Defense Department Expert Katie Arrington Discusses Cybersecurity


Katie Arrington, the Defense Department’s chief information security officer for the office of the undersecretary of defense for acquisition, joins a panel discussion on cybersecurity maturity model certification compliance at the Hack the Building Control Systems Cyber Conference, Annapolis, Maryland, November 17, 2020.


Transcript

[…] a holistic and continuous lifecycle event that never, ever stops. I’ll tell the audience here, we’re going to be talking about the Cybersecurity Maturity Model Certification. We’re going to be talking about DFARS 7012, the general rule, as well. And why would we mix that topic in with control systems and facility cybersecurity? What are you going to do, cyber resilience? As I was saying earlier, it has to be a holistic approach. If you just do IT, someone’s going to hit you in your OT or your control systems. If you just do control systems, someone’s going to hit you in your IT and your IIoT. So a lot of the systems, a lot of things that we ignore: we’re going to protect manufacturers, protect the supply chain. As Director Krebs said this morning, clearly, to our audience, those things are happening in facilities. If we’re going to secure the defense supply chain and factor in any standard, you must pay attention to all of the systems, the potential vulnerabilities that could impact either a Department of Defense component or an actual supply chain. Remember, you have an exciting panel. You have a couple of people that are missing on camera; they may drop in. Who knows, with all the stuff going on this week at the Department of Defense and the government? Well, I talk at a number of different events. I think we have the right set of people here to talk about what the state of affairs is today, where we’re going tomorrow, and why. You should be, considering we put together a panel of practitioners that have been dealing with the advent of DFARS 7012, NIST, and preparing not only the Department of Defense but contractors in the supply chain for compliance, but also the folks that are part of the policy here. So with that, I will kick this off, and I’m going to introduce a man that I have worked with very closely. He’s kind of like the boss in certain aspects of what I do.
Deputy Director Shannon Jackson from the Department of Defense’s Office of Small Business Programs. I’ll let him tell you a little bit about his background. Good afternoon, Shannon. Thank you for joining us.

Hey, thank you, Armando, and all of the panel guests today, and MISI for hosting a tremendous event. I’ll tell you, this is my second panel today. One was a little bit earlier, but all well, all well, to have a panel like this to really help, really provide key information to our department, our workforce, our industrial base, just to give them where the department is going, and then some of the resources that are out there that are critical to help this change. Just a little bit about myself: I work in the Office of Small Business Programs at the Department of Defense, or DoD level. We’re responsible for really helping the industrial base, the small business industrial base, be a part of the DIB. And one of the efforts that we have really taken on tremendously is a cybersecurity initiative, with some of the things from Congress directing some statute down about two years ago, really helping us drive towards trying to educate our workforce, educate our small business community, and then help drive change. And then, oh, by the way, you know, my partner Katie Arrington has been really instrumental in the CMMC rollout, and really pushing something that is well needed for the department and well needed for our industrial base. So I welcome the panel, welcome the discussion, and look forward to the questions and answers. Thank you.

Yeah. Steve here from Verizon, tell us a little bit about Verizon. Verizon is one of our sponsors here. I’m going to tell you that the massive internet connection that the hackers were using to get into cameras, and yesterday they got into the access control system, and they’re trying to do a bunch of stuff, is provided by Verizon.
So thanks to Verizon for helping the Department of Defense and the nation understand this very critical thing. Steve?

Armando, thank you very much. I appreciate you having us on, and yeah, the types of things you’re talking about are the things we see every day, right? The attack surface for cybersecurity is not just limited to the manufacturing base. It cuts across the entire set of services. So as we see more and more things as they’re getting bolted down and being used on the mission side as well as on the administrative side, they become an attack vector, whether, you know, it’s manufacturing or a piece of software. And we’re seeing that actually get elevated now as DoD is really starting to move more towards as-a-service. We integrate a lot of things, right? Manufacturers, software partners, small business. They are an important part of our ecosystem. And so I’m excited to be on this panel because I’ve got some questions for Chris and Shannon that they’re probably completely unprepared for. So I’m looking forward to having that dialogue and ensuring that what we’re doing as we move forward is also, you know, supporting the DoD in the mission space. So thank you.

I want you guys to talk to each other and have it be an exchange. That’s what we have: a combination of industry, MEP, Department of Defense, and the audience can hear you guys talk amongst yourselves about what’s important and how you guys are looking at the problems. So I’m going to go to another gentleman I know really well. I’ve gotten to know Chris Newborn from Defense Acquisition University. Chris?

Yeah, OK, thank you very much. I’m definitely very excited to be part of this panel, and again this is something that I, and I have another partner too, Paul Shaw, that I teach with, but we’ve been down this venture probably about five years ago, and the whole thing was really to utilize
the, you want to say, touch points of Defense Acquisition University. So I am a member of the DoD acquisition and cybersecurity workforce, and I was appointed as a professor of information technology, really emphasizing cybersecurity. And this is the whole purpose of why DAU put this team together: it was really to help develop curriculum, teaching and consulting the members of the acquisition and cybersecurity workforce who are responsible for acquiring, deploying and maintaining cybersecurity capabilities and defending, building network systems and data. One of the things that we have, a uniqueness at DAU, is that we can link government, industry and academia, and to utilize all three of those particular avenues will allow us, enable us, to come up with a standardized training, you want to say, package or training methodology and strategy. And the key thing is to make sure that as we take a look at things from a strategic standpoint, operational standpoint and tactical standpoint, to make sure that all entities in regards to government, industry and academia, as well as taking a look at our policies as they’re developed and employed by OSD, and make sure that we incorporate them, implement and execute, and we make sure we do it in the most efficient and cost-effective manner. So that’s the key thing. Everybody talks about cyber. I’m probably the most anti-cyber person, because I want to make sure that the infrastructures are there and make sure that we teach, but also to make sure that I’m not doing anything that is outside the line in regards to what OSD expects, but also to make sure that we support our acquisition workforce as well as ensure that the defense industrial base is enabled to meet our expectation, which is the bottom line: to protect the information.

