Let's Talk About FedRAMP (What, Why and How?)
Climbing Mount CMMC, October 24, 2024
26 · 00:51:15 · 35.23 MB

Karen and Bobby dive into the complexities of cybersecurity audits, particularly focusing on the distinctions between CMMC and FedRAMP. They discuss operational challenges, the assessment processes, and the importance of recommendations in FedRAMP. The conversation also highlights misconceptions about FedRAMP, the implications of equivalency versus accreditation, and the future of cloud services in relation to these frameworks.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome back to another episode of Climbing Mount CMMC.

[00:00:12] Well, welcome back everybody. We are super excited about this one. Today we're going to be talking

[00:00:16] about FedRAMP from a satellite perspective and then we're going to kind of start to get into some

[00:00:20] more of the history and detail out of it and how it might relate to CMMC and how it doesn't relate

[00:00:26] to CMMC. I think a lot of people throw this term around. They have some assumptions about it and

[00:00:32] it is a very significant topic in the CMMC DIB ecosystem and I thought who better to bring back

[00:00:39] on our show than Karen Stanford. Karen, thank you for joining us. Hey, nice to join. Okay, so first off,

[00:00:46] just so that since we're going to be getting into the FedRAMP conversations, why don't you just sort

[00:00:51] of tell us, Karen, kind of how you came in the back door or the front door, however you want to look at

[00:00:56] it and your experience with FedRAMP and so that way our viewers can kind of understand,

[00:01:02] you know, your history and why you can speak so authoritatively about it and then also if you could

[00:01:07] just tell us a bit of the history of FedRAMP and its existence. Sure, so I might start a little bit

[00:01:13] with the inception of it because as cloud services evolved, you know, the way the government has

[00:01:20] typically enforced cybersecurity or safeguards, you know, anything that's to do with their data,

[00:01:26] they could do contractually. So if they have a vendor that they're working with,

[00:01:29] they would indicate the, you know, you need to comply with the following requirements. But when

[00:01:32] the cloud model evolved, you just sign up, right? Like there's no specific contract between AWS and

[00:01:39] the DOD, AWS and GSA. So there was no means to push down the security requirements to those cloud

[00:01:46] service providers. So I didn't think about that. Wow, that's yeah. Yeah. So and it was like at the

[00:01:51] time it was a big, you know, it was one of those, you know, like there's a bunch of questions

[00:01:55] swirling about CMMC that that was the case with cloud because, you know, agencies were signing up

[00:02:00] to use it. And the intelligence, you know, everyone in the federal space was freaking out about the

[00:02:06] risk. So so what they ended up doing was the DOD and a bunch of different agencies got together and

[00:02:13] formed a joint advisory board. I think it's GSA, DOD, and I'm going to forget the other one. But anyway,

[00:02:21] they all came together and came up with an idea, which was basically that they are going to require

[00:02:27] any system that's in use in the federal government needs to have a FedRAMP accreditation.

[00:02:32] And they took the FISMA requirements, basically, that were in scope for a moderate data set in the

[00:02:37] government. And they overlaid some additional controls related to cloud. And so that created the

[00:02:44] FedRAMP baseline. And then organizations, well, there's a the way that in CMMC, you have a C3PAO,

[00:02:51] there are 3PAOs, third party, independent third party assessment organizations. And so I

[00:02:56] worked at one of the biggest ones when they first came out. And so we had a lot of FedRAMP work in

[00:03:02] the beginning. But those now at that time, was it was it predominantly the government needing to use

[00:03:12] cloud based apps? And it was just really being pushed by the government's need to want to consume

[00:03:17] those resources? Is that the I think the initial push seems to be more that like, we're already

[00:03:23] using this product. And now we're going to make them go do this, you know, like they were already doing

[00:03:27] it, and they were concerned. And so they were saying, you need to do this. So, you know, they definitely

[00:03:32] prioritize by whether the system was in use in the government initially, and those people got priority.

[00:03:37] But eventually that, you know, it also became an avenue to, to have a marketplace for cloud

[00:03:43] compliant products for the feds to use. But initially, it was like, you need to go get this

[00:03:48] FedRAMP accreditation. That was a lot of the initial customers being told, right, you need to go do this.

[00:03:53] Yeah. Interesting. And now, with that push to have that happen, let's just maybe not so because I,

[00:04:02] you know, FedRAMP has been around for quite a while. So and let's just focus more about the now.

[00:04:08] So if someone were to now have to go through the process or want to go through the process,

[00:04:13] because there's things like JABs, which sounds like some kind of boxing match and ATOs and all

[00:04:19] this other stuff that just lots of acronyms, everybody loves those. Can you maybe sort of

[00:04:24] just explain so if an organization wanted to get that, what would that process sort of look like?

[00:04:30] And who could and couldn't go through it? And then let's kind of go from there.

[00:04:34] Sure. So FedRAMP currently is a it's like a consortium of different government representation

[00:04:41] from both the DoD and the civilian side. And they are the ones who are in charge of it. There's a

[00:04:47] FedRAMP program management office with a number of people. They have ISSOs. On the DoD side,

[00:04:54] DISA has some technical representatives in there as well. So if it's a DoD specific system,

[00:04:59] the DoD is involved. But basically, it's the entity wide way to get your system cloud accredited.

[00:05:06] And that's the PMO that everybody talks about when they say that.

[00:05:09] Yeah, there. Yeah. The FedRAMP program management office is the one who will, you know, orchestrate

[00:05:14] getting you in FedRAMP ready status, getting your accreditation, getting you in the marketplace,

[00:05:18] all that stuff. Yeah. So and the paths right now, I believe the JAB route, it's currently not

[00:05:24] available to the website. I think that they are in the process of revising that. I have heard that

[00:05:31] there will be a sponsorless path in the future. But right now, the only way to get a FedRAMP

[00:05:36] accreditation would be to go the agency route. So that would mean that you have an agency sponsor

[00:05:42] who either uses your product or wants to use your product and will sign up to make all the risk

[00:05:47] based decisions and to do the continuous monitoring that the process requires. So agency is the only way.

[00:05:53] So let's pause for just a second, back up a little bit, because I think that is that's a really good

[00:05:57] point. You said agency, I'm assuming you mean a federal agency. So you have the federal agency,

[00:06:02] you have to sweet talk an agency into saying, hey, looks nice, huh? And then they say yes.

