(Season Two Episode 1) Bobby sits down with Shel Phillips and Brian Hubbard to discuss an RFP and how to read and break it down. During a CMMC journey, many will come across RFPs, and it is critical to know and understand how to read and review them properly.
They emphasize the importance of MSPs/MSSPs and organizations working together to ensure compliance and avoid potential risks. In this conversation, Brian Hubbard and Shel Phillips discuss the importance of understanding and complying with cybersecurity requirements in government contracts. They explore topics such as the Federal Acquisition Regulation (FAR), Defense Federal Acquisition Regulation Supplement (DFARS), and the National Institute of Standards and Technology (NIST) publications. They also touch on the significance of certifications, such as the Medium Level of Assurance (MLOA) certificate, and the consequences of non-compliance, including the False Claims Act. The conversation emphasizes the need for MSPs to be knowledgeable about these requirements and to engage with the cybersecurity community for support and guidance.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:00] Welcome to the first episode of season two of Climbing Mount CMMC. And today Bobby is
[00:00:12] joined by Shel Phillips and Brian Hubbard. Shel and Brian both have over 40 years of
[00:00:18] cybersecurity experience with many certifications under their belts. Today, Bobby, Shel and
[00:00:25] Brian are going to go through an actual RFP and how to break it down. We're so excited
[00:00:31] for you guys to join us in today's podcast and we hope that you enjoy.
[00:00:36] I want to talk to you, let's just dive right into some of the meat and potatoes. And how do you
[00:00:41] guys see kind of this game of chicken that's happening with the, with the DIB space? A lot
[00:00:46] of the contractors are, are kind of waiting to the last second to veer. What does that look
[00:00:52] like? And what are the dangers in that? It's like veering a battleship. You can't just
[00:00:57] cut at the last second. It's going to take miles to prepare. And I think that's the biggest
[00:01:03] challenge that we're facing right now as far as this whole compliance to, to CMMC
[00:01:09] and the new rule 2.1. So Brian, for you, you know, you're starting to see more involvement
[00:01:16] with pre-assessments than I'm sure happening. How do you feel the ecosystem, if you have
[00:01:20] your finger on the pulse perhaps of like how are organizations, are they starting to turn
[00:01:25] the ship and starting to implement those controls or are they still, still heading
[00:01:28] straight for the iceberg as much? Yeah. I mean, there's certainly some, there's an upswing
[00:01:33] definitely in the, in the number of companies that are starting to pay attention and moving
[00:01:36] out on it. No, I think one of the dangers is that people aren't thinking that, well,
[00:01:42] I already have this requirement in my contract. And at most, most of the, most cases
[00:01:47] they already have contracts that have these requirements in them and they're just now
[00:01:51] starting to comply. Yet they've already signed up that they are, they're meeting all these
[00:01:56] requirements. Right. I think that's a real danger for them from a contract risk perspective.
[00:02:03] Well, I think the DOD as well as the federal government has made sure that everybody
[00:02:08] starts to understand it's not business as usual. Like the, the proposed rule that came out
[00:02:13] clearly drew the line in the sand and they're not veering. They're, they're serious about
[00:02:18] making this commitment and organizations are either going to be early or they're going to
[00:02:23] be late to the bowl. Right. And this kind of moves me to the next question. And that is
[00:02:30] like, what kind of requirements and expectations would you see, Shel? Because, you know, as an
[00:02:36] organization that is helping people prepare, what kind of requirements or expectations would
[00:02:42] you think that should be transparent and shared between the organization you're supporting
[00:02:48] that does have those in their contracts, as well as the IT company, the MSP or MSSP or however you
[00:02:54] want to look at it? Like how does that work and that they, they're helping them and how do
[00:03:01] they need to communicate those requirements that they have that are flowing down to,
[00:03:05] you know, the OSC, the contract? That's a great question, Bobby. Historically,
[00:03:09] there has not been a lot of communication. They basically just say, make me secure and,
[00:03:15] and we'll take care of sort of reporting and that sort of thing. But I'm finding with,
[00:03:18] with new requirements that MSPs, number one are going to have to be certified.
[00:03:23] Right. Therefore, we need to get our act together as we perform these, these things.
[00:03:27] And one of the things that I've found and I've, I've switched to is asking them to share
[00:03:32] the, the cybersecurity requirements in their RFPs or their contracts so I can have a better
[00:03:37] understanding of exactly what they're trying to comply to. One of the things I'm doing
[00:03:43] nowadays is, is working on the East Coast with a, with a mentee who's trying to break into the,
[00:03:50] into the business and we're starting with level one clients. And so the question is,
[00:03:55] how do you tell the difference between level one and level two? And so I've, I've actually
[00:04:01] sort of been teaching him how to look at contract portions under NDA and figure out
[00:04:07] exactly how to determine whether this is a level one or level two client.
