
Leveraging RMF for CMMC Success: Strategy, Structure, and Solutions for Defense Vendors

BSides Tampa · 2026 · 44:49 · 23 views · Published 2026-02
Style: Talk
About this talk
Leveraging RMF for CMMC Success: Strategy, Structure, and Solutions for Defense Vendors, by Mike Brooks

As a Certified CMMC Assessor (CCA) and veteran with decades of DoD experience, I’ve seen firsthand how the Risk Management Framework (RMF) is used to protect the nation’s most critical information systems. This session will empower defense vendors to leverage the DoD’s proven risk-based strategies to streamline their path to CMMC certification. Attendees will learn how to align RMF steps with CMMC practices, build scalable compliance structures, and adopt solutions that enhance security while maintaining operational efficiency. Whether you're tackling self-assessments or preparing for C3PAO authorization, this session offers actionable insights rooted in real-world lessons and DoD best practices. Leave with a clear understanding of how to transform compliance from a regulatory hurdle into a strategic advantage—plus a free risk assessment guide to kickstart your journey. If your organization’s success depends on meeting CMMC requirements, this session is your blueprint for achieving it with confidence.
Transcript [en]

Welcome to the next session leveraging risk management framework for CMMC success. This will be pres presented by Mike Brooks. Mike is a retired US Air Force cyber operations officer and post 11 911 veteran who led and commanded cyber mission supporting national security and cyber terrorism. Mike has founded VetNet Cyber, a service disabled veteranowned small business, and is a CMMC certified assessor. Please welcome Mr. Mike Brooks. Thank you, Mike. All right, welcome. Good morning, everybody. Thank you for being here. I really appreciate it. Uh, I got to tell you, I'm really I'm really excited about Bides. You know, you go to conferences, I think I've been to four or five this year, and these local conferences,

they're just different. There's just something about them. They're cooler. uh you know the people are the people are nicer and you seem to get a lot out of them. So I really appreciate the work that Bides have done to pull this together Mike to you and your team this has been great. All right. Uh so this morning I want to talk to you guys about risk management framework and CMMC. So just what everybody wants to hear on a Saturday morning. Uh actually with a show of hands here. Who has heard of CMMC? Who's familiar with that? Okay so just about everybody in the room. Uh what about riskmanagement framework or RMF? Okay, so again just about everybody in the

room. Uh so what I want to do this morning is I want to connect those two uh and show you how they can be a powerful combination together. CMMC is actually maps pretty well to the CMMC uh requirements. And so I want to show you that. Um I work with defense vendors. That's primarily where I focus. I do do some assessments. Uh but again, I primarily do those to get the answers to the tests and and share them so that we can get our vendors ready to uh ready to pass their certifications. Um again, who who am I and why am I here? Uh Mike kind of hit it. Uh you know, I've been on both sides of this.

Uh I've been on the war fighter side. I've sat in the CISO seat. I've been a program manager. I've been an assessor. um you know and I you know through the military career that I had and and for those of you that have been in the military you know um it's a mission focus and so that's kind of what I bring to the CMMC uh ecosystem is a mission focus so I did found a service disabled veteranowned small business about two years ago focused primarily on CMMC readiness I'm also pursuing some government contracts myself uh so I have to have that uh accreditation as well so I'm not only helping others implement CMMC I'm implementing it uh for myself.

So when we talk about risk management framework and again for those of you that are familiar with that framework uh it's essentially what the department of defense uses and the government at large uses to accredit its information systems. Information system is a key word that we're going to come back to several times today because that is a fundamental component to how all of this works. Um, you may have seen, uh, the acting DoD CIO recently has been very vocal about the riskmanagement framework. Uh, she said, "Hey, I'm going to blow up the RMF. Uh, I'm blowing up ATO's. They're stupid. They're dumb. They're archaic." Uh, what she didn't say was, "We're going to stop doing risk management.

