(Season Two Episode 2) Bobby is joined by Mark Berman, CEO of FutureFeed.co, to discuss his connection to the Cyber AB and why GRC tools are so important to your security and compliance journey. We hope you enjoy today's episode, and make sure to comment any questions you may have.
The conversation also touches on the concept of security protection data (SPD) and the challenges it poses for GRC tools. The need for clarity and regulation in handling SPD is highlighted, along with the importance of choosing a GRC tool that prioritizes data security.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Welcome back to season two of Climbing Mount CMMC. Today Bobby is joined by Mark Berman. Mark is the CEO of Future Feed.
[00:00:16] Bobby and Mark are going to be talking about what to expect from a GRC tool. We are so excited for you guys to join us in today's episode, and we hope that you enjoy.
[00:00:29] I've gotten the pleasure of working with Mark because of the fact that we use Future Feed as well. And what I wanted today to talk to you about, Mark, is a little bit about the evolution of the Cyber AB and your involvement; you have an interesting story there.
[00:00:44] As well as just kind of lean into what you would want to expect from any type of GRC tool you're using. Plus, you know, with the rule, the proposed rule out that has some impact right on GRC tools and there are some questions that you really want to ask.
[00:01:00] So I just really kind of want to lean into some of those more difficult conversations. How do you feel about that, Mark?
[00:01:06] I'm happy to do it. And there's a lot to talk about. So if you and I talking helps other people start continue the conversation even better.
[00:01:14] Awesome. All right, well, first off, let's get into kind of like the story of how the Cyber AB got involved. I think some people that may be listening to our podcast may not even know that it's not actually a government organization per se.
[00:01:28] Can you sort of talk about what the Cyber AB is and how your involvement was in its infancy?
[00:01:34] Sure. So the DFARS regulation came out before CMMC existed, and there was a requirement for all companies in the supply chain to be compliant with 800-171.
[00:01:49] And it was an optional program, so companies were expected to review all of the controls, do a self-assessment, and do it accurately and truthfully, and be able to defend it if they needed to do it.
[00:02:01] And when that program came out in 2017, it became clear almost immediately that companies were not really going to undertake the effort and the time to do it.
[00:02:13] Certainly not to the extent that we're seeing people who are going through joint surveillance assessments now doing it. So government, I think to the credit of government, honestly, it had my admiration that it didn't take 10 years to figure out that people weren't doing it.
[00:02:30] Instead, they immediately started working on a way that there would be an enforcement mechanism for it. And that's where CMMC came.
[00:02:38] Now, CMMC is more from the DOD perspective, right?
[00:02:43] CMMC is from the DOD perspective. So CMMC is not a compliance framework. So many people think of it as this is the framework we have to do CMMC. There's nothing that CMMC is. CMMC is the mechanism for validating that a company is doing the 800-171 framework properly.
[00:03:03] So when we realized that the self-assessment wasn't happening, that people who are to this day and back then were supposed to submit their score to the SPRS system, which is a site run by the Navy, that wasn't happening.
[00:03:20] And when it was happening, people looked really good. I look really great in my own mirror every single morning when I look into it.
[00:03:27] And in fact, when we started this podcast, I thought it was all ready to go and you pointed out that my glasses were there or something like that.
[00:03:33] I didn't even see it because when you look in your mirror, you feel ready for the day and ready to go. When you look at your controls, you're like, oh, we identify all of our users.
[00:03:41] Well, do you identify them with the scope of are they authorized to see CUI? That's what the question really was about and has always been about.
[00:03:49] And people didn't have a list of authorized users who were authorized to see CUI and so forth and so on.
[00:03:55] So that's how CMMC came about, to create a mechanism where we could document and validate. It's the government's information, controlled and classified information.
[00:04:03] I don't have any. I'm not a government contractor, but if you do right, it's not your information.
[00:04:08] You it's the government's information that was shared with you in the furtherance of your contract.
[00:04:13] Therefore, you have a responsibility to prove to the government that you can be trusted.
[00:04:18] That's what CMMC is all about. Right, because the government's got FIPS requirements and all types of other, you know, the risk framework and all those things, 800-53, to kind of protect their systems.
[00:04:31] But once it goes over the wall to us, like how are they going to protect it? And the CMMC program is an integral part of that.
[00:04:38] But it seems like they didn't want to create another IRS department per se.
[00:04:44] So the Cyber AB was born. Can you sort of talk about the Cyber AB and its relationship and how you were sort of connected with that as things were starting off?
[00:04:55] There was and is a pressing need to protect the government's information as it is shared for the furtherance of contracts. That need,
[00:05:07] Frankly, it is more pressing than a bureaucracy can be built and be responsive to that need.
[00:05:14] So in 2019, I'm sure it was developed in 2018 and during 2019, the decision was made that private industry could be much more responsive to the needs of the government than the government itself.
[00:05:29] There are all sorts of protections for people's jobs, and you have to build a bureaucracy and a hierarchy and all that.
[00:05:35] And frankly, government isn't great at innovating.
[00:05:39] I think it's getting better these days, frankly, but it's not great at innovating where private industry was.
[00:05:44] So they came to private industry. It was in November of 2020, I believe.