[00:04:12] So, so the point is, is that we need to start asking questions, real questions and get real
[00:04:19] answers based on their true experience. Historically, they've just said, oh,
[00:04:23] we do our SPRS reports and we're fine. Well, it seemed like in the past kind of the thought
[00:04:28] was we'll put the requirement on the OSC or the organization that that's getting that contract
[00:04:34] and then they'll just tell the people that they need to tell us, right? MSP,
[00:04:39] that they've got to be doing these types of things. And I think clearly with the proposed
[00:04:43] rule and how things are going, that's not the case anymore. They're expecting us to get parity
[00:04:47] and certification with them. So now we're going to have to get level two. We have to meet
[00:04:51] with them shoulder to shoulder. Brian for, for that situation, what type of things is an
[00:04:56] auditor, you know, having your kind of your auditor hat on, what are you going to be looking
[00:05:00] at to see that the MSP and the OSC as they're getting audited together,
[00:05:07] what are you going to look for to see that they're understanding the contract requirements
[00:05:11] and how they're meeting each other in the middle? Yeah. Well, I mean, the first thing
[00:05:14] is to understand how the MSP is engaging, right? So are they staff, are they doing staff
[00:05:19] audit, you know, basically staff, you know, coming, coming in as a member of the, of the
[00:05:23] OSC's team. And they're just working on the OSC's equipment and that sort of thing.
[00:05:29] But the information is never going to their environment. If that's the case, then they're
[00:05:34] not considered an external service provider by the DOD, right? They're just part of the team.
[00:05:41] So understanding whether they're doing that or whether they're actually processing,
[00:05:45] storing or transmitting CUI through their equipment or whether they're just storing,
[00:05:52] processing or transmitting security protection data through their own environment is the
[00:05:59] important first step to understand how they need to be engaged and what they need to be doing.
[00:06:04] Yeah, those are, and the auditor is going to be looking for that and both parties, the OSC
[00:06:09] and the MSP or the external service provider, they need to understand those rules of
[00:06:13] engagement because that's what they're going to be measured against, right? Ignorance is not
[00:06:16] bliss in that category. Exactly. It's really part of the scoping exercise at the beginning.
[00:06:20] Right. So, Shel, you've had experience in that. I was hoping that maybe you might kind
[00:06:27] of walk us through your experience in looking at RFPs that have come in and what kind of
[00:06:35] requirements because as you kind of read through this, you'll start to notice that it's not purely,
[00:06:40] hey, are you doing 800-171A? There's more to it than that. And so let's just kind of walk
[00:06:48] through that, Shel, from, can you kind of like get us up to speed on what you're about
[00:06:54] to discuss with us so everybody's on the same page? Sure. Let's do it this way. I did an analysis
[00:06:59] on an RFP for one of my clients recently and I looked at the whole contract. They actually wanted
[00:07:05] me to answer the questions, yes or no, and so on for the cybersecurity section. So I went
[00:07:10] through and I actually pulled out all the pieces that applied to them and what they needed
[00:07:16] to comply with. And what I thought might be interesting is as Brian, as the assessor
[00:07:22] from his standpoint, if I read the question and sort of the response, he can sort of explain
[00:07:28] what's covered and why it's important. And I will start by saying this contract was
[00:07:35] a number of pages long and it started out with four pages of flowdowns. Brian,
[00:07:42] can you explain what a flowdown is? Sure. So when a prime contractor receives a contract,
[00:07:50] there's a certain number of clauses that are in the contract. The FAR clauses, and the defense
[00:07:58] supplement to the FAR, which is the DFARS clauses in that contract, and many of those have
[00:08:03] to be flowed down all the way through the contract. So what that means is that any
[00:08:08] subcontract that they issue has to have those clauses in it.
[00:08:13] Let me ask you, I've heard this misnomer and I'm like, I don't think this is right,
[00:08:18] but I want to put you on the spot here. I've heard people say, oh, it's just a few,
[00:08:23] like there's some magic number where it stops flowing down. Can you elaborate on that?
[00:08:28] There is no magic numbers. So the prime contractor has to review the clauses
[00:08:36] and understand whether they have to be flowed down or not. They can choose to
[00:08:40] flow down everything or they can choose to flow down only those things that have to be
[00:08:45] flowed down. But it's not an option for them to, let's say if they have the DFAR 7012 clause,
[00:08:52] which we'll talk about here in a minute, but if they have that clause in their contract,
[00:08:55] it's a flow down. It doesn't matter. They have no choice. If they don't flow it down,
[00:09:00] there's some contractors, they're actually in violation of their own contract.
