All right, we are live, so I will say this: there is a lag. You'll see a lag. Hold on, let me mute mine as well. Okay, good stuff. So, Adam, you should see the mute button now.

I do, yep. We are muted.

Okay, perfect. All right, good stuff. All right, guys, how's it going? Fantastic for a Monday.

For a Monday, right?

Right, I know, right? I always do these things on Mondays. I don't know, this is my start of the week; it gets me pumping.

Yeah, it's got a good ring to it.

Yeah, right, "Master My Mondays." Doesn't it? So hey, GovCon family, actually we started at 6:05, so I just said I'd come on and talk to some of the people out there and let people get in, because what'll happen is YouTube will send out notifications to everyone, and that way we could start on time and be respectful of everyone. I did receive your list of items, your links and everything, so I'll go through that. You guys just let me know what you want me to share and which you want me to drop in the chat as well. So, okay, you can see the YouTube, Adam?

We can, yeah, so we see the chat coming through as well.

All right, good. Hey Pierce, hey Joshua, hey Tammy, hey Maria. So welcome, welcome, welcome, everyone. Today Adam is going to be discussing DoD cybersecurity. Tell us, Adam, tell us what you're discussing today.

Yes, we're discussing the cybersecurity requirements for those of us that contract with the Department of Defense, either directly with the Department of Defense as a prime contractor, or as part of a prime contractor's supply chain: the subcontractors, suppliers, and vendors that support the primes executing government contracts. Because we process certain types of information that is truly owned by the Department of Defense, but they sort of lease it to us or allow us to process it.
They authorize us to handle it. We have to protect that information for the DoD, and it's not classified information. It's not like your James Bond secret or top secret information, but it's what's called controlled unclassified information: sensitive, but not quite to the point of being secret level. And then really anyone that works on any federal government contract processes what's called federal contract information, which is basically any kind of information that we shouldn't be making available to the general public. Whether those of us know it or not, we actually have some basic cybersecurity protections to put in place to protect that information as well. So we're going to be chatting about some of those requirements today.

Okay, great. And as always, I tell everyone today, make sure that you use this opportunity to share who you are and what you do. Right now there are 22 of us on here and growing; there'll probably end up being 75 people in the next 20 minutes. So definitely let us know your organization, tell us where you're at, what city you're in, and what industry you're in, so that when we're looking back at this later on, other people can reach out and connect with you. And as always, if you do have any questions for Adam, myself, or even Ali sitting off to the side, you can ask him as well. Let's go ahead, introduce yourself. We have somebody from Maui on, pretty sweet. Oh yeah. Okay. Yes, so again, let us know where you're at.
Let us know your industry as well. Use this opportunity to network with people. Again, I was on a podcast earlier this morning and I told the lady that, you know, we've had the opportunity to meet each and every week with each other, and that way we don't feel so isolated and alone, because it can be a lonely journey out here when none of your family understands, none of your friends understand what you're talking about, no one can relate. So use this opportunity to fellowship with other GovCon people and personnel. And there are people in here that are working for the government, there are people that are trying to get into the government, there are people that are established, there are small businesses alike. So definitely, again, let us know first and foremost the city that you're in and then secondly the industry that you come from. And we're going to start in just a few minutes; we're going to let some more people come on to the chat, because I know we promised 6:05. And then also, please, because you know YouTube and Google and all these social media monsters out here only give credit to videos that are liked and shared: definitely, 33 people on and I only have 11 likes. Hit the like button, okay? So push the like button so we can push this up, because in the first 24 hours, the more people that like it and the more that share it, that's what's going to be pushed out there into the world. So we want this great content that we're presenting today to get shared and pushed out to as many people as possible, because we all truly do need this information. And for those of us who are wanting the information and want to have access to it, some of us unfortunately may not be able to make it because of work, family, or other obligations, and we want those persons and parties to have access to this high-quality content. So definitely hit the like button out there and let us know what city you're in and the industry you're from, and then I'll let these guys take it away shortly. How did I do?

Pretty good.
Excellent. You got our like too. Thank you. All right, there you go, I got 12. I just noticed that our very first intern, Adam's first intern under Jim, morphed into a very talented engineer and full-time employee too. So he's on with us.

Okay. All right, nice. Good stuff. Great stuff.

And we should, I guess, Eric, we should start by describing what we do and where we are, right?

Absolutely, definitely start. Take it away. Can we get rolling with that? Let's get rolling at 6:07.

Right on. Well, let the late people come in.

Well, you know, there's always going to be those latecomers dragging in. You've got to set up a chair in the back of the room. The flowers on the wall, right? Yeah, so go ahead, talk to us. Tell us about what you do and how we came to know you and why we're here today.

Yeah, so, if you're good with it: we're Haight Bay and Associates. We're actually two entities. The main entity that we're talking with you about today is Totem Technologies, which is an operating unit of another business, Haight Bay and Associates. This is the Bay, Ali Bay, in Haight Bay and Associates. Haight Bay and Associates is a prime U.S. Air Force contractor; we run a logistics contract. We were lucky enough, five or six years ago, under the guidance of Ali, to write a winning proposal as a small business set-aside for a logistics contract for the Air Force, and we executed that successfully for five years, and we were lucky enough, actually as the first incumbent, to win back that contract, so to have a follow-on contract and win it. So we're very proud, and this is actually our first week on the follow-on contract. Because we are a prime contractor for the U.S. Air Force, a DoD contractor, we process that controlled unclassified information as part of this contract, and we have to secure our own IT systems, the ones that we own. The government doesn't own them. It's your company IT system, right?
We have to secure it to be able to process this DoD information. So those requirements to secure it have been around for five or six years. We've been on our own journey to implement all of the safeguards for this information for the past, like I said, five years, and myself and my team have been doing that type of work for the DoD for over a decade now. So we realized pretty early on in our own journey how complex and how big of a challenge this is, especially for small business prime contractors, much less the subcontractors and suppliers and vendors. And so, to bring our experience and what we consider expertise to our peers, our peer small business DoD contractors, three years ago we launched Totem Technologies as a business-to-business and consulting offering to our peer small business DoD contractors, and we've been doing that very successfully. Really huge growth over the last half a year or more, as the requirements themselves gain publicity. And so we're going to talk today, at a high level, about what those requirements are, and some of the approaches that a small business should be taking to get in line to be able to continue to compete on contracts and be members of the contracting team that actually executes the contracts going forward. So we're based out of Ogden, Utah; West Haven, Utah, which is just outside of Ogden, which is about 40 miles north of Salt Lake in Utah. And yeah, that's a little bit about us; that's where we are.