We're going to stop accrediting systems. We're going to stop uh, protecting our data." She's talking about the bureaucracy attached to the RMF. She's not talking about the process itself and she's 100% right. And so when we look to apply RMF to the defense base, these are businesses. They do not have time for bloated bureaucracy. They do not have time for unnecessary steps. So that agile approach is extremely important to a profit-driven organization, not the government, but a business that's supporting the government. And so when we look at the RMF, we've got to figure out how can we apply this in a way that gets to the outcome without going through all of this bureaucracy. And so

that's that's a little bit of what I want to go into today. Um, anybody directly involved with supporting defense-based companies or working with defense-based companies? Please let me can just show. Okay, it's about half of you. Um, so the defense industrial base for those of you that don't know is a sector of critical infrastructure for the United States government. I think we have 13 critical infrastructure sectors. The defense is a sector. Uh there's, you know, debatable number of companies, some will say 300,000ish companies that support the DoD. Um, the DoD created cyber security requirements for these vendors seven years ago. uh in in the form of NIST 800171. Uh they worked with NIST to develop a

tailored baseline for defense companies focused primarily on the confidentiality of what is called control and classified information or covered defense information. Those cyber security requirements were selfattast. So when you submitted a bid for a contract 2017, you just checked a box and said, "Yay, verily, we meet our D4712 compliance requirements." That was it. Uh, and then you you went about your day. You went about your business. You executed your contract and and u and all was well. What the DoD found out was that a lot of the defense vendors didn't necessarily have the cyber security posture that was required. Um, you could argue they ignored the regulation. Uh the other the other side of that coin is

not really what they do. So maybe they didn't really understand the level of rigor that was required to implement those controls and all the documentation that goes along with it. That is was really the impetus behind CMMC the cyber security maturity model certification. It was to establish not only that baseline of what's acceptable across the defense base but also to validate that you're doing what you're supposed to be doing. So, CMMC doesn't introduce new requirements. That's a that's a key point. It just validates that you're doing what you're already supposed to be doing. Um, a lot of organizations that I work with and speak to, um, probably have spoken to hundreds over the last several years, they all treat it like a

checklist, like, okay, what do I just tell me what I need to do and I'll do it. Just just just what are the four things, five things I need to do. Um, and it it is not that way. It is a program. It is a strategy. Um, it is based on an information system. Again, we'll come back to that term a couple more times. Um, and while CMMC tells you what to do, what's really missing is the approach is is okay. So, how do we structure all of this stuff so that we can deliver the outcomes that we need to, which is protecting the data and executing our contract responsibilities and RMF really provides that how it really

provides a framework for how to do that. Um, without it, teams are reactive. They're misaligned. And I can tell you again from my experience from working with the defense vendors, uh, the leadership disconnect is probably the biggest component to CMMC readiness that I see. Teams are starting to implement things at the tactical level. It lands on the IT director's desk. Uh, and that poor guy's got to figure out how to do it. Implement, you know, 110 controls and 320 security objectives and create 400 pages of documentation. and nobody's really helping them and nobody wants to hear it because everybody's busy. So, um you know that's where again RMF can really come into play. So when we look at a framework and again

I want to provide the frame for the framework. Um you may be familiar with the the triangle here. comes out of the NIST documentation, NIST documentation 839, but it's a great way to think about how do we approach an information security program uh and how do we build that inside of an organization and so again as I said folks typically start very tactical they start implementing controls that's where they start um they start with solutions right we got Zcaler we got CrowdStrike uh what they don't start with is the strategy So it really needs to be a top-down bottom up approach. And so what I mean by that is when you start with the strategy, you can start to understand

the governance component of it. Um this touches everybody in the business. This is not an IT program. This is going to touch all components of the business. You've got to understand who's doing what to who, who's responsible for what. That's the strategy. You've got to understand what right looks like. You've got to drive investment. You got to lot do lots of things at a strategic level at the organizational level um that a lot of lot of organizations that I work with simply don't do. They don't start there. Next is your structure. You have to actually build a program. You have to have documentation. You have to have uh reporting. You have to have reviews. You