[00:09:04] And then even subsequent, so if you're a third tier, fourth tier, fifth tier sub,
[00:09:11] all that clause has to flow down all the way, all the way to the lowest level subcontractor.
[00:09:21] I suspect it's probably a cut and paste, don't you think, Brian?
[00:09:25] 100%.
[00:09:27] Yeah. So here's an example of the flow downs. It just started at the top of the list.
[00:09:31] 52.202-1 definitions, 52.203-3 gratuities, 52.203-5 covenant against contingent fees
[00:09:42] and on and on and on for four pages and it's small print. It's like 10 point print.
[00:09:47] Yeah. A lot of times it'll just be a checklist. It'll just be a checklist.
[00:09:51] Here are all the clauses that are flowing down to you. It'll just be this page,
[00:09:56] two pages, three pages of just purely a checklist of clauses.
[00:10:00] Yep.
[00:10:01] Should you trust, Shel, that your client knows to look for those types of things?
[00:10:08] As a consultant myself, I have to suggest to them, hey, maybe you better look at this
[00:10:14] a little bit closer and have a good look at what they are. I mean, a lot of them are obvious.
[00:10:19] I mean, the definitions, yeah, it's going to be pages and pages of definitions
[00:10:22] and gratuities, it's going to be a couple of paragraphs about, okay,
[00:10:25] you can't take gratuities to get an advantage, that sort of thing.
[00:10:29] So the titles kind of suggest what they are, but there are some that actually go into the
[00:10:34] details of cybersecurity and that sort of thing. And you have to be sure
[00:10:38] that you don't miss any of those. You have to actually be aware.
[00:10:42] And I think after you've gone through one of those as a client,
[00:10:45] you probably then begin to know what to recognize when you look at the next one
[00:10:48] and the next one and the next one. So let's go back to this contract
[00:10:53] and actually look at some of the language in it. And on page three of this,
[00:10:59] I mean, this was like a 15-page RFP, actually a request for a quote.
[00:11:03] It was very simplistic. And the product design specifications
[00:11:08] were in a separate document. So it didn't even actually
[00:11:11] have the pages and pages of product definition. It was referring to other documents.
[00:11:17] And they had the title and what to look for. But here's the compliance section.
[00:11:23] First question, does the information systems network, which will be utilized by your company
[00:11:28] in performance of any work concerning this solicitation, comply with the requirements
[00:11:33] of FAR 52.204-21, basic safeguarding of covered contractor information systems?
[00:11:40] Okay. So that's the very first question.
[00:11:42] What are we talking about there? What's FAR 52.204-21, Brian?
[00:11:48] Well, so first the FAR, right? The FAR is the Federal Acquisition Regulation.
[00:11:53] So that is the big umbrella, right? That's every executive-level agency.
[00:11:59] So whether it be Health and Human Services, DOD, the IRS, whoever's issuing a contract,
[00:12:06] they use the FAR. The FAR is actually what they have to use. It's not an option for them
[00:12:11] either. And there are certain clauses that are showing up in every contract.
[00:12:18] They have to. They're required to include the acquisition of professionals,
[00:12:22] are required to include certain clauses. This clause, 52.204-21 is one of them.
[00:12:29] It's just basic safeguarding of information. So the government wants their data protected,
[00:12:35] right? And this is, I would say, the bare minimum that they could do and not cause a
[00:12:44] whole upheaval in the community. And basically what they did was they picked 15 high-level
[00:12:52] controls that they felt were just the basic security controls that everybody should abide by.
[00:13:02] Quite frankly, it's not enough. There's 15, but that doesn't cover a lot of areas.
[00:13:06] But this equates, I mean, if we're on CMMC, this equates to CMMC level one. One for one match.
[00:13:15] There's 15 controls in 52.204-21. There's 17 controls in level one of CMMC.
[00:13:24] But there are 17 controls mapped exactly to the 15 controls.
[00:13:29] Right. So that's the starting place. Your federal contract information has to
[00:13:36] comply to those 15 level ones. So that's where they start. Okay, question two.