[00:05:50] And they said, hey, we need you to create a mechanism so that we can document and validate and prove that all of these companies that are supplying the supply chain and we can go into in a separate conversation about all the risks and make clear evidence that our supply chain was compromised.
[00:06:09] We need you to create a method that these companies can document what they're doing and what is the inspection system going to look like?
[00:06:16] And from that question of what is the inspection system going to look like comes the CMMC accreditation body.
[00:06:22] The government, to its credit, gave no direction on how to create that body.
[00:06:27] They just said, you need to solve this problem for us.
[00:06:31] All of you, the supply chain, benefit from earning and winning our contracts.
[00:06:36] You get together. You solve the problem.
[00:06:39] From that came the accreditation body.
[00:06:41] Four years later, we're still kind of going back and forth a little bit on the regulation because it turns out there's a lot of detail that's involved in inspecting 120, 110 controls and 320 objectives.
[00:06:55] And then you have the whole aspect of what if we don't agree with the validation that the assessor is doing and who's going to approve these C3PAOs, the private bodies that are doing.
[00:07:08] So we've been spending the last year with, I think, something that's never been done in government.
[00:07:13] You have DIBCAC representing government and you have private companies, the C3PAOs, jointly assessing and building sort of what is normal?
[00:07:22] What is the norm for doing an assessment? How much detail can we expect? What questions should we ask?
[00:07:27] What questions are kind of out of bounds or unreasonable?
[00:07:30] That's been happening over the last year through companies.
[00:07:33] And think about how crazy this would have been 10 years ago.
[00:07:36] Companies literally volunteering to have government inspectors to come in and take a look.
[00:07:40] That just doesn't happen.
[00:07:42] I used to run a food business.
[00:07:44] I didn't call the health department and say, would you please check me out?
[00:07:47] I'm not sure that I looked forward to the health department coming in, but I was ready for it when they came.
[00:07:52] I never called them and brought them in in advance.
[00:07:55] That sort of public-private partnership is unique.
[00:07:58] And yeah, it's been a bumpy road.
[00:08:01] It should have happened in two years, not in four.
[00:08:04] But the original promise in 2020 was that the system would be live and running in five years.
[00:08:09] Last time I checked, it's not 2025 yet.
[00:08:12] So we're actually on schedule. It just doesn't feel that way.
[00:08:15] When I was first getting involved, I assumed Cyber AB was a part of the government.
[00:08:20] But to find out it was a nonprofit that is working in collaboration with the government as a separate entity and standing that whole thing up, man,
[00:08:28] it really kind of opened my eyes to the challenge of what they've been given and what they're trying to accomplish.
[00:08:33] It's a pretty daunting moment.
[00:08:36] Yeah, there had been no government money allocated to the Cyber AB, to the state.
[00:08:42] So we had to create a system for getting revenue, frankly, so that we could have a staff and the staff remain small because the system isn't up and running yet.
[00:08:54] And we tried various experiments along the way.
[00:08:57] Some things work better than others.
[00:08:59] Essentially, the system is funded by industry through the RP and the RPO program and the C3PAO program.
[00:09:06] Those fees that are collected each year have funded just enough money to have the small staff for that staff to operate and to lead the rest of the industry across the threshold.
[00:09:17] Let's switch gears, if we will, to GRC and having a tool.
[00:09:24] A lot of organizations utilize just basic templates and they kind of create everything in Excel and other types of software, things of that nature.
[00:09:34] But talk to me about how someone would kind of come to the conclusion that they need to get a specific software tool to help track their progress and maturity in getting ready for CMMC versus just using Excel spreadsheets.
[00:09:52] Excel, spreadsheet, and SharePoint. It's usually a combination of Excel and SharePoint.
[00:09:57] It presents a challenge. And here are the challenges as I see it.
[00:10:01] Number one, it's collaborative.
[00:10:04] So at the end of the day with 320 objectives, it's very difficult for one person or two people to go through all those things and document them and do that in isolation.
[00:10:14] So as soon as you have two people collaborating and imagine a cell in Excel, it only has one value at a time.
[00:10:20] How are you going to keep that history of who changed the cell and all that?
[00:10:23] Yes, you can go back to previous versions and you can find ways to see what but who did each previous.
[00:10:29] It becomes very complicated to manage.
[00:10:31] Number two, the answer is dynamic.
[00:10:33] It is not static.
[00:10:36] Look, everything, all the imagery, all the marketing imagery of IT is that the world is changing and especially with AI at an increasingly speedy rate.
[00:10:46] Yet you need to document that you're being compliant through all of those changes, which means you're constantly updating it.
[00:10:53] Try updating 320 cells and maintaining as our companies change, as somebody leaves the company, a new person comes in.
[00:11:03] All of these things that are collaboratively put in, it's not a point in time.
[00:11:07] It's a continuous set of points in time.
[00:11:10] And part of the CAP, not unreasonably, says we need six months of uninterrupted evidence on each one of those controls.
[00:11:18] So that means you have to be adding not just, hey, how's it going, Bobby?
[00:11:24] I did my job today and I feel really great about it.
[00:11:27] You need to that's the big page that is actually the hardest thing about CMMC.