have to have accountability. You have to have that in the middle layer uh especially around that information system that's housing the sensitive data. Without that definition, you're implementing controls across a universe of unknowns. And so that's where the structure is critically important. And then once we have that, we can implement the solutions. And again, those solutions kind of feed back up to the top because it's what helps us meet the requirements. And again, it it kind of puts everything in the right order. So it has to be done at the organizational level, it has to be done at the program level, and then it has to be done at the tactical level. So that's just a good framework that I like to use

especially when I'm talking to uh some of the senior leaders in the organization to kind of understand okay how do we frame this how do we really need to approach this so why RMF is the missing piece again it's it's it's what the DoD uses to secure its own information systems um it's funny if you look at the risk management diagram there on the slide uh it says CUI registry on it um it says NIST 853 which is 8171 one was derived from 853. Um it it talks about all of the riskmanagement functionality that uh needs to occur. And so again, this is why it's a good framework. And you know, my mom always used to just I would ask

her mom, how do you make that food? And she she would just always make it the way that she made it the way that she liked it, right? And she couldn't really tell you why she made it that way. It's very similar here. DoD implemented CMMC not even realizing they're using the RMF because that's what they know that's what they do. Um and so they've implemented that CMMC requirement uh and and RMF is really the missing framework around it. Um it's a decision framework. It's not a document framework. So this is where the bureaucracy comes in. So it's about making the right decisions going through a structured process to deliver outcomes rather than providing uh documentation or an evidence

repository or different things like that. Um it's a seven-step process. Again, it's very structured. Um it provides a a consistent output. Uh and a lot of firms don't know it exists. In her last uh round of comments, um the acting DoD CIO, Katie Arrington, actually said as they redo the RMF, industry is going to have a vote on it. Industry is going to get to to coordinate on it, which tells you that um it's something that they want to use across the defense base. So that's why I think it's the missing piece. Um one of the key components in DAR 712, for those of you that are familiar with it, you know what it is. Uh for those of you

that aren't, that is what establishes a defense vendor's contractual requirements to do cyber security. I think it's the second sentence. Uh it refers to something uh as a covered contractor information system, CCIS. Uh so your contract with the DoD specifies they think you have a covered contractor information system. They think you actually have an information system. Most of the companies that I work with, they don't have a defined system. They're using technology. They're using Outlook for this. They're using Dropbox for this. They're using all of this random technology, but there's no structure. There's no information system that's defined. And that's that's a fundamental problem that we have to solve right away because again, it's a

mindset shift. Um, so when we talk about information system, and again, this is a key term because when you sign a contract with the DoD, if you're a vendor, they think you have one of these. They think you have an an information system. So you ought to know what it is and you ought to know how they define it. Um so they define it as a discrete set of information resources organized for the collection, processing maintenance use sharing dissemination or disposition of information. And so what you see there in the triangle is you see an authorization boundary. This is a key component of a CUI CMMC program. You have to have an authorization boundary. You see system elements in the middle of

the authorization boundary. Those are any technologies that store, process, transmit cover defense information, control and classified information. So we have to start with a picture like this, we have to start with a conceptual framework so that we understand when they say covered contractor information system, what do they mean? Well, what they mean is this. And so whatever technologies you're using inside of your business, however you're implementing these requirements, it has to be implemented around uh this notion of an information system. So when we look at RMF and we look at the information system, this is really where you start to get a playbook and a game plan for how to attack, you know, CMMC requirements. Um it helps align

leadership, it defines roles, it clarifies scope and it develops a strategy. Um without it you have no accountability and you have no ownership. The first thing that I typically see when I talk to folks is and this pain point is my experience but I run into it almost 100% of the time. There's a disconnect between leadership and the implementers. There's just a disconnect. It's like we don't know. I was talking to a president of a manufacturing company yesterday. um he said, you know, I can't believe this is actually real. What do we need to do? Um his team's been working on this for I think three or four years. Uh they've gone through SSPs, they've gone through