[00:13:41] Well, hold on. Before you hit that though, if you haven't checked out
[00:13:46] Jacob Horn's recent reference to the movement in the FAR rule that's coming out very soon,
[00:13:53] they're now starting to see where there's going to be, finally the ruling is going to come
[00:13:59] out where it's going to say, okay, here's FAR's approach to CUI. The DOD has already
[00:14:05] published theirs, but now the FAR is going to release theirs. What that looks like,
[00:14:08] no one's 100% sure how that's going to play out. But you can bet your bottom dollar it's going
[00:14:13] to be pretty large in scope because you're talking all of the organizations that fall under
[00:14:18] FAR, basically the whole government that is going to be doing acquisitions of something
[00:14:24] is going to go through that FAR. The thing that's important too, Bobby,
[00:14:29] is that the FAR, this clause, 204-21, it applies to every federal contract. It doesn't matter
[00:14:38] whether you're processing CUI or not. You have this requirement, even if it's just
[00:14:44] federal contract information. In other words, just the normal stuff you get as part of your
[00:14:50] contract, it has to be protected according to these controls. Okay, so that's a good call out,
[00:14:57] Bobby. I suspect, and I do a lot of CJIS work as well, that it'll push down to state
[00:15:01] and local governments as well. I think it's just everybody's going to be under the same
[00:15:06] sort of vertical- If you look at it as an MSP, I go to conferences, I ask this question a
[00:15:11] lot. It's like how many of your clients fall under the CMMC requirement? Typically, it's
[00:15:17] maybe 1%, 2%. But as the FAR rules and some of those other things, you're going to see
[00:15:22] that percentage go to increase every time. Yep, yep. Absolutely. Okay, let's move on
[00:15:28] to the next question. Has your company implemented the requirements of DFARS 252.204-7012,
[00:15:37] Safeguarding Covered Defense Information and Cyber Incident Reporting for the Information
[00:15:42] Systems Networks that will be utilized by your company in performance of any work concerning
[00:15:47] this solicitation? DFAR, what's the difference between a FAR and a DFAR?
[00:15:52] Good one. There's a D and an S.
[00:16:00] The DFARs is the Defense Federal Acquisition Regulation Supplement. And again, it's just
[00:16:07] an agency-specific additional set of regulations or requirements that the DOD has determined
[00:16:17] that they want specific to their contracts. So that's the DFARs. They're similar
[00:16:24] for other agencies. There's other FAR supplements as well for other agencies,
[00:16:30] not just defense. And yeah, DFAR 7012 is really the DOD's first attempt to have their contractor
[00:16:43] first attempt really, but it's the first formalized attempt to try to implement the NIST
[00:16:48] standards in order to protect controlled and classified information. And so one of the biggest
[00:16:57] things in it is that the requirement to comply with NIST 800-171, the 110 controls. But there
[00:17:07] are other requirements. There's reporting of incident requirement to the Defense Cyber Crime
[00:17:12] Center. There's requirements if you have CUI in a cloud environment that are part of the
[00:17:20] DFARs 7012 clause. And there's a few others that are important. So 800-171 compliance is
[00:17:29] the big kahuna, but there's these other requirements that are critically important
[00:17:34] to protecting the DIB and the defense industry.
[00:17:40] Interesting is some of those rules are going to be rewritten to some extent, right? Or updated,
[00:17:49] I guess, is the right way to say that after the proposed rule becomes final and more of that
[00:17:56] stuff is going to happen. Yeah, right. We just don't know what exactly it's going to have in
[00:18:04] them. But I mean, it's not going to be, oh, we decided we're not going to do this.
[00:18:12] They're just adding on to what's already been expected. Exactly.
[00:18:20] Okay. So then we get into on page 12 of this RFP, we get into sort of the detailed questions.
[00:18:27] Are you doing this? Are you doing that? So on and so forth. And the first question is,
[00:18:30] are your company information systems compliant with the requirements of FAR 52.204-21,
[00:18:39] basic safeguarding of covered contractor information systems? Note to be compliant,
[00:18:44] the 17 NIST FAR controls have to be fully implemented. The requirements cannot be met
[00:18:49] with a plan of action and milestones. What's a POA&M? Oh my goodness. So a plan of action and
[00:18:58] milestones is really the set of projects that you have under ongoing in order to get compliant.
[00:19:05] And that's what we're talking about here in that question you just asked. So what that means is
[00:19:12] there's some control that hasn't been fully implemented in the company. And what they do
[00:19:18] is they document that and write out a plan of action of how they're going to fix it,
[00:19:23] how they're going to become fully compliant and some timeframes associated with that.
[00:19:27] So not enough to just say, I'm going to do it. You have to actually say, here's how I'm going
[00:19:32] to do it. Here's how I'm allocating resources. And here's what I'm going to be done by.
[00:19:38] So when you're going into an assessment, you cannot have any of those that are
[00:19:42] purely for compliance sake. So for example, if I'm not implementing access control,
[00:19:49] I can't put that on POA&Ms. Okay, now evaluate me against these 17 clauses.
[00:19:56] But I have a POA&M for five of them. No, it's a non-starter.
[00:20:01] Mad Fientist So while we're talking about POA&Ms,
[00:20:04] how long does the client have to clear a POA&M item?