[00:11:32] Is the company culture, whereas I might have had a change management meeting an hour ago and that change management meeting, we went over the changes we want to do.
[00:11:42] Everything got approved and we did our job.
[00:11:44] And maybe my company's been doing that for the last 20 years.
[00:11:47] The problem is I need a record of that now because every three years an assessor is going to come and look for that record and they're going to be looking for continuous.
[00:11:57] So if I'm supposed to do that change management meeting whenever there's a big change or once a month, that's typical.
[00:12:03] Right. So I need for the last six months, the minutes from that meeting, we reviewed the following things.
[00:12:08] We made the approvals and we're done.
[00:12:10] You can't just have the meeting and not keep a record.
[00:12:12] That is literally the hardest thing to do.
[00:12:15] So when you have a GRC tool, of course, there are functions in Microsoft Office and the Google Office app where you can record all this.
[00:12:23] And then what happens is you get it spread out on all the desktops or all the cloud file folders, which, when you need to run an assessment that could cost you $30,000 to $50,000, is a problem: you need to be quick and agile and fast with the answers.
[00:12:36] And the answers shouldn't have a bunch of conflicts built in where it looks one way on Bobby's computer and a different way on Mark's computer because that's going to come out.
[00:12:44] That's going to result in findings for at least this team of people who will be paid $150, $200 an hour or several of them.
[00:12:51] Now they're spending time digging in your rabbit holes that don't need to be spent.
[00:12:56] So what a GRC tool can do is it can bring all of the answers to the questions which are changing over time in one place.
[00:13:06] It can bring together the things that you maybe haven't finished yet so you can make good project plans, which we call POA&Ms, and get those things finished.
[00:13:15] And when everything is up and running and you think your system is working, now we have a place where that system is going to give you a location for that list of evidence that we can just provide to the assessor.
[00:13:28] Say hey, we do everything right. Here's the list. Open up anything you want. I'm sure you'll be happy and then move on to the next control.
[00:13:35] Yeah, for me, something that also surprised me as I started utilizing a GRC tool that I didn't expect is, as we stepped into it some years back, obviously coming from the MSP space, I had ignorance.
[00:13:48] I didn't know. I didn't grow up in the DIB and DoD either. I didn't come through 20 years of government jobs and understand the ecosystem and how that worked.
[00:13:58] So kind of when I started getting into that space, there was ignorance involved in my part a lot as I tried to understand it.
[00:14:07] And then as I tried to make changes to how I was implementing and doing things, Excel and those other types of things were infinitely more complicated and difficult because there's so much spider webbing that goes on from your system security plan.
[00:14:22] And having that connectivity and knowing exactly how it ties together in the tool is massively helpful because then you can feel a lot more confident that as you're changing something that not only if you do it right, it could change appropriately in those other areas.
[00:14:38] Or you know where to go to make those changes and do it with confidence knowing that you haven't compromised with just one simple addition of a few words, your posture.
[00:14:48] Right? That you don't want an auditor to find out.
[00:14:51] Those are one of the things that man, just as I started doing, I'm like this is not cutting it.
[00:14:55] Like just pure Excel editing for us just wasn't doing that because we were constantly learning and evolving and changing how we were doing things.
[00:15:03] And as a managed service provider, you have to think about scale.
[00:15:06] Right? So you got to think about how you can scale and do that with multiple clients and track that with multiple clients.
[00:15:13] And that's also another area where it's surely really challenging.
[00:15:18] If you're a service provider, the challenges multiply because you don't offer a different service to all of your clients.
[00:15:26] Yes, you're going to interpret your service a little bit differently for each client situationally, but you're not going to use radically different tools and radically different support methods for each client.
[00:15:36] And since you are part of the assessment as a service provider, you're now called an ESP, an external service provider.
[00:15:43] You need to be at the ready with your answers, not for one client, but you may want this once the system's up and running.
[00:15:50] You could have five assessments simultaneously underway and you could be asking questions about how you deliver service to all of those clients.
[00:15:58] And you just don't have time for there to be a radically different answer for all of those controls and the injecting.
[00:16:06] Imagine a week where you have like three to four assessments with a client.
[00:16:09] And it might not be that hard if you documented your service well and you've made your documentation a part of their documentation, which would be a trick in Excel or in SharePoint.
[00:16:21] But in a GRC tool, it's built for that.
[00:16:24] And I think the other issue is the controls themselves there.
[00:16:28] So back in college, they told us set theory where you have like an answer that is in this circle and you have an answer that's in this circle.
[00:16:36] And the reality is with 110 controls and 320 objectives, many of them are overlapping.
[00:16:41] So the evidence for this one and the evidence for this one, it may be the exact same evidence, just looking at a different part of the tools or the documents.
[00:16:53] But the fact is those two circles are overlapping.
[00:16:57] So I don't want to support this one and this one separately.
[00:17:01] I want to support them both together and compile that same evidence and make it available to the assessor together. Again, do anything in Excel formulas.
[00:17:09] But that's not your life. Your life is to be a supplier, building Excel formulas, assessments.
[00:17:16] That's why we have GRC.
[00:17:18] Well, so let's switch gears a little bit.