[00:06:07] And then now they're on the hook for making sure, you know, it's kind of like when they remain

[00:06:13] compliant. Exactly. Right. Yeah. So it's kind of like you have your kids come over to your, your,

[00:06:17] your, your kids have somebody come over and you're like, okay, who are you letting into my house? And

[00:06:23] you're responsible for it. Yeah. When you're a cloud sponsor, it's like inviting all the

[00:06:27] neighborhood kids over into your house. All of a sudden you're responsible for all of them,

[00:06:31] you know? So, so that is becoming increasingly harder. There are, um, you know, the concerns in

[00:06:36] the cloud space that they have a product that actually could probably be well utilized in the

[00:06:40] federal space, but, uh, it needs to be federally accredited. And to do that, you need to sponsor

[00:06:45] and they're not always sure, right. You know, especially for some of the newer products,

[00:06:49] they don't know how well it's going to work with their infrastructure or anything like that. So

[00:06:53] sponsors are leery, you know, sponsors are not like, Hey, over here, we'll see you. They're very,

[00:06:58] very picky. And so that's been frustrating for cloud service providers.

[00:07:01] That makes a lot more sense about why it's so hard to get into the space because you,

[00:07:05] you have to, there's more at stake than just stepping into the market space and

[00:07:08] planting your flag. Now the, the JAB route you talked about, can you talk a little bit about what

[00:07:13] that was and why perhaps it got taken off the table?

[00:07:15] Sure. The JAB was the most, the, the JAB is, uh, an, uh, you know, assortment of federal,

[00:07:22] uh, representatives who have pretty much no risk tolerance, right? Like they, if you get a JAB

[00:07:28] authorization, it means that the, the representatives from the government have said there's almost no risk

[00:07:34] in the system, you know? So because they're speaking for the system's ability to be used

[00:07:38] anywhere in the space, they don't want to accept a lot of risks. So the JAB ATO was extremely

[00:07:43] portable in that, uh, if you get an ATO issued by one agency, you might look at their results and go,

[00:07:49] I can't believe they decided to use that product, which federal agencies do. They look at the results

[00:07:54] and go, Ooh, you know, too many risks for me, but the JAB, you don't have that problem. There are not

[00:07:59] going to be a lot of risks that the JAB accepts. So that was considered like the highest, the highest

[00:08:04] value ATO, but it was, it was hard to get because they have, yeah, they have no risk appetite at all.

[00:08:12] Interesting. And so now you're saying that there might be a, a self-sought path.

[00:08:19] There's talk of there being a sponsorless path of, um, you know, in the, in FedRAMP 2.0,

[00:08:25] uh, that there's a route for organizations to, to, you know, cause at that point they can demonstrate

[00:08:31] their compliance with it without necessarily having to suck in government resources to do it.

[00:08:36] So there's talk about it and I don't know, you know, haven't heard too much about it. They're

[00:08:40] piloting a lot of new things over at FedRAMP. So, um, I know they've taken the JAB list off their

[00:08:47] website. So I don't know if that will be replaced with something different, but, um, all TBD at this

[00:08:53] point. So with that being said, um, why would someone want to do it? Why would someone want to go

[00:08:59] the FedRAMP space and how could that positively or negatively impact their presence in defense

[00:09:07] industrial base? Uh, yeah. So, you know, the, the federal government is increasingly pushing,

[00:09:14] you know, and especially with cloud adoption and their data lives everywhere. Right. And so it,

[00:09:20] you know, what, what you'll typically see happening is organizations are getting pressured from their

[00:09:24] customers or their clients to demonstrate that they have a certain accreditation. And that's

[00:09:29] usually, you know, that's one that's coming up a lot, especially with the FedRAMP equivalency from

[00:09:34] the DOD. Um, and then there's also, you know, those who are like the feds really need to use

[00:09:39] my product. I should go get an ATO. And, you know, that's a different kind of story, but for a lot of

[00:09:44] folks, they don't actually want to sell to the government. They need to satisfy their clients who

[00:09:48] aren't the government, but who had to comply with federal requirements. So. Yeah. And it seems like

[00:09:54] really interesting because you have, uh, the, the federal government being the consumer, which sort

[00:10:00] of drove this ecosystem to grow, but now you have a CMMC that is, that's coming. It's, it's, it's

[00:10:08] happening now. The ecosystem, this assessments at the time of this recording, haven't been officially

[00:10:12] started yet because 32 CFR has yet to be finalized, but it we're anticipating any day now. Uh, but

[00:10:20] because of the CMMC requirements for cloud, uh, utilization and because the government is giving

[00:10:28] you data that's theirs, right? That's what controlled unclassified information is. They

[00:10:32] say, here's data that is ours and we're entrusting you with it. And if you're going to put it in the

[00:10:36] cloud, you need to put it in a place that's going to be safe of which FedRAMP is an option. And that's

[00:10:41] why you're starting to see a lot more organizations that aren't necessarily being consumed by the,

[00:10:47] the federal government wanting to participate in that space so that people in the CMMC space can say,

[00:10:53] okay, I'm using a FedRAMP approved product. Is that accurate summarization?

[00:10:58] It is. It can be a differentiator. There's a bunch of organizations right now that are trying to be

[00:11:02] the first to the market and, and, you know, in a certain product type to get a FedRAMP accreditation

[00:11:08] because the need's there to use the tool. And, you know, now that the DOD is pushing out,

[00:11:12] you know, more requirements to, to industry, that's definitely becoming a bigger thing.

[00:11:19] Gotcha. So let's, um, I do want to talk about equivalency. You did mention that, but let's,

[00:11:24] let's save that in a little nugget of joy to discuss a little bit later in the conversation, but

[00:11:28] let's get a little deeper into the FedRAMP space. Let's kind of peer behind the curtain.

[00:11:33] Can you maybe walk us through, uh, like if someone decided they want to do, to do it,

[00:11:40] like the life in the day of someone over the course of year or years, how long when someone said,

[00:11:46] I think I'm going to do this, would this whole process take to, Hey, here I am holding my

[00:11:50] accredited, you know, I'm approved. Yes. You know, what does that look like? You know,

[00:11:56] can you just sort of explain satellite view for those people that aren't as familiar? Cause

[00:12:00] I don't really know that process for sure. So I think the first thing that I would recommend

[00:12:05] if someone is trying to get into this space is to do a gap analysis with somebody who's either

[00:12:09] a FedRAMP 3PAO, or there's some good practitioners in this space who, who have gotten

[00:12:15] other organizations accredited, right? So I would do a gap analysis with them if you can

[00:12:20] to have an understanding as to what FedRAMP is, because one of the biggest shocks that folks have

[00:12:25] is to, you know, a lot, we'll assume that it only applies to their SaaS product, not to the under,

[00:12:29] you know, the underlying infrastructure that supports their cloud. So do something like

[00:12:35] that to get an understanding as to what the requirements are. They'll give you some specific

[00:12:39] recommendations and you can make your mind up from there because the cost is considerable.