[00:20:07] Dr. John Baxter Well, so until they're assessed,
[00:20:10] they have as much time as they want to take before their formal assessment.
[00:20:14] So when we're talking about assessments under CMMC or formal DIBCAC assessment
[00:20:26] under 800-171, they will have 18 months to clear those. So going into the assessment,
[00:20:33] they should have none. As a result of the assessment, the assessor may discover, well,
[00:20:39] you're not quite implementing that the way it's intended. So that would result in a POA&M coming
[00:20:45] out of that assessment. And then there's 18 months to clear those. Now under the DIBCAC
[00:20:51] 800-171 assessments, there's no real restriction on what can be POA&M'd or how many things can
[00:20:57] be POA&M'd. Under the CMMC proposed rule, there are very tight restrictions on what actually
[00:21:04] can show up in a POA&M. Mad Fientist
[00:21:06] That was such a deviation from before. It was, I would say reasonable. And then it was almost
[00:21:14] like the DOD just took their toys and left and said, look, there's only certain ones you can
[00:21:21] POA&M. The timeframe that you can do it is considerably shorter. Wow.
[00:21:26] Dr. John Baxter It seems like a new thing
[00:21:30] to a lot of people, but it's really not. It's what the DOD has been talking about since the
[00:21:35] inception of CMMC. And it actually was embodied in the CMMC assessment process, which was geared
[00:21:42] towards C3PAOs and assessors. It's always been actually spelled out exactly the way it is in
[00:21:49] the proposed rule. It's still a little bit of an overreach, but it's, you know, so it's not
[00:21:57] new to the assessment community. It's kind of just now public. What it is.
[00:22:03] Mad Fientist Okay, so moving along, the next question talks about, it's number two, and it
[00:22:13] just identifies 7012 as being sort of the umbrella for the next question. And part A,
[00:22:19] has your company implemented all 110 controls of the National Institute of Standards and
[00:22:24] Technology special publication 800-171 on your relevant information systems? Now, before you
[00:22:31] answer or explain that in detail, does that suggest what level of compliance does that
[00:22:39] suggest to you? Dr. John Baxter
[00:22:41] For CMMC it's level two. And for 800-171 it's just compliance. For DFARS 7012 it's just
[00:22:51] compliance. And the key thing is that all 110 controls have to be implemented, right? And they
[00:23:01] have to be meeting those. So basically it says you have to have perfect score. In CMMC
[00:23:07] apartments that means to be completely fully certified, you have to be perfect. It's not
[00:23:13] okay you can't be 109. You have to be 110 to be fully certified.
[00:23:19] Dr. John Baxter So let me ask you this question, Brian. In your observation, how many companies
[00:23:25] that have submitted their supplier performance risk system score, their SPRS score, how many
[00:23:33] of them have said I have 110 score and they also have a poem? How many have you run into?
[00:23:39] Dr. Brian Smith And what does that suggest to you?
[00:23:50] Dr. John Baxter Well, some yes. I would say some are definitely just shading the truth.
[00:24:00] Others don't understand the requirements. See, the problem with the way 800-171 is written
[00:24:06] currently in revision two is it's these high level English language statements. And if somebody
[00:24:13] isn't paying attention to what you really have to do from an assessment perspective,
[00:24:19] they just look at those English language statements and it says something like,
[00:24:23] authorized users are identified. Oh yeah, we do that. Well, there's a whole boatload of
[00:24:30] assessment objectives that have to be met. If you don't look at those assessment objectives,
[00:24:35] you're not going to get it. So you may think you're 110 and then an assessor comes in and
[00:24:39] says, you're really negative 203. Right? Because you can go negative in your score.
[00:24:46] That's not a situation you want to have. Dr. Brian Smith Okay.
[00:24:51] Dr. John Baxter Now one thing I would ask, I just I want y'all's opinion about this is,
[00:24:56] is when you are in a situation, I call it marriage counseling for CMMC. And it's like,
[00:25:07] let's just say that you're the managed service provider and your client turns to you and says,
[00:25:12] hey, how are we on this? And they use the word we because they want to know how are you
[00:25:21] as their MSP or MSSP. And as you're filling it out, like where are we together in lockstep
[00:25:28] on that? Is that a good place to be? In your opinion, I'm just curious.
[00:25:34] As an MSP, that one of the very first documents I produce is a shared responsibility matrix. In
[00:25:40] other words, I spell out exactly and I do it actually to the assessment objectives.
[00:25:45] Every assessment objective, who's going to develop the list of users? Who's going to
[00:25:50] monitor? Who's going to you know, so on and so forth. And I go down all 320 of the
[00:25:54] CMMC objectives and actually identify. Is it me, you, vendor, or both or three or whatever.
