Hey, Aloha, welcome to the ThinkTech Hawaii studios for a really exciting episode of Security Matters Hawaii. Today Dave Stevens is in the house, fresh off the campus, and we got a, what do we call you, surprise guest. Gordon Bruce has showed up because we're talking about NIST, we're talking about the cyber security framework, we're talking about 800-171 compliance, and the whole state is having trouble with this. I've got some experts here to help me get through it. Now, I even have slides, I even have, like, images. So there's some stuff today, it's kind of cool. This is like a real show. Yeah, so you got, we're gonna have to do a brain dump. Thanks for coming. How come you never did slides when I had the show? I did it today because I can't explain this stuff, I gotta have some props. It's because you got Angus. Yeah, I do all the work and he'd take all the credit. All right, give me the FAR, the first slide, slide one. So this is something that I was surprised that so many government contractors don't realize: there's some cyber assurance associated with this basic safeguarding. And I want to read this to you and I want you to tell me how many people are doing this. No, don't name names. All right, access control, limited privileges, that's for like logging in, right? So give an admin admin only, right? Device auditing, data control, user auditing, user authentication, media disposal, physical access control, visitor management, communication and boundary control around the data, breach reporting, anti-malware, patch management, periodic system scans and audits. Now you're responsible for that. This is not DFARS 800-171. This is if you do business with the federal government at all. This is in your contract. This is the Federal Acquisition Regulation. It's super tough for a small company to comply. The first thing you can do is share logins. But these are just sort of statements, right? I mean, there's no real guidance. It just says you will do these things.
You'll be, I mean, I'll read it to you. Limit information system access to authorized users. Everybody gets a login. So the good news is, there's a ton of workbooks out there that the Fed has put together and it will walk you through what those requirements are. Basic safeguarding, yes. Basic safeguarding and such like that. So there's a plethora of information, and maybe there's almost too much, but it's there. Well, you brought "plethora" in here today. So there's a plethora of information out there that will help the client or anyone that's doing Fed-related work walk through what they need to do. Now, you said it earlier, this is not inexpensive. No. Well, the basic safeguarding could or should be. This is stuff you ought to be doing anyway. But you know what? Let's go back and be real. There's a lot of non-federal contractors out there that are not doing this either. Of course. Yeah, that's what's keeping me from retiring. If you reach out and you email any of us, we will send you a copy, or you can just go online and Google "Basic Safeguarding Requirements for Federal Acquisition Regulations." It's right there, there's a really nice document like that. There's guidance there and it's free, and get it and get to work on it, because this is stuff you should be doing really anyway. The biggest problem though, and I'm going to use another word of the day, as opposed to the plethora of information, there's a dearth of effort. There is a lack of responsibility being taken by the smaller businesses, and mostly because they're like five people running the whole business and they're going to do all the work, and then you dump this on them on the front page of their contract. They're not looking at that. Well, they will next year. Next year. Oh, we're going to get to that. Oh, he almost stole my whole episode. Okay, there's my slide number two.
So, outside, right, right under the FAR, we've had the DFARS compliance, the Defense Federal Acquisition Regulations, which is a smaller subset of the FAR, very particular. I might say a larger subset really in some ways; it's far more prescriptive than the Federal Acquisition Regulations Basic Safeguarding Guidance. Right, right. Now, we got how many families? 14 families here. 14 families here of stuff you need to take care of. Let's get to some professorial stuff here. Walk us through, just walk us through in general these families and sort of what they're about. Well, it's a combination of two things. It's the old FIPS 200 and it's the new NIST rules. Some of them taken out from the 800-53, which is organizing for the huge government organizations, right? So, this is a subset of the controls for non-governmental organizations, but that are vendors of the federal government. And a lot of people don't understand that this is for downstream. So, if you're the federal government, I have a contract with you and Gordon's subbing out to me, we all have to be compliant. We all have to be compliant. And that's hard when I'm going to have to get, you know, Gordon to sub for me, I got to say, hey, are you 800-171 compliant? If you're not, I can't put you on my contract. Yeah, there's no contract. So, you got 14 families and they're broken down to about 110 controls. And those controls mean what you have to do to comply with that rule. And when you read the 800-171, it's a little vague. Okay, however, it does refer you to the document that is extremely specific, which is the 800-53. That sub-rule will reference in this 800-171, it should be 3.3.5. And if you go to the 800-53, that's AC-2 and it shows you a paragraph. This is how you comply. Yeah, right. It's exactly what you're supposed to do. It's highly prescriptive. So, it's not mysterious, but it's not easy. But there is a workbook too.