[00:17:21] And we've sort of talked about why we like GRC tools.
[00:17:25] But what would you think that someone would want to see that that maybe a punchdown list of things that you're like, OK, if you're considering a GRC tool, these are the things that you would want to ask to know that they have these meeting your needs.
[00:17:41] And if you're not asking these kinds of questions, you could find yourself possibly painting yourself an answer.
[00:17:45] I'll answer the question first from the perspective of a contractor and the supply chain.
[00:17:51] So if you're a contractor and you need to document your clients, there are some things that you need.
[00:17:57] First of all, an assessment is a combination of three things.
[00:18:01] Examine: they're going to examine your documents because your documents are basically management telling the staff what they're expected to do.
[00:18:10] It starts with policies and then you have procedures.
[00:18:13] You might have lists of things. You have other things that support the policies.
[00:18:16] So examine is about a third of the assessment.
[00:18:19] Then there's test. Then there's, sorry, interview, which is the assessor comes and asks you questions because the documents may tell a very rosy story of how things work.
[00:18:31] But they want to talk to the actual people and decide, as assessors, are these documents telling me the true picture of how this business operates.
[00:18:41] So they will talk often on each objective or each control to the person in charge.
[00:18:48] So our particular product, we use the RACI model.
[00:18:51] So the A in RACI means who's accountable.
[00:18:55] So it's who's in charge. The assessor's trick, if you will, is to ask some of the doers to support the person in charge the same questions that they asked the person who is in the A.
[00:19:07] So if you're the CIO, you're the A.
[00:19:10] You're in charge and you're accountable to the rest of the management team.
[00:19:14] And maybe you have three admins, one that works for an MSP and two that work in house.
[00:19:19] So those three are the responsible people.
[00:19:22] They are responsible. That assessor wants to talk to both sides of that equation.
[00:19:26] They're probably not going to talk to every single responsible person, but they would like to talk to any one, maybe two of the responsible people.
[00:19:35] Now, there's nothing stopping them if you direct them to the responsible and accountable people from asking a random person.
[00:19:41] But the reality is with an assessment, they don't have time to just ask people who don't have some sort of knowledge on a topic.
[00:19:49] It's just like hitting a brick wall. There's no reason to continually bang your head against the wall.
[00:19:53] So part of the trick and part of why you would use a GRC tool is you want to identify who are the A's and who are the R's.
[00:20:02] What are the documents? You want to identify and have in one place all the documents.
[00:20:06] And since the documents tend to blossom over time, once you kind of get into it, you start to realize I can't get away with the 12 documents.
[00:20:16] I need the procedures that support policies. Oh, and these are both supporting to list.
[00:20:20] Those lists have to be updated once a month or once a quarter or once a year.
[00:20:24] So I need copies of those lists because I got to prove that I've been doing this right for three years.
[00:20:28] So you have a whole bunch of documents. With the GRC tool, what you can do is, let's say you have 250 documents, but you're on control 3.2.1.
[00:20:40] And we don't need all 250 documents. We need three. Right.
[00:20:44] Do you really think that is cost effective for the assessor to meander through your list of 250 documents to pick out which one to open?
[00:20:52] Or can we just say, hey, this is the stuff that's relevant to 3.2.1?
[00:20:56] That's the second thing that your GRC tool will do for you.
[00:21:00] The third thing is the test part. So it's examine, interview and test the test part.
[00:21:06] So for all those people who think you're going to give logins to the assessors and they're going to just go wild on your system, that's completely not true.
[00:21:14] That is not how it works. What they will do is they will read your documents, they will talk to their people, to your people, and then they'll say, okay, let me see how it works.
[00:21:24] And they'll stand over their shoulder virtually or in person and they'll say open up the Active Directory and show me the list of users.
[00:21:31] This is a nice example. It's very easy to wrap our heads around.
[00:21:34] And show me your 941 from last quarter. Okay, the 941 lists 12 people in this company.
[00:21:41] Are there 12 people or less that have access? Or are there 14, 15, 16 people who seem to work for the company but actually they left the company quite a while ago and they're going to compare.
[00:21:52] So by doing the test, you can also narrow the focus because you'll say these are the tools and services that you should be looking at, Mr. or Ms. Assessor.
[00:22:02] And these are the, you can use this for inspiration as to how that test validates that we're doing everything correctly.
[00:22:09] Yeah, and that's going to be dynamic in your organization.
[00:22:15] People do come and go.
[00:22:16] As you come and go knowing how you got to do that.
[00:22:21] And then if it's a critical document and the owner of that company, of that document is no longer at the company.
[00:22:28] Not only do people come and go but responsibilities change and they change all the time.
[00:22:33] Right. And people leave absences, people have kids, all sorts of things happen.
[00:22:39] So that's always changing. And so this is not something you do once every three years, it becomes a new way of life.
[00:22:46] And that's the culture change. We're going to write down what we do as it happens.
[00:22:50] We're not going to play catch up and distract the company three years from now when it's time for a new assessment.
[00:22:56] We're just, I mean, a good and well functioning GRC tool is something that you're kind of ready for an assessment all the time because you're just capturing this flow of activity.
[00:23:06] That's a good point.
