent who’s coming in, who can start asking the tough questions and really kind of, not hold their feet to the fire, but just make sure that there’s a real logical foundation for this. That can be huge.
Steven Maresca 24:10
I treat it as, frankly, a learning exercise for the customers. They can’t delay, because very frequently they have CUI they don’t know they have, or that isn’t appropriately marked, or is derivative of CUI. So, you know, learning about data flow and their actual obligations is, frankly, where they’re starting. And then the self-assessment follows, and actual improvements thereafter. I think so many of them are learning the universe is much bigger and more complex than they imagined.
Jim Goepel 24:44
So I ran a consulting company before I came to FutureFeed. And one of my engagements was with a very large, well-known research organization, and they hired me to do a data discovery process, so just help them understand what they have in their environment. We said, okay, well, to figure it out, we need to figure out how much we’re going to charge for this. So give us a rough order of magnitude, like how many people are we talking about? How many systems do we need to look at, all that kind of stuff. And they told us that it would probably take about 30 interviews, was their expectation. And so we priced it accordingly. This is, again, a well-known and very sophisticated organization, like they generally have their i’s dotted and t’s crossed. If anybody does, they do. They said 30 interviews; we did over 100 interviews. And we weren’t really done. We just, both sides, my company and that organization, decided that that was enough for them to realize that there’s a lot more complexity here than we thought.
Jason Pufahl 25:51
Yeah, it is complex. I think some of the feedback we often get is from folks who bemoan the fact that they need to spend so much money meeting some of these compliance requirements, and trying to understand really what, you know, their future budgetary expectations should be, you know, what the timeframe around this is. And in many cases, it’s, you know, how do they meet these perhaps with minimal effort? And I think those are real and legitimate questions, because it does represent a real expense for folks. But I think, to your point, it’s not something that people can ignore, right? Even if you’re, say, one of the three quarters of the companies out there that haven’t gone through this process yet. I mean, the time to start is now, because they’re only going to get sort of more rigorous, and probably more scrutiny.
Jim Goepel 26:40
Well, and even setting aside DoD, right, so yes, that is an important revenue stream for a lot of companies. And that’s also fundamentally, as a taxpayer, I’m kind of hoping that the people that our government is giving sensitive information to are properly protecting that information. But setting that aside, fundamentally, this is where we are as a business entity today. This is table stakes for continuing to do business, and if you don’t think that, I guarantee you that in the next three to five years, you are going to have a data breach, and you are going to see the financial impacts that that breach has on you. My old company, we had several clients who we would do the cyber strategy pieces for; we would come in and help them define the strategy and make sure that they’re doing things right, kind of like seeing CMMC. And I can’t tell you how many times we would go in, we would do an assessment of a client and find a lot of flaws, they would start to close some of the gaps, which was really good. And then there would be a data breach, because they weren’t done. And so the bad guys took advantage of those vulnerabilities. So this is really, honestly, it is table stakes. If you are among the folks who haven’t realized that you’ve been breached yet, and I’ll phrase that very carefully, but if you realize you haven’t been breached yet, that’s good. But you’re basically pushing your luck, you’re kind of driving down the wrong side of the road. And it’s just a matter of time before something’s going to happen.
Steven Maresca 28:05
I try to frame it similarly, where, you know, it’s a cost of doing business. And it will shift the way contracts are bid. It’s just the nature of the shift at the moment. And it’s a way to recapture it without feeling too burnt in terms of expenditure.
Jim Goepel 28:19
We’re seeing that in other industries. The insurance and financial services industries, there are regulations there that say that not only do they have to have good cybersecurity in place, but actually those in their supply chain all have to have good cybersecurity in place, too. So we’re seeing that already, and I suspect that we’re going to see it more. So we saw it in financial services, we’re seeing it in DoD contractors, I suspect that we’re going to see it in other regulated industries really soon, drug manufacturers and folks like that, and anybody that’s doing critical infrastructure. And that just means that it’s all going to percolate down to everywhere else. Because once you start hitting even a handful of those industries, you’re gonna get a good chunk of the people that are in the supply chain.
Jason Pufahl 29:04
So I think we’re coming up on time here a bit. I want to give you a chance, Jim, to add any sort of final thoughts. As I think through this, what I’d like to say is it’s a complex process, it’s one that manufacturers supporting the Department of Defense are gonna have to go through. The sooner that you start, frankly, the easier it’s going to be to sort of meet these requirements, right, it gives you some time to work through this process. It is a lengthy process, and it’s probably not one that a company oftentimes is fully staffed for, right? So you want to build some time in for that. In my opinion, kind of working with a vendor that has a process that includes a product such as yours, which really allows you to do that assessment, capture as much information in the form of, you know, supporting artifacts, etc., and then have that be basically a living system that you can continually return to, and sort of demonstrate that you did that assessment and you’re making progress and that you’ve got a path forward through that POAM, is really important. So, you know, my opinion really is start now. Try not to make it an exercise that feels too onerous, and also give yourself plenty of time to actually sort of meet the controls and address those outstanding gaps that are going to be identified.
Jim Goepel 30:36
And the beauty of starting now is you don’t necessarily have to spend everything right now. By starting now, you buy yourself the time to do this in a phased approach. If you wait until the last minute, all that expense is going to hit at once, and you’re going to pay a premium, because there’s going to be a bunch of other companies out there who are also in the same boat, and there aren’t that many people available to do the work for you. So you’re going to have to pay an additional premium in order to get their attention. And just as a practical matter, so take your time, do it now, you can start to build it into your budgets, you can start to do all the things that a normal business would want to do. And you can be proactive instead of being reactive. Getting somebody like Vancord in, I think, is a fantastic idea, because then you have a group who knows what they’re doing, they’ve done this stuff before. And honestly, there are enough places where you hit roadblocks, where stuff is confusing, etc. And it just makes a lot of sense. By the time you’re done, it’s more cost effective to bring in professional help and do this right than to try to do it yourself. Many of our clients actually start off trying to do it themselves. And then they learn that this isn’t quite as easy as they thought it was going to be.
Jason Pufahl 31:56
So, is it fair to say that we’re actually in an industry where having some background and expertise is valuable? You can’t just do all this stuff on your own.
Jim Goepel 32:06
I’m a lawyer, too. Like, I see people try to do that side of things themselves. And some can do it. But most learn the hard way that that’s not really the right approach.
Jason Pufahl 32:16
Yeah, Steve and I, I’d say, play lawyers. Yeah, probably too often for our own good, I’d say. So, Jim, I appreciate you joining in, and I’ll go out on a limb, right, we’ve chatted a few times here. If people want to have a further or maybe more in-depth conversation around this, and I think it’s a reasonably complicated topic, you know, so this might just whet people’s whistle and make them want to talk more CMMC. Hopefully, you’d be willing to jump on a podcast or maybe even have a more direct conversation sometime in the future.
Jim Goepel 32:47
Absolutely, anytime, just let us know.
Jason Pufahl 32:49
All right. Hey, I really appreciate your time today. It’s been really informative.
Jim Goepel 32:53
My pleasure, guys, thank you very much for inviting me.
Stay vigilant, stay resilient. This has been CyberSound.