And I keep referring to the workbook because the workbook distills it down even further. And it gives you the question to ask about yourself. Are you talking about 800-171A, the auditing document? Well, it's actually, it's not even the auditing document, it's another workbook document. Oh, I missed this one. It's really neat. It asks you, like, the questions: do you do this, yes or no? Yeah, do you do this, do you do that? And that tells you where you should be looking, what you should be doing and who you should be asking; it sort of kind of walks you through it. It's free. But it's a lot of work. So, 110 points is a lot of work. That's a lot of work for a small business. The 110 break down to some 400-plus checkboxes, like you're sort of talking about. So, it's not, it isn't just, it's nice to say 14 families. That's great. Each family's got mother, father, daughter, son, brothers, and all kind of stuff, right? And then their kids, and then their kids' kids, and then so it just keeps going down. And then some of the rules might not apply to you, which is a hard one, which is another one. It's like, well, does that or doesn't it, I don't know. Yeah, I like some of the questions about, you know, wireless access for me. Like, I just say no. Like, no, just get rid of that piece. Yeah, there's no wireless access. Because there's some known vulnerabilities in the side channel and all kind of stuff we don't want to deal with. So, just how about no. And you just say no. And then what? What's your, what do you have to put on your checkboxes? Oh, yeah, well, it ain't nothing. It's like, no, we just don't allow wireless in our particular environment. So, you still have to describe what you do and how you control for it. How do I stop someone from bringing in a wireless device? Bringing in their hotspot. Sure. Bringing in their mobile device and dropping it. Turning their phone on to personal hotspot. Personal hotspots. Once they're on your website. Dave always does that.
In your office. I open up a hotspot and plug my USB drive into their admin computer. Well, there is another one. Right, there you go, USB drive. See, the USB drives. You guys want to help, but they, you got to watch them. It's all I'm saying. Okay, slide number three. Easiest security: take all your people out of your company. Okay, this is important. Don't sign any contracts. The important thing I really want to talk about here is you can be 800-171 capable and not be in what we call GCC High in the FedRAMP environment. But in order to do DFARS (c) and (g), which is sort of like, if the government decides, first of all, (c) says you get a note. You must notify of a breach within 72 hours. Right. That's something you've got to do if you're a federal government contractor under DFARS. You don't get that with the normal GCC licensing. You can get it with GCC High. The (g) stuff says that, you know, where your data is. And if the government says, you know, we want to look at those hard drives, they can actually retrieve them from your provider, your CSP. So, DFARS (c) and (g) requires FedRAMP 800-171. You know, I think you might as well just go ahead and get in the FedRAMP environment is my take on it. What do you guys think? Well, I really think, I suggest we scoot back up a little bit here for the people in the cheap seats. First of all, we're looking at Office 365. I guess that's what I was going to do. There's equivalents of Google environment in the enterprise. And there's also Amazon Web Services. They have these government clouds for FedRAMP certified organizations. GCC is Government Community Cloud. GCC High is the DFARS, you know, environment where you can't just, like you said, you can't just go and sign up. You have to show them, a vendor like Summit 7, "I have a letter saying this is on my contract. I need this." And then they will migrate you over, and it's not easy. And so, you know, and there's only, I can't tell you how many GCC High, Office 365. 150.
No, I mean in the state of Hawaii. In Hawaii. Okay, so here's something that people need to be led to. If you fit into that middle box in that graphic that you have there, and you're running Office 365 Home edition, you've got a problem. You cannot, and I'm not, spoiler alert. You've got a problem and you better be looking at getting migrated over to GCC High. There are only five companies authorized to sell GCC High in the United States. Only five. That's right. There's only five people that you can buy licenses from for GCC High in the entire country. Oh yeah, because there might be other, obviously there's, I know there's 150 FedRAMP providers, maybe they do other services. Yeah, other services, but this is Microsoft licensing. Yes, you can. So you can't go to the Microsoft, the Microsoft Apple Store. You can't go to the Microsoft Store and say, I want to go to GCC High. Can I buy a license? No, no, no, no. There's a whole process and it takes, right now, they're, what, three months backlogged. I think you can get authorization to get the license right away, that you just have to provide, as you said; you gotta wait to get then onto a FedRAMP compliant stand-up. Times I've been quoted are six weeks. So here's a good question. When you do that, when your company, you're doing that now, did you have to come to them with a system security plan saying you are compliant? No, no, they just wanted to know your size of mailboxes, and then they can project how long it's going to take to migrate your environment. That's O365. Now you've also got to add your stuff. You need to migrate that as well. Right. And also there's gaps between, if you're running Office 365 E1, that particular suite, there's a bunch of the things that are not currently available in Office 365 GCC High. So maybe you're using a particular product within the E1 stack. It doesn't work within GCC High. I think you have to go three at minimum, right? I think it's E3.