[00:23:07] The perspective of a service provider is actually kind of different from the perspective of a contractor.
[00:23:14] So from a service provider, whether you're actually an MSP or an MSSP providing managed services or security services or just somebody who's providing advice, we can take the case of somebody who's just providing advice.
[00:23:27] You're not going to provide random advice every single time, which you have done if you're in a position to be a consultant of any of those types.
[00:23:35] You have gained a certain level of expertise. You've taken classes, you've become certified and you have probably the most important thing real world experience.
[00:23:43] So you're not giving impractical advice, you're giving practical advice.
[00:23:47] What can a well run GRC tool do for you?
[00:23:53] Well, one of the things you can do is instead of starting out from scratch every time you have a new client, you can start out from the best of your expertise being embedded in it.
[00:24:02] Either embedded forwardly into the GRC tool, meaning like the answers are done in advance or they're easily accessible so that when you get to somebody and you've seen that situation before a couple of clicks away and you're not writing as a fresh instance.
[00:24:18] You're not writing three paragraphs that you wrote two weeks ago at your old client.
[00:24:23] You're kind of starting and then you're editing it and customizing it.
[00:24:27] That efficiency is really important for two reasons. One, yes, you're a service provider.
[00:24:33] You want to make a profit. You don't make a profit by typing the same paragraph every single week when you go to a new client.
[00:24:39] You need to be more efficient than that.
[00:24:42] And also we are all human. So even if we know that advice, we know it cold over time.
[00:24:48] The reason pilots and airplanes have checklists, they know how to fly a plane. They know how to get it ready, but they still go through the checklist because they don't want to forget anything and crash the plane.
[00:24:57] And they're human. So a good GRC tool gives you yourself as your strongest and best resource and puts that resource out in front of you as you're working with your clients.
[00:25:10] So you're looking for a library of your old work. You're looking for a way to get started with the old stuff and then just customize it and other little benefits that can be built into a tool so that you're not in the same place.
[00:25:27] And then taking it from scratch every time you get a new, you're going to end up with a higher quality deliverable in that case.
[00:25:33] In my opinion, I think you can measure an MSP's or MSSP's understanding of CMMC compliance and the DIB space by probably one of the most important factors, which is how much are they going to already have ready for me?
[00:25:54] When I say yes to doing business with that organization, how much are they going to try to help satisfy with me based on their already existing like you're saying processes and templates and pieces that they know that this is how they operate within reason.
[00:26:09] Obviously with flexibility, because not everybody's the same. But boy, that's a tough challenge, and an organization that understands that challenge and embraces it fully tries to help their clients get there as fast as possible by completing as much of the work that they need.
[00:26:24] As much as they can for the client when they just sign on the dotted line. All they have to do is say yes to the implementation projects of those pieces and having a GRC tool that allows you to do that type of collaboration and helps propel you more efficiently down that road.
[00:26:40] The better that's going to be and I would add one more thing on there is you want to if you're looking at a GRC tool, you want to see that they have an evolution that they are continuing to move the curve as a tool.
[00:26:53] That they're not a stagnant solution that you want to if you're looking at one you want to look and see the evolutionary journey and how well they're changing because there's things that are happening right?
[00:27:05] The proposed rule some of those things came in that we weren't knowing about like security protection data. That was a little bit interesting. We'll talk about that a little bit later.
[00:27:13] What about you know some of the things like for example the FedRAMP requirement memo that came out about what they said if you were equivalent, what does that mean?
[00:27:24] Different things are happening in the ecosystem that are going to impact your GRC tool, and you have to be able to see Rev 3 of 800-171A.
[00:27:36] How is your GRC tool going to address that? Those are things that I would before I picked one I would want to see their approach and understand how they're doing because what you don't want to do is get a good product that looks good right now but isn't really developing.
[00:27:51] And as you can tell in the ecosystem it's still very much in its infancy. There's a lot of evolution and maturity that still has to happen. I mean we're not even officially doing real certifications yet.
[00:28:02] So what we know today is definitely going to be molded in the future.
[00:28:08] Absolutely true and I think obviously it has to evolve. So one of the differentiators that you'll find out there and I think that we're just talking about GRCs in general but many of them and I think the ones that you may have the most trouble supporting in the same way that you can't really manage an Excel spreadsheet and do this in the long term.
[00:28:29] If your GRC tool is essentially an online version of that spreadsheet, say you're doing it in Smartsheets or using the browser based version of Excel so lots of people can collaborate and all that.
[00:28:41] That's still really not enough to do the trick here because if it's just a list of controls what you're doing is you're putting in the information. It's like you literally look at the first control.
[00:28:50] You brainstorm it. You type it up. Maybe somehow you've got the service providers information and wisdom in there. Okay great. And then you do the next control and you're starting from a blank page and you're brainstorming again.
[00:29:05] Now imagine we get to 800-171 R3 where many of the controls are going to be similar. We already know from the version they put out there that the form and format of them is going to be different.
[00:29:18] So it's not going to be a one-to-one on very many of the controls at all. Therefore there's going to be a new interpretation.
[00:29:24] So a proper GRC tool is going to help you sync the evidence from similar controls the old way with the new way.