assessments, they've hired outside help. He, you know, there's still that disconnect uh in inside of this company. Um when you use RMF, the be one of the benefits of using it is you get to define who the affirming official is. That's part of establishing the roles and responsibilities. So I tell them tag that guy as it or gal. Make sure they understand what role they're filling in this program and what those responsibilities are. There's also an annual requirement in CMMC to do what's called affirmation. So once you pass your CMMC and you get oh we're CMMC level two certified. That's awesome. Annually you have to now go into the DoD supplier risk system and and and affirm

some an affirming official within your organization. Not your vendor, not your service provider, not your cloud service provider. Somebody inside of your organization has to go in and say, "Yay, Verily, we still are good. We still are 110. We still have all of our controls implemented." That's somebody's job. That's somebody's role. That's somebody's responsibility. Without an RMF kind of mindset, you wouldn't have that. You wouldn't know who that person is and and how those things get defined. Um, I have a picture of Bill Bich on the slide. I don't know for those of you that know him, uh, he's got six Super Bowl rings with the Patriots. He's got two Super Bowl rings from the New York

Giants as a defensive coordinator. He is a disciple of Nick Sabin. They coached together uh a few times. Nick Sabin has seven national championships. So I think altogether that's about 15 championships. Their coaching philosophy is three words. Their core coaching philosophy is do your job on every single play. You have a job to do. Just do your job. You just do your job. Everybody else will do their job and everything else will take care of itself. If you don't know what your job is, if you don't know who's implementing access control, if you don't know who's managing the baselines, if you don't know who responds to the incident, if you don't know who the affirming

official is, that's where you're going to start having problems and struggles. And again, so that's an area where CMMC can really help. What I want to do now is kind of walk through the steps. Again, just I don't want to give you kind of a RMF201, but I do want to kind of just again introduce the seven steps and and kind of talk about them um in the context of CMMC. So, step one is not implement controls, right? Step one is prepare. Step one is strategy. Again, this is a decisionmaking framework. So, we have to identify who is the affirming official, who is the information system security officer. You have a question.

Mhm.

Exactly. And so you take that authorization boundary and that becomes your assessment scope. So the boundary is where the CUI is stored, processed, and transmitted. That's the way that I use RMF and tailor it to a CMMC implementation is there's still a red box around everything that stores, processes, and transmits CUI. There's still a logical separation requirement for things inside of that red box. And there's still a physical separation requirement for things inside of that red box. You can call it an assessment scope. When I show up as a CMMC certified assessor, I'm looking for a boundary. I'm looking for a box and I'm looking for those assets inside. That's good good question. Good point.

Um, so again, so these are these are some of the things that you want to discuss and have these conversations so that you understand, okay, what do we mean when we say boundary? What do we mean when we say scope? What's in, what's out? You have to decide this uh upfront. If you don't do that, then again, you're you're going to risk uh, you know, wasting time, wasting energy, and wasting resources. Step two is categorize. Okay, so we have to define uh we're going to have a list of assets inside of the red box. We're going to have a list of assets outside of the red box. One of the issues uh that I feel with CMMC is it's very

nuanced. Okay, they created asset categories. They created their own asset categories. You have CUI assets, you have security protection assets, you have contractor risk manage assets, you have specialized assets. These are CMMC unique. Uh, and so if I'm a mid-tier defense vendor and I make engine fan blades, um, and I have an IT team of one, maybe two, and I have an MSP, I don't know what a contractor risk management asset is. I don't I don't know what a specialized asset is. I'm trying to make engine fan blades. Um, and so this again becomes a very important step as somebody's working through building a program uh to define what's in and what's out because anything that gets categorized as a CUI