[00:12:45] So, you know, if you do that, the gap analysis, the price will range based on the output of the

[00:12:51] data you get. You could get some really specific detailed recommendations, or you may just have a

[00:12:56] conversation with someone where they're like, you need to do this or that. So the price will vary,

[00:12:59] but, you know, we're talking at least a couple dozen thousand dollars, you know, two or three,

[00:13:05] to much higher for that gap analysis. And then the assessment process itself is going to

[00:13:11] be well over six figures in most cases. So, so you need to know what you're doing,

[00:13:16] you know, about this, you need to, you know, offset the cost of what it and then there's an

[00:13:20] annual assessment every year thereafter that people are going to need to complete that is

[00:13:25] not a full subset. It's not like completely redoing the first year, but it's about two

[00:13:29] thirds of the effort. So, and the price tag matches that. So there are, yeah, there are a lot of costs.

[00:13:35] Well, it's, it's, it's funny because, and you've said this before, we've had you on our first season.

[00:13:40] If you haven't checked out the first season discussions we've had with Karen, they've

[00:13:44] been amazing. So definitely go back, hit them up and hopefully Kaleigh can put those in the

[00:13:47] descriptions. But one of the things that you said, which I thought was really great is you talked

[00:13:51] about how the FedRAMP space can almost be a little bit of a tea leaves about how the DOD and other

[00:13:56] organizations in the government are going to possibly want to handle the CMMC space to some

[00:14:01] extent, because they're trying to learn from the lessons that they've already had from FedRAMP.

[00:14:06] And that annual reassessment sounds very familiar to how 32 CFR and the 48 CFR have been aligned that

[00:14:14] you're going to have those annual assessments about where you're at and the three-year renewals.

[00:14:18] So for the FedRAMP space, is it three years like it is with CMMC or is there a different

[00:14:24] cadence on that?

[00:14:25] There is a different cadence. It's like you do the full set the first year, all the controls

[00:14:29] are in scope the first year. And then every year thereafter, there's a set of core controls

[00:14:32] that will always be evaluated. And then they'll rotate through the remaining controls, selecting

[00:14:37] at least a third every year. So there will be no full reassessment at any point. It's just,

[00:14:43] they're going to rotate. So all of the more- Who decides that?

[00:14:46] The FedRAMP PMO, you know, which there's really no equivalent for the CMMC process currently.

[00:14:54] Right.

[00:14:55] But they, yeah, they'll basically distribute, they will every, you know, when Rev5 came out,

[00:15:02] they distributed a new list of control, a new rotation, you know, so they're the ones who

[00:15:06] control all of that.

[00:15:07] And, and the, the 3PAO that's involved, like how did, how are they involved in that process

[00:15:12] with the PMO? Is it similar to almost like a joint surveillance?

[00:15:16] Is that-

[00:15:17] No, they, I mean, they're really not involved. You need to communicate with the PMO about kicking

[00:15:21] off assessments, doing things like readiness, you know, so there's some touch points in certain

[00:15:25] of the official actions, but for the most part, uh, the FedRAMP PMO needs to know that you're

[00:15:31] doing the assessment and then they will get the results and they'll say, well, where's your

[00:15:35] this, where's that, why is this testing so bad? You know, like they'll, they'll, they'll look

[00:15:39] it over for certain things. And, um, and then they're the ones who are responsible for holding

[00:15:45] the package, basically all of the results from our assessments. Um, this is another kind

[00:15:50] of misconception with, within the CMMC space, but that entire FedRAMP package is intended for

[00:15:55] the other federal agencies to use. So if, uh, Google gets a FedRAMP ATO, uh, GSA might go

[00:16:02] and say, Hey, we, we're going to pick up this ATO and use it. So it's designed, it's very specific,

[00:16:07] highly secure results who are designed to be, that are designed to be used by other federal

[00:16:11] agencies. So, but they're the ones who coordinate all that. They're the ones who, you know,

[00:16:15] Interesting. So it's almost like a library and they just kind of go through the Rolodex and go,

[00:16:19] Hey, this looks great. And then they, they're, they're kind of going, is that, is that, is that,

[00:16:23] is that what I'm hearing? Right. Uh, well, there's a, there's some, it's got a new name.

[00:16:27] It used to be called OMB MAX and now it's got a different name, but it's, uh, if you have a CAC

[00:16:31] or PIV card, you can just go and look at the packages because you're, you know, allegedly a

[00:16:35] Fed because you have the CAC or PIV, but they're the ones who coordinate getting everything in there

[00:16:39] for the agencies to use and listing you in the marketplace. And that's public. So, you know,

[00:16:45] once you've finished your readiness, they're the ones you're going to make sure that it's published

[00:16:48] in the marketplace and that you get that recognition. I'm glad you mentioned the marketplace. So,

[00:16:52] you know, you can get in the marketplace, you can search, maybe Kaleigh can throw that link on

[00:16:56] there as well, but you can search it and it is a sort of a marketplace, right? But the,

[00:17:02] but there's different like labelings of things about the statuses of where they are. Can you

[00:17:07] maybe talk to us about that and what the significance is and how that might apply in your CMMC journey,

[00:17:14] either in a positive way or a negative way? Yeah. So that's a great question because I think

[00:17:18] that there has been some confusion around it. So in the, the FedRAMP marketplace, uh, if you have

[00:17:23] started to engage with Fed, you know, the FedRAMP PMO over anything, getting a readiness or getting an

[00:17:28] assessment, uh, you ultimately may end up, you know, getting listed in the marketplace and you

[00:17:34] can have multiple different statuses. So if you are, if you've just submitted, uh, FedRAMP readiness,

[00:17:40] they may, you may be listed as in process for FedRAMP readiness, which isn't telling you anything.

[00:17:44] So it's like, if you're a CMMC, uh, practitioner, you need to comply with CMMC and there's someone

[00:17:50] listed as in FedRAMP readiness and progress on the marketplace, then, uh, that doesn't mean anything.

[00:17:56] You know, that means that there's, they're trying, they're trying to get in there. Right. So,

[00:17:59] but, uh, fully accredited, uh, you know, that those are the products that are safe to use.

[00:18:04] So, uh, there's also FedRAMP in process and that, I mean, you know, this is, there are lots of

[00:18:11] arguments break out over this, what in process means, whether it's okay to use it or not. Um,

[00:18:17] I don't know that there's an official answer and either got, either the guidance are coming out

[00:18:20] of the DOD for CMMC, but, um, in process is a status showing like now we're working with the

[00:18:26] 3PAO, you know, we're, we're, we're attempting to get this. It's going on, right. It's happening.

[00:18:31] So that, uh, they just don't have it quite yet. Um, wouldn't that be awesome if they had that in

[00:18:36] the CMMC space to some extent? Well, that's where I think that they do and they're going to need to,

[00:18:41] because, uh, the, where practitioners who are managed service providers or need to comply with

[00:18:46] CMMC is they need to know what products have the ATOs and don't. And then they also need to know

[00:18:51] what other managed service providers in the space. Like if there's managed service providers who've

[00:18:55] gotten their infrastructure CMMC compliance and you have a need for that, you need to know who they

[00:18:59] are. Right. And that's a, that's a big challenge that I'm having as a managed service provider

[00:19:03] ourselves is we're working with potential clients and we're like, okay, here's where we're at.