[00:26:02] And I make notes about that. Who's going to do what? For example, when you go to patching,
[00:26:07] whose responsibility is it for patching? It's not just mine. You have to turn your machine on
[00:26:11] when it's time to patch. So the client has responsibility as well as the MSP or the vendor
[00:26:17] or whomever. And so you have to really identify that and you start there. That's
[00:26:22] the very first document almost that I put together. And I say, okay, going into this,
[00:26:27] here's how it lays out. And here's who's going to take responsibility for what. So there's
[00:26:31] no question. It warms my heart, brother. Yeah, it is we have to be on the hill
[00:26:41] and be ready to help them know because if we're if we need to be the North Star for them
[00:26:47] as far as in where they're navigating to right. Because if we're moving at the same time
[00:26:53] they're trying to move, good Lord, I couldn't even imagine how you might be able to pull that
[00:26:57] off. That's great. That would be a nightmare. So that implies that we need to be first,
[00:27:04] that we're going to need to get our level to at least so that as we're assisting our clients
[00:27:09] and they you don't want to be working out kind of that matrix like you're saying, Shel,
[00:27:15] while they're trying to bid on RFP about where our lines of divisions happen and whose
[00:27:21] job is doing what I just that would scare me to death if I was an organization
[00:27:26] and I was having that discussion while I'm about to bid on a job with my managed service
[00:27:31] provider. That just seems madness. And I know it's happening right now as we're recording this,
[00:27:36] people are probably doing that. And I just think that's absolutely nuts. Just crazy.
[00:27:41] Yeah, that's that's the challenge for this year for covenant is to get certified and get
[00:27:45] get our complete act together so we don't have to worry about that. And so that we
[00:27:50] can define very clearly who does what to whom and how and why. So okay, next question.
[00:27:59] Has your company implemented all 31 basic security requirement controls of the National
[00:28:04] Institute of Standards and Technology Special Publication 800-171? 31. That's a new number.
[00:28:11] What's that? What's that mean there, Brian? That's the first thing one to put in there.
[00:28:16] I've never seen that show up in that particular way. So the basic security requirement controls
[00:28:24] are just, I don't want to say arbitrary, but the way the NIST developed the 800-171,
[00:28:33] there's certain security controls that were called basic and then there were other
[00:28:38] controls that were called derived. It's again, I feel it's fairly arbitrary. And actually in
[00:28:50] the proposed REV3, what we're seeing in what's going to happen in the spring here,
[00:28:56] that distinction goes away in the NIST document itself. So basically what it's saying is there's
[00:29:04] 31 controls that were considered basic and those were derived from one of the FIPS
[00:29:11] publications. FIPS 200, or is it FIPS 199? It's either here nor there, it doesn't matter.
[00:29:22] But anyway, there are 31 basic and then the other 69 are derived.
[00:29:31] But it all equates back to controls that were in another NIST publication, NIST SP 800-53.
[00:29:38] And the distinction is neither here nor there really. So it's surprising that the contract
[00:29:45] actually called those out. It actually calls it out. I had to do some digging to sort of figure
[00:29:49] out what the 31 were, but it's out there. It's on the web. Okay, I'm going to skip a couple
[00:29:55] of these. Here's another question. Does your company currently hold a medium level of
[00:29:59] assurance, an MLOA certificate, to access a DIBNet portal? That does not make a lot of
[00:30:07] sense about how that's written. What it is is not what it sounds like in my opinion, I don't know.
[00:30:14] I'm curious to see what you guys think. Yeah, what are they talking about, Brian?
[00:30:18] Well, so DIBNet is where incidents will get reported under DFAR 7012. dibnet.dod.mil
[00:30:30] is the website. And if you go up there and you click on the button to record an incident,
[00:30:37] it'll prompt you whether to for a medium assurance certificate. What that is, it's a PKI cert,
[00:30:45] right? And it's you have to, and the medium level of assurance is the assurance of the
[00:30:51] certificate. So when you sign up for one, you have to send certain proofs of identity.
[00:30:56] It's individually based, by the way. It's not company based. So you have to prove your identity,
[00:31:02] your identity is investigated and verified. You have to send documents that you really want
[00:31:09] to get back in order to get that certified. And then you get that certificate and once you
[00:31:15] have it, then you can actually log in and report incidents. So you have 72 hours under
[00:31:21] DFAR 7012 to report an incident. So you don't want to do on day one that you discover the
[00:31:28] incident, you don't want to request a certificate because it takes weeks and weeks to get a
[00:31:33] certificate. It takes a couple of weeks to get that. Let me ask you. You don't have it when
[00:31:37] you're doing your readiness for your assessment that you don't have it either. Let me ask
[00:31:42] you this, Brian. That's computer specific. It's a cert that's on a specific computer.