Yeah, E3 and then they both on ATP. But there's even gaps. There's even gaps between E3 and GCC High. Microsoft has not finished it. ATP is Advanced Threat Protection. It comes with the E3 license. And Intune, which Gordon says is also not working in GCC High right now. I guess there's a bug, which I didn't read about. One more slide and we'll go to the break. This is just a real quick description of what's going on with FedRAMP by the numbers. Yeah, so that was what I was keyed on. There's 150 cloud security service providers in the FedRAMP environment. About 100 agencies are in there now from the Fed. These would be federal agencies, not subcontractors or contractors like us. And you can see that we've got four different baselines that the government's looking at, right? So you need to match that to the risk profile that you're going to be assessed with for the type of work that you do in your contract with the government. And it will be on your contract. And we're going to talk about how that's going to build out. So all this game's changing. We've been talking about self-attestation to where we are with this for the government. We're going to talk about when we come back what's going to happen in this next year to change that game and start to audit your actual compliance levels. So we'll be back after we pay some bills in a minute.
All right. Welcome back to Security Matters Hawaii. We're having a lot of fun with a difficult topic. It was pointed out we could call this Acronym City. So let's talk a little bit about some of these acronyms that we're bringing up here. GCC, I think we expanded on that, right? So don't get confused with just GCC. You may need GCC High for your work with the federal government. Do your homework. Do your homework on some of the homework available from NIST, from SANS, from CIS. So yeah, so a lot of these organizations, what's your sort of entry? Like where would you advise people to go online to start to gather some of this information? Well, before I tell them to do that, I tell them to read their contract. See what they need. Get into their contract. The front page is going to say, for the DFARS, the DFARS clause, this is going to be this long number separated by decimal points, and it ends in 7012. That's your first clue. Just 800-171. If you have that on your contract, you can do research into 800-171, those 14 families. Then keep reading; if it says (c), (g), or any of those others that have to be in the sections, I think in L and M in your RFI or request for information, you have to comply with that level of security. And that, and that is (c); that it actually says you have to give your physical hard drives over is (g). Yeah, what happens is it's in, so when you, if you use a cloud service provider, which, when I asked this in a room, almost everyone's Office 365. So if you use a cloud service provider, there's a clause that refs that, and in that ref, you'll come across that (c) and (g), or the cloud service provider requirements.
Right, so the regular environments in the cloud, AWS, Google Enterprise and Office 365, they won't surrender their physical hard drives. And it's usually because it's shared space, somewhere it's virtualized, right? But if you're in the GCC High or better cloud environment in Office 365, you have dedicated hard drives for your system. So they can actually remove those and hand those over. And the reason you brought that up is a breach. It was a breach. I mean, it's not like, there goes a breach investigation and they decide they want them. Then they want them. And that's why you have to be a FedRAMP compliant cloud provider for your GCC High Office 365, because then you meet the federal requirement for that particular piece. There's a lot more. There's a lot more pieces in there. Even the administrative. So the staff that they use to administer that environment is cleared. There's a whole lot of other stuff in the background. Maybe a quick point of note that, when you are supplying your documentation to the government, and you are in a FedRAMP environment, part of your technical control for your shared responsibilities documentation is the audit letter that your cloud service provider gets about their certifications. And that satisfies a lot of those technical controls. I think 50 or 60 of them we talked about. Well, there's one of those auditors in one of your other slides. There's 40 auditors or so, and Coalfire is one of them, right? They provided that for Office 365 by letter of attestation saying we're FedRAMP Moderate or better in this environment. So your shared controls for the cloud are covered. Just a letter, by the way; you still need to have a policy form. There's still work that you need to do on your side, and maybe MFA they enable, you got to turn it on. So there's still stuff that you have to do on your side of those controls, but they're audited on the control. You don't have visibility on what they've done on their side.