That was a great introduction, and, you know, that’s why I listen to all your lectures in your classes.
I mean, you’re dealing with this subject at a really intimate level now. One of my new friends that I was introduced to from the MEP, Jennifer Kurtz from, you’re in Colorado, right, Jennifer? Somewhere. Right. So I’m going to go from the great state of Colorado, which I’ve never been to. I have been invited, like, a thousand times. The Air Force just asked me, "What do you think?" I don’t want to ski. I don’t want to shovel snow, you know. I told them I would see them in the spring. But Jennifer, tell us what you do. There’s Katie. Look at that. I told you she pops in. I’m hitting it right out of the sky. So Jennifer, tell us what you do in the great state of Colorado with the Manufacturing Extension Partnership.

Okay, thanks. I’m cyber program director for Manufacturer’s Edge, which is the Colorado MEP center. And Colorado has actually been recently designated as a satellite center under a DoD grant. That means that I get to help the MEP centers; I’m designated to help those in the Rocky Mountain region specifically. So that’s Colorado, Utah, Montana, North and South Dakota and Wyoming. And then I also get to work with others across the network. Celia Paulson from NIST MEP has asked me to work with different MEP centers. I work with clients to get them in conformance with the CMMC, and also to follow NIST 800-171, and also to make sure that they’re compliant with DFARS 7012. And one of my major efforts is to demystify cybersecurity, because I think there’s so much wrapped around, you know, these obscure terms, and it’s a way of separating. So it’s a way of containing and keeping cybersecurity in the IT department, whereas the cyber resiliency that is required, that is really needed by the DoD to maintain our national security, really depends on that coordination, that partnership between the OT and IT worlds, and the recognition that cyber risk is a business problem; it’s not just an IT problem. So this is some of what I get to talk to people about, and how to bring analogies into play that make them more real, like, you know, network segmentation. People go, you know, if you’re a manufacturer, "I don’t want to know about that." I said, well, think of your house. Okay? You’ve got rooms for different purposes within your house. And that’s the kind of thing I get to do. And I just want to thank you for letting me be part of this panel. I love seeing Chris, and I’ve been his student multiple times at DAU. Yea! And also my colleague Gene from Indiana MEP, I want to say Purdue MEP, and it’s just a thrill to be here. I work as a consultant also with the Small Business Development Centers in Colorado. So I get to work on multiple levels, and work closely with the PTAC in Colorado, because it’s a team sport. Cyber is a team sport, and I love being on the team. Thanks.

We’re building, and I’m happy to be able to count on this team as a brain trust of information as we go across the nation supporting the Department of Defense with this very, very important mission. You know, we’ve been at it now for a couple of years, and you guys have just been incredible to rely on, to get information from, as we’ve been going across the country. It was great meeting you, Jennifer. As soon as I heard you, and you and I talked for a number of hours, I’ve got to have her, you know. Any friend of Gene’s is a friend of mine anyway. So, you know, Gene and I have been going across the country to the different MEPs, and it’s been fun. We’re learning a lot. I’m going to go over to Tony. Introduce yourself, sir.

Armando, thank you very much. I really appreciate it, sir. Just to give you a little bit of background, I work for in this technology.
And back in 2019, our company and a company called Full Circle Communications were asked to put together what we called Cyber Learning Labs. And essentially it was a pilot program to teach cybersecurity for unmanned aerial vehicle manufacturers. So we developed the curriculum. There was a five-week course, five-hour sessions, and the contract was put out by the South County Economic Development Corporation and Propel. And of course it was a grant from the Office of Economic Adjustment to the city of San Diego. So we did two cohorts, taught the lab, and it was amazing to me to see all the concerns, to learn all the concerns that small business has today regarding all of the requirements and the changing requirements. So the program was very timely. As I say, we had two on-ground cohorts, and lo and behold, COVID hit, and so everything came to a screeching halt. So then we were asked by El Camino Community College, under a CASCADE grant, to develop an online version of that training, which we did do at the beginning of this year. And the online learning is still five weeks, but we were able to split it into 2.5-hour sessions once a week. Once again we went out to small businesses, and it was amazing to me that when we sent out the invitation, within six hours of sending out the invitation we had over 40 applicants, and we were looking for about 18 participants. So there is a dire need out there for training for these small businesses. Going forward, the plan is, with El Camino College, planning to do at least six more online cohorts in 2021. We’re looking at doing a train-the-trainer to teach some community college IT instructors to also teach the curriculum. And we’re also working with CASCADE for other types of training that we’re going to be doing. But there’s a dire need out there for training for small business.
Certainly. Thank you very much. We talk about CASCADE all the time when we have our conversations, and what they’re doing out there. Obviously, CASCADE is part of the state of California, a huge state, right, so a big industrial base there. So a lot of heft out there that we have to deal with. So I know we have a lot of conversations about some of the initiatives out there and how they’re doing things. And Chris is also out there in California, in San Diego, so he’s pretty connected with that whole community out there in the state of California. So now, right before another one of my favorite people, I’m going to go to Eugene from Indiana. He and I have become tied at the hip with Purdue University and the Purdue MEP program. You know, while Eugene thinks, you know, he learns things from me and my team that are supporting him through Project Spectrum and a lot of the other things that we’re doing, I learn so much from Eugene and our weekly or biweekly check-ins, where we sit around and we talk about the real world, what’s going on with the manufacturers in the state. Gene is very connected to other MEPs. As Jennifer was saying, these guys have a network and they all trust each other, and there’s some brain trust out there, and Gene is definitely one of them. So, Gene, go ahead. And I’m sorry, I probably did too much introducing you, but let me let you introduce yourself, Gene.