Go ahead.

I'd like to throw out there, like, sure, I'm not a cyber expert. So I was good at running...
I was, I'm a program manager, so I was good at running government contracts and finding the people that I needed. Thank God I had Adam on my staff when we were hit with the NIST 800-171 requirements, because it was too much for me to even think about absorbing. All right, I took Adam, an expert, and it took him 18 months to get us squared away. So I'm in the same boat, or I was in the same boat, as many of the contractors out there.

Right, right. No, that's good, that's good stuff. No, thank you for sharing. And also I just want to let everyone know who's out here watching: if you have questions, drop them in the chat. I will be monitoring the questions while they do all the talking and teaching. Maria even came back on and joined us to help with fielding questions as well, and then we have Pierce on here. So there are a couple of us in the audience that will be fielding questions and responding. So if you do have questions or comments, just drop them in the chat and I will curate those questions. And then if you have anything that you want to ask about us as an organization, like I said, we've got a couple of people in the chat monitoring that will be available to do so. Again, if you have not already hit the like button, hit the like button, and we are going to jump right in. So, Adam, take it away.

Yeah, so the first thing we need to do is talk about the types of information that we could run into by virtue of being either a prime contractor or a member of the contract team. And this is not classified information that we're talking about. So this is not the secret, top secret, confidential, not the James Bond stuff, but the other, more run-of-the-mill information.
And so many of our clients are in the manufacturing space; they build widgets for the DoD. What we're talking about are the unclassified drawings of those widgets, or the instructions for how to build those widgets. If that widget is specific to the DoD, that type of information about how to produce it or how to build it is sensitive. Obviously it's intellectual property, both for that company as well as for the Department of Defense, and our adversaries are actively trying to steal that information from us to compromise our military competitive advantage. So we have requirements to safeguard that information. That information is called controlled unclassified information, or the acronym is CUI. Those requirements can be quite a challenge for a small business, especially a small business that's not used to cybersecurity lingo. And there are clauses that can be injected into a prime contract that the prime contractors are required to flow down to their contract team. So by clause, I mean a requirement statement, and it's part of the DFARS, the Defense Federal Acquisition Regulation Supplement. And there's a clause that's injected if CUI is expected to be present on that contract. So this is information like engineering drawings, work instructions for how to build those widgets we are talking about. There are types of information that are related to nuclear propulsion and nuclear facilities, explosives and ordnance magazine types of facilities; the information about how to build and maintain those buildings is considered controlled unclassified information. So, because the DoD is authorizing us to handle this information,
we have to safeguard it, and we have to put certain protections in place. And there are literally hundreds of individual safeguards that we have to implement in a small business environment, and like I said, it can be challenging, but it is approachable if you approach it from the right direction. The key, or one of the kickers, is that pretty soon we're all going to be held much more accountable for safeguarding this information. Right now the DoD has minimal mechanisms to hold us accountable, minimal accountability tools in its tool belt is the way I like to think of it. But over the course of the next five to six years the DoD is going to be rolling out something called the Cybersecurity Maturity Model Certification, where we will be required by contract, all the way through the DoD supply chain (and there are hundreds of thousands, probably something like 250 to 300 thousand members of the DoD supply chain, what they call the industrial base), to procure the services of a third-party assessment organization to assess our level of implementation of these safeguards. It'll be similar to an ISO 9001 or AS9100 type of quality certification and audit; we'll have that same thing on the cybersecurity side. So gone are the days of just being able to attest, by virtue of signing a contract, that we have met and implemented all these safeguards. We're going to be truly held accountable at some point in the next, like I said, five to six years. So our mission at Totem Technologies, well, first of all, our mission at Haight Bay is to get squared away so that we can continue doing business with the DoD, and then our mission at Totem Technologies is to bring that methodology that we're squaring ourselves away with and offer that to our peer contractors. That's a mouthful, so I'll shut up and see if you have questions.
Yeah, let me ask some questions. You said controlled unclassified information, like engineering drawings?

Correct, correct.

Okay. All right. So, for example, I'm in construction and I have a lot of plans of government buildings that they email me. Is that considered controlled unclassified information?

Most likely it is, especially for the buildings themselves. For things like the peripheral designs, like parking lots and, you know, concrete walkways and things like that, maybe not, but I would imagine so for the facilities.

Okay. All right, so the facilities side. All right, and then, how do we determine what's controlled unclassified?

It's a great question. So it's partially the Department of Defense's job to determine that for us. But they also have sort of mini sub-clauses where they can direct us. We're called authorized holders of this information, especially if we generate the drawing. So if you are, as part of a proposal, hiring an architecture firm to actually generate a building architectural diagram, we're authorized holders of that information, and it's up to us to determine. We have what we call a CUI identification guide, which is a little decision tree and flowchart we offer on our website through a blog. We also offer it through what we call our knowledge base, which is actually just a subreddit, for those of your audience that are familiar with reddit.com. We have a subreddit; it's called Totem Knowledge Base, and that'll be one of the links that we can share. We've published our CUI identification guide through those platforms. Like I said, it's a decision tree that will guide any contractor through the path of determining whether or not they handle this controlled unclassified information.

Okay. Someone asked, what's the name of the model that you just mentioned?

The CMMC, I believe. Can I type that in the chat? Are you cool with that?

Yeah, I'll type it in the chat. Definitely.
We know this is interactive. I mean, someone already beat you to it. There we go, CMMC, cybersecurity. See how fast and accurately I can type. And then also, if there was one of the links that you want me to drop in there based on something that you said, let me know.

Let me grab our link sheet. I don't think I brought it in with me, unless you have a copy.

No, I have it. I hear myself. So yeah, there's a link to our blog as well as our knowledge base in there, which is the subreddit. Alif asks if one of the requirements is ISO 27001 certification. Not specifically, Alif, but the Department of Defense has indicated that there might be reciprocity between ISO 27001, which is an ISO cybersecurity certification for a business, and the CMMC.

Okay, no, all right. So now we have an example, okay. So now we've determined controlled unclassified, and you said there's a way, there's a formula for doing it: the DoD does it, or, for example, if we create the actual drawings, then the onus falls on us, correct?

Most of the onus falls on us. Ultimately, we're going to have to open up a line of communication back through the prime to the DoD to have them affirm that it is CUI.

Okay. All right. So now, let's talk about this, because you mentioned a couple of things as you glanced over, which were the third-party assessors and this being a requirement that's going to be put into some of the RFPs coming out down the road. I guess I want to know, what is it that I'm expected to do? Because I've heard it's expensive, and that people are supposed to be helping you, like, check some boxes and meet some minimum standards. Can we talk through what that looks like?