[00:19:08] And like, we just lay it out. Like we have had our gap assessment, the organization that

[00:19:13] is going to do our, our assessment is the same person that did our gap assessment. We have our,

[00:19:18] our, uh, our assessment scheduled in January. Like we have it all mapped out and we kind of tell

[00:19:23] them what we have. We show them what we have. We're just super transparent in that process,

[00:19:26] but a lot of other MSPs or other vendors or MSSPs, they, they're kind of doing this almost stiff arm

[00:19:35] process and they're keeping their clients at, at, at length. And it would be great if the CMMC,

[00:19:40] if the cyber AB had some type of mechanism to kind of say, prove to me where you're at right now.

[00:19:46] So that when people go to the market space, they can, they can have an idea of who they're dealing

[00:19:50] with and where they're at. And I think that would be great.

[00:19:52] They're going to have to, I mean, the, because I don't think anyone's thinking about this

[00:19:57] operationally right now, because there's going to be agencies, there's going to be internal DOD

[00:20:00] audits who need to know if something is, is happened. And the only way to do that right now

[00:20:05] is, I mean, I guess you can make inquiries through, you know, through the joint surveillance process,

[00:20:11] if there's been any records there, but, um, and through the AB, but it's not readily available.

[00:20:17] No. Yeah.

[00:20:17] Problem.

[00:20:18] It's very, very interesting concept where that would be cool if that was the case.

[00:20:21] Yeah. I think they'll have to, I think it'll eventually have to happen.

[00:20:24] Yeah. And that kind of goes back to the tea leaves idea, right? I mean,

[00:20:27] I think there's going to be some lessons learned now, obviously, uh, the cyber AB has a big hand

[00:20:32] on that because of the fact that they're the kind of the governing, uh, independent body.

[00:20:37] Yeah. You know, so that's something that they could initiate if they wanted to, whether they

[00:20:41] do or not, I have no idea.

[00:20:43] Yeah. That model is different, different from FedRAMP in that, um, you know, the PMO is federally

[00:20:49] funded and I don't know, you know, so the government can decide to do whatever they want and just have

[00:20:54] the PMO execute it. And I'm not sure that that's the same relationship with the cyber AB.

[00:20:59] So yeah, they, because they're a nonprofit organization and has really hamstrung their

[00:21:03] ability to be as efficient in the market. So Matt Travis, sorry about that, bud.

[00:21:08] Yeah.

[00:21:08] I'm not sure why they did that to you, buddy, but they've been modeled.

[00:21:12] Yeah.

[00:21:12] Yeah. They have been super, because the assessments haven't really been starting in earnest.

[00:21:16] And because of that, it's like, they've been just living on life support because the money

[00:21:20] hasn't been coming in for that organization because the assessments and the whole

[00:21:24] ecosystem hasn't been fully primed and running.

[00:21:27] So, uh, Andrew, anyway. Um, so I, I do want to go further down the path of the FedRAMP space.

[00:21:34] So, so now they have a, they've got a 3PAO, right. Um, and they have gone through talking

[00:21:44] with the PMO. They've got it scheduled. Now they go through it. Talk me through that assessment

[00:21:50] as far as in what are the things you can sort of do that you can't like with, with CMMC, uh, when they

[00:21:58] go through like 60% is a straight fail. Like there's no thanks for the fish, appreciate you

[00:22:03] trying, but it's a big F, you know, it's not that. How's that different in the FedRAMP?

[00:22:08] That, and this is another interesting distinction between CMMC and FedRAMP is that it's a risk-based

[00:22:14] process. So, uh, with, uh, there will be, you know, we've certainly, when I worked, um, at,

[00:22:21] at, at, at our 3PAO, we certainly said, you guys aren't going to get an ATO, right? Like,

[00:22:25] you know, we could just tell you right now you're, you're missing too much. Um, but you know, we know

[00:22:30] that there are critical showstoppers. You'll see a lot of those control requirements in the FedRAMP

[00:22:34] readiness template. So like, can you comply with certain mandates? Those are going to be showstoppers,

[00:22:39] right? But outside of that, it is a, um, process whereby they put their package and their test

[00:22:45] results out for the feds to say if it's good enough or not. So, uh, there's no minimum bar,

[00:22:50] but you know, your 3PAOs will tell you if it's just a no-go for the most part, but there's no

[00:22:56] number or anything. How many controls are we talking for a moderate? Uh, well, there's, I don't know about

[00:23:03] we're at five. Uh, I think there's 400 something now, but you know, there, it really depends on the

[00:23:08] controls, right? Like if there are a bunch of documentation findings, you know, I don't know

[00:23:13] if I really care too much if I found that if they didn't have a policy saying that something needed to

[00:23:18] be done, but they were doing it for me, you could have a ton, right? Like it's not going to take you

[00:23:23] too long to update that documentation. It's all a risk-based approach. So all of the decisions should

[00:23:29] be made from that perspective. There's no shortcutting. There's certain controls that you're,

[00:23:34] you know, I wouldn't expect to get your ATO if you can't do DNSSEC or if you can't do FIPS or you

[00:23:40] can't do multi-factor, you know, those are showstoppers. But outside of that, it's really

[00:23:44] just, uh, somebody looking at it and saying, those aren't that big a deal. Or I think those are,

[00:23:49] those are problems, but those are easy problems to fix. So we're okay with it.

[00:23:53] Oh, interesting. So, so, uh, is it a finite set of controls or is it risks based,

[00:24:00] based on where they're coming from? Um, does that make sense of what I'm saying?

[00:24:04] Yeah, it does. The set of controls sometimes, you know, based on if the, if you have a federal

[00:24:10] client, they may say you need to be FedRAMP moderate, you need to be FedRAMP high. So the,

[00:24:14] the categorization you'll have in FedRAMP is based on whatever data type you can support. Uh, so if you

[00:24:21] have a FedRAMP moderate, you'll have one set of controls. And if you have a FedRAMP high, you will

[00:24:25] have additional controls. And then there are things from DISA, um, uh, DISA IL4, IL5,

[00:24:31] and IL6, which are additional overlays of control. So your client or the need will dictate what the

[00:24:36] level needs to be. And then the number of controls is based on that. And then you can further refine

[00:24:41] it based on if they're inheriting stuff from the cloud. So who's deciding that that needs to happen?

[00:24:46] Is it the type of data and what you're trying to accomplish, or is it a combination of all of those?

[00:24:51] It's supposed to be the, or, you know, the organization who is seeking the FedRAMP accreditation,

[00:24:56] they should document in their system security plan, all the controls that are their responsibility and

[00:25:01] those that are out of scope. And they can choose if they want to be moderate or high. Like if you're

[00:25:06] going into the FedRamp marketplace, let's say the sponsor list routes up, you can pick to go

[00:25:10] moderate or high and then just choose the baseline and you'll get assessed against that. But, um,

[00:25:15] for the most part, people go in at moderate because high is a significant uplift. And,

[00:25:20] um, most of the data you're going to see in the federal spaces is going to be moderate though.