asset is going to be inside of that red box is subject to the 110 controls is subject to the 320 objectives and is subject to the full to the full accreditation assessment which essentially you could think of it as federally protected land. And so obviously we want that to be as small as possible. And so the categorize step is is where you can do that. Uh the select step is is kind of been done for you. Um it's NIST 8171. Uh now I'll tell you I do work with a lot of vendors and a lot of companies who have additional requirements, right? They have additional def requirements. They might have some 853 requirements. Um so

it's not just 8171. For some it is it's pretty cut and dry, pretty simple. for others um again it's not necessarily just 8171 they may run an ISO 2701 on some portion of their of their process and so then we have to figure out okay how do we map control A64 to 3.14 and we kind of have to harmonize those um another area of where we where select is important is this notion of control inheritance right so RMF uh identifies what they call common controls those are controls that you can inherit whether that's from an external service provider or from a cloud service provider. This is where you hear a lot of folks use the

term shared responsibility matrix right because the implementation of the control may touch three or four different organizations before we can get that output of that evidence that the controls uh properly implemented. This is where we talk about that and we understand that if we're using a Fed ramp solution, we want their SSP, we want their their system security plan, we want their boundary diagram, we want to understand what does this cloud service provider do and what is our responsibility as the organization because we're going to have some responsibility here. Um, and so this is this is where um, a lot of that would happen. This is where we start to bring the system security plan to life. Uh,

the SSP, which is a core document. If you're not familiar, if you don't have an SSP, you don't pass go. You don't get to continue. You don't I mean, it is it is a go no-go. You must have a system security plan. It's the first question I ask when I work with companies. Uh the answer is usually we don't really have that. Um we know we're supposed to have it, but we've got we've got some files we can show you. Uh and it it doesn't really look like a system security plan. This is where we start to lay that in. Understanding the control framework, understanding the inheritance, understanding the implementation. As we implement the controls, it's and

and the security professionals in the room will know this. It's people, process, and technology, right? It's not just a tool. Uh we have to show evidence that the controls are implemented uh and they're working appropriately to protect the data. This is if you're a defense vendor, this is for your customer. This is for your client. uh the one that you signed probably a a million or multi-million dollar contract with, right? They're requiring you to meet these requirements. Uh and so we have to really work together on doing that. And implementation is not where we start. You can see we've we've done some strategy. We've looked at the boundary. We've selected the controls. Now we can

start to implement the controls. Now we can start to talk about what are we using. I was talking to another company this past week. Uh they're looking for an assessment. They've got an October deadline. Hey, we need to get CMMC. Our prime's banging on us. We've got to get this done. Said, "Okay, well, what have you done to date?" Uh, they said, "Well, we got Zcaler. We got uh CrowdStrike. We we we we got Octa. We we we we got GCC High. We got They just listed off about nine different tools and said, "This is what we've done. We've went out and we bought all these tools." Um, and it's like, well, if you're in GCC High, can't

you just use Entra ID? Uh, can't you just use Sentinel? have you guys considered using the native tools in GCC high like we didn't know we could do that. I mean so they've already invested you know a million dollars probably in tooling uh that they may not need uh because they started with implementation. The other key component of this is you have to kind of own the outcome here as a leader within a defense organization. Your service provider is not doing this for you. They will do portions of this for you but they do not own the outcome. you know, you inside of that uh defense organization, you own the outcome. You have to put your name on the line here.

You have to annually, again, affirm that your posture is uh meeting all of the requirements. When I think of capabilities, I think of something that we're able to do. Uh and that's a good way to think about implementation. It turns controls into capabilities. Uh and what do I mean by that? uh I I say when we can use the control family as a verb, we know we've implemented correctly, right? When we can control access, when we can manage configurations, when we can respond to incidents, that's how we know we actually have a capability, that's what our customer, the DoD wants us to have. That's where the assurance comes in. Not we racked a bunch of