Yeah, so there's a lot to unpack even in that simple statement that you made.
I know, I know.

We have a three-phased approach, a three-phase methodology for compliance. The first phase is you have to understand, in conjunction with your prime contractor and the DoD itself, whoever the program management office is, we have to wrap our heads around what information it is that we're processing. So we take our clients through, and we have a methodology that we've published, to go through and determine the life cycle of this information in your organization. So: who do you receive it from, and how? If you generate it internally, who internally, which of your staff members, handle and generate this information? Do you share it with third parties like your suppliers and vendors? And how do you store it? Do you store it on premises or in the cloud? And finally, at the end of the information life cycle, how do you dispose of it? Like, is it on paper products? Do you then have to shred that paper? Or is it on digital media, like on laptops and servers, and what do you do with those?
We call this exercise life cycle determination, and it helps determine the scope, the footprint, of your IT system that has to be protected. And that's in itself some legwork; it takes some time to do. It's not an overnight thing to determine this information. You often have to have communication with your prime contractor to help go through this life cycle determination process, but it's the necessary first step. And once we have an idea of the footprint of our IT system and where that information resides within our organization and how it's handled, we can then look at the safeguards themselves and start exploring those safeguards, what I would call best-practice cybersecurity practices. And those practices are published by the Department of Defense, and coupled with the best practices themselves, the Department of Defense has also published assessment objectives, what we like to think of as action items. So here's the requirement, and here are the six things, the six steps you have to take to implement that requirement in your IT system. Right, so there's a requirement, for instance, for antivirus on endpoints. So at the high level the requirement is, as an organization, you're going to have antivirus capability. Well, then, underneath that, the individual actions: you're going to have to determine what endpoints need the antivirus, what antivirus solution you're going to go with, who's going to manage that antivirus solution. And so that goes on to one of the other aspects of that question and statement, Eric, which was: who's going to do this stuff? Right, who's going to actually do the implementation?
Many of us have internal IT folks, right, but I would say probably more small businesses actually outsource a lot of the day-to-day IT work and security implementation to what we would call a managed service provider, right, an MSP. Many of the typical MSPs are not used to working in this strict of a cybersecurity environment and will require some hand-holding through that process, which we help with. That's actually a major part of our consultation: leading MSPs through this process, as well as the IT folks. And it's most likely going to result in additional costs from those managed service providers, because there are so many additional practices that we have to put in place to handle this DoD information. And that's just the day-to-day IT stuff. There are also requirements for ongoing, continuous security monitoring, what we call hunting: looking for anomalous or potentially adversarial activity in network traffic or on your endpoints. And most of your regular, day-to-day IT managed service providers are not equipped to perform that monitoring, and so we'll have to outsource those capabilities, that ongoing monitoring, to what we call managed security service providers, MSSPs. And those entities, those organizations, maintain what we call security operations analysis and security operations centers. We in fact outsource our day-to-day IT to an MSP, and we outsource our ongoing monitoring capability to an MSSP, both actually located here in Utah. But we partner with other MSPs and MSSPs around the country and find the right fit for the right client. So basically we use the right tool for the right job.

So let me stop you and take this down to a novice level. I actually just learned the term MSP today with my podcast guys, but I think, I mean, I know what it means. I have a friend of mine who sets up networks for small businesses.
He's got like three or four guys. He goes to your office, sets up a bunch of computers, ties them together, and then they pay him a fee. Correct? That's an MSP?

Yeah.

He's not an employee; they're outsourcing to this company, right?

Right, exactly. That's an MSP.

Okay, perfect. So that probably fits the mold of most of us, right, who have small offices, just because we don't do computers and IT. All right, so now that particular person, he needs to learn and understand this, correct?

Yeah, he or she needs to immerse themselves in this world.

Yeah, okay, great. Now, the good thing about that is at least I don't have to worry about it, because that person needs to go learn this. Now, where would I send that person to learn how to do this for me?

Yes, so you can send them to Totem Technologies. Actually, we run a monthly workshop leading a small group, what we call a cohort, through, soup to nuts: here are the requirements, here's how you can implement those requirements.

Okay, and that monthly group, is that for techie people or is that for anyone?

It's for everyone. Yeah, so we do spend some time in some tech weeds occasionally, but the overall presentation, the overall workshop, is conducted from the layman's or novice perspective.

All right, let me ask a better question. The objective of the workshop, at the end of the day, what is the objective to accomplish?

You will be compliant with the current DFARS clause as it currently stands, and you will have a roadmap laid out for the future state, which is the CMMC. And the CMMC is being phased in in new RFPs and new contracts over the course of the next five years.

Right. Okay. So now, we go to the workshop, and at the end of the workshop I will know how to make my network secure and compliant. Is that correct?

Absolutely.

Okay.
Yeah, we'll have the full roadmap laid out.

Okay.

What I really like about the workshop and the format that Adam lays out in the workshop is, I hate to use the term "dumbs it down," but he does: he makes it so that the layman can understand what CMMC means and some of these big technical terms that are overwhelming, and were overwhelming for someone like me that wasn't in the IT tech field. So I went through the workshop and I better understand the CMMC, thank goodness, than 90% of the people that I talk to. So it's truly an educational experience.

Okay, no, that's great, that's great. Someone asked the question: do you recommend a particular network or system?

The unfortunate answer to a lot of these types of questions is it's going to depend. It's going to depend on the information you're processing and how you do that. So, like, do I recommend a particular, let's talk about antivirus, we get this question all the time: do I recommend a particular antivirus? We, Totem Technologies, are technology agnostic. I've got to recommend the right tool for your particular environment. When it comes to antivirus, for instance, I think of antivirus like a guard dog, right? So let's say you're in construction. You have a lot where you have to store material. You have a chain-link fence that protects that lot. You could have a guard dog patrolling that chain-link fence, right?

Right.

You can get a really good guard dog for really cheap from the pound. Every pound you go to will have a pit bull, or three, or ten, right? Free; all you've got to do is care for and feed and water that thing, right?
That guard dog will be able to thwart most of your average threats. The kid trying to climb the chain-link fence is probably going to be scared off by that guard dog. But the flip side of that is it's pretty easy to defeat a guard dog. You could throw a steak over the fence, and you're going to be on your merry way right into your lot.

Yeah, yeah, because I think it's hungry. It's had to share food.