[00:25:26] You know, some are different. There's a lot more, um, sensitive data in like intelligence agencies.

[00:25:31] So, yeah, yeah. Gotcha. So, so then let's say company a, right. They would pick a consultant,

[00:25:36] uh, or a firm or a body, whoever it is, hire somebody on a contract basis, whatever that

[00:25:42] might be, but they're going to help them come up with their plan of attack about how they're going to do

[00:25:48] it. And then they're going to engage a 3PAO to help them. Yeah. Talk to me about that

[00:25:52] relationship between the organization that is going to get assessed and the 3PAO,

[00:25:58] what type of collaboration is allowed, not allowed? Do you, or can you, can they say,

[00:26:03] we feel like this is not quite right. Maybe you could make this kind of adjustment. What type of

[00:26:08] conversations are allowed? Because in the CMMC space, like that is like a big no, no,

[00:26:13] you have to basically take the gavel out and say pass or fail. And then that's it. You can't really

[00:26:18] talk a lot about it. Um, is it different in the, it is different in that, um, CMMC, like even the

[00:26:26] 800-171, I don't think the prohibitions that CMMC has are baked into 800-171 per se,

[00:26:32] but all the other frameworks in the federal space require the assessor to make a recommendation.

[00:26:36] So we can tell you explicitly what you need to do to fix the problem. And we're required to,

[00:26:41] it's a four, you know, what we have to do when we record our findings is to, you know,

[00:26:46] to do our writeup to indicate if it's passed or failed to do a risk analysis on it, to rate it

[00:26:51] low, moderate, high, you know, et cetera. So, so the auditors doing the, the analysis.

[00:26:56] So all of like all of the FedRAMP 3PAOs have to, every single finding has to have a whole,

[00:27:02] whole extra set of work where you discuss the risk, the security impact analysis, the likelihood,

[00:27:07] you know, rate the risk and then issue a recommendation. So, um, there are prohibitions.

[00:27:14] Like if, if I am writing policies and procedures in an SSP for a company, I can't be their assessor.

[00:27:21] Right. So you can't do advisory consulting. Um, but the recommendations are part of the process.

[00:27:28] You know, if you, if you don't make recommendations in FedRAMP, you will get dinged. You will be,

[00:27:34] you will be asking you when we step back to write the recommendation. So what is the, um, gosh,

[00:27:38] that would be so nice. And, and, and correct me if I'm wrong, but I feel like that's all coming from

[00:27:43] the CAP, right? That, that these, these hamstring situations are just really, I am frustrated in that.

[00:27:50] I feel like that is, is due to the fact that they set up RPOs and I'm not dissing any of the RPOs,

[00:27:55] but I feel like they want to draw a line between the two. Uh, so now we can't, now we assessors can't

[00:28:02] make recommendations, you know, and for me, that doesn't make sense.

[00:28:05] Just for people who are tuning in and who don't understand what the heck the CAP is. I'm not

[00:28:08] talking about a cap you can put on. What I'm talking about is the CMMC, uh, assessment plan. So

[00:28:14] the Cyber AB, which is the body that the C3PAOs that are doing the assessments for the CMMC space.

[00:28:20] They have to report to and follow, uh, the Cyber AB body. And they have the CAP, which is this document

[00:28:27] that outlines how assessments are supposed to be done. It's in a proposed phase, uh, for a good

[00:28:34] reason, because it's not very good. Um, just going to call it out and say that it is actually

[00:28:39] probably one of the biggest frustrations about this ecosystem as a whole for me. Um, it, and I think

[00:28:46] if you rewrite that, it could make the CMMC ecosystem considerably more manageable if they rewrote it.

[00:28:53] And I, my, you know, my, my criticisms of the current way that they're doing it, that is that

[00:28:58] it wasn't designed to scale. It wasn't designed to, to be facilitative of ongoing things, you know,

[00:29:06] like their FedRAMP equivalency. Now they're reevaluating that every time somebody using the

[00:29:10] product goes through. Right. So what does that mean if, um, if they opt to rescind FedRAMP

[00:29:15] equivalency for a product that is being used on active contracts, you know, like I, I feel like

[00:29:21] they, they, they haven't thought a lot of this through and you know, all of this will,

[00:29:26] you know, they'll have to solve these problems later, but it's, it is frustrating to me to see

[00:29:31] the CAP miss so much that we need to know. For me as an implementer, trying to guide and work and

[00:29:36] help and assist clients get through that process. Let me just tell you, I am going to push it further

[00:29:42] out to make sure they're ready before I send them through just because there's, there's no

[00:29:46] recommendation. And I want to circle back around and ask you about what, what type of corrective

[00:29:51] actions and what that looks like in the FedRAMP space, because in the CMMC space, if you fail 61%

[00:29:58] of the 110 objectives, the controls that are given, it's a fail. There is no corrective action that can

[00:30:05] be done about that in any timeframe. It's just a reassessment over again, once you've got it done.

[00:30:09] And that is a big punch in the gut in any area of your body that you also want to get punched in.

[00:30:14] And it's just not fun. If they had it.

[00:30:17] The cost, the cost is what's frustrating is that, you know, like what FedRAMP allows,

[00:30:23] like we would commonly, uh, you know, we would, we would perhaps charge a firm fixed price P for

[00:30:28] the assessment. And if you guys tested really badly, we might have a bucket of T&M hours for

[00:30:32] remediation if you wanted us to keep testing a little bit more. Right. And that's not really an option

[00:30:37] here. And I don't understand it. And I think, I feel that the constraints are due to,

[00:30:41] um, you know, the, the DIBCAC wanting to manage the, um, the scheduling more or less, you know,

[00:30:49] like this is in and out, this is open or closed. And that's just, again, not how things work. So

[00:30:53] they're in, I'm hoping that their engagement currently, and those, those prohibitions currently

[00:31:00] are due, but they're not actually now they've worked it into some of the rulemaking, but that

[00:31:04] once it moves out and they're not involved, that three C3PAOs could be more lax about it. That's,

[00:31:10] you know, your assessment may take course over eight weeks where, you know, you're accepting

[00:31:15] evidence as they do it, because that is certainly acceptable in FISMA and FedRAMP. And I feel like

[00:31:21] they've written a process designed to help them as a unit, not have scheduling problems,

[00:31:26] but in the real world, that's not going to be sustainable.

[00:31:28] Definitely not. So you touched a little bit about what kind of course correction you can have during

[00:31:33] your audit process. And, and that process could go over an extended period of time,

[00:31:37] given the fact that it's so significantly different from CMMC assessment processes.