[00:29:32] Or is R3 just going to be that they took a spreadsheet and they uploaded the new controls and they say go to town? Our tool handles that too because you can start over from scratch.
[00:29:43] So certainly our goal is to not let people start over from scratch but also not get too carried away and say if they did change the wording on a control, the final decision on whether you're compliant or not is going to be yours.
[00:29:56] So we're not going to over promise but we're going to do enough of that evidence support. Who's in charge of a similar control in R3 versus R2? Probably the same people right?
[00:30:07] So we can help there but we can't give you the final answer. Many of these products that don't really have those underlying connections, that's something that you can be looking out for when you're trying to differentiate.
[00:30:19] How do you add evidence? Do you do it one control or one objective at a time or do you have some way of operating involved? And that's probably a good question to ask.
[00:30:28] Right. Yeah, you definitely need to have a good hand around that. It's not just I think that'll do. Let's just make it work like you really need to think about all of those very complex questions and make sure that you feel a level of comfort that you have them answer before you make that decision.
[00:30:47] And I think that is it can't be stated enough that you want to do that because there's a lot of snake oil out in the industry, sadly, that I have seen. And I have fallen victim to it in the past and it could be expensive in time and money.
[00:31:05] And you really want to think and make sure that you're making the right choice. So hopefully these things that we share will provide some guidance. I want to shift gears to a more heavy hitting topic to some extent and that's security protection data.
[00:31:20] So for some that may not know what that is and the proposed rule that came out late last year, it talked about a new category that until the leaking from Ohio, nobody knew about.
[00:31:32] And it's called security protection data. If you do a search for the 800-171 and 171A documents, you will not see any reference to security protection data in there.
[00:31:43] It's something that has been defined by the rule that has been proposed and it could be interpreted that it could be a challenge for someone who's utilizing a GRC tool and kind of to kind of satellite view perspective security protection data.
[00:31:59] So security protection data, what it basically is, the DOD's attempt just for people that are listening is that it's the DOD's attempt to try to make sure that the data that me as an MSP is collecting, it may not be controlled unclassified information, it's still sensitive.
[00:32:17] So they want to make sure that that data is is being encompassed in the assessment and that it is being protected because it has very sensitive information that could be leveraged in a threat attack.
[00:32:30] It could be utilized to aggregate information to get a comprehensive understanding of things that they don't want to have happen.
[00:32:36] So they created this security protection data, but a GRC tool definitely has sensitive information. How do you see GRC tools handling that? What are the challenges? I'm just really curious your opinion.
[00:32:49] Let me get back before we dive into the details. The whole CMMC thing came about because we saw our adversaries taking our competitive advantage when we built a bomber.
[00:33:04] And the Chinese could build it in half the time. It took us 20 years, took them 10. I forget, but figure $20 billion took them 10. Whatever the actual numbers are, they were doing things in half the time.
[00:33:17] And how were they doing it? Because they were getting to our controlled unclassified information and taking all the little pieces together that went into the plane or the tank or the truck or whatever it is or the radio that we were building.
[00:33:29] And they were able to catapult and catch up to where we were. And that's why sometimes their airplanes may have down to the rivets the exact same pattern because it's everything they could see and they got to our plan.
[00:33:45] So along comes CMMC because we're going to do something about that. So now if we secure the suppliers and they are going to jump, okay, the supplier is secure, but maybe the data also is secure.
[00:33:58] And maybe the data, all the log files that are passing through your network can be combined with other information that is not so well secured. That's why FIPS is in there so that data in transit is harder to grab as it's passing through the internet.
[00:34:14] So if they're going to infer the answers first by looking at the suppliers as a whole, and now we're locking that down, the next challenge is, well, let's just get all the log data and we can figure out a heck of a lot from the log data.
[00:34:26] We can figure out what they're using and then at least we can figure out the targets. So if company X doesn't have a relationship with me, I know something that company X is probably not somebody I want to target if I'm the adversary.
[00:34:40] But if company Y has a lot of log traffic and I'm talking a lot to them and I do one thing, I make it as radar or do I do something, then company Y is definitely part of it.
[00:34:48] And now I have a target. So the government has correctly said we can't just be carefree about the security protection data because from that data, we can infer a lot of information about the data that's being protected.
[00:35:02] Does that make sense, Bobby? Okay. So if we accept that there's legitimate reason to worry about it, if you're taking a GRC tool and you do what I think you should not do, which is take all the data that you're using,
[00:35:18] that you're talking about in these controls and put it in the same place as the description of how you're protecting that data, because that's what a GRC tool is. We have the 110 controls and we are describing to the government or to the assessors,
[00:35:32] how do we protect this CUI data? So if we're going to not only put our description of how to protect the data and then also put the data in there too, because it's convenient to knock out reports from that or something like that,
[00:35:45] that's probably not the best idea. And in fact, before I have a government contract, the data and even my system security plan, that's my company confidential information.
[00:35:57] And in America, the government doesn't get to come into a private company unless they have a contract with that private company or flow down, which is indirectly a contract with the company.
[00:36:07] And then on the right to come in, there's a bakery across the street. Government doesn't come in and ask them for their data logs or any other information because they have no business doing it and they have no regulatory right to do so.