Well, thank you for that, Armando. You’re right. It is a team sport. There is a brain trust out there. My MEP sister Jennifer, and learning from Chris Newborn; I really appreciate the leadership that you have with the technical implementation that’s really going to help small manufacturers in the field.
And of course the programs that Shannon’s introducing for small business, and the leadership that Katie has executed, really making an impact. I won’t repeat the things that Jennifer said about MEPs. You know, we’re Manufacturing Extension Partnerships; we’re focused on manufacturers, right? So we’re focused on that portion, that 30% that’s going to need CMMC Level 3 when we have conversations with them. And so that’s one of the services we provide, along with, you know, lean, quality, all the leadership, cyber. I’m the cybersecurity program manager, cybersecurity defense program manager, at Purdue MEP. I’m really looking forward to this panel so we can talk about the challenges that still exist, although there has been a Herculean effort executed nationwide, but really looking forward to diving into what those specific challenges still are.

Thank you very much, Gene, and I appreciate you participating in this. I know I have Thursdays with Gene, everyone, when I can make it. We have Thursdays where we chat about what we’re seeing out there in the field, in the manufacturers in Indiana that we’re working with, and in other instances. Again, Gene has been amazing. So, like, who doesn’t know this woman? She’s probably just the most exciting person in the government. She’s revolutionized the way the government’s looking forward. You guys are socially distanced here, and I’ve got a bunch of people with masks. I have a bunch of military people here. I was telling them about CMMC and that they’re probably going to have to comply within their individual agencies. Like, "We’re going to have to do that as well? Like, who’s going to make us do that?" Like, well, you just wait and pay attention and you’ll see. But here, so they’re watching here. Have you seen the tactical? There’s a bunch of military folks that are sitting here supporting this conference.
So without further ado, I’ll let her introduce herself. It’s the one and only Katie Arrington.

Thank you, Armando, and to all of you on the panel. I fell in love with CASCADE when I went to Navy Gold Coast and I had an hour or an hour and a half, and I think, Tony, you were there, the girl remembers, when we were talking. And this is really at the start of CMMC, right? It’s really not about a checklist, and CASCADE got it right. It’s about critical thinking. And with the MEPs, where did I go? It was a Saturday morning and I spoke at an MEP conference in Atlanta right before COVID, and I talked about what I knew about the machines, right, and where the vulnerability lies. And I talk to people all the time: it’s, you know, the adversary is working in ways to disrupt the supply chain. The easiest access point is to cause distrust within our own supply chain. And how do you do that? Well, if you have a Bosch tool that’s been out on the floor and it’s been drilling the same drill for, you know, 5 to 10 years, and the software patch, you know, it’s calling out to somebody you don’t know, and it’s coming in, and the specs, that little tiny nuance of a hundredth of a millimeter could be life or death, and the fact that it may not be picked up in a quality run, and then it gets put on a plane or it gets put into a nuclear warhead. That’s where the adversary is gaining, and we need to shut it down. CASCADE, what you guys are doing, Purdue, what Maryland is doing, you know, love Michigan too. There’s South Carolina, whoa, if I didn’t acknowledge my own state. But it is a team sport. There is not one of us that’s going to solve this alone, and it’s opportunities like this, where we can talk to each other, that we actually say, hey, I’m learning this, I’m learning that. The CMMC is great to have an adjudication baseline and a place to, like, get to. Yeah, but it’s about the critical thinking.
If you have a machine on your shop floor, right, what we should be thinking about is: is it connected to the Internet? Is there a way that the adversary can get to it? So how do we get the risk mitigation strategies in place at the time of relevancy for that small shop floor, the small shop? How do we disseminate that information to the network, right, so that our partners get it? And we have to, I cannot say this enough, it is a team sport, and "three" cannot be, should not be, a four-letter word. We have to open the comms and understand that the adversary is there. You know, when I say one team, one fight, it is literally one team, one fight. So all in, looking forward to this panel. Couldn’t say more about the MEPs. And I will tell you, the beeping you hear is the new Secretary getting ready to walk into the hallway that I’m at. So if it beeps really loud, it’s because he’s walking by.