That's right, it's hungry. It's the same for antivirus. It really depends on your environment, and you can get really good antivirus for free. The antivirus that comes on Windows is called Defender. It's free, it's really good, but by the same token it's relatively easy to defeat, and it also doesn't offer all of the bells and whistles for endpoint management. So it really just depends on what your IT folks already have in place and what you need to protect. Now, one of the cool parts about our workshop is that we keep the cohort size small, so we maximize the one-on-one time that our attendees have to ask us specific questions. Like, I think it was Jillian that asked that, and I would come back with, "Well, Jillian, what's your environment like? Who do you get the information from? Who do you send it to?" And through the course of that conversation in the workshop, we can hone in on some specific technologies that might help Jillian's particular company.

No, okay. No, I mean, that makes sense. I guess we all would like to think that we have the best, or we want the best. I don't know if it's practical or reasonable. You know, why can't we just get the best antivirus?

What is the best? And even if there was a best, the best costs money, right? And we're small businesses, so we have to find best value, right? We're all resource-strapped, and so that's what is unique about our approach, Totem Technologies' approach. We are a small business.
We're a micro business, in fact: 13 employees, growing, but that is our approach. We are in the same resource-strapped mode that our clients are in, and so we are strongly motivated to find best value as opposed to best, or newest, or shiniest, or the technology that just happens to have the best marketing campaign. We're strongly motivated to weed through and call out and find the best value.

Okay. Someone asked, must we be certified before pursuing opportunities? That's Bobby that's asking that. Must we be certified before pursuing opportunities?

Oh, yeah. Yes. When CMMC, I think that's the context here, correct? Correct. An RFP that includes DFARS clause 252.204-7021: that is the clause that will indicate that to compete for or execute that contract you will have to have a CMMC certification.

Can you drop that clause in there or repeat it slowly so we can write it down?

Yeah, I'll type it in right now. DFARS, so this is the Department of Defense supplement to the FAR. We should all know what the FAR is, right? I assume. Is that...

No, they know, they know the FAR. Yeah, everyone's aware.

DFARS 252.204. Oh no, I just typed it, check that. 252.204-7021.

Okay, 7021. It will be the requirement to have a CMMC certification before contract award.

All right, so this means we're going to have to go hire that assessor and be assessed before award.

Now, the DoD is not backporting; they're not modifying existing contracts.
They are slowly phasing the clause 7021 into new RFPs going forward. They've said they're going to do that with 15 contracts, affecting about 1,500 members of the defense industrial base, in fiscal year 21, but that is sliding to the right rapidly. The DoD is already over a year behind on implementation of CMMC. Right, so it's more likely going to be fiscal year 22 before even these 15 contracts, and then it slowly ramps up over the course of the next five or six years. But like I said, that's sliding to the right. I would imagine most of your audience that's on is not going to see the clause 7021 in an RFP for a year, two years, three years.

Oh, okay.

That doesn't mean there isn't a lot of work to do, and it doesn't mean you do not need to get started now. You need to get started now; there's a lot of work to do. We at Haight Bay and Associates, a micro business prime contractor, are still in our journey to become fully compliant with CMMC.

Wow. All right, we'll just quickly pause. Let's just go ahead and reset the room, everybody. We're talking to Adam and Ali from Totem Technologies, discussing the DoD cybersecurity framework, and we are here discussing the procedures that the government has set out for us small businesses to follow. Adam just dropped in the chat the DFARS clause that's now being written into some of the RFPs, but as he just stated, it's sliding to the right, so probably by next year we'll start seeing it written into more RFPs at the DoD, and eventually that'll be passed along to all government contractors, whether it's DoD or non-DoD work. Is that safe to say, Adam?

Well, right now the DoD is the tip of the spear, and they're piloting the CMMC program. It looks like there are other departments and agencies that are interested in it, but they have not adopted it yet. Right now it's just DoD.

Okay, great. All right. Someone asked, what about CompTIA Security+?
That's a nice personal certification. So it's a certification for an individual; it's not a certification for an organization. So it will help lend credence to your organization's cybersecurity program, but it won't necessarily help you pass the CMMC certification.

Okay. Now, let's talk about, you gave us some examples about the controlled unclassified. You mentioned life cycle determination. Can you just repeat life cycle determination for us?

Yeah, let me, Ali has something to interject real quick.

Okay, go ahead, Ali.

Yeah, we're talking about time frame, if you have to be certified before you pursue opportunities. One of the things that I really wanted to stress for the audience, because I've lived through it, is how long this actually takes. It is a long, long process, like 18 months, and we had an absolute expert on staff doing it for us every single day. So if you plan on pursuing opportunities, start early. Build your plan of action and milestones, and set marks in the ground so that you know when you're going to have to spend that money to implement some of the non-policy-based technical solutions. And we cover building those plans in our workshop. And it's like everything, right? You can have it quick, fast, or cheap; choose two. You can get it done on a quicker time frame than we have in our journey, but it would be much more expensive than the route that we've taken, and we're a small business; we have resource limitations.

All right. You said start early. So what are some of the things that we as small businesses can do now to start early
that doesn't cost us a lot of money?

Yeah, so that life cycle determination, which is the question that you were asking earlier. You go through a process; it's kind of like a thought experiment. We actually have a tool that facilitates this exercise in our workshop. Where do you receive this information from? Is it directly from the DoD? Is it from a prime contractor? Or do you generate it internally? And on what IT components (hardware, software, networking devices like wireless access points and switches and routers), and who does that? Right? So for receipt or generation of the information: what hardware, what software, what network components are affected, and what users. And you do that same exercise for, okay, we've received it. How do we store it? Where? How? Who does it? Who comes in contact with it? We either generate or receive this information. How do we manipulate it in our environment? How do we process it? Who does that, on what IT stuff? Right? If we transmit it externally, so we have to send, like, an engineering drawing. Let's say we're building a valve that goes into the engine of a fighter jet, an F-35, but we outsource the O-ring fitting for that valve to Maria's O-ring shop. Okay, we have to send her the drawing, right? We're transmitting that information. How do we do that? What systems, and who uses those systems to do that? Is Maria's O-ring shop prepared to receive that information? That's on us to make sure. And then at the end of all that, have we printed out any printed documents? And if so, how do we dispose of those? Or if our workstation or our laptop goes kaput, what do we do with the hard drive that that information was stored on? That's disposal.
So receipt, generation, storage, internal processing, dissemination, and disposal: those are all phases of the life cycle of that information. And going through that exercise of determining how the information moves through that life cycle, a natural result of that exercise is a list, a catalog, of all the hardware, software, networking devices, and users in our environment. And the very first step for any cybersecurity journey is to develop that catalog, and then begin to manage the configuration. So establish what looks like normal in your environment. What's a list of all the servers and workstations and network devices in our environment? A list of all the users? This is establishing a baseline, what looks like normal. And then, and only then, we can start worrying about the actual implementation of the safeguards. So the very first step is to get a list of your assets.