[00:36:20] So the GRC tool is currently an out-of-scope asset. If you choose to put security protection data in there, the government can suggest that it should be treated as if it's CUI, but they can't actually make you do it as if it's CUI because they don't have the regulatory authority
[00:36:36] to do that because they don't regulate the GRC tool. Now, should they regulate GRC tools? That's a different topic and I strongly believe that they should. And that all GRC tools, because they are a consolidator of system security plans across multiple suppliers,
[00:36:53] should be stored in IL-4, IL-5, highly regulated because it is a consolidator of information that is valuable to our adversaries. So far, I don't think our government has paid attention to that risk adequately.
[00:37:07] So the GRC tools are kind of left out of the regulation. They're out-of-scope assets. The recommendation, for the reasons I stated earlier, don't put your SPD in there. Store your SPD in a nice secure location that is going to keep that location distributed and separated from your confidential system security plan, which is how you secure it.
[00:37:30] Now, sorry, I should pause. Does everything I say make sense so far? Okay.
[00:37:37] Yeah, I think some auditors may have different opinions on those types of things, but I'm tracking the system security plan when it's finished is still not CUI. However, if you take a copy of today, today happens to be April 8th as we're recording this.
[00:37:54] If I take a copy of the plan and I give it to my contract officer or as part of the audit process, they are empowered to declare that as CUI. So that version of my SSP is CUI. Now tomorrow I could have a big project going on.
[00:38:08] That's back to my confidential information. They don't have control over what I do tomorrow in my company or the next day. And there's just no authority right now to do that.
[00:38:18] There are a couple of exceptions inside of government where that system security plan that belongs to the contractor is automatically CUI. We're not talking about those cases. So.
[00:38:27] That so as a CEO of a company that produces a GRC tool, we have choices.
[00:38:35] One of the things is this is a somewhat nuanced conversation and honestly, I'm not a lawyer. I'm not a regulator. And so in 2021 when we realized that we were a consolidator of system security plans.
[00:38:50] Without being prompted by anyone, nobody's even talking about this. SPD didn't exist as a term as far as I know in 2021. We moved our product from the commercial cloud to AWS for government.
[00:39:03] There's a similar product from Microsoft Azure for government. So we pay about a third more every month to make sure that all of our data, regardless of whether it's confidential or public or controlled.
[00:39:14] We don't accept controlled and classified information, but the system security plan, all that data has been in the GovCloud. Now that this is a thing, we have started on our journey to be FedRAMP moderate equivalent.
[00:39:26] And there's been a lot of noise about equivalency and that's all going to play out in the next few months. But we are in a 12 to 15 week plan where we should be listed as FedRAMP moderate equivalent under one of the listings in the marketplace by early summer.
[00:39:43] And for me, because the regulation hasn't caught up to the need.
[00:39:49] This is about making sure that people feel comfortable putting their data in our tool. And if talking about SPD is a big topic of conversation, we're going to have that FedRAMP moderate equivalency.
[00:39:59] I can't answer for other GRC tools, but we're doing that. I think that it would be absolutely appropriate. You asked this question, but I think it would be absolutely appropriate for government to say that all GRC tools need to be FedRAMP moderate and government should also be moderate.
[00:40:19] And that should also create a path where we can be authorized as FedRAMP moderate, not equivalent. But we should go through the same process that our contractors are going through in order to and if it requires passing a law so that they get the authority, we have a Congress and Congress should pass laws.
[00:40:35] But if I'm going to take a thousand system security plans and put them into one AWS GovCloud, Azure GovCloud, or maybe the government should be making some resources available to us that are secure.
[00:40:48] Those tools that consolidate system security plans should absolutely be required to go through the same things that the suppliers are about whose data it is.
[00:41:02] Right. So.
[00:41:04] Yeah, I think that's a really good point. The comment that I made that some assessors may feel a little different. It's not a knock on the fact that I think that what you're saying is right or wrong.
[00:41:16] It's that people have different opinions and I think it's really important when you are picking your C3PAO that you're going to go through that you're transparent about what tools and things that you're utilizing and how they function and work.
[00:41:28] Because if you happen to run into an auditor that may have a different opinion about it, you want to know that now upfront before you're in that audit process that you want to make sure that they're on board from those perspectives because those are things like when the auditor is, how are you going to allow the auditor,
[00:41:47] if at all, access to your GRC tool? Those are things that you really kind of want to make sure that you're on the same page, clarify, and they haven't really clarified. However, we're in the, we're in the comment area on the CMMC regulation and there were tons of comments.
[00:42:04] Tons of comments. So for a little bit, we all need to be a little bit patient here. It was originally 750 comments after duplication and deciding what was irrelevant. They're actually going to go through 300. I think it's 368 comments.
[00:42:20] And that's going to come out the next few months and hopefully we're going to get more clarity. It shouldn't be a matter of opinion of anybody's opinion. It should just be clear.
[00:42:30] Right now it's going to be and I agree. I actually have faith that there's enough people talking about this that we are going to get some clarity from the government. I can just tell you that from my company's point of view, it's a huge investment to get better at moderate.