All right. Well, like I was telling all of our listeners and folks who have been tracking the Hack the Building event, you know, we had General Nakasone talk about the importance of this, and the timing of this event, the fact that we’re giving the workforce the military theater. And then I was interviewing some graduate students from Johns Hopkins who, I didn’t realize, were deep into these problems, and they were telling me what they’ve been seeing in the world and the types of things that they’re studying relative to securing our nation through all of the different potential vulnerability paths. But this event is about control systems. And then once you get into the control systems and you get into the facility, I mean, as people started doing yesterday, we have CUI that our students from, you know, a senior military college put on different servers and different endpoints. And that’s one of the things that we’re looking to see,
if these hackers from all across the country, we have a socially distanced tent out there that’s many times bigger than that, and the red teams that are outside, and then we have the folks that are virtually coming into the event. As General Nakasone and the Command Sergeant Major were telling us on Monday, what, nothing better than, you know, fighting forward and fighting, you know, getting the real skill. And that’s what this event is all about. And a lot of people thought it was strange that we’d bring CMMC or CUI into the context. But as you’ll hear tomorrow when I have, I won’t announce him yet, but someone who’s the point at the White House is going to come over to talk to us about why this event is so important to the nation. You’ve heard General Nakasone. You heard Chris Krebs this morning talking about what his team has been seeing in the real world in terms of adversarial attacks and probes into control systems to try to get into DoD facilities and steal controlled unclassified information and other really important information. So that’s the importance of this panel, and that’s why we mixed it in with this event. It’s related. Again, you’ve heard our leaders in the last couple of days, senior government leaders, and you’re getting tomorrow why this all matters. It all matters. It’s a holistic approach to cyber, as Jennifer was telling us. So let me start out with this. Katie, let’s clean house really quick. The interim rule. I see all the forums out there that I’m a part of that I don’t have time to respond to or jump into the pool with all these folks. So the interim rule right now, I think, has a November 30th sort of date on it. But that’s not really the date that people have to comply with, right? Do you know? Can you say when they will have to comply with the interim rule?

Oh, yeah. November 30th. So, hey, everybody, if you’re not paying attention, pay attention.
If you have in your contract today DFARS clause 252.204-7012 and you’re looking for an award after December 1st, you’d better get on SPRS, the Supplier Performance Risk System. You have to register prior to contract award. You have to do a self-assessment on your implementation of NIST 800-171. You have to do that before contract award, starting December 1st, 2020. That is happening now. So if you’re on that and you’ve got CUI, right, controlled unclassified information, and you’re looking for a contract award, it’s happening now. There are three rules that spurred out of the 7012 DFARS clause. There’s the 7019, which is the SPRS self-assessment, right? Because I’ve been saying, whether it’s a secret or not, security is foundational to all acquisition. So I made security, we made security, foundational, right, with the exception of micro-purchases under $10,000 and COTS products. So, like, if you’re buying a software product like Microsoft Office, right, those have a different certification. That’s not the CMMC; the suppliers are required. So 7019 happening December 1st. The 7020, which is the second clause, is also December 1st. What that says is that if you rate yourself on that methodology that’s there on the SPRS link and you rate yourself medium to high, the government reserves the right to audit you on your compliance. So if you have a POA&M, a plan of action and milestones, I would clean it up now, because when they come out to audit, what they will do is validate what they see, and they can start issuing CARs, corrective action reports, right? So that starts December 1st. Now, the team doing those assessments is only about 50 people. They maybe get 80 to 90 a year done. We knew that in the DoD. And December 1st starts the CMMC, where we will start rolling it into all DoD contracts over the next five years.
The 15 contracts that, you know, I’m hoping my memo clears and I can tell everybody what they are. But they’re not small contracts, folks. It’s real, right? GSA STARS, Keith Nakasone at GSA is a luminary. He led the charge on that and why it matters to the MEPs, also to, you know, the infrastructure and the control, the industrial control systems. Ms. Lord, the Undersecretary of Defense for Acquisition and Sustainment, my boss, made infrastructure that transmits CUI compliant to the 7012 clause two years ago. And the reason why all of this is such urgency, why the rule did not come out as a proposed rule: the whole of government said this is so critically important that it’s going to be an interim rule, it’s going to come out, be published on September 29th and go into effect on November 30th, because the adversary is deeply entrenched. And I have some people that have said to me, you know, I make it seem like it’s really bad. It’s really bad. And why is it really bad? Because we didn’t think like the adversary, and we need to start thinking about that. The easiest way in: Occam’s razor. Thank you, Jodie Foster, for that movie Contact. I learned about that theory back then. No, no, that’s literally where I learned about it. What’s the easiest way in, right? What’s the common denominator? What is something that virtually every building, every machine, every power switch has? It’s an industrial control system. Easiest, right? Occam’s razor. All I have to do is figure out how to break into that. There are multiples of an industrial control system. If I figure out the way in on that, cakewalk, right? Our job as a community is to figure out ways with the most return on investment. The juice has to be worth the squeeze. So what are the things that we can do to buy down the risk significantly? And you think about it: the MEPs and the industrial control systems,
two easy access points that, if we could just get to common standards with each other and understanding of the risk, think of the world. And that’s what all these panel members are about, right? So the time to worry about the CMMC or the DFARS was three years ago, four years ago. Execute now.