So the letter provides your level of attestation. But that doesn't get you off the hook. That just takes care of Office 365 GCC. What about if you're writing code? What about if you're an architect? What about if you're designing things for the military? All your information, all your different files, your shared files, all the stuff that you're doing, all your engineering drawings, all that stuff isn't covered by that little letter from. Yeah, you want to move that up into FedRAMP. Now, if you got your little data center in a closet somewhere down the hall, good luck with that one. You've already insisted on your phone. Or it's on your phone. Another problem. Come on. So if you're on site, I hope this is a wake-up call for anyone that's doing federal government contracts. Your contracting officer should be looking at this stuff right now. And now we're going to, if you haven't gotten the wake-up call in the last couple years that we've been really dealing with this, right? Now they're going to turn up the volume. There it goes. Here's your push. So we'll talk about that these next 10 minutes or so. Give us the next slide, five, I think it is. CMMC. This is the change to the game. Okay, let's do the CMMC. Cybersecurity Maturity Model Certification. Certification. That's a different animal. There was self-attestation. Now we're going to have a certification level that's going to be conducted by an auditor. Can we say why really quick? There's a lot of self-attestation out there. A lot of people kind of fudge the numbers and say we're covered, and they use somebody else's security plan and say look, we're covered. Contracting officers are not really paying attention. Someone was caught, a company that shall be nameless, and was charged I think three quarters of a million dollars. Whistleblower. From a whistleblower that says that we're not really covered. We lied, and they came back checking, sure enough. There was a huge one in the paper; even Cisco had a whistleblower.
Eight million. They settled with him. Eight million is not going to kill Cisco, but three quarters of a million could kill a small business. That'll kill a small business for good. Yeah. So let's look at these levels. So the maturity model certification right here. So up through level three, that's that first 110 controls that we talked about. The 800-171 as it stands. Yes. Revision one. It's going to change. It may change. It may change. No, it will change. It's going to change in January. Revision B right there. You see Revision B in the second one. Another 30 controls have been introduced in the last three months. So we shouldn't scare people. Those three controls. We should scare people. For level four and five you need to be a serious player. Oh yeah. I mean you need a security. You're a Boeing. You're a Martin. You're a Raytheon. You're up in those spaces, right? Right. Right. But interesting. But remember, think about this. You said it earlier. But if you're a sub to one of them. Then you need to be. Then you need to be. If you're participating as a part of their project or program. Now they could share their SOC with you. They could share their SOC. Their SSP and all of that. You could sign off on it. A lot of that stuff. But you're still going to have to comply with those 110 plus. Yeah. They're going to want to go maybe walk into your office. You have access control. Do you have logs? Then log in all of your guests. Do you walk your visitors around and stay with them all the time? I mean all that stuff. I think they're going to ask for your audit document, which will be produced. We have a time. I will sort of talk about all that last. Let's look at the vision. The next slide is sort of the vision for where we are today. So the CMMC derived sources, right? So notice how the Fed's gone at the lower level and said listen, we're trying to incorporate a lot of these other references because we have people outside of the U.S. that need to work with our partners, right?
Our defense industrial base partners. And so you see Australia's Essential Eight. UK Cyber Essentials down there. So you see some of that now going to be ref'd in the initial. And actually I think it maps anyway. I don't see China on that list. I wonder why. Most of this maps to 800-53, which maps to the Australia. All this mapping has sort of been done. But interestingly, these derived sources pending. The CMMC, I think they may get outside of this a bit or go a bit deeper. I think that's still open. You know, I listened to that broadcast the other day from the development center. And you know, they're quite a ways up the road. But I feel like many more changes could come. And I think, to your point, the higher level, the risk of the work that you're doing is represented. You know, you could have been able to consider yourself level two. You may find yourself at level four. So let's throw just two more acronyms into it. So if you're doing, if you're out there, you're doing CUI. Controlled Unclassified Information. Or CDI. Controlled Defense Information. If any of those show up on any of your contracts or anything you're doing, you got to comply. That's it right there. Now the argument always applied from small businesses is okay, it's on our contract but we don't actually handle that data. And that's a misnomer. So it's not just the data. The contract officer will say this is what we consider CUI or CDI. But you yourself got to know that it's not just the data that he's giving you or she's giving you. It's what you can create. And it's, if you create something that's innocuous. Another big word. If it's harmless, right. But you create a lot of those things, you put them together. The aggregate or the total of all those things together could be. Yes, harmful to the government. And it's controlled. And the project that you're working on. Right. Right. 100% agree. That's sort of the world that I live in. We're out as security documents for facility. I have network information.