[00:42:45] But we decided as, as we fall out, fall into the pattern that we've already been in that if that's the assurance that people need, then that's what we're going to do. Whether the government is making us do that or not. We think that people will value that and we expect to deliver that.
[00:43:01] Well, I think it's you sort of touched on something that I think is really important that also affects MSPs and MSSPs and whatever term you want to use for ESP. But the.
[00:43:12] The reality is because of some of this ambiguity that we're dealing with, I think is a part of the reason why you're not seeing as many vendors as well as MSPs like myself trying to step into that space because there's still things that are being defined and patience is required.
[00:43:27] And when you're trying to run a business, patience should not necessarily be the determining factor of how you invest money.
[00:43:33] I mean, you want to be like, hey, if I have to have this money that I'm going to be investing when you have the risk involved with being patient about whether or not the industry is going to go the way that you think it could be financially challenging to do that.
[00:43:49] I would suggest challenging to look at it through a lens of 90, 10, the old 80, 20 rule. 90% of this stuff isn't changing at this point. Right?
[00:43:59] So they made it clear that service providers who have CMMC level 2 clients will also have to be CMMC level 2. We know that that process takes 12 to 18 months typically.
[00:44:12] So you don't want to be sitting on the sidelines if you're a service provider going like, I wonder about this last little thing about whether this cloud provider that's going to get worked out.
[00:44:20] That's in the 5 or 10%. That's still uncertain. We have a comment period that's going to bring that forward.
[00:44:25] But don't use that as an excuse to sit on the sidelines because what's going to happen is you're going to lose business because the ESP is going to have to become CMMC level 2 certified to serve CMMC level 2 clients.
[00:44:37] Those clients are going to be waiting around while you go through your 12 months.
[00:44:40] So whether you're a supplier or you're a service provider now is no longer the time to be sitting on the sidelines. It's really clear where this is going.
[00:44:50] And yes, companies that were not kind of included in the first rollout of the regulation like a GRC tool.
[00:44:58] We had some uncertainty as I shared my decision with that uncertainty. Everybody else will have to share their decisions.
[00:45:05] But there's a heck of a lot less uncertainty if you're a supplier or if you're a service provider.
[00:45:10] So I don't think now is the time to wait. I think now is the time to decide to stay in or get out.
[00:45:15] If you're a service provider, you don't want to be in.
[00:45:18] They're going to be I like to call them mission critical service providers, people who understand this, who are who are going to get trained, figure out what they need to do and build their expertise into their service delivery.
[00:45:31] And then there's going to be the other thousand service providers to decide to enter this market and make a relationship with somebody you can give referrals to back and forth and just get out of the way.
[00:45:42] So just decide what you're doing. That's what I think people should be doing right now.
[00:45:47] Exactly right.
[00:45:48] Fish or cut bait.
[00:45:49] Either you're fishing or you're cutting the bait and hand it to somebody else because that's really what it comes down to.
[00:45:56] And I think part of the other challenge, especially for MSSPs and MSPs is in our ecosystem we've grown up having a lot of comrades that we can go shoulder to shoulder with that have a lot of experience in that industry knowing what right looks like.
[00:46:12] But then when you go with the CMMC program, like exactly what right look like there's we're down to a much smaller percentage now of what we're trying to get determined.
[00:46:23] But there isn't that shoulder to shoulder camaraderie that you're used to having because it's so new. There's a lot of infancy about of that.
[00:46:31] There isn't lots of peer groups that have been doing this forever that you could turn to that could kind of explain what right looks like about how to implement and work in this.
[00:46:40] This is all sort of becoming relevant and defined as time is going on.
[00:46:47] And I think it just creates some interesting challenges and I just want to say thank you for stepping into space as a GRC tool.
[00:46:54] And that the midst of some fear and swinging as hard as you can.
[00:47:00] So thank you so much for coming on and sharing with us.
[00:47:04] There are a couple of groups that people might be interested in.
[00:47:07] If you're a service provider, there's the CISC forum.
[00:47:11] There's a C3PAO forum for people who are becoming assessors.
[00:47:17] And there is a new group formed and you can find it online called the MSP Collective.
[00:47:21] So all of these are groups that have sort of a they're all in it for the same reason.
[00:47:27] And that camaraderie, it's starting to appear these groups. We support them and we see meetings that can typically weekly meetings that could have 40, 50 people on them.
[00:47:40] And we're all trying to figure out where the uncertainty is and resolve that uncertainty.
[00:47:44] So you shouldn't feel alone if you're out there.
[00:47:48] We're all working together and we're going to secure the supply chain for the warfighter who's at risk every single day.
[00:47:56] And we can do higher purpose for them what they can't do for themselves.
[00:48:01] We can support secure their supply chain. Thank you very much.
[00:48:07] So anyway, I'm very grateful for having the opportunity to speak with you today.
[00:48:11] And I really appreciate what your company does and the tremendous effort that's happening all over the country to secure the supply chain for the warfighter.
[00:48:21] Thanks very much.
[00:48:22] Well, thank you all so much for joining us today.
[00:48:24] And as always, keep on fighting.
[00:48:27] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:48:32] We hope you guys enjoyed today's episode and listen out for the next one.
[00:48:36] Until then, keep on climbing.