[00:31:41] Can you touch on that a little bit more about what corrective actions can be done and

[00:31:44] how the auditing body can participate in that?

[00:31:48] I don't, quite honestly, I'm there, it's not currently in the CAP and I've had differing

[00:31:53] experiences in, in real life. I had, I attended one where they would accept nothing.

[00:31:58] You went in with what you went in with. And even if it, you hadn't given them something or,

[00:32:04] you know, something was already in place, but you hadn't provided to them, that was it.

[00:32:09] There were no changes. That was a finding. And, um, and then I was in one where they would allow

[00:32:13] five documentation changes and, you know, no technological changes. And, um, I don't know,

[00:32:20] I don't know what they're doing currently, but again, it's not in the CAP. Yeah. It's not in

[00:32:24] the CAP that we don't know.

[00:32:26] So in the FedRAMP space, what's that like?

[00:32:29] That is really between the 3PAO and the, the, uh, uh, cloud service provider. So,

[00:32:35] you know, what we would do often is like, if we're, if we get into it in a little bit, we're like,

[00:32:39] you guys have a lot of findings, you know, like, you know, you have a lot of problems,

[00:32:42] uh, where, you know, if we can deploy, redeploy our resources and regroup later,

[00:32:47] that would opt often be the case. But, uh, I, I think that the, the CMMC, you know, the folks

[00:32:55] who are making this decision haven't ever been in charge of running like a transactional audit team,

[00:32:59] because it's just such a common occurrence that things stretch or things move or things,

[00:33:03] you know, people aren't ready and you need to come back and do some retesting later.

[00:33:07] And that seems so reasonable. Cause then in that situation, you could be like, okay, I,

[00:33:10] I feel like I'm a hundred percent, but in reality, when the auditor looks, you might be at 90,

[00:33:15] but that 10%, if you work with an auditor, that's reasonable, they can make the appropriate

[00:33:20] recommendations on the things and you can correctively course, correct, get where you

[00:33:24] need to go, then get the pass. Everybody's happy. And you get your certification and you move on.

[00:33:31] Um, yeah. I mean, the goal is to have the risks be fixed. I have, I see no objective in, you know,

[00:33:37] no, no, nothing is, is gained by kicking them out of the process for multiple months. And then,

[00:33:45] you know, that for me, no, that's not, that's not the way you manage risk, but, but yeah, I think

[00:33:50] they're, they're just, I think they're, they're solving problems as they come up without thinking

[00:33:55] about what this is going to look like in a few years. And I think that, that, yeah, I think

[00:33:59] they'll, they'll have to evolve a little bit to accommodate some of the problems we're seeing

[00:34:03] like this. Yeah. I just didn't know that that was how FedRAMP worked and man, that has been

[00:34:07] hugely helpful for me just trying to have a better understanding of that process. And it makes me

[00:34:11] have perhaps some hope that some sanity of reading the tea leaves from how things happen in FedRAMP,

[00:34:16] if they could take that, maybe even some of the ISO processes and just sort of apply that to CMMC,

[00:34:22] so many more companies would go for their audit because there's a greater chance of pass,

[00:34:28] right. Versus, you know, I feel like in some situations I've talked with and had and watched

[00:34:33] conferences and seen auditors, I would be scared that they almost would dunk on you just because

[00:34:38] they just want to make a point, you know, and you're like, concern that, you know, like, because

[00:34:44] they're staffing up people where we don't know if the person doing your audit is new,

[00:34:49] you know, like, and, and I think that the, the risk determination factor,

[00:34:55] the DOD hasn't been big on risk determination, they have avoided it entirely with CMMC, but that

[00:35:00] is such a critical part of FedRAMP where you can say, okay, this isn't 100% compliant, but look at

[00:35:06] all the compensating controls. I think it's okay. And that's also not possible in CMMC.

[00:35:11] Gosh, that would be great. Wow. I didn't know that. That's very eye-opening.

[00:35:14] Thank you. It is. Yeah. Um, so let's talk a little bit, uh, cause we're running, uh, on time,

[00:35:19] but man, this is such a great enlightening. I'm learning so much just from talking to you. Um,

[00:35:23] but let's, let's talk a little bit more, uh, about the need in the CMMC ecosystem. We sort of

[00:35:30] touched on it. Why FedRAMP is so important, uh, to help make the CMMC journey, uh, successful.

[00:35:37] Yeah, for sure. So, uh, I mean, cloud service providers present a unique attack vector that,

[00:35:44] uh, you know, traditional infrastructures don't have to deal with and all the whole multi-tenancy

[00:35:49] part is risky. And that if you're, you, if you're putting your federal data into a cloud service

[00:35:54] provider, who's maybe got business to business connections with somebody else, who's going to

[00:35:58] get hacked, you know, like there's a whole bunch of risks in, in extending your data into a boundary

[00:36:03] you don't own or control. So, um, FedRAMP is going to make sure that there's, you know, guardrails on,

[00:36:09] you know, tenant separation between customers and ensuring that they're forcing multi-factor for

[00:36:15] infrastructure. I think one of the things that's hard for companies to, you know, especially a lot

[00:36:20] of software development is the continual requirements for patching and scanning and remediating those

[00:36:26] expeditiously. Um, that's a lot of work, um, you know, for some organizations, but that is,

[00:36:31] you know, those are the sorts of things that the assurances that an organization will get,

[00:36:36] that the federal data that they are the steward of is going to have in those spaces.

[00:36:40] And so many, uh, MSPs and other organizations are just turning to vendors, vendors going

[00:36:45] FedRAMP, FedRAMP, FedRAMP, FedRAMP. And the vendors are like, uh, you know, okay, I guess I need

[00:36:50] to get FedRAMPed. And can you maybe talk about some of the misconceptions? One of the things you said

[00:36:55] was underlying infrastructure and some of those things that happen for these vendors. And, and I have a

[00:37:01] feeling and I know that probably some vendors are thinking or talking to you or other people,

[00:37:07] and they don't really understand what they're looking down the barrel.

[00:37:10] They don't. And I think that a lot of folks don't understand if FedRAMP is, is applicable or not.

[00:37:16] So, um, you know, it's hard to get into all the different scenarios, but, uh, basically you have

[00:37:22] to be, you have to own a cloud service, a cloud service product that where the model is largely

[00:37:29] that people sign up for it, right? Like it's not a contract thing because if it's a contract thing,

[00:37:33] if you have a contract between a managed service provider and someone who needs CMMC and the

[00:37:37] requirement is for CMMC, then they can push the contract language down. Cloud is really only

[00:37:42] applicable in absence of the ability to push the language down by a contract.

[00:37:46] Because the DFARS can't come to you because you don't have a contract.