All right, so I think that makes sense. So the very first step, we list all of our assets and all of our people. Is that fair?

Indeed, exactly.

Okay, and then we write down how they are sending the information and receiving it, internally and externally.

Absolutely, because that's going to change the asset list, right?

Right. Okay. Okay. And then you said you write down how we dispose of it.

Yeah. So many of us hire a shredding company to dispose of paper products.

So now what does that look like? Is that just a big book of all this stuff? What does that look like?

We catalog all this in a simple spreadsheet. In fact, a spreadsheet.

Okay.

So you can picture a row on a spreadsheet: the engineering drawing as a row, and you have columns for receipt, generation, storage, transmission, disposal. And you just start listing stuff under each column for that particular piece of information. And then what flows out of that is a list of assets that you can capture on a spreadsheet. Most of you, most of us, are outsourcing our IT to an MSP, right?
The MSP, if they're worth their salt, is using some kind of asset management tool already.

Sure.

And so we make sure that the reports that come out of their tool line up with the exercise that we just did.

Right. Nice.

They should match up.

Now again, we're going to continue, but just tell us: where can we get the information on the monthly cohorts?

You can get it from our website. So I'm going to type in the chat the URL for that. A couple of things: I've got a Totem demo, totem.tech. I'm typing in totem.tech/workshop.

Okay, that's a link to our monthly workshops.

Yep. I don't have that one. And through Wednesday, we have an early bird discount for the June workshop, in fact.

Okay. 10% off. Okay. All right, so it's totem dot tech forward slash workshops... workshop.

Okay, workshop. Good. There's lots of goodies on our totem.tech site. We have a blog there where we go down some rabbit holes with some of the safeguards that we're expected to put in. I'll also put in our... we have the Reddit on there.

Okay, I will copy and paste that. Oh, I don't see the workshop in there.

Yeah, we missed out on the link for you here.

That's okay. It's coming right now into the chat. All right. Good stuff.

This is our free, open-to-the-public knowledge base. Which, I mean, Reddit can be chaotic, to put it euphemistically. We try to treat our knowledge base as a source of truth.
It's only us moderators that are able to post to that. We don't allow the general public to post, although we do allow the general public to read. So we keep it as a source of truth, from a small business perspective, for DoD cybersecurity compliance.

Okay. All right, now talk to me about this risk assessment template, the risk assessment template that you can download.

So one of the requirements for small businesses is to conduct a cyber risk assessment, and that can be quite a challenge. And there are risk assessment methodologies that exist out there, some of them are free, some you have to pay for, but essentially the set of procedures for how to conduct a cyber risk assessment... I'm imagining most of your audience has never conducted or participated in a cyber risk assessment, so it can be a challenge. So we developed our own small-business-focused risk assessment, and it's a simple worksheet. You can download that from our website, and it has a set of instructions with it. We will lead you through it. We lead you through it in the workshop as well. And essentially it leads you through the three factors of risk: some threat out there, some adversarial activity that is targeting you; they have to target some weakness in your organization, some vulnerability, and there's some likelihood that they can do that; and then there has to be an impact to the organization. So risk ultimately has to be calculated in tangible terms, like how long is it going to shut our systems down? There's a really good example of real-life risk going on right now with the Colonial Pipeline ransomware attack that you may have heard of, that some of your audience may have heard of. A major East Coast pipeline has been shut down for several days due to a threat exploiting a vulnerability and causing impact to that organization. A risk has been realized, and they're in trouble. To put it figuratively, they're fighting a fire right now.
So we all have to do this to manage the risk of the DoD information that we handle getting spilled.

Okay. And I just saw your CUI system inventory samples, which is great. I didn't see that earlier, so I just dropped that in the chat. Okay, I'm still waiting on you guys to drop the workshop in there, but that's okay. Maria appears to have found it for me.

Yeah, it's in there. I'm under "blown fuse 76," by the way. That's my... Maybe it hasn't reset on my computer.

Okay. All right. Pierce, can you find that workshop and drop it in as well? Or copy it so I could see it. Thanks. All right, continue. So what else? You mentioned costs earlier.

Cost is always a factor. We always get this question. And so I want to be real with the audience about real costs for a small business to become compliant with the CMMC that we're talking about. It's not going to be cheap, but it's approachable for a small business. So you're looking at... if your small business has no cybersecurity precautions to speak of, maybe you have antivirus on your laptops and that's about it, you're looking at tens of thousands of dollars in initial cost to reconfigure even a small IT network. By small, I mean 10 to 20. It gets significantly cheaper if you're a one-man or one-woman shop, or between one and five employees, but I'm talking about 10 and up. You're looking at tens of thousands of dollars in an initial reconfiguration. So that's one-time engineering cost. You're looking at tens of thousands of dollars on an annual, ongoing basis for your managed service, your day-to-day IT. And if you don't outsource that, you're going to have to hire an IT person; that person, those people, are tens of thousands of dollars in annual salary, right? And then for managed security service, the ongoing monitoring, you're also looking at tens of thousands of dollars annually, ongoing.
So these are real numbers. I'm being real with you. So the initial year of trying to get squared away to something like this, you're looking at multiple tens of thousands of dollars, maybe pushing a hundred grand, in engineering, day-to-day IT, and ongoing security monitoring for that first year. And that doesn't cover the costs of the assessment itself, which the DoD has estimated, for a small business assessment cost, at $60,000 annually for CMMC Level 3. Now, I personally think that's a little bit high, and the marketplace will not sustain that, will not support that. For us that's like two techs' salaries that we can't pay, right? That's like two employees that we can't hire. Right, that order of magnitude doesn't jibe with other assessments like ISO 9001. So I think that those numbers will come down, but I'm being forthright that that is the DoD's own estimate of costs for small businesses. So you're talking about a potentially really high barrier to entry just in terms of costs for this stuff. But our opinion, Ali's and my opinion, and many of the others in our small business group of peers, feel like that prohibitive cost is going to remove small businesses, especially the innovative small businesses, from the marketplace. And our hope is that the DoD will recognize that in the near term and work somehow (I don't have a good answer for how to do this) but work somehow to either change the requirements or lower the barrier to entry, cost-wise, for small businesses.
Otherwise, we're going to lose a lot of innovation as a country, as a nation, really. But I'm being real with you. Those are the current numbers as they stand, and the order of magnitude of numbers that Haight Bey & Associates has had to outlay as part of our journey. And that's one of the reasons we focus on keeping our costs so low, because our passion, mine specifically, is to enable small businesses. I need more small businesses in that defense industrial base. Some people ask, why are you creating competition? With healthy competition comes great innovation, right?