[00:31:48] What happens if that computer fails? Can you transfer that certificate or do you have to go
[00:31:52] through the process again? So it's been a while since I actually had one myself.
[00:31:58] But when I did, I had it on a thumb drive. The cert was actually on a thumb drive as a backup.
[00:32:06] So it's typically embedded in your browser but you can also have it on the thumb drive.
[00:32:13] You had to take it to another machine. It's transportable. Yeah, you have to go through a
[00:32:16] process. I'm going through that right now. It's not fun because I got a new machine.
[00:32:23] But when I first heard it, I thought, I don't know about you, I'm just being honest here.
[00:32:27] I thought, is this like cyber insurance? Is this what they're talking about with their
[00:32:30] medium certificate? When I first heard it, I was like, is that what that is? I don't know.
[00:32:36] What did you think, Shel, when you first heard it? Did you think it was
[00:32:40] what it really ended up being? I didn't know about it so I had to look it up and
[00:32:45] do some research. What is this? I actually learned about it in my CCP class, to be honest.
[00:32:53] Yeah, we talked about it there. If you go to dibnet.dod.mil,
[00:33:00] it'll give you instructions on how to get a certificate. While we're talking about contracts,
[00:33:04] Brian, let's talk about the False Claims Act of, I believe it's 1863.
[00:33:10] What is that and how does it apply?
[00:33:15] Okay, great. So basically what the False Claims Act is, it's the government's way of saying,
[00:33:22] you're signing this contract and it has all these requirements in it, the FAR and the
[00:33:27] DFARs and all this other stuff. If you're not doing things in accordance with those regulations
[00:33:33] and you're basically lying to the government that you are complying, the government can come back and
[00:33:41] hit you with this False Claims Act. And what that says is they can take the contract away from you
[00:33:48] and the other piece is that they can actually sue you for damages or anything else like that.
[00:33:57] Treble damages? Yes, that's what it's called.
[00:34:01] You know, the lawyer in me didn't know that.
[00:34:04] But the interesting thing is that they weaponize, I guess for lack of a better word,
[00:34:10] your staff to help kind of keep you honest because they get a portion of that when they
[00:34:15] report if it gets approved. Yeah, or the whistleblower.
[00:34:21] So the Department of Justice has been funded by Congress to enforce it.
[00:34:30] So there is a significant uptick in DOJ actions, certainly with respect to cybersecurity,
[00:34:39] in recent years because now the Congress has said, yeah, DOJ, we're plusing you up to go
[00:34:46] after this. I think it's reasonable to assume that you're going to see a lot more of those
[00:34:52] happen, especially once the certifications start dropping because they want to know
[00:34:58] the integrity of those. And if you're not adhering to it, I can't imagine
[00:35:03] them turning a blind eye to that, especially if people are bringing forward evidence that
[00:35:12] organizations have turned to their employees and said, hey, you know, I know that you
[00:35:16] object to this, but let's just get it done. Okay. We got to get this contract. So I know
[00:35:23] that you're not happy with this, but we're just going to say it's okay. And if that employee
[00:35:28] turns around and goes, I'm not cool with that and reports you.
[00:35:31] Yeah. And I think you're going to see a lot more whistleblowing happening because of the
[00:35:36] consequences to CISOs of, you know, their companies not actually following their
[00:35:44] guidance and then not doing anything about it. CISOs are being called into court now and being
[00:35:51] sued. Right? And so there's several examples of that recently.
[00:35:57] And traditionally, it's been larger companies, but I think that trend is going to change
[00:36:01] because they're going to want to make some examples of the SMB community as well. What
[00:36:04] that looks like, who knows? Just as a funny aside, do you guys know the history of
[00:36:10] the false claims act? For my CCP course, they did cover it because I took mine through Edwards
[00:36:15] and they did a great job in training us on it. It was called the Lincoln Act and it was
[00:36:21] implemented because the union soldiers were getting faulty equipment and provisions,
[00:36:27] horse meat and so on. And they wanted to stop that. So they implemented, they signed
[00:36:32] the false claim act into law so they could start getting better supplies. But just a
[00:36:42] little point of fact. Yeah, way out there. So to summarize sort of what we're talking about
[00:36:55] here, we've gone through the details of an RFP and it shows just how you can tell what's
[00:37:03] required, how it's required. And I recommend that MSPs get familiar with reading these
[00:37:10] things under nondisclosure. They will have access and they should ask for at least one
[00:37:15] copy and go through it and just see the extent and what's covered. And this will be
[00:37:21] the guarantee that they have to do a level one, level two, maybe even level three depending on
[00:37:25] what's in the contract. If it was an ITAR contract, international trade in arms,
[00:37:33] there would be a glossary of terms of material types that would be included there that they
[00:37:39] would have to use to label files and documents. And so it would be very clear.