[00:37:49] Right. Because your product doesn't enable contracts. So, um, you know, so that's something you

[00:37:54] really need to think about because I think in this space, especially a lot of people are saying,

[00:37:59] well, you're a cloud service provider, but if they're, it's still a custom contract between,

[00:38:04] uh, you know, whoever needs CMMC and you, then they should push in the language, um, and potentially

[00:38:10] push the language for FedRamp equivalency if appropriate. But, um, if you have a cloud service

[00:38:15] provider product that meets the definition of cloud by NIST and there's no contract, the only other

[00:38:21] option is FedRamp equivalency or FedRamp accreditation. Now we've opened the door now we've said it.

[00:38:29] Um, so the equivalency or accreditation, there is a lot of stink about that and memos have been

[00:38:37] flying around. People have taken sides. Can you just satellite view without getting into a lot of

[00:38:43] to you? Cause we do a whole podcast on that, you know, in a few minutes, could you summarize that

[00:38:49] whole situation? A few minutes. Yeah. I need, I need more time. No, um, I think in a, in a nutshell,

[00:38:54] um, I think the DOD and its, its DFARS language acknowledged that data living in the cloud in the

[00:39:01] DIB needs to have controls. And they, they, um, they stated that there should be FedRAMP equivalency.

[00:39:07] And when this first came out, like 2016, 2017, um, my company was getting a request to do 800-171

[00:39:14] evaluations on these clients who had been told by their contracting officer. Right. Um, but,

[00:39:19] uh, I've lost the train of thought. We're freaking out to back up. What was your question?

[00:39:24] So my, my question is, uh, so when you're looking at the equivalency versus the equivalency,

[00:39:29] yeah, the equivalency versus the, um, the accredited. So I mean, I kind of messed up there.

[00:39:36] So let's, let's dive more into the accredited versus equivalency with FedRamp and, uh, you know,

[00:39:43] in the, the 7012 DFARS, uh, it, it kind of opened that door of equivalency trying to make some clear

[00:39:52] communication to those organizations out there. They're going to have controlled and classified

[00:39:56] information. If they're going to be storing that somewhere else and it's not in FedRamp,

[00:40:00] they wanted to kind of put some requirements on those people to say, okay, if you're storing it

[00:40:05] into cloud and it's not FedRamp, it at least needs to be FedRamp ish. Uh, and everybody sort of kind

[00:40:11] of said, okay, that makes sense. Right. As, as usual, everybody starts pushing the boundaries and

[00:40:17] there was a lot of, you know, hemming and hawing and finger pointing and accusations. And then the

[00:40:21] memo came out and they basically just slammed the flag down. Can you sort of summarize that?

[00:40:26] Yeah. I think again, goes a little bit back to the lack of risk management because, um,

[00:40:31] um, uh, FedRamp equivalency kind of, you know, FedRamp relies on there being a sponsor to say,

[00:40:37] we think your, your results from your 3PAO are good enough to, to be FedRamp. But absent that,

[00:40:44] it's just a set of results done by a 3PAO that could show all findings. Right. So there's no bar

[00:40:49] on, you know, there's no number, like you said, for CMMC, there is no bar. And, um, so I think the

[00:40:56] DOD realizing that problem decided to mandate a hundred percent compliance, which anyone in the

[00:41:01] FedRamp space knows is just, it's a, it, you, you only get that for a sliver of time and it means

[00:41:07] nothing, you know, and it's almost impossible to accommodate because FedRamp allows for POAMs,

[00:41:12] which the DOD is not allowed for CMMC and apparently now FedRamp equivalency. But a POAM is when,

[00:41:20] uh, you know, your assessor comes in and says, um, you know, this group of people aren't getting

[00:41:24] multi-factor or whatever, uh, that becomes, that finding gets, uh, listed in something called a

[00:41:30] plan of action and milestones or POAM. And, uh, the feds will track your completion of that. So

[00:41:35] it's a list of things that we know you need to fix and the timelines in which you need to fix them.

[00:41:40] And those timelines are, are mandated by FedRamp. So like a higher critical vulnerability needs to be

[00:41:45] fixed in 30 days, moderate 90, lower information, 180. Right. So, um, that process isn't there.

[00:41:53] There's no sponsor for equivalency. There's no buddy at the wheel for equivalency. So they are,

[00:41:59] they have opted to mandate again, a hundred percent compliance, which again, is just going to be a

[00:42:03] brief sliver in time where they scan clean for a split second and nothing needs patching. And, um,

[00:42:10] yeah, and then after, yeah, so you immediately fall out of compliance with that. Literally sometimes the

[00:42:16] next hour, if a new vulnerability hits, you know, if a new patch comes out and a component doesn't have

[00:42:22] it, you're out of compliance. Right. But I don't think that they, again, don't want to have the,

[00:42:26] they don't either don't have the infrastructure to manage that or they don't want to manage that.

[00:42:30] So they're saying a hundred percent. And that again, with no sponsor, you know, FedRamp will

[00:42:34] have a continuous monitoring process that both the FedRAMP PMO and your sponsor or the JAB will be

[00:42:40] involved in where they're looking, you have to send them your scan results and you can be like,

[00:42:44] you guys are no longer patching, you know, that type of thing. And make sure that they continue to

[00:42:48] comply. And that is not present for FedRamp equivalency and to address the risk, they've just

[00:42:55] gone a hundred percent compliance, which very frustrating for everyone. So let's talk about

[00:43:01] the, uh, different conversations I've heard from some of the government bodies. There's been some

[00:43:09] discussions, people have been saying some things at some conferences and webinars, uh, that are hinting

[00:43:15] that there might be some type of adjustment about the equivalency. Have you, again, this is just

[00:43:21] subjective. There's no, um, rule that we can refer to, but what's your thoughts about what you've been

[00:43:26] hearing? Um, I haven't heard much on the equivalency front. That's all DOD, but I have heard on the FedRamp,

[00:43:32] you know, that there is a sponsorless path being evaluated. And, uh, I think that's necessary. I don't

[00:43:39] know how it will work. I don't know any of the details, but I've heard rumors that there would be a

[00:43:43] sponsorless path where, um, you could get FedRamp equivalency through this route that wouldn't need

[00:43:50] to be, you know, continually monitored by the DOD. It would, it would work more like the model for

[00:43:55] FedRamp does currently, which is, uh, you get one annual, you know, you get the one full assessment,

[00:44:00] then a subsequent annual, and you just have to patch and, uh, you know, resolve your, your,

[00:44:05] your patchable issues and stuff. So that seems that would be preferable. Yeah.