Okay, that brings up a really good point that I’ve talked to a lot of MEPs around the country about. I’m going to bring in Gene. Gene, I hope you don’t mind me putting you on the spot, because we just had this conversation. You know, I’m working with Gene and Purdue. We have a number of key manufacturers in the state. You know, Gene is a student of perfection. So Gene and I didn’t know each other. We got to know each other. I told him about some things that we had. He goes, let’s put them to the test. He gave me a couple of manufacturers in the state. We started out with a small one. Then we went to a big one. And Gene, you know, sees what’s going on in that environment. And Gene and I literally had a conversation last week, the week before last, was it, Gene? The 7012 clause has been there since 2015. The deadline was 2017. Today, if Katie or someone were to come and knock on the state of Indiana’s door, how many, again, Gene, you answer however you want, how many manufacturers are going to be ready to upload into SPRS? And the ones that aren’t ready, why aren’t they ready? And that’s been the challenge that we’ve been dealing with on a state-by-state basis, that I’ve been talking to all the MEPs about. What has prevented them? What are the roadblocks? Is it budget? Is it resources? Is it training? So, Gene, I’m going to let you go. Then I want to give Jennifer a shot, because she’s in Colorado and she’s seeing some of this, and then we’ll expand the conversation. Go, Gene.

Okay. Well, thank you for that. I’m a Christian; I’m a student of Chris Newborn. So I think that really the issue is knowledge.
The MEPs, and I know that Jennifer has done this well, I’ve personally given three different hour-plus-long seminars just specifically on the interim rule in the state of Indiana. As a matter of fact, we’re doing one in the region now with Kentucky, Indiana and Ohio today, this afternoon. So it really is knowledge. So if I had, I couldn’t estimate, since we haven’t touched every defense manufacturer in Indiana, I guess I should use some precision in my language. I can say that in the 60 or so companies that are in the defense industrial base that we’ve helped with an assessment, my estimation is that less than 10 of them are on track to have a score of 110 by the end of this month. And I don’t think that’s really out of bounds with my other MEP folks that I talk to. And, you know, it’s a question: why haven’t they done anything over the course of the past three years? There’s lots of different things, and, you know, let me try to condense this answer down. They’re all patriotic, hard-working Americans who believe, who understand that there’s hundreds of billions of dollars at risk. They understand the technological advantage loss. They understand the Defense Science Board presentation or report from 2013 that says we may not be able to defeat a near-peer if we were to have a war and they have significant cyber capabilities. They understand all of that. But they have their own challenges, right? They’re not in business to do cyber. They’re in business to make a specific product. They don’t have the expertise in that area. Normally, at the smalls, there’s one person who’s doing lots of different things. So getting out of the IT debt associated with cyber takes a significant amount of time and a significant amount of money. Now, I realize that the assumption is that the starting point for the DoD assessment methodology and the CMMC rollout is that they’ve complied with NIST 800-171.
But they haven’t. You know, I’m still having conversations with small manufacturers about what is this NIST 800-171, what is CMMC, despite, you know, the dramatic efforts that the DoD has put into CMMC. In fact, after talking to one manufacturer for about 20 minutes about CMMC, he asked me, what’s in this NIST 800-171? That’s backwards. But anyway, that’s kind of the state of play. So I’ll just finish with this one last point: I know that we want to get them to transition, to make this a cultural change and a methodology of critical thinking. But we’re taking them from "just tell me what I need to know to make this right so I can continue to work and focus on these other things," to move them out of that space and into a space where cybersecurity is an integrated portion of their business venture. And I’ll stop there.

So Katie, one of the things I’ll tell you in my travels virtually throughout the MEPs, not that we’ve had everyone, but I think we’re working with almost 50 manufacturers, defense industrial base suppliers, across the country. I forget the number of states, but there’s a lot of them at this point. We’re starting to really look like an election map, as we’re starting to spread across the country. Many, many, two or three manufacturers in each state, and connected to MEPs. I have learned, with Gene, which is why I was asking Gene, is it just me, or why are these folks not ready after all these years? And why are they still struggling? And I hear all the stories, and I know they’ve listened to you. They’ve listened to Shannon. In many instances they’re still, as Gene will tell you, saying, "I don’t have the dollars. I don’t have the knowledge. I don’t want to be a cyber expert. I know I have to do this, but can you guys give me some help? Maybe more time?" Isn’t it?
That’s why I asked you, Katie, about the deadline, because some of them are saying, they’re gonna give me 30, 60 days to do something I should have done in 2017. Uh, and I think you just said the answer is no. So I’m gonna ask Jennifer to give the... from the great state of Colorado. Um, I’m gonna let you reclaim.

Yeah, thanks. Well, everything Jean said, for sure, and just as a little bit of backdrop: when I worked as a team manager for Delco Remy International in Indiana, you know, I was the first security person there, and this was back in the 1990s, and they were just coming into the world of IT. So that lingering, that slow adoption of IT is part of it. And so it helps frame kind of the problem definition. It still stays within, like, an IT problem, not a business problem. I think there are also differences in manufacturing with respect to the security triad priority. So, you know, the confidentiality, integrity, availability. Well, if you’re a product, if you’re a manufacturing plant like Delco Remy was, and it’s $50,000 an hour back in the nineties if your production failure caused the GM line to go down, so, you know, okay, availability is key. Just don’t bring me down, keep us moving, keep product pushing through. And then integrity and confidentiality fell off from there. It was more integrity as far as producing the right parts, and more or less what kind of information is in your MRP, and confidentiality was really protecting price lists. So I think that that’s another part of it, and I think the difference with respect to risk appetites. So, you know, there are conventional risk appetites that range from promiscuous to permissive to prudent to paranoid. But to those I add perplexed and paralyzed. I think a lot of people, as Jean is referring to, are perplexed. I mean, they’re just going, well, yeah, what is it? What is 800-171? Doesn’t apply to me. And the other part, they’re paralyzed.
They don’t know where to start. And I think, um, you know, there’s an old saying that goes something like, there’s nothing like a hanging in the morning to clarify the mind. And I think the CMMC interim rule saying clearly, deadline, and you will be assessed, and you will not be able to bid on, you will not be able to accept a future contract award, I think that’s providing some kind of clarity of mind, because we’ve received so many more calls. I mean, my gosh, I’ve got five different client projects I’m working right now, and people are calling every day, which is not the way it’s been historically.