I'm scared of that. I would think there would be like some out-of-the-box solution.

Yeah.

You know, like everything goes through a box and then it comes out and it's compliant.

We all want that. And we want, like, okay, so for example, we all use the cloud now, right? And before, we didn't have cloud, right? I know you guys remember we didn't have Dropbox or cloud services, right? So now it goes into the cloud and it just... that's like it goes away. The problem is the security responsibilities don't go away. They go to the cloud.

So for example, again, I'm also a DoD contractor, and the Navy uses a service sometimes for us to send large emails. So they'll send it to me, I send it to them, and then whatever happens, it gets to them. It works out, you understand? It's an understanding.

Yeah. I know it's called SAFE site.

Yeah, let's say there you go. That's it.

Yeah, so the SAFE site is a nice, convenient method that the DoD has put out for transferring files, right? But those files are living somewhere in your environment, on a laptop or on a Surface or on an iPad or a MacBook, whatever. You have to secure that device. You have to put policies and procedures in place to secure that device in your possession. And even if, let's say, you never stored anything locally on a Mac, you only worked in the cloud,
you only used Dropbox or you only used Office 365, you still have to connect to those cloud services securely. So one of the examples that we suggest our clients put in place is to set a policy that your employees will never connect to those cloud services from, like, a Starbucks cafe, because you don't control that network. It's not a secure connection. So there are always these policies that you have to put in place. In fact, fully half of the compliance battle is developing policies. It really has nothing to do with the technology. 50% is writing down policies and procedures and training your users in those policies and procedures. The flip side of that is that's a good thing: you can get 50% compliant simply by virtue of developing some policies.

Okay.

And then the other half is going and hunting for that box that you're talking about, although I do want to caution, there's no silver bullet technology out there. There's no one box that solves all these problems at this time. I wish there were, but there's just... at this time.

At this time, right? There's opportunity for it, for sure.

Right, right. Maybe Amazon will figure it out.

We want a small business innovator to finish...

All right. I agree with you. Jeff Bezos has enough money. No, I agree. I totally agree. Talk to me about the separation of duties. What does that mean?

Separation of duties.
So you're required, essentially, to not have one individual in your organization have all the keys to your IT kingdom. You want to have some checks and balances in place, so that if you have a disgruntled employee that turns rogue and, I don't know, starts wanting to sell information to the Russians, he or she doesn't have access to all of that information and certainly doesn't have access to all of your IT systems. And so that general principle is called separation of duties: checks and balances, just like we have in the federal government. We're required to have that internally. That's a huge challenge for small businesses, where many of us wear multiple different hats. And how do we show the separation of duties? In our workshop (and I think you referenced it, because we have a link to a downloadable tool) we go through that process and that concept and give you tools and techniques for how, as a small business, to try to identify some duties that can be separated.

Okay. Again, listen, I'm the audience. Feel free to ask questions. I definitely don't know it all. This is my third pass at discussing CMMC. We've talked about NIST in the past. So again, I'm not the one to know it all. I'm just trying to field questions for those people who may be afraid to ask questions. So yeah, we're just looking for questions. Now, what's this e-book about that you guys have on here?

So the e-book encapsulates... so we're just scratching the surface of this topic. I do want to stress, though, that it seems complex, and it is complex, but we pride ourselves, and our mission is, to develop that clear roadmap to success for small businesses. So to use another metaphor, we break it off into bite-sized chunks, the chunks that we were trying to swallow and chew up when we first started this journey. We break that up. We lay out that roadmap to success. The e-book captures our small business perspective on all of these requirements in PDF format.
So all the topics we've been talking about today, which we go into much more in depth from a small business perspective, as well as dozens of other topics, are in this free e-book. So you can get a copy of that just by sending...

I'll type this in the chat. I've got the link on this spreadsheet you guys gave me.

Yep, perfect. So the link to that...

Okay. I can't hear you. We can't hear you.

I'll speak up. Kevin Fox had a question, and he says: if you're an MSP or MSSP that utilizes contractors overseas, are there restrictions on where these contractors reside/operate?

Yeah, absolutely. So one of the types of CUI is export-controlled information, ITAR, so International Traffic in Arms Regulations information. You have to have a quote-unquote "US person." Only US persons can come into contact with that information, and that is a US citizen or a lawful permanent resident, a green card holder. And so if your MSP or MSSP personnel could conceivably come in contact, which they can, because they are system administrators, then you're going to need to take a look at that relationship if you work with this export-controlled information. The other stuff, it's more nebulous. So when I say the other stuff, the other types of CUI, like the engineering drawings if they're not export-controlled, right now it's more nebulous as to who can access that information. We have a topic of discussion in our knowledge base differentiating the use of the word "basic" in this context of DoD contracts or cybersecurity. I'd recommend that your audience go and check out that knowledge base post on the use of the term "basic." You can look for that in the knowledge base, and we talk about differentiating between basic and specified CUI. Essentially, the specified CUI, which is most DoD-related CUI, requires what's called sovereignty, which means only US persons can come in contact with that information. And so that may have ramifications for your MSPs and MSSPs. Our general recommendation
is: use a CONUS-based MSP that employs US persons only in this environment.

Which, I can say, coming from Miami, we could use one that's USA-based, but the other part of that, I don't know if we could find out if they're citizens or lawful permanent residents. That one would be tough to find out for us.

Yeah, a lawyer could answer that question better and give further advice, but our general recommendation is look for a CONUS-based, US-based MSP.

Okay. All right. Mark B: how much to secure five computers for a small office instead of 20?

It depends. Now, it will be tens of thousands annually.

All right, now is that 50 or is that 10?

It depends.

Now let me ask you this, Adam. What you're talking about in terms of the cost, is that the cost if we have our MSP do it, or is that the cost if I just outsource it to someone that does this for a living? Is there any difference?

Well, those to me are the same thing. So your MSP is the entity you are outsourcing it to.

But I guess I feel like, since my MSP is, you know, maybe my friend or somebody I went to college with, maybe my cost won't be $50,000. Does that make sense?

Absolutely. Yeah, I would encourage y'all to look for opportunities like that.

But my MSP, my buddy, doesn't know about these requirements. So he's got to go and learn how to help me become compliant. So he's got to go to something like your workshop.

Right.

Okay. So I could send my MSP to your workshop. He'll learn how to become compliant. Then he could come back, my buddy from college or my cousin Vinny, and he'll know what to do for me, and then I could save my $50,000 nut.