I have basement information. Maybe demarc information. And when you put all that together, that could be used to. Something as harmless as the floor plans to buildings. Right out of my head. Those you could look to see where the biggest offices are. Those are the officers. The highest ranking officers. You can see where the armory is and the motor T. And the fence and the ingress and egress for the base. Right. So just a janitorial contract with floor plans is CUI. Yep. There you go. So look at the, I'm looking at architectural firms in this town that are doing work. I mean, I don't know of any that I know are even kind of looking at this. Oh no. It amazes me how many of these A&E plans are downloadable from a portal that doesn't have HTTPS. I hate to say this, but in most of the companies I work with, the first barrier I have to overcome is not the C-level executives. It's the legal department. Oh yeah. I have to walk the contract into the legal department and show them the exact clause and the exact rules they're not complying with. And then I have to have a 20 or 30 minute discussion on the legalese because they try to say no, no, this doesn't apply to us. That's great. Yeah. There's no defense. Go ahead. You take that position, and at the next year when you don't get any contracts, or, I think the legal department can go, well, I'm unemployed now because my company's got no work. No work. Really good point. Right. And here's what the government is saying as the audit capacity rolls out across the defense industrial base sector. Okay. Your contracts that get issued will have a required level of auditability. So for you to bid on that contract you will have to supply the document demonstrating that you've been audited to that level of compliance. And certified. And CMMC. That's right. And you're assigned a level. And you're assigned a level. And you have to have your SSP, system security plan.
And all the related 110 plus items taken care of. Oh yeah. Yeah. All there and all in place by what date? Well, let's look at the timeline. Yeah. What's supposed to be done now. You're self-attesting that it's done now. Right. But once they come to all of you. That's why I can't retire. Imagine if you have a, imagine if you self-attested that you're fully compliant and the audit finds you at level one; you could lose contracts or not be offered those same contracts come next September. So here's the government's timeline. So they looked ahead, that leveling criteria that we had, that little block on the right, all the things that they want to feed into this, defined by the end of August, which, this is mid-August now, so we're getting there. End of August. This year. Yeah. Yeah. This is coming right up. So you can see our current, the red is our current timeline, in July actually. So there you go. Where they're starting to incorporate this integrity and availability. Complete the information and assurance of corporation. Thread of day one. Thread of day two. You can see how they're modeling. They're looking for ease of use. These are all the things on the left hand side that you can tell that they're taking into consideration, because for small business this is a nightmare. And it's been a nightmare that you've been living with for three years now. Almost. But yeah. But now we're going to go test. Yes. What kind of dreams you're really having. Maybe we should tell the audience about the plans: the DoD is going to go pick a third party nonprofit to be the train-the-trainer. To train. To train the auditors. The auditors. Right. And so there are no auditors at this point. There are no auditors. Jump on the bandwagon. And there's no criteria for what they'll be auditing and things like that. So the 800-171 version B is supposed to come out in September. And that's when the third party auditor is supposed to be picked. That nonprofit.
And by January of next year we're supposed to actually be training those auditors. Training the auditors. May I have no one that might be. I'm going to try my best. Maybe someone in this room. Be an auditor. I'm not going to go down. We definitely need some local auditors in Hawaii. I mean, we're going to have to have some people that spend that money to get themselves certified to be auditors. How many contractors are impacted by this? You know, it just. I think there's about 10,000 DIB contractors. They said 300,000. Well, total across the country. Across the country, 300,000 contractors that will have to be audited by June. Well, if you want RFIs, according to their schedule. Next September. No, for contract; for RFI, June. Yeah, yeah. June of next year. June of next year. So 300,000 contractors are going to have to be audited by June of next year when we don't even have auditors yet. That's going to be tough. Who are trained. That's going to be a push. Yeah, that's going to be. There's a bit of a challenge. So what we're professing is to get in line with someone you believe is going to go through and become an auditor. Try to get high on their progress so you can be audited. I think there will be an advantage to you to offer your services to the government. If you are assured at a level three, you'll be able to offer yourself to participate in those level three contract offerings. But get your stuff done now. You've got to roll out all these 110 criteria. Yeah, the auditors just check you. You've got to start doing that now, because it doesn't start. It's going to cost you money that you might be able to get reimbursed back by the government when you get contracts. Later. Later. But you're going to have to put some money up front here, and it could be substantial depending on the size of your company or how far behind you are. I'm amazed that all the people in Hawaii think this really isn't going to be a big thing, but we have 11 military bases in the state. Oh, it's huge.
I mean, we do a lot of deals. How many subcontractors. So, oh my god, how many. I hope you learned something today. If you didn't learn enough, catch up with me and Dave. We're going to be on the Cyber Underground on Friday. We're going to talk about this same word. We'll try to hash it out a little broader for you. What time is that? It's going to be, uh, 1 p.m. 1 p.m. Friday. Hawaii time. Uh, thanks so much for joining us today. I hope it was eventful for you. It was definitely eventful for us, Gordo. Thanks for dropping in. If there's any time, Dave, thanks for the support. You bet. Appreciate you guys. Appreciate you out there. Stay safe. Aloha.