tools, we set a bunch of policy, and we're not really doing much after that. So implementation is a is a key step. Um, RMF has an assess step in it, right? Continuous assessment. You have to do security assessment plans. If anybody's worked with Fed Ramp, continuous monitoring is in there as well. You have to have a security assessment plan. It's a key document within an RMF framework. Well, well, guess what? Those two controls happen to make it into 8171. There's a 311 is a risk assessment. You have to do an assessment. You have to do a risk assessment. 312.1 is controls assessment. You got to do a full controls assessment. Uh I was talking to

a company uh two weeks ago uh and they were looking at uh doing a mock assessment. They they said, "Hey, can you come and do a mock assessment for us?" I said, "Sure, I can absolutely." Um I said, "Did you do your security assessment 3.12.1? How are you meeting that control?" Because you should have already been doing an annual security assessment, right? Or a periodic security assessment, right? what's 3.12.1 you know so it's like it's it's already kind of built into the framework and the fabric of the of the baseline I mean it's in there for a reason so uh again assessment is a key step this is where we can judge our output we can

start to understand where we have gaps uh things change that's another thing change all the time we use different tools we get different clients we get different requirements we need to share data with this person uh so assess is where you can kind of really help calibrate that okay so authorize guys in the in the DoD RMF world. Uh I was an authorizing official, right? You sign off on the package. Somebody puts their name on the package that says you have your approval to operate. You are good to go based on everything I'm reading, based on everything I'm seeing. In the CMMC model, your ATO is coming from your C3PAO, your certified thirdparty assessment organization via a CMMC level

two certification. That's essentially you're right. You could think of that as your ATL. That's the way that I think of it. And again, I'm giving you a mental model that I use. I'm not saying this is the way that you have to do it. I'm just my background as an RMF. That's what I grew up with. That's what I learned. And I see it's very similar to CMMC. And I see a lot of value in thinking about it in those terms. But essentially, that's your atto when you get when you get CMMC level 2 certified. you know, that's your validation uh that you are meeting the requirements and you can effectively protect uh the control unclassified

information. Um if you wouldn't sign your name to it, then you're probably not ready. Uh and you know, when I was a lieutenant, I had to sign an accreditation package. They brought it to me. It had to be signed today. We got to get it up now. I signed it. I trusted them. You know, the next afternoon I was in my boss's boss's office talking about the changes that weren't incorporated in the signed package that I had pack, you know, just signed. So, learned a valuable lesson, right? Before you put your name on something, you got to really make sure that uh you can validate it. The last step in uh in the RMF here is

monitor. And again, we kind of already talked a little bit about this. This is staying vigilant, staying ready. Um many of the organizations that I work with, if not all, I would say 99 95 to 99.9% don't have any sort of reporting on on how they're doing. No executive reporting. Um they're implementing a program, people are working on the program, they're implementing tooling, but there's not a monthly review. There's not an executive quarterly review. There's not a business review. There's there's no real reporting going on. uh within the organization which is a huge gap and that's an output of continuous monitoring and so again if I'm the affirming official if I'm the person that has to sign my name on that

line and enter into the DoD database that we are still good. I don't want it to be 11 months and 29 days before I see you. I want to know, hey, how are we doing this quarter, how are we doing next quarter, so that we can really build that cadence. This is how you stay ready. This is where the compliance mindset really moves into readiness. And again, as a defense vendor, as military folks, readiness is a concept. That's a mission concept. We have got to be ready. And we know we're ready because we've tested and we've measured and we've reported.

So, to kind of round all this out again, I would say I use the RMF. It's proven useful for me. I like the framing of it. I think the DoD has, knowingly or unknowingly, leveraged it because it's the language that they speak. It's what they do on their own systems. And again, when you see things like "covered contractor information system" in the DFARS language, and you go inside a company and you say, "Show me your information system," what is that? What do you mean by that? Those types of disconnects are fundamental for alignment, and culturally there's just a huge difference. And so I think by working with the vendors, using something that's culturally accepted within the DoD, the model that they themselves use, it really helps to understand and put things in the right perspective and then follow the same framework, and tailor it. Tailor it. Use whatever value you can get out of it to maximize the impact of it, to help the defense vendors build information security programs, which costs money and is not something they do unless they absolutely have to, right? And define the scope of their information systems and narrow that down as much as possible, so we truly do reduce the exposure to this sensitive data.