So a prime example, Eric, is my buddy Adam.

Adam, can you hear me better now?

I can hear you better.

All right. So, yeah, a prime example is my buddy Adam saved me that $50,000. So he did it internally for us.

Perfect.
That's exactly how we solved it the first time.

No, I love it. I love it. And that's the approach that I would suggest, because again, I'm always looking for ways to help small businesses save, and I've got a lot of techy, nerdy friends that do this stuff for fun anyway. That's what they do in their nights and weekends. So why not, like, hey, you know, learn this, help me out?

Hey, after they get dragged through the weeds, though, they may not be your friends. I'll tell you that.

No, I'm sure.

Again, I will equip them in the workshop to understand these requirements, and we have lots of great conversations. We just had the workshop session today, lots of great conversations, where we'll introduce you all and the attendees to the free and open source tech options that really save you a lot of money, and teach you how to build your own policy statements so you don't have to outsource that to consultants like us. We do help companies with that in one-on-one engagements. The workshop is all about handing you a fishing rod and teaching you how to fish, right?

What's a policy statement? That's the first time I heard you mention that word, and I've been writing notes.

Yeah, so the policy statement is a statement of expected outcome for your cybersecurity program. So it's a statement like, "Haight Bey & Associates shall have antivirus installed on all laptops and workstations." Okay, that's a policy statement, right? And then it's up to our IT folks to make that policy happen, to make that policy a reality.

Can I find all this information in your e-book?

You can find much of it in the e-book. Yep.
And then we expand upon all the topics in the e-book in the workshop.

Okay, I'm going to drop the e-book back in there for everyone just to look at, because I know that we're covering a lot of information and we're going back and forth, and to me, what I think about is in Excel when it says you get that circular reference. So that's kind of what I'm saying. And again, look, I promised you, I have a whole page of notes here. But it's still like, all right, I need something to put it from A to Z for me.

And that's the roadmap that we lay out in the e-book, in fact, but then expand upon that in the workshop and give you the tools to do it in the workshop.

Okay, great. By the way, if you're just joining us, hit the like button, give us a thumbs up, and again, we can use that; it's helpful. I have an entire page of links that they've shared with me that I intend on sharing with you out there. In fact, because it's so much, I'm going to have to create one link to share it all with everyone. But, like you see it here, I will create a link that I will drop after this conversation is over with. I'm going to drop it in the chat on our YouTube channel so that way you guys can have all these links, and then anything else that we're discussing that maybe we don't have a link to at this moment. Fair?

Fair enough. And you can find everything that you need from totem.tech.

Right, exactly. You can go to the website, totem.tech, as well. Questions, questions. Carl asked a question earlier: are we willing to partner with newbies to enable growth?

Okay. We partner with newbies all the time. So just reach out to us on LinkedIn and let's have a conversation.

Okay, all right, cool. How can a small business get into the cyber govcon sector without having a security clearance?

I don't think that's related to this.

Yeah, we're not talking about security clearance. We're talking about the stuff to deal with unclassified information, right?
Okay. So Ron, we'll table that one for another session. Giant Hawaiian says: go through the layout of CMMC 1, 2, and 3 for everyone.

So there's a stratification. There are layers to CMMC, and it depends on what type of information you process as an organization which level of CMMC you'll have to target your assessment at. All DoD contractors, all 300,000 of us, will have to at least target a CMMC Level 1 certification. This includes the lawn maintenance crews that mow the grass at the Pentagon, or the waste management crews that have the contract to empty dumpsters at Idaho National Labs. It's everyone, because we all process some kind of contract information which is not available to the general public and deserves, at minimum, certain minimum protections. If you process controlled unclassified information, you're going to have to target CMMC Level 3. The difference in the number of controls between CMMC Level 1 and CMMC Level 3 is an order of magnitude. There are over a hundred additional controls at CMMC Level 3. Not to say CMMC Level 1 is a cakewalk, but it's a much simpler implementation compared to CMMC Level 3. And those costs I was discussing earlier were for CMMC Level 3.

Okay, so significant reduction in cost if you just have to target CMMC Level 1.

We go in depth into the differences between those in our workshop, in fact in session one of our workshop. But that's a great question.

How many sessions are in the workshop?

Nine sessions, an hour and a half long each, spread out over three weeks: Monday, Wednesday, and Friday. It's a really good format.
We get a lot of great feedback on the format, the layout, the pace, the structure.

Okay, all right. I had another question, but I can't remember it now.

Adam's the primary trainer in our cohorts. So he's just not bragging, but out of the hundreds of people that we've put through the cohort, we have over a 99% satisfaction rate. Everybody loves it. And we've even considered that we're priced too low, because a lot of the feedback is, we didn't think that we were going to get this level of expertise and this type of output from our program at a price like this.

Oh, that's great. No, it's good. That's good stuff. Yeah. What else do you want to leave the people with knowing about this process that would be beneficial to them?

That it seems daunting and it seems complex, and we've just scratched the surface in this conversation today, but we have purposefully built a methodology and a roadmap to make it approachable for the small business, especially those small businesses that are trying to break into the market, because as I always said, our passion is empowering small businesses and the innovation that comes with us small businesses, right? So if you approach it, if you put your crosshairs on the target from the right perspective, which is that perspective that we give you, it is approachable and you can do it. You just have to start. So in general the mantra is: don't panic, but get started. We gave your audience some tips on how to get started: start building a catalog of your system, start doing that information life cycle exercise. You can do that on a spreadsheet. Get started, and we can help put you on the right path towards success.

How do I choose an MSP and an MSSP? Do you have criteria that you guys operate by?
Ali?

Yeah, so let's start with MSP first. The criteria is, we ask them if they have heard of 800-171 and the DFARS and CMMC.

Okay, listen, everybody out here, take note. See, this is the question that you guys did not ask, right? And I think someone mentioned it in here, but this is a question you did not ask. Oh, Atlantapreneur said that most MSPs don't have a clue about security. 100% agree, Atlantapreneur. That's a sweet handle, too, Atlantapreneur. So the number one question is what? Have you heard of CMMC and NIST 800-171?