So, with Jennifer on that point, exactly right. What we’re talking about ain’t something new, right? The 171 came out, right? And everybody on this call has a superpower. Everybody, right? And everybody watching has a superpower. My superpower is I have a big mouth, right? That’s mine. It’s, that’s really it. The only thing that’s different from 2015 to 2020 is that I’m loud. You all have been beating the drum, and it’s really, you know, and you said it right: when the DoD, um, said clearly, they defined what they want done, they set a timeline. But more importantly, the fact that we have said security is an allowable cost. You as a community, the MEPs, that community, right, are so critical to national defense. You are national defense. You may not realize it, you may not see it, but you’re it. It doesn’t get any more “it” than you, and the adversary is targeting you. And they’re going about it in such a... In 2015, I owned a small business and I was already in the legislature. Now I own my own small business. I didn’t think like I do today. I didn’t think two years ago like I do today. And we have to realize the adversary is definitely changing the tune on how they come at us, and why they come at the small businesses. They’re coming in and they’re taking everything, right.
They’re not just manipulating drawings, they’re messing with everything. They’re taking everything on your employees. They’re following people through LinkedIn, you know, from research institutions right to your manufacturing facility. So we value you so much that I said, put your money where your mouth is, right? And DoD did, right? They said we’ll make security an allowable cost. Here’s the cost associated with it. So the get-well is, it’s the bell ringing, right? Right now, we put in that federal rule, in the rule, I’m sorry, in the Federal Register, we put the cost associated with obtaining a CMMC, preparing for the CMMC, and the controls on level 3, 4 and 5, because we understand, um, that... so where it’s a little bit disconcerting, and so, Chris Krebs spoke this morning, I believe. I’m a big fan of Chris, right, that whole team, Bob Kolasky, all of them. Um, the challenge is, we’re allowed to carry a big stick. I can say I’m willing to pay for it, right, because I had the backing of the Secretary of Defense and Congress. Not every federal agency does. But as a company, and take a step back, and I hate to Bogart time, but I think it’s so critical: your manufacturing company may not be, um, you know, my husband owns a small business in South Carolina, under 5, 10 million. For merger and acquisition to happen, to which you either, you know, either way, you grow with the community, right? Or you stay stagnant. So I assume everybody on here wants to grow. As they’re looking for mergers and acquisition, as banks are looking to finance, right? So if you have a machine line that needs to be updated, they’re going to be looking at your cyber posture. It will become part of how they evaluate you. You may not realize it today. Tony’s nodding his head because you know that it’s, that cyber rating score exists on your company today.
They are watching, right? The sensors on the networks that are out there, commercially available, are showing the traffic on your IP, right? They see it and they’re reporting it. And it’s a security rating score. So as you look to borrow money, one of the things they’re gonna think of: how are you positioned to protect what I’m loaning you? Very few things are just software. It’s software-enabled hardware. So they’re gonna want you to have an understanding. And five years ago, I’m going to use the superstore, right? Like, you wouldn’t think that a cashier at one of my favorite places, Target, right? You need to understand cyber to even work that terminal, right? It’s got to become commonplace. And the only way to do it, to shake us all up, is to make it, um, mandatory, right? It’s a go/no-go decision. Because if you set a clear definition of the standard, the mission, and you’re willing to pay for it, we can get there. The problem in 2015, it was squishy. Nobody really knew what CUI was back then. You know, that was the whole thing. And then thirdly, we really didn’t do the cost analysis behind that rule change. So here we are today, whole new day. Um, there’s no going back.

And this, Katie, um, you know, as you know, I’ve been with you and I have gone, you know, from the, you know, way back when this all was going, and we were out there in the battle trying to get these companies ready to go. Um, to Jean’s point, to Jennifer’s point, I think, I don’t think it would be shocking or surprising, a lot of them aren’t gonna be ready to go, but we’re gonna continue to get them there. I want to give Shannon an opportunity to talk about what he’s doing with Project Spectrum, because that’s part of how we’re trying to get them there.
I mean, it’s small steps, with Jean and with Jennifer, and I had a call today from New Jersey begging to get access to some of the tools and solutions that I know Jean’s aware of, and Jennifer and some of the other MEPs, where we’re trying to accelerate and reduce the cost of compliance. Project Spectrum with Shannon has been doing a phenomenal thing, and he’s launching here with a co-work here real soon. Shannon, just tell us a little bit about that so that Katie and everyone listening know a little bit more about that.