You know, when you support the US military as your customer, you inherit their adversaries, right? Their adversaries are nation-state cyber threat actors. They have teams of people who dissect our supply chain and who get assigned: hey, you're going to work on defense. Hey, you're going to work on small manufacturing. Hey, here's your portfolio of 50 companies. Find a way in. Hey, this is the new F-38 program that the DoD is doing. This is the list of vendors. Find a way in. That's what they're doing. And so it becomes much more than, "Oh my god, we've got to meet our CMMC requirements. Oh my gosh, we've got to build an information security program. Oh god, we need a system security plan." So again, that's kind of the bottom line for me and what I try to remember when I'm working with these companies. And the other thing is I try to be a little bit empathetic, because again, it's not really what they do. This is not their area of expertise. And so sometimes it's just helping them make smart decisions around: who can I partner with? What does a good vendor look like? What should this look like? What does right look like? Can we just have a conversation around this? That's all in that Prepare space, right? Which are all very good conversations to have.

I have a guide here that I've written specifically for business leaders. I think I'll share the slides, and so that guide will be available. It's got some checklists in it. It breaks down the steps. It's got some leadership takeaways. I just wanted to create a resource to share with leaders, to help them make better decisions around this stuff rather than continue to pretend it doesn't exist and we get seven more years down the road here. So that's why that's there. But yeah, so that's my talk. That's my presentation. I really appreciate it. I'd love to entertain any questions. I know this is a hot topic, so we can go anywhere with CMMC. I think there's actually a CMMC presentation after this as well. So we've got Pete back there. He can weigh in and help me out if I get stuck on anything. Yes, sir. >> Mhm.

Yeah, great question. Both. Yes. Typically, what continuous monitoring is in the compliance world is: I need an evidence artifact to validate the output of the control that I can file away and show an assessor when they come. That could be an operational output, right? It could be something within tolerance: we've got to be able to detect within these parameters, and this evidence shows that we're doing that. Like, we're remediating within 14 days. We've remediated within seven days. Some of the controls are administrative. This slide does a good job; our friends at Compliance Forge, this slide does a good job. It's a little hard to see, but the coloring basically tells you what's an administrative control, what's a technical control, what's a physical control. And so some of it is just administrative. Did we do a review at our prescribed time? That will be documented in the system security plan, in the SSP. And this is a key gap that you see a lot in these assessments: say what you do. "We review this log monthly." Then do what you say. It's like, okay, hey, you say you review it monthly. Do you have any evidence that you reviewed your logs monthly? Did we review them monthly? I thought it was weekly. I thought it was quarterly. Then this conversation happens, like, well, nobody even knows that you're supposed to be doing it monthly; it's in your SSP. And so that continuous monitoring helps alleviate some of that. Did I answer your question?

>> uh

Those are organizationally defined parameters. So you get to establish those. If it's not prescribed in the current baseline, a lot of those are left to you as risk decisions. They're not prescribed. If there is a prescribed time, it will be in the standard. The new revision, Revision 3, which is going to be implemented soon, actually has a lot more organizationally defined parameters because the DoD has essentially tightened their risk tolerance on some of those things. So instead of you telling me how often you review the logs, you know, organizationally defined, it's like, we want you to review the logs at least annually, as an example. I don't know if that's the real one, but there's a series of those coming.

Yep. You're talking about Rev 3, the ODPs. >> Yep. Yep. Yep. But again, that's where the continuous monitoring really comes into play. It also helps drive investment decisions, too, which is an area that, you know, the business leaders like to hear. It's like, okay, hey, you're paying for stuff you don't really need, or hey, you need to get a better tool or a better provider. Yes, sir. >> Here, sir. In the front row, did you have a question?