[00:44:10] For the DIB for sure. So let's talk now more about, uh, cloud providers like Microsoft, for example,

[00:44:18] they have multiple offerings. For example, they have their commercial offering,

[00:44:22] they're having their GCC offering and they have their GCC high offering. How does FedRamp's status

[00:44:28] impact those three, um, different products that Microsoft offers, uh, just in a very high level,

[00:44:35] obviously we could do a whole podcast about that. It's controversial topics. So, um,

[00:44:39] so the, uh, FedRamp equivalency doesn't require an ATO. Um, so the, the product right now that has

[00:44:48] a FedRamp ATO is FedRamp GCC, not GCC high, uh, which a lot of people are using or need to use for

[00:44:56] CMMC because of ITAR clauses. So, uh, currently the version of O365 and everything that you need to use,

[00:45:05] um, isn't, um, isn't yet FedRamp accredited. And I'm, I'm a little frustrated again here with the,

[00:45:12] with the, um, the DIBCAC's insistence about a hundred percent compliance. So, uh, they are,

[00:45:17] I guess they are, they are not happy with GCC high because it's not a hundred percent compliance,

[00:45:23] but again, in FedRamp, that's not a requirement. So, uh, if, if GCC high were to attain a FedRamp

[00:45:30] moderate ATO, then they should be fine for use. But right now, unfortunately the only one with an

[00:45:36] ATO is GCC high. And then now we have the mess with FedRamp equivalency that we're dealing with

[00:45:42] without a lot of answers. So it's leaving a lot of folks confused about which products they can or

[00:45:47] should use. And, um, but, uh, you can, you know, at this point I'm, I'm pretty sure you can use GCC

[00:45:53] high. I know Microsoft doesn't say so, but it, we have been recommending it for CUI usage.

[00:45:59] Um, for ages, uh, just because it's got a FedRamp ATO, right? You know, it's, it's FedRamp

[00:46:05] equivalent. So, um, but yeah, if you do have ITAR or EAR, um, restrictions, then you're going to need

[00:46:13] to use GCC High. And currently it does not have, I don't believe it has FedRAMP equivalency. There's

[00:46:18] no marketplace to check for FedRamp equivalency, right? So I don't think it has that and it's not

[00:46:22] listed as having an ATO in the marketplace. So that's very confusing for folks.

[00:46:27] And, uh, Richard Wickman and, uh, Robert Metzger, we're actually going to have him on our podcast

[00:46:32] later. Um, and so we're going to be talking more about that specifically, and we're super excited

[00:46:38] about that. And, uh, Richard came out with a blog that had a lot of information that provides some

[00:46:44] additional guidance. So we're looking forward to having him on here to drill into this because

[00:46:48] organizations just like us, uh, are using GCC high and they're putting a lot of, of faith in there.

[00:46:54] I think it's well placed, but the, you know, it doesn't mean that there won't be some

[00:47:02] skullduggery or weirdness.

[00:47:04] You know, they're not bulletproof right now.

[00:47:06] From other organizations, you know, like the, the government or DIBCAC or somebody gets a hair

[00:47:10] somewhere and starts making things a little bit harder for the rest of us.

[00:47:13] That's my concern with equivalency. Yeah. Cause like right now GCC high is not bulletproof because

[00:47:17] they don't have a FedRAMP ATO and the requirements for moderate or a hundred percent compliance. And

[00:47:23] with the way, you know, I don't know how the, the, the, the CAC is going to continue to do,

[00:47:28] uh, risk management for anyone who's FedRAMP equivalent. But right now I believe they're

[00:47:32] asking OSCs who use the products to make sure that they have the ATO and that it's maintained and,

[00:47:37] and the package and documentation is all kept up to date.

[00:47:40] So, um, but yeah, I don't think that that's going to be sustainable in that it, you know,

[00:47:47] and that's subject to people's interpretation. So now we can have products that have been used

[00:47:53] and have been accredited, have been used in accredited CMMC environments who suddenly somewhere

[00:47:58] down the road is someone has decided you cannot use. And I understand that's happened for GCC high.

[00:48:03] And it's concerning to me because it looks, you know, I feel like everyone thinks we're in an

[00:48:08] experimental stage now and word goes out, Oh, you can't use GCC high. That's not how it should

[00:48:13] work. You know, like this is going to be different when the products are in use in the federal space.

[00:48:18] And so there has to be something that's going to be more enduring than a, an ephemeral,

[00:48:24] a hundred percent compliant tick mark that they're going to need to comply with at all times.

[00:48:28] And, and, and just kind of a realistic, like put your real thinking cap on, like the government

[00:48:35] has a tremendous amount of infrastructure in GCC high and the infrastructure that they're utilizing.

[00:48:40] So it would be madness to assume that they would then just detonate themselves at the same time

[00:48:47] with some, I mean, it's network there. I mean, the government needs a GCC high type environment,

[00:48:53] like there's a need for it. So, um, to have under the guise of CUI, you know, this is not just

[00:49:01] the, um, you know, the DOD, there are ITAR and EAR requirements for clients who need to use GCC

[00:49:08] high for civilian agencies as well. And right now, apparently there's no option, you know, and that's,

[00:49:14] that's, that's the sort of, you know, stuff that is not going to be sustainable long-term.

[00:49:19] Right. Right. Right. Yeah. Well, Karen, thank you so much for coming on and talking with us. I mean,

[00:49:25] this has been super enlightening. I took a lot of notes and learned a lot through the conversation

[00:49:29] with you. I really appreciate it. Awesome. Happy to be here. So if you guys don't know much about

[00:49:34] Karen, let's, you know, check out her on LinkedIn. Karen, can you share a little bit about how people

[00:49:40] can connect with you? Sure. You can connect to me through LinkedIn. Um, or you can, I have a website,

[00:49:46] artstonesecurity.com and a YouTube channel where I put more educational content related to NIST

[00:49:52] compliance out. So any of those methods, I'm happy to answer any questions. And you do FedRAMP

[00:49:58] consulting for both advisory and assessments. Yeah. If you, if you're, if you're a vendor

[00:50:01] or you're an organization thinking about trying to take that space, uh, I could think of nobody

[00:50:06] better to talk to than Karen. Awesome. Thank you. So, uh, thank you all again for joining us today.

[00:50:13] Uh, this has been super enlightening. It's a space that I don't think has gotten a lot of shined light

[00:50:18] from the DIB and CMMC space. I think there's plenty of people who understand it very, very thoroughly,

[00:50:23] but they're in their own lane. Uh, me, for example, I have never swum in those waters. So this was

[00:50:28] hugely helpful for me. Thank you so much, Karen, for just really being transparent as you always are,

[00:50:34] which we deeply appreciate. Absolutely. So if you haven't been following us on any of the media

[00:50:39] that we have, please, please do. We do appreciate those likes and follows. If you have suggestions,

[00:50:43] please hit us up on those because we want to know about how we can be better for you. And,

[00:50:47] and we always are trying to, you know, follow the methodology of a high tide raises all boats.

[00:50:52] So again, everybody, thank you for joining us and keep on climbing until next time.

[00:50:59] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.

[00:51:04] We hope you guys enjoyed today's episode and listen out for the next one,

[00:51:08] but until then, keep on climbing.