Well, thank you, Armando. A lot of good dialogue has gone on. Just a few minutes ago, I was here in 2015 when that rule came out, on really December 31st, when the rule came out, and really nobody knew the impact that it would cause or what, really, we needed to do. The question you asked at the beginning was, why aren’t they there now? I think it was something, you know, I use the simple term: you can’t expect something if you can’t inspect it. And we have spent five years looking at how do we inspect it? And now, when we roll out the standard of CMMC, now we’re calling them to the carpet on something that they should have already done, or at least acknowledged the rule, and what challenges that they did have that they needed help to address the issues, or at least try to bring it forward. Um, you know, but again, I think that, you know, it’s something that we’re going to get at. I think from a department standpoint, we’ve taken a proactive approach, you know, especially when Katie came on. You know, I think one of the things that Congress does to the department is really push requirements. Um, in 2018, even though it’s three years after, they asked the Department of Defense to really look at how do we educate a workforce?
How do we educate the industrial base and try to address these cybersecurity issues, and really, you know, utilizing some of our investment programs? And one of the investment programs that we really have taken advantage of to utilize, and really try to bridge that gap, the gap is still large, but we tried to bridge this gap utilizing the DoD Mentor Protégé Program. And you know, this program has been in existence for over 30-some-odd years, but it really focused on growing the industrial base to be a small business industrial base in being a part of some of our large primes and whatnot. But we’ve taken another approach, or I guess another direction, with the program. We still have that focus, but one of the things we were able to do in 2018, or 2019, was to launch Project Spectrum, and what Project Spectrum really is trying to get at is one of those biggest things, and I know Tony talked about it: training. We have created a venue, or a network, of trained professionals to try to help educate and inform, provide best practices, provide webinars to our industrial base. Because if you look at any of the reports, even the committee report, uh, the Solarium report, talks about education. Um, and one of the things we really have done in this last year, two years, is really trying to push the education, push the information. You know, if some small business out there today, you know, you could go to projectspectrum.io and get the latest and greatest information. You have webinars, you have training resources, you have all the things that can help you get prepared for the test. Um, now you still have to really look at, you know, once you get prepared for the test, and again, here’s how I look at cybersecurity: it is a continuous improvement. Once you get to a certain point, you have to continue to improve your position to make sure that you maintain protection. Now again, you’re gonna have challenges.
I think the department, and what Katie is really, really pushing with the CMMC, is that, you know, we know you’re gonna have challenges, but we know that if you follow what we’re trying to do from a department standpoint with this ecosystem, you know, the last panel I was on earlier, is we have to, from a department standpoint, industry standpoint, really open up the aperture. We have to really break down the silos amongst the different organizations that are doing things and really come together and bring more resources, you know, project, project...

...minutes left. Any time we get you guys together like this, it’s like everyone just wants you guys for hours. There’s a lot of questions, you know. I warn you guys, the media is watching because of the hot topic that this is. But Shannon, you brought up something that I know Jean and I have experienced, and some of the other MEPs, is I’m working with an MEP, or manufacturer, that already has a, uh, a DAM score. Uh, they’ve uploaded their POA&M and SSP into the SPRS system. And when we did the vulnerability scan, talking about cyber as a continuous kind of thing, of course, had a number of deficits in their environment. So whenever that date was they loaded all of that, today they would not really pass a new assessment or audit of compliance, because, um, they haven’t kept up with it. And that’s what they learned. It’s like, okay, because they’re so diligent, this particular manufacturer that we’re working with has the assets and the resources to focus on catching up. They will catch up. In fact, they’re already, uh, at readiness level for CMMC level three. By the way, Katie, all of our team members that are supporting Shannon have all gone through the CMMC-AB training, so we’re RPs, a lot of us RPs, so we’re waiting for the rest of the stuff. So I just wanted to let you know that we’re following the model prescribed by the curriculum that exists today, and that kind of good stuff. But we have a huge supplier.
Someone I know really well from many years ago as a consultant to the organization, Verizon. You guys are a big behemoth, you know. You know, I wanted to tell Steve that you got a question, I don’t know if it’s for Katie or Shannon or who, but as a multibillion-dollar defense supplier, I know what you guys do. Tell me a little bit about what you want to say to it.

Yes, I’ll open it up to the panel. But one of the things we look at is we tend to prime a lot of the big programs we go after, and we use a lot of small business, and one of the questions, and I’m purposely making this pithy, is what’s the prime’s responsibility? And how do you envision SPRS scores going into what we step up to from a subcontractor attestation perspective? Anybody want to take that one?

Oh, I will.

So, minutes, it’s a hard stop. And I hate, you mean, this is just, again, always happens to me with this panel, leads with this subject. But go ahead, Katie. But we got literally one minute, and it’s gonna just, I can’t even control it. It’s gonna cut us off. It’s an automated thing.

Okay, so I’m going to say that the flow down of contract information on the 7012 clause is the same as the 7019, 7020, 7021. The SPRS representation for the primes right now is via an Excel spreadsheet you have to request, because the system is just coming online. Um, but the prime is going to need to validate their subcontractors. Um, uh, they acknowledge a lot of large primes have set it up in advance through products like Exostar. Um, but please reach out to me independently, sir, and I will make sure I get your answer so that we can post it out for everybody to see how they can actually see who has made the representation of their assessment.