Exactly.

>> Yeah, that's an excellent point. The data flow is critical here, and two things that you mentioned. Flow down is absolutely important. That's in the D4712 clause 2. A good question to ask is: do we need to flow this down? Can we do the library approach, where they come in and they just view it in our environment? They don't get to take the book home. If you can do it that way, then there's no flow down required. The other tool that I use to do the data flow analysis is user stories, right? Because the business partners, they don't, I don't know, it's like: do you use CUI? Who do you, then what do you do with it, where do you... And this is an open, you know, my daughter and I have a safe zone, right? This is a safe zone, you can tell me anything. Like, what do you do with it? Where does it go? What do you... okay, and then what? And then what? And then what? And then you understand. It's like, okay, now we can really start to do something with that, because we've understood it, right? And we can say, "Oh, do you have to send it to Tom? Does he really need it? Can you just give him conditional access?" And that's how you can narrow the scope. >> Yeah, Mike. Go ahead.

Right. Yeah, they skip right over it. Skip right over it.

Yeah, this is where we, you know, and I tell the IT... normally I work with IT directors, because I typically work with companies that are large enough to have big DoD contracts but have small IT teams. They probably need a CISO, but they don't have one, right? That's kind of the sweet spot of the company that I work with. And they're so busy. Those people are so busy implementing. This is more of a business strategy conversation. And so I try to tell them, let's lead up here and really frame this more as a strategy conversation, as an investment conversation, rather than an implementation conversation. >> Yeah, it's a workshop. I mean, just something to kind of get people aligned. >> Yeah.

Yeah, I think that's a great approach. Personally, the pitfall that I see there is thinking that it's a completely outsourced deal. So in other words: I'm working with a vendor. I'm working with a provider. They've got my CMMC. They're doing CMMC for me. They're going to tap me on the shoulder and tell me what to say at the assessment. But without realizing that I myself, internally, there are some controls that they can't even help me with. I have to implement, and I have the ultimate ownership and accountability, right? The handshake is between me and the DoD. It's not between my vendor. So that's a great solution. It can get people spun up pretty quickly. A lot of those are getting proven. A lot of them are getting CMMC certified. The enclave approach is really, really good. But again, I just caution folks to understand. And I typically work independently with the vendor. I don't sell services. I don't sell product. I don't work for, you know... I have a small company. I work directly with the vendors in more of an advisory role, and I always tell them you've got to make sure you understand your responsibilities, what you're accountable for. Yeah. Yes, sir. Awesome.

Mhm.

Yeah. Yeah. Absolutely. That works. The other part of it that works, you know, when you start talking about manufacturing, is really understanding specialized assets and flow down and CUI flavor, like, is this actually CUI? Again, I tell the defense vendors you don't have to be a CUI expert if it's not spelled out in your contract that it's CUI and it's not clear in the registry that it's CUI. If you have a question, go back to your contracting government lead and ask them. But if we know for sure that we're going to have CUI on the floor, right, then we've got to understand, okay, what systems are those flowing into? Because those are now going to be in scope. So yeah, that's a critical point, especially around manufacturing, because that's what a lot of this is: manufacturing. It's not office work. You know, the consulting companies I think are not going to grow very much. I think it's going to happen more in the manufacturing space.

Yeah. Yeah. >> Yeah. Exactly. Yeah. I mean, cloud, you know, is there, but that's not the only answer, right? It doesn't have to be cloud. It can be on-prem.

Yep, exactly. Good point. Again, our friends at Compliance Forge have put together a great chart here. The light blue is technical controls, the orange is administrative controls. So you can see typically the technical controls are around access, auditing, identity, and then the network, the SC domain. I think that's all the time we have. I'll stick around. I'd love to talk more about it. And again, like I said, we've got another CMMC session coming up after this one. Thank you guys so much. Enjoy the conference.