Okay, and really that's our criteria at this point, because like Atlantapreneur said, most of them don't have a clue about this. I would slightly disagree with Atlantapreneur that you recommend to look for an MSSP, at least. Yes, you also need an MSSP, but most of your MSSPs don't want to do the day-to-day IT stuff, like unlocking user accounts and resetting passwords. They don't want to do that. So we have this day-to-day work that needs to be done, managing the catalog of hardware, for instance. Your MSSP is going to be highly specialized in anomaly detection and incident response. I'll talk about one more number real quick: the average small business minimum cost for incident response, so recovering from ransomware, or you realize that a rogue employee absconded with some sensitive information. The average minimum cost for recovery from that is $50,000. The median cost is a million. So imagine ransomware: the average cost to recover from ransomware is a million dollars. Most of your small businesses are not going to survive that type of incident. In fact, 60 percent of small businesses go out of business within six months of an incident like that. So what you're looking for with an MSSP, your managed security service provider, is that they offer incident response and they'll have your back, like they suit up in a fireman's suit and go to bat fighting that fire with you, and respond quickly. So the earlier
and quicker you can respond, the lower that cost of fighting the fire becomes.

No, that makes sense. The first thing that comes to my brain is, I hope we've got some kind of insurance policy to cover this stuff.

So insurance policies are out there. They exist. You really need to read them closely and see what they cover, and many of them, actually more and more, maybe all of them, are requiring implementation of something like NIST 800-171.

That makes sense. Yep. Yeah, it's kind of like your house insurance now. You've got to get a new roof for them to cover the roof.

Exactly. Exactly. And you can't just put sheet metal over it, right?

Oh, we're corrupted. That's really... shingles, right?

Yeah, you've got to fix the underlying problem. Yeah.

No, I know. Ron Smith wants to know... It's a good start. There are lots of overlaps with PCI, the payment card industry standards for protecting credit card information. It's a good start, and there's lots of overlap there. I will say there's a significant increase in the types and number of best practices for DoD over and above the stuff for credit cards, but it's a really good start.

Yeah. So Ron, if you're there, I would encourage you to continue on that path. We need folks that can help.

Latin for Nurses: why do you think businesses don't have backups and encryption, which helps big time with ransomware?

Yeah, your best insurance to recover from ransomware is a good backup solution, and so many of us are deficient in that. I mean, if you have a good backup solution, you don't necessarily have to pay that ransomware, and you can just tell them to go bug off; we're going to rebuild.

Right. Yeah. No, actually, so our GovCon Giants site was hacked. Actually, all of my sites were hacked.

Oh, no.

I was down for a good, almost two weeks. It wasn't ransomware. They just, I mean, they redirected all of us to, like, these spam sites and things like that.
So we ended up having to delete everything. Fortunately, again, you know, we pay for backups. But even with the backup, it still took two weeks. And we had the backup from like two days prior, so we still lost information because of whatever; I don't know, we lost it. But yeah, we have Bluehost, and we lost information, but it did save us. We were able to rebuild everything back in about a month.

Okay, good. But you're still in business.

Oh, yeah. Well, fortunately, you know, all of our customer data, we have that through third-party vendors, so none of that's on our websites.

Good. Yeah, with the information, you're not going to be allowed to put anything on your website. It's forbidden.

Well, fortunately, we don't anyway, just because I kind of always never really wanted to have that liability. So I stayed away from that anyway.

Yeah, good. So that's a good policy that you've established for your business. That's an example of a policy.

Okay, see, one check for me. Boo.

Listen, we're wrapping this thing up. I've kept these guys on for just over an hour. So definitely get your questions in now. I know there's a little bit of a delay, a little bit of lag. If you enjoyed the conversation, give us a thumbs up, give us a like. That helps us get this information out to the maximum number of people that need to hear it. We're also going to drop the links to everything we discussed in the show notes on the site after we conclude this lesson. Make sure to look these guys up on LinkedIn. Find their information. I think I have some links to that as well. I will drop them in there for both Adam and also... Let's see. What's this Haight Bey video? Ali, what's this video?
That's the video of, uh... it's giving a little overview of a piece of software that we built to facilitate building the plans that are required for compliance. And then I think the other one is just a video of, um, starting Haight Bay.

Okay, an "about us" video. Okay. All right, um, yeah, there's our LinkedIn. We saw them come through. All right, the LinkedIns are there. All right, good. And hit us up on LinkedIn, uh, info at totem.tech. Pretty simple email box. Send us questions, we'll get back to you.

All right. Someone says, can you restate what is not allowed on the website?

Any federal contract information, period. What does that mean? So, like, the delivery orders that come down from a prime contractor: not allowed to post them on a website. The information about the contract that's not posted publicly on sam.gov, you can't publish any of that. Invoices, um, certainly not the engineering drawings and the technical information about parts. But all federal contract information, the definition almost literally is all information generated by or for a contract that you would not publish to the general public. It can't be on your website. You can't be touting it on LinkedIn. You can't be taking pictures of it and putting it on Instagram, Facebook, none of that.

All the stuff I do now. I'm just kidding.

The contract numbers are public knowledge, right? The fact that Haight Bay and Associates won a contract, that's public knowledge. We can brag about that on LinkedIn, but we wouldn't be posting our delivery orders on, right?

Sure, sure, sure. No, I just, again, I like to show people, um, and I don't post it. I just, you know... To pay out we'll write that we won another contract, but we don't actually post the copy of the contract itself. So, yeah, I usually just cut and paste the, um, the press release from somebody else.

There you go. I like that. That's a good one. That's a good one. That's a good one. That's a good one. All right.
Well, it looks like, uh, everyone is out of questions or exhausted, one or the other. I, um, this was a lot of information, but I will say that I'm closer to understanding this than I was before today's session. So for that, I'm very thankful for you guys today.

And for that, that makes our whole day to hear that from you, Eric.

No. Yeah, great. And no, I'm seriously, I've written a lot of notes. And again, you know, people tell you about all these models and these things, and yes, there are some cybersecurity people on here, there's IT people on here. But again, I needed some... I need simple. I need layperson's terms, you know, um, and so that was good for me. Uh, one person says, are there any workload products for CMMC like there were for HIPAA?

Yeah, there's a lot of overlap between HIPAA, which is the health care protection of protected health information in the health care environment. There's a lot of overlap. In fact, our software tool that I mentioned before was built to also support HIPAA environment organizations as well. The same plans, we have to build very similar plans to manage our cybersecurity program.

Okay, all right. Well, listen, um, thank you so much, guys, for coming on. I've dropped all the links in the chat, and like I said, if anyone has any questions about this, make sure to contact these guys. Um, their information is here. It will also be, um, everywhere that you hear this information, whether you're listening to it on a podcast or whether you're watching it on YouTube Live. So hey guys, listen, thank you so much for coming on today. I really appreciate you guys.

Eric, thank you. We appreciate you and everybody listening to gopcom. Yep. Thank you for the opportunity. Hey guys.