All right, great. Thank you. Thank you, thank you. Steve is a big supplier, and again, we got a minute. I don’t know when it’s gonna cut us off. Chris, what do you have to say as we close out?
And we will probably have to do this again after Thanksgiving or something. Go ahead.

You know, it was great conversation. However, the biggest group that you forgot, and this is to Katie, this is to Shannon: you forgot the acquisition workforce. You’re doing a great job. No, I understand you’re shaking your head, but I’ll give you an emphasis. Number one, Ms. Lord produced an August 4th memo. I’ve been talking to about six or seven commands. They have no idea what that memo is, uh, in regards to implementing CMMC. A lot of the training that we’ve been doing has been dedicated to the defense industrial base and not to the acquisition workforce. So there’s great, wonderful work that the department is doing. If it’s not in the contract, and if A&S thinks that they could just push down the policy, who has the contract privity? Who has the liability and the risk? It’s not always the... It’s the procuring commands and activities. And this is what we’re trying to say is, the policy that you’re doing, Shannon and Katie, is great. But if nobody is following up on providing that training, on getting the commands to understand exactly what they’re supposed to be doing, uh, this is what I’m saying. I need a little love on my side to help out the acquisition workforce and to get them to understand their duties and responsibilities. I mean, over the last four years, I did I don’t know how many road trips, and a lot of the commands said, what is DFARS? What is this? As well as for the NDPs they’re doing. They were doing these conferences, and the contractors weren’t responding because the government wasn’t telling them that they had to respond.

So I would say, Chris, I appreciate that. And I’m putting a bunch of stuff in there. The new 5000 dot CS launches on November 30th. DAU has an entire curriculum dedicated to this for the acquisition workforce. Much like with the 889, right, I set up a task force. I had hundreds.
When I say hundreds of commands dialing in biweekly on 889, I’m gonna launch the same thing with the CMMC. We’re sending out draft language right now to the service acquisition executives on RFPs, RFIs and how to put it into contracts. So the SAEs and DPC are the owners of getting this information down to you guys. But I take that loud and clear. You will definitely see the contract language rolling out to an acquisition near you.

Okay, okay, that’s me. That’s great. But again, they have to understand, because most of their cyber engineers, guess what they’re doing right now? RMF. So?

So, Chris, I wanna echo that too. Let me just be clear. The last two, almost three years, we have hosted, from the Office of Small Business Programs, acquisition training, and it’s opened to all the acquisition workforce to come out. The last two years, we’ve had over 1000 acquisition professionals, and one of the general sessions is talking about cybersecurity. And we have had every person that we know of from the DoD standpoint, from DAU, participate in that event. So, you know, there’s stuff that’s going on, you know, and whatever community, that’s where we have again come together and ensure that that has spread across, you know. You mean our event? Every year we host it, and we’ve had over 1000 participants. This year we had almost 1100, last year we had nine... Uh, and one of the major sessions is cybersecurity. And the general session is the biggest one we have, and we have it literally today. One, last year, Katie spoke at it. We had DPC talking about the rules that are going to be in place. A couple of years ago, we had Vicki Michetti and the other lady, I can’t remember her name, participate in those events. So I think, you know, I think from the department standpoint, we have taken somewhat of a proactive approach, really,
to try to help educate. You know, we’ve had boot camps from DCMA, provided boot camps with the training, training the workforce, maybe in small groups. We probably need to do better in expanding that. And that’s something, probably, you know, getting with Mr. Wu’s Lee, uh, to really help push more of that across the acquisition workforce, is critical.

And those who live through this, because I think, I like, it’s like this is like the Thanksgiving table with all the relatives from out of town. I think Chris brought a really good point on. We’re at 14:05 and others are waiting for us to end. They looked at the software; it didn’t take over. Obviously, this is a spirited discussion. Obviously, we could continue to go, but I need to let these guys go because a bunch of other DoD people are waiting to kind of use the platform. Maybe we... Ms. Arrington put a bunch of stuff in the chat. I’m gonna get to you, Chris, and to Steve, that she was typing as fiercely as she possibly could. I’m sure she’s gonna circle back with you. You guys know each other, so I know that’s gonna happen. And maybe we can collectively get together after Thanksgiving and have a roundtable with Shannon and DAU and Ms. Arrington, when we don’t have to be on Zoom to the world to do it, and discuss how we work together. How about that, Shannon? You think that makes sense?

Um, makes perfect sense, you know? Let’s do that.

I’m gonna close out. Thank you, guys, for joining again. I don’t know why I do this to myself. This is probably the most popular of topics. I bring in interesting people. I think we got some information out. We’ll probably do this again on a smaller subset. After the holidays, we’ll find some time to do this. Thank you, everybody, for participating. I know there’s several DoD panels coming right behind this, Hack the Building. Um, look for Shannon’s Project Spectrum program. We’re doing an MPP launch here that’s not open to the public.
I’m here on Thursday, and then obviously keep listening to the news of all the work that we’re doing with the MEPs. Uh, Jean will tell you, Jersey will tell you, Florida will tell you, Georgia will tell you, Texas will tell you, and hopefully soon Colorado, right, Jennifer, how we’re helping accelerate compliance and awareness and getting folks on the road to realistic readiness for CMMC and DFARS. And Chris, I’m gonna circle back with you because you’re one of my gurus, so I always got to go to you. Steve, everyone, thank you. Thank you, Tony. Appreciate you guys. Bye bye. Thank you. Amount of