[00:37:45] And I think as MSPs we need to know about this stuff. We need to know how to look at it.
[00:37:50] It may drive the decisions we make on bringing on a new client because we can't just automatically
[00:37:56] say, yeah sure, we'll be your MSP. Well, we're not going to sign up for all that security stuff.
[00:38:02] We're just going to keep doing what we're doing. Okay, time out. We don't need those
[00:38:07] kinds of clients. I'm sorry. And I've got a friend who actually supports your kind of client.
[00:38:13] Yeah. Well, if you think about it as a builder, if what you're great at building is bridges,
[00:38:22] you don't try to bid on a deal that's going to have to deal with buildings. And so what ends up
[00:38:29] happening is you've got to know what you're good at. You got to know what you're comfortable
[00:38:35] with and you got to know what your clients are doing so that you can feel comfortable
[00:38:38] that you can appropriately support them because you don't want to find out midway through an
[00:38:41] engagement with them that you're a square peg in their round hole. That's a bad day.
[00:38:47] Yeah, it is for everybody. Yeah, and just, you know, it's going to happen. Sadly,
[00:38:51] it's going to happen. Just to add to that a little bit too, I mean,
[00:38:54] it's not just the FAR and DFAR clauses we talked about, right?
[00:38:58] Security requirements show up in other places in the contract as well.
[00:39:02] It might be in the statement of work. It might be in other places in the contract that
[00:39:06] they have additional requirements. It's important that the MSPs know that and know
[00:39:11] to ask their clients more than just, do you have the DFAR 7012 clause? Because they might
[00:39:17] have other additional requirements and they might be just expecting that the MSP is providing
[00:39:22] those services in, they may not even, you know, if they don't know what they are,
[00:39:27] they can't provide them. Yeah, it could be 800-53, could be some version of that,
[00:39:34] some level, could be any number of things. And I've had clients come back and say,
[00:39:38] well, I thought you were doing this already. And it's like, right. We need to have another
[00:39:43] conversation. Like for us, like we have no desire to do level three. If you happen to
[00:39:48] bring on a client and all of a sudden they decide that's the kind of work they're going
[00:39:52] after, then you're gonna have to make a choice. You either have to step up to level
[00:39:57] three to match them or you got to exit stage, right? Or at least they'll have to
[00:40:00] find somebody else that can do that contract support with them.
[00:40:03] Yep. Better to know before you get engaged than finding out later because it is trouble.
[00:40:11] Well, and I think as it's important as an MSP and MSSP, as well as an OSC,
[00:40:17] like be involved in the community, get to know and be part of others. Brian,
[00:40:24] you've got a good organization that can help MSPs start to try to understand some of these
[00:40:29] types of challenges. Yeah. So yeah, MSP Cyber Security Exchange is really trying to do exactly
[00:40:34] that. It's trying to bring those folks that are cyber security compliance professionals together
[00:40:39] with the community of MSPs and work through these challenges, right? Work through what
[00:40:44] does this mean? What does all this stuff mean to me? And how do we navigate these challenges
[00:40:51] with respect to our clients? So it's really, like I said, the boots on the ground. We're
[00:40:55] trying to help the MSP community who are struggling to implement these cyber security
[00:41:01] controls and understand really what they mean. So we're working at that level in the MSP Cyber
[00:41:09] X. Happy to have you two gentlemen on the steering committee for that to help me make
[00:41:15] sure we stay on the right mark with MSPs. And I think that's critically important. This is an
[00:41:20] MSP driven community, but informed with cyber security compliance professionals.
[00:41:25] Well, Shel, Brian, thank you so much for joining me today and going over this topic that
[00:41:30] I really haven't seen covered in much detail to this level. Shel, thank you so much for
[00:41:34] kind of organizing and getting just a regular RFP to go through and help people kind of see
[00:41:38] the type of questions and expectations. So thank you both so much. It's a pleasure.
[00:41:42] Thank you. Well, again, we'll be sharing some of those resources that you might be able
[00:41:48] to go shoulder to shoulder with other organizations and learn more about it.
[00:41:52] And so again, thank you so much for joining us on this great topic.
[00:41:55] And as always, keep on climbing and we'll see you next time.
[00:41:59] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:42:04] We hope you guys enjoyed today's episode and listen out for the next one.
[00:42:08] But until then, keep on climbing.